The Global Privacy Environment and Its Impact on Records-Based Human Subject Biomedical Research...

The Global Privacy Environment and Its Impact on Records-Based Human Subject

Biomedical Research

Presentation To: The National Science Foundation

Center for Discrete Mathematics & Theoretical Computer Science (DIMACS)

Rutgers University DIMACS CenterPiscataway, NJ

December 10, 2003

Oliver M. Johnson , IIChief Privacy OfficerMerck & Co., Inc.

2

Overview

• The Global Privacy and Data Protection Environment

• Impact on Records-Based Biomedical Research

• Conclusions

Merck Privacy Office

3

The Global Privacy and Data Protection Environment

4

Definitions

• Privacy: the “right to be let alone.” Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193, 205 (1890)

• Data Protection: the administrative, technical and physical controls one uses to protect the confidentiality and ensure the proper use of personal information.


5

Privacy as a Social Issue• The Business Perspective

– Globalization– Personalization– Data Consolidation– Personal Information a Valuable Corporate Asset

• The Public Perspective– Growing Public Awareness– Strong Public Sentiment– Personal Information a Fundamental Personal Asset

• We are increasingly dependent on the ability to establish understanding and trust with large numbers of people from various cultures and perspectives.


6

Privacy as a Cultural Issue• Europe

– Personal privacy is a fundamental human right. Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms

– Long history and culture of protecting individuals from government and private intrusions into personal affairs.

– Most EU countries have had privacy laws for decades.– Omnibus legislative approach.

• U.S.– Freedom from unreasonable government intrusion into

personal affairs is a fundamental Constitutional right. 4th Amendment to the United States Constitution

– Relatively recent legislative focus on protecting individuals from private intrusions into personal affairs.

– Sectoral legislative approach.


7

Privacy as an Ethical Issue

Whatever, in connection with my professional practice, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of

abroad, I will not divulge, as reckoning that all such should be kept secret.

Hippocrates (c. 400 B.C.)

• World Medical Association Declaration of Helsinki (1964)• U.S. Common Rule (Established 1979 / Codified 1991)• U.S. Food and Drug Administration Regulations (1980)• OECD Privacy and Transborder Flow Guidelines (1980)• CIOMS International Biomedical Research Guidelines (1983, 1992, 2002) • CIOMS International Epidemiological Study Guidelines (1991)• ICH Good Clinical Practice Guideline (1996)


8

• EU Data Protection Directive of 1995– Covers all personally identifiable information– Covers all types of entities (e.g., Research, Business, Government)– Also adopted by Iceland, Norway and Liechtenstein (EEA) – Prohibits transfers to non-EEA countries lacking “adequate” data

protection– Adequacy Determinations: Canada, Hungary, Switzerland, Argentina,

Guernsey, U.S. Safe Harbor, Model Contracts• National EU Data Protection Laws

– Prohibit transfers to non-EU countries lacking “adequate” data protection– Member States must abide by EU Commission adequacy determinations

• EU / U.S. Safe Harbor Agreement– Enables individual U.S. companies to receive EEA personal information – Applies only to transfers from EEA countries– Applies only to transfers to certified U.S. companies

Merck Privacy OfficePrivacy as a Legal Issue - Europe

9

• Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Regulations– Covered Entities: Health Care Plans, Health Care Clearinghouses, Health

Care Providers– Business Associates of Covered Entities– Personally Identifiable Health Information

• State Privacy Legislation– Health and Medical Information– Data Security– Genetic Research

• Electronic Communications Privacy Act of 1986 (ECPA)• FTC Code of Fair Information Practices (1999)• Children’s Online Privacy Protection Act of 1998 (COPPA)• New Federal Telemarketing, Spam and Fax Laws (2003)


Privacy as a Legal Issue - U.S.

10

Merck Privacy OfficeLegal Summary – Rest of World

Privacy laws pending or enacted in:

• Non-EEA EuropeAlbania, Bosnia, Bulgaria, Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Poland, Romania, Russia, Slovakia, Slovenia, Switzerland

• Asia PacificAustralia, Hong Kong, India (pending), Japan, New Zealand, Taiwan, Thailand

• Middle East / AfricaIsrael, South Africa

• Latin AmericaArgentina, Brazil, Chile, Mexico (pending), Paraguay, Peru

• North AmericaCanada

Many of these laws are based on the European model.

11

Laws apply common principles but create significantly different administrative requirements

Merck Privacy OfficePrivacy as a Business Issue

12

Privacy Principles

• Respect: Understand and respect the privacy perspectives of the individual.

• Necessity: Collect personal information only for identified business purposes. To the extent possible, use non-identifiable information, and limit the personal information that is used and disclosed to that which is necessary for the identified purposes.

• Notice: Provide notice to individuals regarding the information that will be collected, how it will be used, and who will have access to it.

• Choice: Allow individuals to determine whether personal information about them will be collected, used and disseminated.


13

Data Protection Principles• Data Integrity: Use personal information in accordance with

the notice given and the choices exercised. Keep personal information accurate, complete and current in regard to the purpose for which is was collected.

• Access and Correction: Allow individuals reasonable access, on request, to personal information about them, and correct information that is incorrect or incomplete.

• Transfers to Agents: Obtain written assurances from agents that they will collect, use, and secure personal information pursuant to Merck’s instructions.

• Security: Secure personal information from loss, misuse, unauthorized access, disclosure and alteration.

• Enforcement: Provide communications, training, monitoring and enforcement with respect to Merck privacy policies and procedures.


14

Impact on Records-Based Biomedical Research

15

European Style Laws

• Personal Information: information which identifies, or is used alone or in combination with other information to identify an individual.

• Sensitive Persona Information: Personal Information relating to race, ethnicity, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life.


16

Research Requirements (EU Directive, Article 8)

Sensitive Personal Information may not be usedunless:• Each data subject gives “explicit” consent;• The data are necessary to protect the “vital interests”

of the data subject or another person and the data subject is physically or legally not able to give consent;

• The data are “manifestly made public” by the data subject; or

• The data are required for preventive medicine, medical diagnosis, provision of care or treatment, or management of healthcare services, provided the user is operating under rules of professional secrecy.


17

International Transfers (EU Directive, Articles 25, 26)

No transfers of Personal Information from theEuropean Economic Area (EEA) to non-EEAcountries unless:

• Each data subject consents to the transfer;• The transfer is necessary or legally required on

important public interest grounds;• The transfer is necessary to protect the data subject’s

“vital interests;”• The transfer is made under a “model contract” between

the EEA sender and the non-EEA receiver;• The transfer is to a U.S. Safe Harbor company; or• The transfer is to Argentina, Canada, Guernsey,

Hungary, or Switzerland.


18

Exceptions

• European Union Member States may, for reasons of “substantial public interest,” create exceptions to the general rule. (EU Directive, Article 8, 4)

• Some European countries, such as Italy, have laws expressly allowing epidemiologic research without data subject consent.


19

Practical Application

• In most European countries medicine is socialized, and governments maintain comprehensive medical databases.

• Most governments extract data from these databases and make them available to researchers.

• Data provided typically include ages, dates, gender, race, geographic information, medical information.

• Governments generally consider these data non-identifiable.


20

What is HIPAA?

• The Health Insurance Portability and Accountability Act of 1996; and

• Three sets of regulations issued by the Clinton Department of Health and Human Services in 2000:– Privacy Regulations - April 14, 2003 Compliance

Deadline

– Transaction Standards - October 16,2002 Compliance Deadline

– Security Regulations – 2005 Compliance Deadline


21

Who is covered?• HIPAA “Covered Entities”

– Health Care Providers that transmit health data electronically in connection with 1 or more of 8 “HIPAA Transactions”

Physicians Hospitals ClinicsGroup Practices Pharmacies

– Health Care PlansHMOs Health Insurers MedicarePBMs Group Health Plans Medicaid

– Health Care ClearinghousesEntities that transmit data into a HIPAA “standard” format from anon-standard format or vice versa

• “Business Associates” of HIPAA Covered EntitiesEntities that use protected health information (PHI) for or on behalf

of covered entities


22

What is covered?

• Protected Health Information: individually identifiable health information in the possession of a HIPAA covered entity that relates to an identifiable individual’s past, present, or future health, healthcare, or to payment for an individual’s healthcare.


23

Research Requirements

Uses or disclosures of PHI require:• Signed, HIPAA “authorizations” from each

study participant in addition to consents complying with the Common Rule and FDA Regulations;

• IRB or “Privacy Board” waivers of some or all of the authorization requirements; or

• “De-identification” of patient data via one of two methods:– Removing each of 18 prescribed data elements; or– Statistical Analysis and opinion.


24

Waivers and Alterations (HIPAA vs. CR)

HIPAA 45 CFR 164.512(i)(2)(ii)

A. Use or disclosure involves no more than minimal risk to the privacy of individuals, as indicated by F-H below;

B. Alteration or waiver will not adversely affect privacy rights and welfare of individuals;

C. Research could not practicably be conducted without the alteration or waiver;

D. Research could not practicably be conducted without access to and use of PHI;

E. Privacy risks to individuals are reasonable in relation to the anticipated benefits if any, to the individuals, and the importance of the knowledge that may be reasonably expected to result from the research;

F. Adequate plan to protect identifiers from improper use and disclosure;

G. Adequate plan to destroy identifiers at the earliest opportunity, unless there is a health or research justification or legal requirement to retain them; and

H. Adequate written assurances that PHI will not be reused or disclosed for other purposes.

Common Rule 45 CFR

46.116(d)

A. Research involves no more than minimal risk to subjects;

B. Waiver or alteration will not adversely affect the rights and welfare of subjects;

C. Research could not practicably be carried out without the waiver or alteration; and

D. Whenever appropriate, subjects will be provided with additional pertinent information after participation


25

De-identification (Two Methods)

HIPAA Safe Harbor 45 CFR 164.514(b)(2)(i)• Names• Geographic subdivisions smaller than a state• Zip codes• Dates (birth, admission, discharge, death)• Age, if over 89• Telephone numbers• Fax numbers• E-mail addresses• Social security numbers• Medical record numbers• Health plan beneficiary numbers• Account numbers• Certificate and license numbers• Vehicle identification and serial numbers• License plate numbers• Device identifiers and serial numbers• URLs• Internet Protocol address numbers• Biometric identifiers (finger and voice prints)• Full face photos and comparable images• Any other unique identifiers

Statistical 45 CRF 164.514(b)(1)

• A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable;

• Determines that the risk of re-identification of the data, alone or in combination with other reasonably available data, is very small; and

• Documents the methods and results.


26

HIPAA Research Exceptions

• Limited Data Sets

• Research on Decedents

• Work Preparatory to Research


27

Limited Data SetsAllowed• Admission Dates

• Discharge Dates

• Service Dates

• Death Dates

• Age (in hours, months or days)

• Age (for those over 90)

• Five Digit Zip Codes

• Demographic Data

Direct Identifiers Not Allowed• Names• Street Addresses• Telephone and Fax Numbers• e-Mail Addresses• Social Security Numbers• Certificate or License

Numbers• Vehicle ID and Serial

Numbers• URLs and IP Addresses• Full Face Photos and

Comparable Images


28

Limited Data Sets

• Data Use Agreement Required:– Data will be used only for research;– Researcher will not re-identify subjects; and– Researcher will not contact subjects.

• Minimum Necessary Rule Applies

• Must account for disclosures


29

Research Regarding Decedents

• PHI regarding decedents may be used for research.

• Researcher must provide to the institution:– Verification that PHI will be used and disclosed

solely for research on decedents;– Representation that the PHI is necessary for the

research; and– Documentation of death.

• Minimum Necessary Rule applies• Must account for disclosures


30

Work Preparatory to Research

• PHI may be used without an authorization or waiver for reviews preparatory to research.

• Covered entity must obtain from the researcher representations that:– Use or disclosure of PHI is sought solely to

prepare a research protocol “or for similar purposes preparatory to research.”

– No PHI will be removed from the covered entity by the researcher; and

– The PHI is necessary for the identified research purposes.


31

Work Preparatory to Research

• HHS has said in commentary on HIPAA that work preparatory to research includes activities such as:– Protocol development– Patient pre-screening– Subject recruitment

• Minimum Necessary Rule applies

• Must account for disclosures


32

Summary and Conclusions

• The governments of many countries with privacy and data protection laws have made special accommodations for records-based biomedical research.

• HIPAA provides new rules, but reasonably practical mechanisms for records-based biomedical research.

• It is important to consider state laws in the U.S., particularly in California.

• Remember that all privacy legal, regulatory and ethical regimes are based on the same principles.


33

Thank You!

Oliver [email protected]

908-423-7321

mailto:[email protected]

Date post:	21-Dec-2015
Category:	Documents
View:	214 times
Download:	0 times