6 December 2019
Stacey Gray, Senior Counsel; Rachele Hendricks-Sturrup, Health Policy Counsel; Future of Privacy Forum
Regulatory and Legal Oversight for Health and Biomedical Research:
● HHS Oversight - Common Rule (federally funded research)
● FDA Oversight - for development of pharmaceuticals, medical devices
● HIPAA governance over healthcare entities
● FTC Oversight - for consumer protections
Additional U.S. regulatory frameworks:
● FERPA - Educational Institutions
● COPPA - Children’s Privacy (<13 years old)
European Union:
● GDPR - General Data Protection Regulation
● Pharmaceutical industry sponsored studies, e.g. clinical trials, regulated by the FDA
● Research conducted by investigators at HIPAA-covered entities (hospitals, insurance companies, health systems)
○ Governed by the HIPAA Privacy Rule
○ May be shared with (in a partnership) or sold to external or private companies, if (1) de-identified; or (2) within a limited dataset
● Research conducted by investigators at academic institutions
○ If federally funded, subject to the Common Rule
○ Requires IRB approval and oversight
○ May partner with a private company (to obtain/collect data), subject to the academic institution’s IRB and contractual obligations with the company
● Independent research conducted by private companies
○ Collecting and analyzing their own data; entities that collect health data directly (not through a HIPAA-governed entity or academic institution).
● Research conducted independently by citizen scientists
○ Analyzing widely available (“public”) data or open data; can involve one person or millions of people collaborating towards a common goal. The public is involved in data collection, analysis, or reporting.
● The Belmont Report, written in 1979 by the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research, inspired the development of the Common Rule of 1991.
● Ethical tenets in the Common Rule:
○ Respect for persons
■ Individuals should be treated as autonomous agents
■ Persons with diminished autonomy are entitled to protection
○ Beneficence
■ Persons are treated in an ethical manner not only by respecting their decisions and protecting them from harm, but also by making efforts to secure their well-being
■ (1) Do no harm; (2) maximize possible benefits and minimize possible harms
○ Justice
■ Fairness in distribution (select participants equitably)
■ Who ought to receive the benefits of research and bear its burdens?
● The Revised Common Rule (2017) was intended to modernize, strengthen, and make the Common Rule more effective, and was designed to address the broader types and changing nature of research conducted or supported under the Common Rule.
○ It retained the wording of the pre-2018 definition of research and explicitly removed four categories of activities from those that would meet that definition:
■ (1) Research that involves the use of educational tests, survey procedures, interview procedures, or observation of public behavior uninfluenced by the investigators;
■ (2) research involving the collection or study of information that has been or will be acquired solely for non-research activities or was acquired for research studies other than the proposed research study;
■ (3) research conducted by a federal government agency using federal government-generated non-research information when certain criteria are met; and
■ (4) research regulated as “health care operations,” “public health activities,” or “research” under HIPAA.
● Under the HIPAA Privacy Rule, research is defined as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” (45 CFR 164.501)
● Under the HIPAA Privacy Rule there are conditions under which protected health information (PHI) may be used or disclosed by Covered Entities for research purposes:
○ Documented Institutional Review Board (IRB) or Privacy Board approval
○ Representations from the researcher, either in writing or orally, that the use or disclosure of PHI is solely to prepare a research protocol or other necessary elements for research activities
○ A Data Use Agreement for Limited Data Sets
○ Authorization from the research participant to disclose PHI
○ Accounting for research disclosures
For non-traditional research (not governed by HIPAA, the Common Rule, the FDA, or overseen by an institutionally-held IRB), voluntary review boards may accomplish similar goals:
● “Ethical Review Boards”
● “Privacy Review Boards”
● “Consumer Subject Review Boards”
● “Data Safety Monitoring Boards”
Privacy Policies:
● Categories of Data Collected
● (Specific) Purposes of Data Collection
○ E.g. Academic research (as an additional purpose)
● Categories of entities to whom data is transferred or sold (CCPA, Wicker Draft)
○ E.g. “Academic researchers”
● Specific entities to whom data is transferred or sold (Sen. Cantwell’s COPRA)
Process Requirements:
● Public, easily available
● Written in language that an average consumer can understand (multiple languages if applicable)
Access Requests:
● “Verified” Requests
● Inferences or Derived Data (CCPA, federal proposals)
● Pseudonymous Data almost always included; De-identified data usually not included
● Rulemaking authority
● Independence
● Expertise
● Diverse stakeholders
○ Patient advocates, ethicists, philosophers, technical experts (e.g. de-identification experts)
● Anticipated benefits to participants and to society (science, the public interest, or “generalizable knowledge”)
● Steps taken to minimize risks to participants
○ Re-identification attacks
○ Risks to autonomy inherent in not being able to provide individual rights (e.g. access, deletion, or informed consent)
● Publication of results