Research institutions should establish strong enforceable remedies and sanctions for violations of privacy and confidentiality protections

Enforcement

12. Research institutions should establish strong enforceable remedies and sanctions for violations of privacy and confidentiality protections

For rules and policies to be truly effective, strong and enforceable sanctions need to be established for violations of privacy and confidentiality, inside and outside an institution. HIPAA penalties are limited in application, since they would apply only to researchers who fit the definition of a covered entity, such as researchers who are also health care providers who transmit or maintain health information in an electronic format.

Notes

1 William W. Lowrance, Privacy and Health Research: A Report to the U.S. Secretary of Health and Human Services 21–29 (May 1997).

2 Data are discrete pieces of information. Health information, as used in this paper, is the knowledge obtained from investigation or study of health data.

3 Associated Press, Medical data up for grabs, Nov. 9, 1998.

4 Office of Inspector General, Department of Health and Human Services, Recruiting Human Subjects: Pressures in Industry-Sponsored Clinical Research 24, OEI-01-97-00195 (June 2000) [hereinafter Office of Inspector General, Recruiting Human Subjects].

5 Janlori Goldman, Protecting Privacy to Improve Public Health, 17 Health Affairs 47, 48 (Nov.–Dec. 1998).

6 Ibid.

7 Health Privacy Project, Best Principles for Health Privacy: A Report of the Health Privacy Working Group 10 (July 1999), available at www.healthprivacy.org/resources/index.shtml.

8 We broadly define health research to include basic research, clinical trials, epidemiological studies, and health services research.

Health services research is a multidisciplinary field of inquiry, both basic and applied, that examines the use, costs, quality, accessibility, delivery, organization, financing, and outcomes of health care services to increase knowledge and understanding of the structure, processes, and effects of health services for individuals and populations (Committee on Health Services Research: Training and Work Force Issues, Institute of Medicine, Health Services Research: Work Force and Educational Issues, 1995).

9 Tom L. Beauchamp and James F. Childress, Principles of Biomedical Ethics 407 (4th ed., 1994).

10 Alan F. Westin, Privacy and Freedom 7 (1967).

11 Anita L. Allen, Coercing Privacy, 40 Wm. and Mary L. Rev. 723, 723–724 (1999).

12 Beauchamp and Childress, supra note 9, at 121.

13 Ibid., at 410.

14 Louis D. Brandeis and Samuel D. Warren, The Right to Privacy, 4 Harv. L. Rev. 193–197 (1890).

15 Janlori Goldman, Privacy and Individual Empowerment in the Interactive Age, in Visions of Privacy: Policy Choices for the Digital Age 97–115, 101 (Colin J. Bennett and Rebecca Grant, eds., University of Toronto Press 1999).

16 Alan F. Westin, Computers, Health Records, and Citizen Rights 6 (U.S. Government Printing Office, 1976).

17 Federal Policy for the Protection of Human Subjects, 56 Fed. Reg. 28002–28032 (1991); 45 CFR 46, subpt. A.

18 Departments of Agriculture, Energy, Commerce, Health and Human Services, Housing and Urban Development, Justice, Defense, Education, Veterans Affairs, and Transportation; the National Aeronautics and Space Administration; the Social Security Administration; the Consumer Product Safety Commission; the Agency for International Development; the Environmental Protection Agency; the National Science Foundation; and the Central Intelligence Agency. The Common Rule provisions are codified in regulation by the individual agencies. The Food and Drug Administration issued its own regulations for research involving FDA-regulated products.

19 21 CFR Parts 50 and 56.

20 Medical Records Confidentiality in the Modern Delivery of Health Care: Hearing Before the Subcomm. on Health and Environment of the House Comm. on Commerce, 106th Cong. 34 (1999) (Statement of Robert Amdur, Former Associate Professor of Medicine and Chairperson, Dartmouth Committee for the Protection of Human Subjects, Dartmouth Medical School).

21 Committee on the Role of Institutional Review Boards in Health Services Research Data Privacy Protection, Division of Health Services, Institute of Medicine, Institutional Review Boards and Health Services Research Data Privacy: A Workshop Summary 2 (National Academy Press, 2000) [hereinafter Workshop Summary].

22 Personally identifiable health data are data concerning a person’s health or treatment that are or may readily be associated with an individual. Synonyms include individually identifiable health data and personal health data.

23 Committee on the Role of Institutional Review Boards in Health Services Research Data Privacy Protection, Division of Health Services, Institute of Medicine, Protecting Data Privacy in Health Services Research 45 (National Academy Press, 2000) [hereinafter Institute of Medicine, Protecting Data Privacy in Health Services Research].

24 Ibid.

25 Office of Inspector General, Recruiting Human Subjects, supra note 4, at 24.

26 Ibid. at 25.

27 In Indiana (Ind. Code § 16-38-2-5), Nebraska (Neb. Rev. Stat. § 81-666), and Ohio (Oh. Rev. Code § 3701.263), for example, a researcher may get access to individually identifiable data from the cancer registry if they meet certain conditions specified by the state health departments, such as providing to the department information about the purpose of the project, the nature of the data to be collected, the records the researcher wishes to review, and the safeguards the researcher will put in place to protect the identity of the patients. See also, Office of Inspector General, Recruiting Human Subjects, supra note 4, at 24.

28 Alliance for Health Reform and The Forum on Technology and Innovation, Policy Briefing: Medical and Genetic Privacy (Washington, D.C., July 14, 2000).

29 H.R. 2470 Medical Information Protection and Research Enhancement Act of 1999: Hearing Before the Subcomm. On Health and Environment of the House Comm. On Commerce, 106th Cong. (1999) [hereinafter House Hearing] (Statement of Carolin M. Frey, Chair, Institutional Research Review Board, Pennsylvania State Geisinger Medical Center).

30 Editorial, Whose Heart Data? The Boston Globe, June 21, 2000; Ronald Rosenberg and Liz Kowalczyk, Heart Study Will Sell

31 George J. Annas, Rules for Research on Human Genetic Variation—Lessons from Iceland, 342 The New England Journal of Medicine (2000).

32 Ibid.

33 Workshop Summary, supra note 21, at 4.

34 William W. Lowrance, Privacy and Secondary Use of Data in Health Research, Proceedings of the Inaugural Robert H. Levi Leadership Symposium 13, 14 (April 2000).

35 Lowrance, Privacy and Health Research, supra note 1, at 19.

36 The criteria include that the purpose of the research project 1) requires the use of identifiable data; 2) is of sufficient importance to warrant risk to the individual that additional exposure of the record might bring; and 3) is likely to be accomplished because the project is soundly designed and properly financed. U.S. General Accounting Office, Medicare: Improvements Needed to Enhance Protection of Confidential Health Information 39, GAO/HEHS-99-140 (July 20, 1999).

37 45 CFR Parts 160 and 162; The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of DHHS to adopt national standards for electronic health care transactions. Today, health care providers and health plans that conduct business electronically use different formats for electronic transactions. The purpose of these standards is to improve the efficiency and effectiveness of the health care system. For more information, visit DHHS’ Administrative Simplification website http://aspe.hhs.gov/admnsimp/index.htm.

38 Alliance for Health Reform and The Forum on Technology and Innovation, supra note 29; See also, Latanya Sweeney, Controlling Inference and Protecting Privacy by Constructing an Anonymous Data System, Carnegie Mellon University, unpublished paper, November 1998.

39 Latanya Sweeney, Weaving Technology and Policy Together to Maintain Confidentiality, 25 J.L. Med. and Ethics 98, 100 (1997).

40 Robert Mittman and Mary Cain, The Future of the Internet in Health Care 1 (January 1999), available on the web at http://ehealth.chcf.org/forecast4/index_show.cfm?doc_id=17.

41 Online Privacy: Researchers Use Internet Chat Rooms for Studies, California Healthline (May 1, 2000).

42 Jeffrey M. Cohen, Human Subjects Issues in Internet Research, 13 Health L. News 5 (2000).

43 A recent report sponsored by the California HealthCare Foundation profiled the policies and practices of 21 health-related websites and found that most of the privacy policies do not meet the minimum fair information practices, such as adequate notice and giving users some control over their information. Furthermore, the report shows inconsistencies between the privacy policies and the actual practices of the health websites. There were instances where personally identified data were transferred to third parties in direct violation of stated privacy policies. (Janlori Goldman et al., Report on the Privacy Policies and Practices of Health Web Sites [February 2000], available on the web at http://ehealth.chcf.org/priv_pol3/index_show.cfm?doc_id=33).

44 Online Privacy: Researchers Use Internet Chat Rooms for Studies, supra note 41.

45 Ibid.

46 Associated Press, Scientists announce DNA mapping, June 26, 2000.

47 Lisa N. Geller et al., Individual, Family, and Societal Dimensions of Genetic Discrimination: A Case Study Analysis, 2 Science and Engineering Ethics 71 (1996).

48 U.S. Department of Labor, U.S. Department of Health and Human Services, Equal Employment Opportunity Commission, and U.S. Department of Justice, Genetic Information and the Workplace (Jan. 20, 1998), available at www.dol.gov/dol/_sec/public/media/reports/genetics.htm.

49 Ibid.

50 Reuters and The Associated Press, Genome announcement “technological triumph:” Milestone in genetics ushers in new era of discovery, responsibility (June 26, 2000), available at www.cnn.com/2000/HEALTH/06/26/human.genome.04/index.html.

51 45 CFR § 46.102(d).

52 David Casarett et al., Determining When Quality Improvement Initiatives Should Be Considered Research, 283 JAMA 2275, 2276 (2000).

53 U.S. General Accounting Office, Medical Records Privacy: Access Needed for Health Research, but Oversight of Privacy Protections Is Limited 11–12, GAO/HEHS-99-55 (February 1999).

54 Telephone interview with Daniel K. Nelson, Director, Human Research Studies, and Associate Professor of Social Medicine and Pediatrics, School of Medicine, University of North Carolina-Chapel Hill (July 14, 2000).

55 Louis Harris and Associates, Inc., Health Information Privacy Survey: A Survey of the Public and Leaders (1993).

56 Louis Harris and Associates, Inc., The 1996 Equifax-Harris Consumer Privacy Survey (1996).

57 U.S. General Accounting Office, Medical Records Privacy, supra note 53, at 17.

58 Ibid. at 16.

59 California HealthCare Foundation, National Survey: Confidentiality of Medical Records (January 1999), available on the Web at http://ehealth.chcf.org/cons_att2/index_show.cfm?doc_id=155.

60 Ibid.

61 Goldman, Protecting Privacy to Improve Public Health, supra note 5, at 49.

62 Numerous federal reports in the past 20 years have recommended that comprehensive federal medical records confidentiality legislation be passed to protect patient privacy and the confidentiality of the health information. See National Research Council, For the Record: Protecting Electronic Health Information (1997); National Academy of Sciences, Institute of Medicine, Health Data in the Information Age: Use, Disclosure and Privacy (1994); Office of Technology Assessment, Protecting Privacy in Computerized Medical Information (1993); Advisory Committee on Automated Personal Data Systems, U.S. Department of Health, Education, and Welfare, Records, Computers, and the Rights of Citizens (1973).

63 U.S. General Accounting Office, Medical Records Privacy, supra note 53, at 3.

64 45 FR § 46.110.

65 House Hearing, supra note 29 (Statement of Elizabeth Andrews, Director of Worldwide Epidemiology, Glaxo Wellcome).

66 Ibid.

67 Health Privacy Project, supra note 7, at 39.

68 Federal Policy for the Protection of Human Subjects, 56 Fed. Reg. 28003 (1991); 45 CFR § 46.101(b).

69 Telephone interview with Daniel K. Nelson, supra note 54.

70 Latanya Sweeney, supra note 39, at 100.

71 Ibid. at 98.

72 National Bioethics Advisory Commission, Executive Summary, Research Involving Human Biological Materials: Ethical Issues and Policy Guidance (August 1999).

73 45 CFR § 116(d).

74 42 USC §§ 1320d–1320d-8.

75 Under the regulations, “protected health information” is information that relates to a person’s physical or mental health, the provision of health care, or the payment of health care; identifies, or could be used to identify, the person who is the subject of the information; was created by or received from a covered entity; and has been electronically maintained or transmitted by a covered entity at some point (Standards for Privacy of Individually Identifiable Health, 64 Fed. Reg. 59918, 60053 [1999]).

76 Exceptions are 1) inspection could be reasonably likely to endanger the life or physical safety of the patient or another person; 2) information identifies another individual and inspection is reasonably likely to cause substantial harm to that other individual; 3) disclosure is likely to reveal the source of information provided under a promise of confidentiality; 4) while the research study is in progress, and an IRB/privacy board has approved the denial of access and the participant has agreed to the denial when consenting to participation in the study; or 5) disclosure compiled for a legal proceeding (Standards for Privacy of Individually Identifiable Health, 64 Fed. Reg. at 60059–60060).

77 5 USC § 552a.

78 Jerry Berman and Janlori Goldman, A Federal Right of Information Privacy: The Need for Reform 14 (Washington, DC: Benton Foundation 1989); See also William W. Lowrance, Privacy and Health Research, supra note 1, at 59–60.

79 Berman and Janlori, supra note 78, at 15.

80 Memorandum from President William J. Clinton to the Heads of Executive Departments and Agencies, Privacy and Personal Information in Federal Records (May 14, 1998), available at www.pub.whitehouse.gov/uri-res/I2R?urn:pdi://oma.eop.gov.us/1998/5/14/8.text.1.

81 42 USC § 290dd-2.

82 21 USC § 872.

83 42 USC § 299a-1(c).

84 42 USC § 241(d).

85 42 USC § 242m(d).

86 42 USC §§ 242k and 242m(d).

87 42 USC § 3789g.

88 20 USC § 1232h.

89 Omnibus Consolidated and Emergency Supplemental Appropriations Act, Pub. L. No. 105-277.

90 Many states have Public Records statutes that provide access to information compiled by agencies of the state government. Some researchers have expressed concern that these state statutes may be used by individuals or corporations opposed to certain research to get access to research data that may identify subjects, threatening the privacy of the subjects and the confidentiality of their data.

For example, in 1998, a law firm subpoenaed an environmental scientist conducting research on pollutants, requesting records of private conversations and the scientist’s personal finances under the state’s open-records statute and FOIA. The scientist was forced to comply because her lawyers could not find recourse under state or federal law (Daniel K. Nelson, Vision 2030 Task Force for Social and Ethical Issues—Health and Biological Information).

91 Gramm-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338.

92 12 CFR Part 40.

93 12 CFR Part 216.

94 16 CFR Part 313.

95 12 CFR Part 573.

96 17 CFR Part 248.

97 12 CFR Part 716.

98 Joni Gray et al., Ethical and Legal Issues in AIDS Research 137 (1995).

99 638 F.2d 570 (3d Cir. 1980).

100 Isaacson v. Keck, 875 F. Supp. 478 (N.D. Ill. 1994).

101 Farnsworth v. Procter & Gamble Co., 758 F.2d 1545 (11th Cir. 1985).

102 See e.g., United States Environmental Protection Agency v. General Electric Co., 197 F.3d 592 (2d Cir. 1999).

103 Fed. R. Civ. P. 45(c)(3)(B)(i) and (ii).

104 1994 U.S. Dist. LEXIS 16933 (1994).

105 42 USC § 241(d).

106 Office for Protection from Research Risks, Office of Extramural Research, National Institutes of Health, U.S. Department of Health and Human Services, Certificates of Confidentiality: Privacy Protection for Research Subjects, available at http://ohrp.osophs.dhhs.gov/humansubjects/guidance/certconpriv.htm (last updated June 23, 2000).

107 Telephone interview with Moira A. Keane, Director, Research Subjects’ Protection Program IRB/IACUC, University of Minnesota Health Center (August 1, 2000).

108 Telephone interview with Daniel K. Nelson, supra note 54.

109 21 USC § 355(i).

110 21 CFR § 1316.21.

111 Joy Pritts et al., The State of Health Privacy: An Uneven Terrain (A Comprehensive Survey of State Health Privacy Statutes) (August 1999), available at www.healthprivacy.org/resources/index.shtml.

112 Hawaii and California are notable exceptions. Both states passed comprehensive health privacy laws in 1999. A few states are considering comprehensive health privacy legislation but are waiting for the release of the HIPAA regulations before passing any laws.

113 For example, HIV/AIDS statutes requiring physicians to report to the state health department the names and addresses of individuals suffering from HIV/AIDS also include restrictions on disclosure of such information to others. Such restrictions were passed in response to public fear that certain health information would be widely disclosed and used to deny benefits or cause other harm.

114 Minn. Stat. § 144.335(3a)(d).

115 Mich. Comp. Laws § 333.2632.

116 S.D. Codified Laws § 26-8-13.

117 Joy Pritts et al., supra note 111.

118 European Parliament and the Council of the European Union, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (95/46/EC), Official Journal of the European Communities No. L281, 31–50 (Nov. 23, 1995), available at www.privacy.org/pi/intl_orgs/ec/final_EU_Data_Protection.html.

119 Kamran Abbassi, WMA to Produce Guidelines on Health Databases, 320 BMJ 1295 (2000).

120 Associated Press, EU to Let U.S. Data Deal Stand, July 13, 2000.

121 Ibid.

122 U.S. General Accounting Office, Medical Records Privacy, supra note 53, at 5.

123 House Hearing, supra note 29 (Statement of Greg Koski, former Director, Human Research Affairs, Partners Health Care System).

124 Office for Protection from Research Risks, Office of Extramural Research, National Institutes of Health, U.S. Department of Health and Human Services, Protecting Human Research Subjects: Institutional Review Board Guidebook (1993) [hereinafter Institutional Review Board Guidebook]; 45 CFR § 46.103.

125 U.S. General Accounting Office, Medical Records Privacy, supra note 53, at 16.

126 Rick Weiss and Deborah Nelson, U.S. Halts Cancer Tests in Oklahoma, Wash. Post, July 11, 2000, at A1.

127 Information on the Office for Human Research Protections is available at http://ohrp.osophs.dhhs.gov.

128 1) Does the research involve observation or intrusion in situations where the subjects have a reasonable expectation of privacy? Would reasonable people be offended by such an intrusion? Can the research be redesigned to avoid the intrusion?

2) If privacy is to be invaded, does the importance of the research objective justify the intrusion? What, if anything, will the subject be told later?

3) If the investigators want to review existing records to select subjects for further study, whose permission should be sought for access to those records? How should the subjects be approached?

4) Will the investigator(s) be collecting sensitive information about individuals? If so, have they made adequate provisions for protecting the confidentiality of the data through coding, destruction of identifying information, limiting access to the data, or whatever methods that may be appropriate to the study? If the information obtained about subjects might interest law enforcement or other government agencies to the extent that they might demand personally identifiable information, can a grant of confidentiality be sought from a federal or state agency to protect the research data and the identity of the subjects from subpoena or other legal process?

5) Are the investigator’s disclosures to subjects about confidentiality adequate? Should documentation of consent be waived in order to protect confidentiality? Institutional Review Board Guidebook, supra note 124, at 3–36 and 3–37.

129 Office of Inspector General, Recruiting Human Subjects, supra note 4, at 30.

130 U.S. General Accounting Office, Scientific Research: Continued Vigilance Critical to Protecting Human Subjects 5–6, GAO/T-HEHS-96-102 (March 12, 1996).

131 Telephone interview with Moira A. Keane, supra note 107.

132 U.S. General Accounting Office, Medical Records Privacy, supra note 53, at 21.

133 Telephone interview with Moira A. Keane, supra note 107.

134 Workshop Summary, supra note 21, at 19.

135 U.S. General Accounting Office, Medicare: Improvements Needed to Enhance Protection of Confidential Health Information, supra note 36, at 3.

136 U.S. General Accounting Office, Medical Records Privacy, supra note 53, at 17–18.

137 Ibid.

138 Lowrance, Privacy and Health Research, supra note 1, at 42.

139 Office of Inspector General, Department of Health and Human Services, Institutional Review Boards: A Time for Reform 5–6, OEI-01-97-00193 (June 1998); See also James Bell et al., Final Report: Evaluation of NIH Implementation of Section 491 of the Public Health Service Act, Mandating a Program of Protection for Research Subjects, Prepared for the Office of Extramural Research, National Institutes of Health 83–86 (June 15, 1998).

140 Office of Inspector General, Institutional Review Boards: A Time for Reform, supra note 139, at 6–8.

141 Office of Inspector General, Recruiting Human Subjects, supra note 4, at 26.

142 U.S. General Accounting Office, Medical Records Privacy, supra note 53, at 1–22.

143 Institute of Medicine, Protecting Data Privacy in Health Services Research, supra note 23, at 1–152.

144 House Hearing, supra note 29 (Statement of Carolin M. Frey, Chair, Institutional Research Review Board, Pennsylvania State Geisinger Medical Center).

145 Ibid.

146 Telephone interview with Daniel K. Nelson, supra note 54.

147 Health Privacy Project, supra note 7, at 37.

148 Bell et al., supra note 139, at 1–86.

149 U.S. General Accounting Office, Medical Records Privacy, supra note 53, at 21.

150 Ibid. at 13.

151 Ibid. at 10.

152 Ibid. at 12.

153 National Bioethics Advisory Commission, Summary of Preliminary Findings: Adequacy of Federal Protections for Human Subjects in Research, at bioethics.gov/finalmay3.pdf. (See Memorandum attached to Letter from Dr. Harold T. Shapiro, Chair of the National Bioethics Advisory Commission, to President William J. Clinton on the National Bioethics Advisory Commission Summary of Preliminary Findings: Adequacy of Federal Protections for Human Subjects in Research, May 4, 1999).

154 House Hearing, supra note 29 (Statement of Greg Koski, former Director, Human Research Affairs, Partners Health Care System).

155 Health Privacy Project, supra note 7, at 36.

156 Telephone interview with Daniel K. Nelson, supra note 54.

157 Office of Inspector General, Institutional Review Boards: A Time for Reform, supra note 139, at 6.

158 Ibid.

159 Telephone interview with Daniel K. Nelson, supra note 54.

160 Ibid.

161 U.S. Department of Health and Human Services, Fact Sheet, Protecting Research Subjects (May 23, 2000).

162 Telephone interview with Moira A. Keane, supra note 107.

163 In a recent article in the Journal of the American Medical Association, the authors suggest criteria to distinguish quality improvement activities from health research, proposing that an activity should be regulated as research if 1) the majority of participants involved are not expected to benefit directly from the knowledge to be gained or 2) additional risks or burdens are imposed to make the results generalizable. The authors acknowledge that such criteria may create greater burdens on health care institutions and IRBs by categorizing more initiatives as research but argue that “it makes little sense to reject these criteria, if they are otherwise sound, simply because they would create additional burdens for institutions” (Casarett et al., supra note 52, at 2276–2279).