Tiger Team Tackles Defining 'Research'Privacy, Security Recommendations for Updated 'Common Rule'
The Department of Health and Human Services and the Food and Drug Administration are accepting comments through Oct. 26 on their "advance notice of proposed rulemaking," a solicitation of ideas for changing the Common Rule, which has been in effect for 20 years (see: Research Data Protections Considered.) The agencies are seeking feedback on a plan to, among other things, establish mandatory data security and information protection standards for research involving identifiable or potentially identifiable data.
The existing Common Rule, which is designed mainly to address clinical trials, focuses primarily on protecting patients from physical risks. But it also addresses research based on patient-identifiable information.
Operations vs. ResearchIn presenting its recommendations to the Health IT Policy Committee Sept. 14, tiger team leaders stated that when a provider organization uses data from electronic health records to evaluate the safety, quality and effectiveness of prevention and treatment activities, that amounts to using it for "operations" and not "research." As a result, the provider should not need to obtain "informed consent" from patients for these evaluations, the team leaders said. And such studies should not need independent review by an Institutional Review Board, as is required for broader research projects.
These evaluations, however, should be exempt from informed consent and review requirements under the updated Common Rule only if the provider organization "retains oversight and control over decisions regarding when their identifiable EHR data is used for quality, safety and effectiveness evaluations," the tiger team recommended.
This recommendation "is based on previous tiger team and policy committee recommendations that recognize that patients place their trust in their healthcare providers with respect to stewardship of their health information," according to the tiger team's draft letter on the subject.
Tiger team members are concerned that treating such evaluation activities by provider organizations as research subject to the updated Common Rule guidelines "could limit these activities," said Deven McGraw, tiger team co-chair.
Nevertheless, the tiger team would like to see HHS further investigate how to draw the line between research and operations as it prepares a new rule.
Research GuidelinesWhen a provider organization that created a patient's EHR no longer has control over decisions about the use of the data, a patient should be able to choose whether their information can be used for that broader research, McGraw stressed.
The tiger team also recommended that research entities subject to the updated Common Rule should be required to adopt "fair information practices." For example, researchers should limit the amount of information collected to what is necessary to perform the research, and "adopt security protections consistent with the privacy risks. ..."
The HIT Policy Committee, which is advising HHS on this issue, endorsed the recommendations in principle and asked the tiger team to refine its recommendations letter with more details. The committee will review the final letter at its Oct. 12 meeting.