August 5, 2011 SACHRP Letter to the HHS Secretary (Including recommendations on HIPAA/HITECH Notice of Proposed Rulemaking)

The Honorable Kathleen Sebelius
Secretary of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201

Dear Ms. Sebelius:

The Secretary’s Advisory Committee on Human Research Protections (SACHRP) is charged with providing the Secretary, HHS, with advice and recommendations on issues relating to human research protections, with the dual aims of improving the protection of human subjects and the quality of protection programs, and of decreasing regulatory burdens that do not meaningfully contribute to the protection of such subjects. The protection and promotion of scientifically rigorous and ethically sensitive research in the public interest is our collective concern.

Recommendations on HIPAA/HITECH Notice of Proposed Rulemaking on Accounting of Disclosures and Access Reports, RIN 0991-AB62

Shortly after its creation in 2003, SACHRP began developing recommendations on significant topics in research, including the protection of the privacy of research subjects. Consistent with its longstanding interest in and recommendations relating to this issue, SACHRP submits the following comments in response to the Notice of Proposed Rulemaking (NPRM) published on May 31, 2011 (76 Fed. Reg. 31426) pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Health Insurance Portability and Accountability Act (HIPAA). We summarize herein the major topics that have been discussed in our deliberations, and request that these comments be forwarded accordingly, through the Secretary, HHS.

SACHRP’s comments address two HHS proposals: (1) exempting research from the requirement to account for disclosures under the HIPAA Privacy Rule ("Accounting Requirement"), and (2) requiring, as a new regulatory measure, access reports, for which there must be electronic tracking of every person's access to electronic information in a designated record set at covered entities and business associates, with very limited exceptions ("Access Reports").

Accounting Requirement: Exemption for Research

SACHRP strongly supports the HHS proposal to exempt research disclosures from the Accounting Requirement. As the NPRM notes, this proposal would implement a recommendation that SACHRP submitted to the Secretary in 2004. See SACHRP Chair Letter to HHS Secretary on HIPAA, Sept. 27, 2004, and Appendix A.

SACHRP's primary rationale for its 2004 recommendation was that strong protections already are in place for research conducted pursuant to a waiver of authorization (i.e., the research that currently is subject to the Accounting Requirement). This research may proceed only with a waiver of authorization approved by a privacy board or institutional review board (IRB), in accordance with several strict regulatory criteria. (Many of the same studies also undergo IRB scrutiny to determine if the Common Rule's separate criteria for a waiver of consent are met.) Given this high level of oversight and the specificity of researchers' commitments to protect individuals in these studies, SACHRP indicated in 2004 that the accounting requirement was unnecessary and overly burdensome to the research community.

SACHRP's rationale for its 2004 recommendation is even more compelling today. The federal government is investing over a billion dollars in comparative effectiveness research, an area of study that often requires waivers of individual authorization. Recent HHS policies also provide significant incentives for covered entities to conduct retrospective patient safety and benchmarking studies to improve the quality and safety of patient care. The HHS proposal to exempt research from the Accounting Requirement allows the research community to pursue and expand these critical areas of work without attendant administrative burden.

SACHRP further notes that in a 2009 report, prepared at the conclusion of a lengthy committee study, the Institute of Medicine similarly concluded that the Accounting Requirement unduly burdens research without materially adding privacy protection. See Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research, Institute of Medicine of the National Academies (2009).

Access Reports

The NPRM's new regulatory proposal for Access Reports would require covered entities and business associates to report to individuals, upon request, every access to their electronic information that is part of a designated record set (i.e., any health information relied upon for treatment or billing purposes, among other activities). This requirement would have an expansive reach: it would seem to include all electronic health record systems within a covered entity, of which there can be several at any one covered entity, such as those systems for main hospital or clinical records, labs, billing, and other services. The requirement would also include all electronic research forms, systems, or databases, and business associates' electronic records, provided that the electronic information includes a designated record set. More specifically, under the NPRM, upon an individual's request, a covered entity would need to aggregate all logs of access into the individual's electronic information over three years, contact all business associates for their own records of internal access to and disclosure of the individual's designated record set information, and provide an understandable report to individuals within 30 days, unless an extension is approved.

SACHRP is concerned that this proposal would pose several significantly burdensome challenges to the research enterprise. First, researchers are increasingly using electronic health records and other electronic information about a patient's care to facilitate research. These systems are critical to advancing research for many reasons: for example, they allow for more precise review and design of research questions, more tailored enrollment, more valuable longitudinal data, and more readily available sources of data, both for studies of widespread conditions and critical studies of rare diseases. Such research is not possible without accurate health information, which is increasingly found in electronic designated record sets. While covered entities likely would have records of electronic access to provide to individuals, if individuals had questions about the reports, covered entities that tried to respond would need to track down numerous protocols and research teams' membership, which would be extremely time-intensive. Further, the required Access Reports might be confusing even to individuals who had authorized their participation in research, but who do not understand the listings in the Access Report or the connection of those listings to the research in which they voluntarily enrolled. Similarly, for studies conducted under waivers of authorization and waivers of consent, in accordance with highly specific regulatory criteria and oversight, these Access Reports could lead individuals to have questions or concerns for research institutions even when the institutions have fully complied with privacy board and IRB review requirements. In sum, with so many multiple entries for completely valid, expressly authorized or clearly permitted research uses of the electronic medical record, the informational value to research subjects of making these entries available in an Access Report is not clear.

A second set of concerns is based on the fact that many researchers in covered entities access and record electronic designated record set information in multiple places. For example, cancer patients’ participation in clinical trials is extremely common and often extends to multiple research studies. Researchers typically need to access information in electronic health record systems for the clinical trials, and they often record trial data in the electronic medical record, in electronic case report forms, and in electronic databases. It would seem that all of these sets of electronic information would contain information relied upon for treatment or billing purposes, and therefore would qualify as electronic designated record sets. It would be quite difficult for covered entities to identify all the applicable electronic designated record sets containing a given individual's information, and preparing the Access Report (which includes all other types of non-research access at the covered entities and by its business associates) would therefore be extremely time-consuming and burdensome. Moreover, the Access Report would contain potentially duplicative information, in that researchers would have required access to multiple electronic systems containing somewhat similar information (e.g., medical record, updated case report forms, and other databases) for purposes of even a single clinical trial.

A third area of concern is that the NPRM proposes that, in order to generate an Access Report for a requesting individual, a covered entity must contact all of its business associates that have electronic designated record set information. While, to date, business associate relationships have not been common for research activities, some relationships already exist and more seem likely in the near future, as covered entities outsource functions due to expertise deficits and staff budget constraints. For example, some researchers within covered entities have hired information technology (IT) vendors to facilitate data collection, analysis, and storage in large survey studies. Researchers also hire outside consultants to assist in recruiting patient-participants for studies, and these consultants could maintain electronic designated record set information. SACHRP therefore is concerned about the significant burden that would be imposed on covered entities to identify and contact every business associate that may have electronic designated record set information for a given study, for reasons including but not limited to research.

Fourth, the primary interest of a research subject in seeking an Access Report presumably would be to ascertain any unauthorized uses or disclosures of his or her electronic medical record. Yet other requirements of the Privacy and Security Rules already offer significant protection against such unauthorized uses and disclosures, and moreover require notification to a patient if unauthorized access to an electronic record occurs. Indeed, in the breach notification provisions, HHS has already determined the specific circumstances of unauthorized access in which notification to a patient must occur. Requiring an Access Report therefore seems unnecessary and overly burdensome on research institutions, without meaningfully adding protection beyond what already exists in the breach notification requirements and in the various requirements for IRB and privacy board approval of waivers of authorizations.

Summary

In summary, SACHRP supports the HHS proposal to exempt research from the Accounting Requirement. At the same time, SACHRP has serious concerns about the new proposed Access Report requirement for reasons including, but not limited to, its negative effects on the research enterprise and its uncertain value to the overall interests of research subjects. SACHRP would recommend, instead, as follows:

  • Recommendation One:
    • Covered entities not be required to disclose access for research purposes, as part of the electronic access report requirement;
  • Recommendation Two:
    • The Office for Civil Rights clarify that institutions have discretion, for purposes of the electronic access report, to define what electronic databases are intended primarily for research use and thus lie outside the “designated record set,” with a presumption of validity as to explicit institutional decisions in this regard; and
  • Recommendation Three:
    • The Office for Civil Rights clarify that institutions have discretion, for purposes of the electronic access report requirement, to designate that “business associates” engaged for mixed research and other purposes may omit access for research purposes in responding to requests for electronic record access reports.
  • Recommendation Four:
    • In recognition of the public desire for greater transparency in unconsented uses and disclosures of identifiable data for research purposes, the Office for Civil Rights should open a dialogue with OHRP and other relevant agencies about possible guidelines for public access to information relating to waivers of informed consent and HIPAA authorizations that are granted by IRBs and/or privacy boards.

The Secretary should note that these recommendations in their entirety were endorsed by a majority of seven of the ten members of SACHRP who were present, while three other SACHRP members expressed their opposition, based on their commitment to increased access by individuals to information about research uses and disclosures of their protected health information.

SACHRP appreciates the consideration that has been given to its prior recommendations and the opportunity to comment on this NPRM.

On behalf of SACHRP, I would like to thank you for your consideration of these comments, and ask again that this document be forwarded to the Office for Civil Rights. The committee, the Subpart A Subcommittee and the Subcommittee on Harmonization share the Commission's dedication to human subjects protections, and hope that these remarks provide some assistance in their current endeavor.

Sincerely,

//signed//

Barbara E. Bierer, M.D.
Chair, Secretary’s Advisory Committee
on Human Research Protections
(SACHRP)

Meeting Members:

Barbara Bierer, M.D.
Chair
Harvard Medical School
Brigham and Women’s Hospital
Boston, Massachusetts

Albert J. Allen, M.D., PhD.
Eli Lilly & Co.
Indianapolis, Indiana

Carl H. Coleman, J.D.
Seton Hall Law School
Newark, New Jersey

Gary Chadwick, Pharm. D., MPH, C.I.P.
University of Rochester
Rochester, New York

David G. Forster, J.D., M.A., C.I.P.
Western International Review Board
Olympia, Washington

Gary H. Gibbons, M.D.
Morehouse School of Medicine
Atlanta, Georgia

Steven Joffe, M.D., MPH
Dana-Farber Cancer Institute
Boston, Massachusetts

Susan Krivacic, M.P. Aff.
PBG Consulting LLC
Austin, Texas

Suzanne M. Rivera, Ph.D., M.S.W.
Case Western Reserve University
Cleveland, Ohio

Lainie F. Ross, M.D., PhD.
University of Chicago
Chicago, Illinois

Stephen O. Sodeke, Ph.D., M.A.
Tuskegee University
Tuskegee, Alabama

Jerry Menikoff, M.D., J.D.
Executive Secretary

Julia Gorey, J.D.
Executive Director

Content created by Office for Human Research Protections (OHRP)