The Department of Health and Human Services (HHS) provided an Advanced Notice of Proposed Rule Making (ANPRN) on July 22, 2011, to enhance protections for medical research subjects, including standards around privacy and data security. The ANPRN seeks comments on how better to protect human research subjects while facilitating valuable research. The current Common Rule was developed over 20 years ago and does not reflect changes in how medical research is conducted today and the advanced technology used to facilitate the research.
HHS acknowledges concerns with the current Common Rule and the increasing use of genetic information, biospecimens, medical and research records and administrative data. The risks related to these types of research are considered informational risks, such as the unauthorized release of information about the research subject. The HIPAA Privacy Rule addresses some of these risks by imposing restrictions on how protected health information may be used and disclosed, including for research. The HIPAA Security Rule protects subjects by requiring covered entities and their business associates to have physical, administrative and technical safeguards to protect information in electronic form. However, not all research investigators are subject to HIPAA. In addition, the Privacy Act of 1974 does not apply to non-Federal researchers. Further, HHS acknowledges that the Common Rule and the HIPAA Privacy Rule can be inconsistent, which makes it difficult for researchers to comply with both. Current privacy regulations do not take into account the genetic and information technologies that make complete de-identification of biospecimens impossible and re-identification of sensitive health data easier.
HHS proposes establishing mandatory data security and information protection standards for all research studies that involve identifiable and potentially identifiable data and where data is collected, stored, analyzed or otherwise reused. HHS also anticipates creating rules to protect against the inappropriate re-identification of de-identified information that is collected as part of a research study. The ANPRN advocates adopting the HIPAA standards around de-identification and extending them to investigators who are not covered entities or business associates. With these new rules, HHS expects to streamline the Institutional Review Board (IRB) process and no longer require the IRB to assess the adequacy of the protections against informational risks. In addition to adopting the HIPAA Privacy Rule, HHS further proposes the following: 1) research involving identifiable data would be required to adhere to the HIPAA Security Rule, including the breach notification standards; 2) data could be considered de-identified or in a limited data set if the investigator sees the identifiers but does not record them in a permanent research file; and 3) retrospective audits and additional enforcement tools.