Margaret Foster Riley, "Big Data, HIPAA, and the Common Rule: Time for Big Change?"
Posted on 11-Apr-2017
TRANSCRIPT
Big Data, HIPAA and The Common Rule: Time for Big Change?
Margaret Foster Riley, J.D.
Big Data, Health Law and Bioethics, Harvard Law School, May 6, 2016
THE COMMON RULE AND IRBS: TWENTIETH CENTURY MODEL
§ Academic Centers
§ Phenotypic Disease Model
§ Traditional Clinical Trial Design
§ Time, place, and inclusion
§ Clearer Lines between Clinical Treatment and Research
§ Paper Record
HIPAA: TOO EARLY, OUT OF DATE AND WAY TOO COMPLICATED?
§ Pre-Genomic/Molecular/Network Identifiers
§ True De-Identification, even when HIPAA identifiers are removed, is very difficult
§ But there are (sophisticated) analytics that can be used
§ Most of these are beyond the capabilities of most IRBs (if acting as Privacy Board) and many institutions
§ The more complex (useful!) the data, the more difficult this may be
§ We want sharing between institutions
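The slide's point that removing the HIPAA identifiers does not by itself de-identify a record can be made concrete with a small check. The following is an added example, not part of the original deck: it takes constructed patient records (fictional people, invented values), applies a simplified Safe Harbor-style stripping step (assumption: only a subset of the rule's identifier list is handled here, namely name, SSN, full ZIP and full date of birth), and then measures k-anonymity over the quasi-identifiers that survive (3-digit ZIP, birth year, sex). Records whose combination of those three fields is unique within the set remain linkable to any outside dataset that carries the same fields, which is exactly the residual risk the slide describes. A suppression step shows one mitigation and its cost in dropped records.

```python
from collections import Counter

# Constructed sample records: fictional people, invented values (not real data).
RECORDS = [
    {"name": "Alice Smith", "ssn": "000-00-0001", "zip": "02138", "dob": "1981-03-14", "sex": "F", "dx": "asthma"},
    {"name": "Beth Jones",  "ssn": "000-00-0002", "zip": "02139", "dob": "1981-11-02", "sex": "F", "dx": "migraine"},
    {"name": "Carl Brown",  "ssn": "000-00-0003", "zip": "02140", "dob": "1952-07-09", "sex": "M", "dx": "diabetes"},
    {"name": "Dana White",  "ssn": "000-00-0004", "zip": "22903", "dob": "1990-01-30", "sex": "F", "dx": "anxiety"},
    {"name": "Ed Green",    "ssn": "000-00-0005", "zip": "22901", "dob": "1990-06-17", "sex": "M", "dx": "hypertension"},
    {"name": "Fay Black",   "ssn": "000-00-0006", "zip": "10001", "dob": "1975-12-25", "sex": "F", "dx": "asthma"},
]

# Fields that survive identifier removal yet can be matched against outside
# data that carries the same fields: the quasi-identifiers.
QUASI_IDENTIFIERS = ("zip3", "birth_year", "sex")


def deidentify(record):
    """Simplified Safe Harbor-style stripping (assumption: a subset of the
    rule's identifier list): drop name and SSN, keep only the first three
    ZIP digits, reduce date of birth to the year, keep the diagnosis."""
    return {
        "zip3": record["zip"][:3],
        "birth_year": record["dob"][:4],
        "sex": record["sex"],
        "dx": record["dx"],
    }


def equivalence_classes(records, quasi=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """k is the size of the smallest equivalence class; k == 1 means at
    least one record is the only one with its combination."""
    classes = equivalence_classes(records, quasi)
    return min(classes.values()) if classes else 0


def unique_records(records, quasi=QUASI_IDENTIFIERS):
    """Records that are alone in their class: an outside record with the
    same three fields would single them out despite the stripping."""
    classes = equivalence_classes(records, quasi)
    return [r for r in records if classes[tuple(r[q] for q in quasi)] == 1]


def suppress_below(records, k_min, quasi=QUASI_IDENTIFIERS):
    """One mitigation: release only records whose class has at least k_min
    members. The rows dropped are the utility cost of the protection."""
    classes = equivalence_classes(records, quasi)
    return [r for r in records if classes[tuple(r[q] for q in quasi)] >= k_min]


DEIDENTIFIED = [deidentify(r) for r in RECORDS]

if __name__ == "__main__":
    print("k-anonymity after identifier removal:", k_anonymity(DEIDENTIFIED))
    for r in unique_records(DEIDENTIFIED):
        print("still unique:", r)
    kept = suppress_below(DEIDENTIFIED, 2)
    print(f"records releasable at k>=2: {len(kept)} of {len(DEIDENTIFIED)}")
```

On the six constructed records the stripped set has k = 1: four of the six rows are still unique on ZIP3, birth year and sex, and releasing only classes of size two or more leaves just two rows. That trade-off is the slide's "the more complex (useful!) the data, the more difficult this may be" in miniature, and computing k over the quasi-identifiers is one of the simpler analytics an IRB acting as a Privacy Board would need before calling a dataset de-identified.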
NETWORKED MEDICINE
A tremendous amount of this data comes from sources outside the typical health record
DATA SOURCES IN NETWORKED MEDICINE
§ Claims and Cost Data; subject to HIPAA or not, depending on the entity
§ Pharmaceutical/Laboratory R&D; may be subject to HIPAA, but depends on how data is acquired; Trade Secrets may apply
§ Clinical Data Controlled by Providers; generally subject to HIPAA / Digital Ownership Unclear
§ Patient Behavior and Preferences; depending on source, may be outside HIPAA and Commercially Owned
§ Rapidly increasing Commercial Use
INCREASINGLY DIFFICULT TO DISTINGUISH RESEARCH FROM CLINICAL CARE
§ Adaptive clinical trials
§ "Large Simple Studies" and "Pragmatic Trials"
§ Research networks
THE DARK SIDE OF HIT
§ With health IT, it is now possible for the first time in the history of medicine to:
§ Violate the health privacy of millions of individuals in a matter of seconds
§ Steal health information without having physical access to it; and
§ Violate an individual's health information privacy in a manner that makes it impossible to restore.
"The Financial Impact of Breached PHI", ANSI (March 2012), http://webstore.ansi.org/phi
BUT DOES RESEARCH ADD RISKS?
§ Most breaches and compromise are part of the clinical process
§ Many of those breaches are bread and butter financial fraud
§ Research (sadly?) is a fairly minor application of Big Data Health Information use
COMMON RULE NEEDS A MAJOR OVERHAUL TO DEAL WITH DATA ISSUES
§ Simply adding new rules does not do the trick; complicates rather than simplifies
§ Fundamental Disagreement is on where notice is sufficient vs. full informed consent
§ Notions of Autonomy
§ Faden/Kass: consistent w/ general privacy law (notice is sufficient)
§ Miller: health care is different
FUNDAMENTAL CHARACTERISTICS OF BIG DATA CHALLENGE THE STRUCTURE OF THE COMMON RULE AND HIPAA
§ The analysis of Big Data is often for a different purpose than the purpose for which it was originally collected
§ How does one do meaningful consent?
§ The volume of data used for Big Data purposes means that it comes from many sources
§ Outside the purview of any single (or many) IRBs
A PATCHWORK SYSTEM OF PRIVACY LAW IN THE UNITED STATES
§ The United States does not have comprehensive federal privacy laws
§ Privacy Law in the United States is Sectoral (but the Federal Trade Commission/OCR play overarching regulatory roles)
§ Health
§ Finance
§ Education
§ States also have privacy laws, which may or may not be pre-empted
PRIVACY, CONTROL AND OWNERSHIP
§ Context driven privacy interests
§ Unclear rules on ownership
§ But rarely the individual that the data describes
§ Illusory Control
CENTRAL PRINCIPLES FOR PRIVACY COMPLIANCE RELATING TO (ANY) DATA COLLECTION: TRANSPARENCY AND PROTECTION
§ Transparency
§ Notice: how will the data be used and shared
§ Choice: the individual's desires as to that use and sharing
§ Access: how the individual can implement those desires; this means a meaningful "opt out"
§ Security Protections
BIG DATA REALLY REQUIRES A COMPREHENSIVE (NON-SECTORAL) APPROACH
§ This requires us to fully examine the question: is health care really different?
§ If not, perhaps then we should have a data/informational risk scheme for research that is driven by all needs rather than tacking on HIPAA notions to other areas