Author: Eva Pastor
Date: 09-15-09 18:12
Source: ModernHealtcare.com
URL: http://www.modernhealthcare.com/apps/pbcs.dll/article?AID=/20090914/REG/309149953/1153
Date published: September 14th 2009
Healthcare lawyer criticizes IOM privacy rule report
By Joseph Conn / HITS staff writer
Posted: September 14, 2009 - 11:00 am EDT
Mark Rothstein wears a number of hats: healthcare lawyer, college professor, medical ethicist and health information technology privacy expert.
Most recently he has donned the garb of a healthcare privacy policy “literary critic” in authoring a critique of an Institute of Medicine report, “Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research,” on the secondary use of clinical data. The IOM report was published in February by its Committee on Health Research and the Privacy of Health Information.
“It was obvious,” Rothstein wrote that, despite its title, the IOM report is “not about enhancing privacy,” but rather “about the committee's view of improving health research by relaxing privacy protections.”
Rothstein levels his criticisms in “Improve Privacy in Research by Eliminating Informed Consent? IOM Report Misses the Mark,” a commentary appearing in the Fall 2009 issue of the Journal of Law, Medicine & Ethics.
Rothstein is the director of the Institute for Bioethics, Health Policy and Law at the University of Louisville (Ky.) School of Medicine. He previously served as a member of the National Committee on Vital and Health Statistics and chairman of its subcommittee on privacy and confidentiality.
Rothstein starts off his commentary praising a number of the recommendations in the IOM report, including the IOM's call that privacy protections in general should apply to all research regardless of the funding source.
Another laudable recommendation, Rothstein said, was the IOM committee's request to HHS, that it harmonize the privacy rule under the Health Insurance Portability and Accountability Act of 1996, with the Common Rule, formally known as the Federal Policy for the Protection of Human Subjects. HIPAA applies to hospitals, physician offices and other so-called “covered entities” and their business associates. The Common Rule, formally published in the Federal Register in 1991, but with roots that go back decades earlier, applies to federally conducted or funded research projects.
Rothstein wrote that researchers should be freed from some of the cumbersome provisions of HIPAA and the Common Rule that are “excessive, duplicative, unnecessary, inconsistent and burdensome.”
But Rothstein quickly—as soon as the third paragraph of his article—takes up the most controversial recommendation of the IOM report, which was to eliminate the requirement that informed consent of the patient be obtained prior to release of his or her medical records for research other than for “interventional,” i.e., clinical research.
He also quickly sets to work criticizing the regulatory distinction proposed by the IOM to set up this proposed waiver of the consent requirement. According to the IOM, there is a difference between interventional research, regarding which of the Common Rule protections apply, and “information-based” research, which the IOM committee does not define, but explicitly includes the use of stored human specimens, he said.
For information-based research, the IOM calls for a new and less-restrictive regulatory approach, recommending that research programs' or institutions' be certified by some unnamed body or organization, according to Rothstein. Once certified, these programs or institutions information-based research would qualify for a privacy regulatory “safe harbor” and could, under certain circumstances, collect and analyze personally identifiable healthcare information without patient consent, he said. Such safe harbors would, according to the IOM report, be “most appropriate for disease registries and other very large-scale research databases,” he wrote.
According to Rothstein, the IOM's proposed new regulatory distinction without further definition is a bad idea.
Rothstein also terms “extreme” the IOM argument that for such research “obtaining permission from patients to use their health information and specimens is too burdensome for researchers and therefore should be eliminated entirely.”
“To summarize,” Rothstein wrote, for information-based research, “if direct identifiers are removed, certified entities and their collaborators could conduct research without consent or authorization.” For information-based research using patient identifiable information, again, “no consent or authorization is required,” Rothstein said, “but an ethics oversight board would have to approve the action after weighing the scientific merit of the research against the potential harm to individual privacy.”
Put another way, Rothstein said, the report recommends “all research should be exempt from the (HIPAA) privacy rule and that only interventional research should be subject to the Common Rule.”
“Because of the lack of specificity in the IOM report, it is difficult to assess how such a certification system would work, the number of entities likely to apply for certification, or even whether certification would take the form of self-regulation by an organization established by the research institutions” themselves, Rothstein wrote. “Besides the myriad ethical and policy issues raised by this proposal,” Rothstein wrote, “it is impossible to support replacing the current regulatory regime, notwithstanding its flaws, with such a vaguely described successor.”
In defense of its proposed shift in privacy policies, Rothstein noted the IOM presents three arguments.
One is a commonly mentioned complaint among the research community that allowing patients to deny access to their medical records might introduce selection bias into the research results. Rothstein said such an assertion of bias “is not well-supported” by research, and added wryly that it “could be read as questioning the validity of much contemporary research.”
He said it is ironic “in a report extolling the value of research, there are no recommendations to undertake ongoing, systematic research on the effects of various options for obtaining consent to participate in research.”
Another extremely important IOM defense, Rothstein said, is that patient consent can be prohibitively costly and difficult to obtain. But that addresses the matter only from the perspective of researchers, he said. The IOM's conclusion “relies greatly on the surveys of researchers” but otherwise “receives insufficient attention in the report.” Again, the IOM “fails to consider alternatives to reduce expenses and delays other than abandoning informed consent,” he wrote.
Finally, according to Rothstein, the IOM argues that privacy rights should be overridden by the greater good of improved healthcare, which is to be derived from the benefits of less restricted research and thus, “governing regulations should support the use of such information, with appropriate oversight.”
In taking that position, Rothstein concluded, the IOM report's “central proposal demonstrates a lack of respect for individuals as autonomous agents and assumes that all individuals have the same values and interests with regard to research.”
“The decision whether to grant any individual or entity access to one's health record or biological specimen is personal and subjective, just as the decision whether to enroll in a clinical trial or consent to treatment is personal and subjective,” Rothstein wrote. “Clinicians, researchers and their institutions do not have the moral authority to override the wishes of autonomous agents. Individuals seeking treatment at a medical facility are not expressly or impliedly waiving their right to be informed before their health information and biological specimens are used for research.
“The IOM report would automatically convert all patients into research subjects without their knowledge or consent,” Rothstein said. “Such abrogation of individual rights is not saved by simply removing direct patient identifiers.”
Even de-identification that meets HIPAA requirements “presents risks,” Rothstein wrote, “including the potential for re-identification, group-based harms, objectionable uses, commercial exploitation and loss of trust.”
Removing “direct identifiers” as the IOM report suggests, would meet neither the HIPAA nor even the more relaxed Common Rule standards for de-identification, thus the IOM recommended form of de-identification would be “even less likely to protect the identity of the individual,” Rothstein wrote.
Rothstein notes the first international code on research ethics flowed out of the Nuremberg trials of Nazi doctors who conducted medical experiments during the Holocaust. “The first principle of that first code begins unequivocally,” he wrote: “The voluntary consent of the human subject is absolutely essential.”
“The Nuremberg Code did not distinguish between interventional and information-based research,” Rothstein wrote, adding “a broadly considered notion of informed consent has been the cardinal principle of research ethics around the world for over half a century. The IOM report fails to recognize the magnitude of the change it suggests and fails to carry its burden of making the case for eliminating the current obligations.”
“Unquestionably, biomedical research is a societal good,” Rothstein said. “It needs to be encouraged, funded, supported, nurtured and free of excessive regulation.” But its importance notwithstanding, “health research does not trump all other values and interests” and so “the interests of individuals in deciding whether they want to become research subjects must be respected.”
Timing of the IOM report, as the federal government prepares to spend billions of dollars for health information technology projects under the American Recovery and Reinvestment Act of 2009, which also included beefed-up privacy and security protections, “is also extremely problematic,” Rothstein said. “The IOM report runs directly counter to the emerging federal policy of affording increased protection to health record and providing individuals with greater control over the uses and disclosures of their health information.”
In conclusion, Rothstein called the IOM report “a missed opportunity” to harmonize the HIPAA and Common Rule privacy conflicts. Instead, “it adopted as its centerpiece a set of implausible measures supporting the anti-regulatory agenda of some researchers and organizations. Unfortunately, the result of producing such an unpersuasive and easily dismissed document is the increased likelihood of perpetuating a regulatory system that fails to serve the interests of the researchers, research subjects, or the public.”
Lawrence Gostin is the co-chairman of the IOM committee that authored the report, and also is the associate dean and professor of global health law at the Georgetown University Law Center, among a number of his academic positions. According to his biography at the Georgetown University Web site, Gostin led in the drafting of the Model State Emergency Health Powers Act. The model has been used by dozens of states to modify their own state laws. It provides for empowering state and local public health officials in the event of an incidence of bioterrorism or pandemic.
Gostin is traveling in Australia and could not be reached for an interview regarding Rothstein's commentary, but said via e-mail, “It is an excellent article that Mark has written.”
Rothstein described Gostin as “a very good friend of mine,” and the committee as “a lot of very smart, caring people.”
“I think where they went wrong was thinking research was so important, and we can't get in the way of research and the end justifies the means,” Rothstein said. “I'm not seeing any sinister motives in this. I'm assuming they want to do good science and get it out to the public as soon as possible, but it is just the wrong way of doing it. You don't need a limited data set if you ask people for permission. But they want to be asked.”
|
|
