Tiger Team Tackles Defining 'Research'

Privacy, Security Recommendations for Updated 'Common Rule'
Tiger Team Tackles Defining 'Research'
Responding to a request for ideas on how to update the Common Rule, which provides guidelines for research on human subjects, the Privacy and Security Tiger Team says a key issue is how to define "research." For example, it says a hospital's use of data from patients' electronic health records for an evaluation of care quality should not be considered research that's subject to the potential new rule.

The Department of Health and Human Services and the Food and Drug Administration are accepting comments through Oct. 26 on their "advance notice of proposed rulemaking," a solicitation of ideas for changing the Common Rule, which has been in effect for 20 years (see: Research Data Protections Considered.) The agencies are seeking feedback on a plan to, among other things, establish mandatory data security and information protection standards for research involving identifiable or potentially identifiable data.

The existing Common Rule, which is designed mainly to address clinical trials, focuses primarily on protecting patients from physical risks. But it also addresses research based on patient-identifiable information.

Operations vs. Research

In presenting its recommendations to the Health IT Policy Committee Sept. 14, tiger team leaders stated that when a provider organization uses data from electronic health records to evaluate the safety, quality and effectiveness of prevention and treatment activities, that amounts to using it for "operations" and not "research." As a result, the provider should not need to obtain "informed consent" from patients for these evaluations, the team leaders said. And such studies should not need independent review by an Institutional Review Board, as is required for broader research projects.

These evaluations, however, should be exempt from informed consent and review requirements under the updated Common Rule only if the provider organization "retains oversight and control over decisions regarding when their identifiable EHR data is used for quality, safety and effectiveness evaluations," the tiger team recommended.

This recommendation "is based on previous tiger team and policy committee recommendations that recognize that patients place their trust in their healthcare providers with respect to stewardship of their health information," according to the tiger team's draft letter on the subject.

Tiger team members are concerned that treating such evaluation activities by provider organizations as research subject to the updated Common Rule guidelines "could limit these activities," said Deven McGraw, tiger team co-chair.

Nevertheless, the tiger team would like to see HHS further investigate how to draw the line between research and operations as it prepares a new rule.

Research Guidelines

When a provider organization that created a patient's EHR no longer has control over decisions about the use of the data, a patient should be able to choose whether their information can be used for that broader research, McGraw stressed.

The tiger team also recommended that research entities subject to the updated Common Rule should be required to adopt "fair information practices." For example, researchers should limit the amount of information collected to what is necessary to perform the research, and "adopt security protections consistent with the privacy risks. ..."

The HIT Policy Committee, which is advising HHS on this issue, endorsed the recommendations in principle and asked the tiger team to refine its recommendations letter with more details. The committee will review the final letter at its Oct. 12 meeting.

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.