Margaret Foster Riley, "Big Data, HIPAA, and the Common Rule: Time for Big Change?"

Big Data, HIPAA and the Common Rule: Time for Big Change? Margaret Foster Riley, J.D. Big Data, Health Law and Bioethics, Harvard Law School, May 6, 2016


Page 1: Margaret Foster Riley, "Big Data, HIPAA, and the Common Rule: Time for Big Change?"

Big Data, HIPAA and the Common Rule: Time for Big Change?

Margaret Foster Riley, J.D.

Big Data, Health Law and Bioethics
Harvard Law School
May 6, 2016

Page 2

THE COMMON RULE AND IRBS
TWENTIETH CENTURY MODEL

§ Academic Centers
§ Phenotypic Disease Model
§ Traditional Clinical Trial Design
§ Time, place, and inclusion
§ Clearer Lines between Clinical Treatment and Research
§ Paper Record

Page 3

HIPAA: TOO EARLY, OUT OF DATE AND WAY TOO COMPLICATED?

§ Pre-Genomic/Molecular/Network Identifiers
§ True De-Identification, even when HIPAA identifiers are removed, is very difficult
§ But there are (sophisticated) analytics that can be used
§ Most of these are beyond the capabilities of most IRBs (if acting as Privacy Board) and many institutions
§ The more complex (useful!) the data, the more difficult this may be
§ We want sharing between institutions

Page 4

NETWORKED MEDICINE

A tremendous amount of this data comes from sources outside the typical health record

Page 5

DATA SOURCES IN NETWORKED MEDICINE

Claims and Cost Data; depending on the entity, subject to HIPAA or not

Pharmaceutical/Laboratory R&D; may be subject to HIPAA, but depends on how data is acquired; Trade Secrets may apply

Clinical Data Controlled by Providers; generally subject to HIPAA/Digital Ownership Unclear

Patient Behavior and Preferences; depending on source, may be outside HIPAA and Commercially Owned

Rapidly increasing Commercial Use

Page 6

INCREASINGLY DIFFICULT TO DISTINGUISH RESEARCH FROM CLINICAL CARE

§ Adaptive clinical trials
§ “Large Simple Studies” and “Pragmatic Trials”
§ Research networks

Page 7

THE DARK SIDE OF HIT

§ With health IT, it is now possible for the first time in the history of medicine to:
§ Violate the health privacy of millions of individuals in a matter of seconds
§ Steal health information without having physical access to it; and
§ Violate an individual’s health information privacy in a manner that makes it impossible to restore.

“The Financial Impact of Breached PHI”, ANSI (March 2012) http://webstore.ansi.org/phi

Page 8

BUT DOES RESEARCH ADD RISKS?

§ Most breaches and compromise are part of the clinical process
§ Many of those breaches are bread and butter financial fraud
§ Research (sadly?) is a fairly minor application of Big Data Health Information use

Page 9

COMMON RULE NEEDS A MAJOR OVERHAUL TO DEAL WITH DATA ISSUES

§ Simply adding new rules does not do the trick; complicates rather than simplifies
§ Fundamental Disagreement is on where notice is sufficient vs. full informed consent
§ —Notions of Autonomy
§ Faden/Kass consistent w/ general privacy law (notice is sufficient)
§ Miller—health care is different

Page 10

FUNDAMENTAL CHARACTERISTICS OF BIG DATA CHALLENGE THE STRUCTURE OF THE COMMON RULE AND HIPAA

§ The analysis of Big Data is often for a different purpose than the purpose for which it was originally collected
§ How does one do meaningful consent?
§ The volume of data used for Big Data purposes means that it comes from many sources
§ Outside the purview of any single (or many) IRBs

Page 11

A PATCHWORK SYSTEM OF PRIVACY LAW IN THE UNITED STATES

§ The United States does not have comprehensive federal privacy laws
§ Privacy Law in the United States is Sectoral (but Federal Trade Commission/OCR play overarching regulatory roles)
§ Health
§ Finance
§ Education
§ States also have privacy laws—which may or may not be pre-empted

Page 12

PRIVACY, CONTROL AND OWNERSHIP

§ Context driven privacy interests
§ Unclear rules on ownership
§ But rarely the individual that the data describes
§ Illusory Control

Page 13

CENTRAL PRINCIPLES FOR PRIVACY COMPLIANCE RELATING TO (ANY) DATA COLLECTION: TRANSPARENCY AND PROTECTION

§ Transparency
§ Notice - how will the data be used and shared
§ Choice - the individual’s desires as to that use and sharing
§ Access - how the individual can implement those desires—this means a meaningful “opt out”
§ Security Protections

Page 14

BIG DATA REALLY REQUIRES A COMPREHENSIVE (NON-SECTORAL) APPROACH

§ This requires us to fully examine the question: is health care really different?
§ If not, perhaps then we should have a data/informational risk scheme for research that is driven by all needs rather than tacking on HIPAA notions to other areas