1 Addressing Privacy and Security Concerns in Health Data Analytics Deven McGraw, JD, MPH, LLM Partner Manatt, Phelps & Phillips, LLP June 8, 2014
2 Health Big Data Data analytics conducted by traditional health care system is regulated ltdby HIPAA. Health data (and data with health implications) collected, used and disclosed by consumer-facing and non-health care system entities is not. FTC has authority to address unfair or deceptive practices engaged in by for-profit companies; also enforce HITECH data breach notification for personal health record vendors & related apps. Aim should be tosupport and build public trust in data analytics that advance the learning health care system.
3 How does HIPAA govern analytic uses of data? HIPAA applies only to individually id identifiable health information data that is de-identified per HIPAA standards is not subject to any regulation. Limited Data Sets (the close cousin to de-identified data) are permitted for research; data holders are required to execute data use agreements; individual consent typically not required. We are familiar with research networks that rely on these We are familiar with research networks that rely on these data types but not always ideal for all types of research
4 HIPAA & Analytics (cont.) Before fully identifiable information can be used for research purposes, the patient s authorization must be obtained (currently authorization must be study specific but Omnibus rule allows for authorizations for future research, as long as that future research is sufficiently described ) Can be waived dby a Privacy Board or IRBif too difficult to obtain authorization, risk to privacy is considered to be low, and benefits are high Some exceptions (review of data onsite in preparation for research, research on decedent s info, and use of limited data set) Scope of new rule uncertain
5 HIPAA & Analytics (3) Uses and disclosures of identifiable health data for health care operations do not require individual consent or authorization Includes conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines; population-based activities relating to improving health or reducing costs However, if obtaining of generalizable knowledge is a primary g g g p y purpose of these activities, it is considered research and not operations
6 The Common Rule Applies to federally funded research (or research in federally funded institutions) on identifiable data Includes health hservices research Review of IRB (either full or expedited) required Consent required, although can be waived if: The research involves no more than minimal risk The waiver will not adversely affect the rights & welfare of subjects The research could not be practicably conducted w/out the waiver; and When appropriate, subjects are provided with additional info after When appropriate, subjects are provided with additional info after participation.
7 The Common Rule (cont.) ANPRM sought comment on fairly significant changes Research on data collected for clinical purposes but secondarily used for research purposes would be exempt from requiring IRB approval one-two page registration of study with IRB/institution required instead If data are identifiable, consent is required (but general consent would suffice); Rely on HIPAA for standards of identifiability Require adoption of data security protections Biospecimens collected for clinical purposes requires consent for research even if not identifiable Unclear if/when proposed rule will be issued
8 Issues with Current Federal Legal Frameworks Governing Health Data Analytics Genuine confusion about application of the rules Overly conservative interpretation i of the rules in most cases, HIPAA says can not must Health services research often requires multiple sites k h i ll to work together typically not easy Data as an asset Data holders have a legal responsibility to protect; variances in risk tolerance Differences in state law can also create obstacles
9 Research vs. Operations HIPAA Health care operations includes conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines,,provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities. (emphasis added) Also includes population-based activities relating to improving health or reducing health care costs, and protocol development. Research is a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Common Rule has the same definition for research.
10 Paradox Two studies using data for quality improvement purposes: both use the same data points, are done to address the same question or sets of questions, and are done by the same institution. They will be: Treated as operations if the results are only intended to be used internally Treated as research if a primary purpose is to share the results with others so that learning may occur. Guidance on primary purpose allows for a later change in plans but initially you have to intend to be doing only operations yy g y p How does this advance both the learning healthcare system and protections for data?
11 Health IT Policy Committee (HITECH) Comments to Common Rule ANPRM Use of clinical i l data to evaluate safety, quality and efficacy should be treated like operations, even if the intent is to share results for generalizable knowledge, as long as provider entity maintains oversight and control over data use decisions. Entities should follow the full complement of fair information practices in using PHI for these purposes. Recommendations provided some examples of activities with clinical data that should be treated as operations but also acknowledged further work was needed to determine e a new line for when analytics with EHR data should be treated under more robust rules. Recommendation letter of 10/18/11 -
12 Potential Paths Forward Increased focus on discriminatory/harmful uses (but don t ignore risks inherent in collection) At least experiment with different frameworks for protecting privacy in research using clinical data Rely less on consent and instead pursue other models of patient engagement (e.g., input into research; greater transparency re: research uses of data; requirements to share results with patients) Mechanisms of accountability/oversight (Canadian model (PHIPA), voluntary research network governance models, accreditation) Incentives to pursue privacy-enhancing data sharing architectures Study their efficacy in building and maintaining public trust in research.
INTRODUCTION This guidance is composed of a series of fact sheets that clarify how the HIPAA Privacy Rule applies to, and can be used to help structure the privacy policies behind, electronic health information
United States Government Accountability Office Report to Congressional Committees March 2014 ELECTRONIC HEALTH RECORDS HHS Strategy to Address Information Exchange Challenges Lacks Specific Prioritized
April 2014 FDASIA Health IT Report Proposed Strategy and Recommendations for a Risk-Based Framework FDASIA Health IT Report Proposed Strategy and Recommendations for a Risk-Based Framework Table of Contents
Vol. 78 Friday, No. 17 January 25, 2013 Part II Department of Health and Human Services Office of the Secretary 45 CFR Parts 160 and 164 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach
National Cancer Institute Taking Part in Cancer Treatment Research Studies U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES National Institutes of Health Taking Part in Cancer Treatment Research Studies If
Response of the German Medical Association to the European Commission proposal for a regulation of the European Parliament and of the Council on clinical trials on medicinal products for human use, and
IS YOUR PROJECT HUMAN SUBJECTS RESEARCH? A Guide for Investigators HUMAN SUBJECTS RESEARCH Research projects involving human subjects require review and approval by an Institutional Review Board. An IRB
Frequently Asked Questions : Personal Health Information Protection Act February 2005 Information and Privacy Commissioner/Ontario Ann Cavoukian, Ph.D Commissioner. Dr. Ann Cavoukian, the Information and
Guidance for Industry Expanded Access to Investigational Drugs for Treatment Use Qs & As DRAFT GUIDANCE This guidance document is being distributed for comment purposes only. Comments and suggestions regarding
Embedding Privacy into the Design of EHRs to Enable Multiple Functionalities Win/Win March 2, 2012 Information and Privacy Commissioner, Ontario, Canada Ann Cavoukian, Ph.D. Information & Privacy Commissioner
The Regulation of Health Information Privacy in Australia A description and comment Prepared by Professor Colin Thomson JANUARY 2004 I N V E S T I N G I N A U S T R A L I A S H E A L T H National Health
Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Ponemon Institute Research Report
Wednesday, July 28, 2010 Part III Department of Health and Human Services 45 CFR Part 170 Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria
Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS www.fic.gov.bc.ca INTRODUCTION The Financial Institutions Commission 1 (FICOM) holds the Board of Directors 2 (board) accountable for the stewardship
A Guide to the Personal Health Information Protection Act December 2004 Information and Privacy Commissioner/Ontario Ann Cavoukian, Ph.D Commissioner Dr. Ann Cavoukian, the Information and Privacy Commissioner
Code of Federal Regulations TITLE 45 PUBLIC WELFARE Department of Health and Human Services PART 46 PROTECTION OF HUMAN SUBJECTS * * * Revised January 15, 2009 Effective July 14, 2009 SUBPART A Basic HHS
OSC Staff Consultation Paper 15-401 Proposed Framework for an OSC Whistleblower Program February 3, 2015 Table of Contents 1. Summary... 1 1.1 Purpose of Consultation... 3 2. Background... 3 2.1 Why Should
OCR PRIVACY BRIEF SUMMARY OF THE HIPAA PRIVACY RULE HIPAA Compliance Assistance SUMMARY OF THE HIPAA PRIVACY RULE Contents Introduction... 1 Statutory & Regulatory Background... 1 Who is Covered by the
Private vs. Public Cloud Solutions Selecting the right cloud technology to fit your organization Introduction As cloud storage evolves, different cloud solutions have emerged. Our first cloud whitepaper
FEDERAL HEALTH IT STRATEGIC PLAN 2015 2020 Prepared by: The Office of the National Coordinator for Health Information Technology (ONC) Office of the Secretary, United States Department of Health and Human
A Cooperative Agreement Program of the Federal Maternal and Child Health Bureau and the American Academy of Pediatrics Acknowledgments The American Academy of Pediatrics (AAP) would like to thank the Maternal
Exposure Draft May 2014 Comments due: September 11, 2014 Proposed Changes to the International Standards on Auditing (ISAs) Addressing Disclosures in the Audit of Financial Statements This Exposure Draft
Rare Diseases: Common Issues in Drug Development Guidance for Industry DRAFT GUIDANCE This guidance document is being distributed for comment purposes only. Comments and suggestions regarding this draft