Medical Research and 'Trust Issues'
Panel Spells Out When Privacy Measures Are Needed
The Health IT Policy Committee says that when a provider organization uses data from electronic health records to evaluate the safety, quality and effectiveness of prevention and treatment activities, that amounts to using it for "operations" and not "research." As a result, the provider should not need to obtain "informed consent" from patients for these evaluations or approval by an institutional review board, as is required for broader research projects.
Examples of activities that should be exempt from the extra privacy protections, according to the committee, include:
- Using EHR data to evaluate the effectiveness of care;
- Identifying patterns of adverse events for early detection of patient safety issues;
- Evaluating interventions designed to improve compliance with existing standards of care, such as measures to reduce hospital-acquired infections;
- Monitoring individual clinicians for adherence to treatment protocols;
- Increasing patient compliance with guidelines, such as for vaccinations and cancer screening tests.
A provider organization should be exempt from informed consent and review requirements under the updated Common Rule, however, only if the organization "retains oversight and control over decisions regarding when their identifiable EHR data is used for quality, safety and effectiveness evaluations," the committee stresses.
The Department of Health and Human Services and the Food and Drug Administration are accepting comments through Oct. 26 on their "advance notice of proposed rulemaking," a solicitation of ideas for changing the Common Rule, which has been in effect for 20 years (see: Research Data Protections Considered). The agencies are seeking feedback on a plan to, among other things, establish mandatory data security and information protection standards for research involving identifiable or potentially identifiable data.
The existing Common Rule, which is designed mainly to address clinical trials, focuses primarily on protecting patients from physical risks. But it also addresses research based on patient-identifiable information.
Privacy Recommendations
On Oct. 12, the HIT Policy Committee, which advises HHS, approved a comment letter on the Common Rule update issue, incorporating recommendations from its Privacy and Security Tiger Team (see: "Draft Transmittal Letter" on the committee's website).
The narrow definition of research "is based on previous tiger team and policy committee recommendations that recognize that patients place their trust in their healthcare providers with respect to stewardship of their health information," according to the comment letter.
When a provider organization that created a patient's EHR no longer has control over decisions about the use of the data, a patient should be able to choose whether their information can be used for that broader research, the committee recommends.
Deven McGraw, tiger team co-chair, recently said that team members were concerned that treating quality evaluation activities by provider organizations as research subject to the updated Common Rule guidelines "could limit these activities." Nevertheless, the tiger team would like to see HHS further investigate how to draw the line between research and operations as it prepares a new rule, she said.
The HIT Policy Committee also recommended that researchers subject to the updated Common Rule should be required to adopt "fair information practices." For example, researchers should limit the amount of information collected to what is necessary to perform the research and protect the data "with security measures that are commensurate with the risks to privacy."
Query Health Guidelines
At its Oct. 12 meeting, the HIT Policy Committee also accepted the tiger team's privacy recommendations for the upcoming Query Health project.
The voluntary project, which the HHS Office of the National Coordinator for Health IT expects to launch with pilots next year, will test standards for querying data from electronic health records to conduct research (see: EHR Queries for Research to be Tested). The project is one of several that will test metadata standards that could help pave the way for secure nationwide electronic health information exchange (see: Tests of Metadata Tags for EHRs Planned). Such tags, for example, could indicate a patient's consent for use of certain data elements within a record for research purposes.
The Query Health project will study the use of metadata tags to support queries of EHRs for broad population analyses used to support research for such purposes as developing new clinical and payment strategies, according to Farzad Mostashari, who heads ONC. The project, for example, will involve calculating quality measures for populations of patients, he explained in a blog.
The HIT Policy Committee stressed that the decision to release data in response to any inquiry will be under the control of the disclosing data holder. In the pilot, the information exchanged will either be test data or de-identified data sets, with a data use agreement in place that "prohibits the recipient from re-identifying the data."