31670-smu_65-1 Sheet No. 47 Side A 04/12/2012 11:52:32 AND , 4-APR-12 14:10 Seq: 1 LECTRONIC ESEARCH UTONOMY E R , A 85 unknown ABSTRACT EEDS IN ECORDS Andy Podgurski** Sharona Hoffman* RIVACY N R P EALTH H CIENTIFIC S ALANCING * Case West- Professor of Law and Bioethics, Co-Director of Law-Medicine Center, ** Professor of Electrical Engineering and Computer Science, Case Western Reserve The ongoing transition from paper medical files to electronic health The ongoing transition from paper realizing societal benefits from This Article analyzes the tension between multi-faceted approach to achieve In this Article, we formulate a novel, M K B ern Reserve University School of Law; B.A., Wellesley College; J.D., Harvard Law School; LL.M. in Health Law, University of Houston. University. B.S., M.S., Ph.D., University of Massachusetts.Jes- thank to wish authors The Pol- sica Berg, Jonathan Entin, Jessie Hill, Jacqueline Lipton, Maxwell Mehlman, Andrew lis, and Cassandra Robertson for their very helpful comments on drafts of this paper.The of Article was presented at a faculty workshop at Case Western Reserve University School Law at which the authors received additional helpful input. Professor Hoffman presented School “Privacy and e-Health Innovation,” from which this paper grew, at the Yale Law Privacy and Innovation Symposium. We are also grateful for the skilled research assistance of Isaac Figueras. \\jciprod01\productn\S\SMU\65-1\SMU103.txt records will provide unprecedented amounts of data for biomedical re- records will provide unprecedented significant advances in medical search, with the potential to catalyze knowledge. But this potential can be fully realized only if the data availa- of the patient population as a whole. ble to researchers is representative to exclude their health information, in Thus, allowing individual patients informed consent, may compromise the keeping with traditional notions of benefits it produces. research enterprise and the medical preferences for privacy.medical research and granting individual It argues regulatory frameworks that govern bi- for a shift in the conceptual and omedical research. When studies involve electronic record review rather autonomy-dominated model than human experimentation, the traditional, the common good.should give way to one that emphasizes In record- of individual informed consent come at based studies, the limited benefits too high a cost—difficult burdens, significant expenses, and administrative that distort study outcomes.a tendency to create selection biases Other subjects’ privacy and dignitary interests mechanisms can better protect data without compromising research opportunities. these ends. This approach recognizes that technical means for achieving suffi- identity concealment and information security are necessary but not while cient to protect patients’ medical privacy and to foster public trust C Y 31670-smu_65-1 Sheet No. 47 Side A 04/12/2012 11:52:32 04/12/2012 A 47 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 47 Side B 04/12/2012 11:52:32 R R R R R R R R R R R R R R R R R R R R R R R R R R R R R R R M K C Y [Vol. 65 ..... 114 ..... 97 4-APR-12 14:10 ...... 112 ASED ...... 105 ASED ESEARCH -B ESEARCH IGHT TO ...... 108 ...... 104 ...... 94 ONSENT ...... 114 EHR-B ...... 94 R R C ...... 104 Seq: 2 AW ...... 97 ...... 107 ...... 95 EHR R L ECORD ASED ...... 114 . R ...... 103 ...... 111 ...... 95 ...... 107 REATE ...... 123 EGARDING ...... 108 ...... 119 C R EHR-B unknown ONSENT ...... 109 ECORDS ONSTITUTIONAL SSOCIATED WITH C C R A ...... 118 ...... 119 ...... 87 ESEARCH AND THE ...... 91 ARMS SMU LAW REVIEW R ...... 91 EDICAL REFERENCES TABLE OF CONTENTS The Possibility of Re-identification De-identification Procedures ...... 102 ...... 102 H NITIATIVES TO XPERIMENTATION VS ...... 97 M ’ P I ...... 109 ii. i. Consent Mandates Evidence E ASED BSENCE OF A ONTRIBUTIONS OF ROUBLE WITH T A C a. Stigmatization Group c. No Share in Commercial Profits b. Moral Objections b. Privacy and De-identification a.Breach Harms Privacy a. Consent Options b. Empirical Evidence Concerning the Cost of a. Selection Bias vs. Confounding b. Selection Bias Is Confirmed by Empirical a. Information De-identified b. Other HIPAA Exemptions Burdensome UMAN ATABASES ESEARCH ONTROL XISTING HE HE HE ATIENTS OTENTIAL TUDIES 2. Not Related to Privacy Harms 1. Bias Informed Consent Can Lead to Selection 1. Research Regulations The Federal 2. Privacy Rule The HIPAA S C D R 1. Privacy 2. and Obtaining Informed Consent Can Be Costly D. T A. H B. T C. P B. EHR-B A. T B. P A. E EHR DATA I. INTRODUCTION II. BACKGROUND IV. INFORMED CONSENT III. THE BENEFITS AND RISKS OF RESEARCH USING facilitating research.facilitating (1) such means with for supplementing Hence, we call research and applies that is tailored to record-based an oversight process exempt from scru- patient records, which are currently even to de-identified nature and potential notice and education about the tiny, and (2) public benefits of such research. 86 \\jciprod01\productn\S\SMU\65-1\SMU103.txt 31670-smu_65-1 Sheet No. 47 Side B 04/12/2012 11:52:32 04/12/2012 B 47 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 48 Side A 04/12/2012 11:52:32 R R R R R R R R R R R R R R R R R R R R R 87 , 22 ECON- Digi- S 2 Finding a 4-APR-12 14:10 HROUGH EALTH T ...... 124 ATA ...... 141 ...... 128 H ENEFICENCE ...... 133 ...... 134 D ...... 128 B OOD Seq: 3 G EALTHCARE H ROTECT ...... 140 VERSIGHT ...... 127 P The “Meaningful Use” Regulation for . 501, 501 (2010)...... 137 OMMON O ECHNIQUES PPLIED TO THE MBODIED IN ED ...... 138 C ...... 133 T E A 1, 2 (2007). unknown N ...... 133 ’ . J. M RANSFORMING SS ...... 142 NG ESEARCH RECEDENTS A , T E ...... 126 OOD AS OOD AS R P EW DUCATION AFEGUARDS TO ...... 131 G G ...... 125 3 (2009), available at http://www.pwc.com/us/en/healthcare/ I. INTRODUCTION S E ...... 143 ...... 130 ...... 124 OOPERS ONCEALMENT C ...... 139 NTERESTS EALTH ...... 127 ATA C I NFORMATICS NDUSTRY D H . I OMMON OMMON USTICE MPORTANCE OF THE I ED . 103, 117–19 (2008); Charles Safran, Toward a National Framework for J I C C c. Security Safeguards a. IOM Proposal b. Proposed Regulatory Approach Quality? Databases One of the great promises of EHR technology is its dra- EALTH 1 DDITIONAL OTICE AND . M ARE HE HE HE UBLIC UBJECT TRENGTHENING ECH DENTITY M 3. of Notice and Education The Benefits 1. Notice 2. Initiatives Public Education 1. Databases of De-identified Data Large 2. Compromise Data Does De-identification 3. Statistical Analysis of Distributed Secure 1. Board Review Ethics AND S C H Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing RICEWATERHOUSE FRAMEWORK SUBJECTS WHILE PROMOTING RECORD-BASED SUBJECTS WHILE RESEARCH D. A A. I B. S C. N A. T B. T C. T D. P HE shift from hard-copy medical files to electronic health records (EHR) systems is transforming medical research in the United States. SE OF . J.L. & T U 1. David Blumenthal & Marilyn Tavenner, 2. P V. THE CONCEPTUAL RECONSTRUCTING VI. DATA SOLUTIONS: PROTECTING PRACTICAL M K ARV VII. CONCLUSION Electronic Health Records, 363 N matic potential to expand opportunities for biomedical research. T DARY 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt tizing medical files opens new frontiers for record-based research because electronic searches and computer analysis permit fast and inexpensive the Secondary Use of Health Data: An American Medical Informatics Association White the Secondary Use of Health Data: An American Medical Informatics Association Paper, 14 J. A publications/secondary-health-data.jhtml; Sharona Hoffman & Andy Podgurski, Cure: The Case for Regulation and Oversight of Electronic Health Record Systems H C Y 31670-smu_65-1 Sheet No. 48 Side A 04/12/2012 11:52:32 04/12/2012 A 48 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 48 Side B 04/12/2012 11:52:32 R , , M K M- C Y In- , I 10 Toward UALITY 298, 299 ONDUCT HIPAA [Vol. 65 Q C available at HE ]. RIVACY . 2082, 2087 P 4-APR-12 14:10 .: T FF RINCIPLES AND P A EPORT (1979), NFO could thus pro- I R 7 PIDEMIOLOGY The regulatory re- NHANCING EALTH ESEARCH AND 9 THICAL This wealth of infor- and help fill signifi- 8 EALTH OOPERATIVE TO 5 R Nonexperimental Compara- : E , 22 E ESEARCH : E ELMONT Seq: 4 H C R 2–3 (2009), available at http:// ULE , 29 H R . 79re1, 5 (2011), available at http:// EPORT ED R EALTHCARE M RIVACY OF UBJECTS OF RIVACY H P S URVEILLANCE 11 ELMONT ROTOTYPES AND THE S unknown B P 247 (Sharyl J. Nass et al. eds., 2009) [hereinafter UMAN & HE H AFETY HIPAA P GENCY FOR , T S RANSLATIONAL ETWORK ., A supra note 2, at 4. . T ESEARCH SMU LAW REVIEW ESEARCH CI N . 359, 359–60 (2009). R EALTH R ED , 3 S The secondary use of health data The secondary use H EYOND THE 6 M ROTECTION OF OF TUDIES AND EALTH P . S HROUGH EHR systems will enable the creation of sizeable record the creation of will enable EHR systems ROWN ET AL H T 3 B NSTS ON , IOM, B ASED . I NTERNAL ] (noting that “[t]he principle of autonomy currently dominates the ethical L -B ’ I ULE EALTH PECIFICATIONS FOR AT OMM EFFREY R H Electronic Medical Records for Genetic Research: Results of See Abel N. Kho et al., Electronic Medical Records for Genetic Research: See discussion infra Part III.A. (reviewing CER). Id. S EPORT NNALS Researchers could pose queries to databases that include very large pose queries to databases that Researchers could 3. 4. J 5. Douglas Peddicord et al., A Proposal to Protect Privacy of Health Information 8. 9. C 6. 7. but Secondary use can be defined as “non-direct care use of . . . [data] including 4 11. 45 C.F.R. § 46.116 (2010). 10. N But EHR-based research also raises new questions.But EHR-based a Traditionally, This paradigm, however, is a poor fit for research based on EHRs. This paradigm, however, is a poor UIDELINES FOR THE ESIGN RIVACY OPULATION cant gaps in medical knowledge. cant gaps in medical is human subject au- of biomedical research ethics paramount principle informed consent. tonomy, which is realized through mation could yield significant discoveries concerning the effectiveness of significant discoveries concerning mation could yield various treatments. mote Comparative Effectiveness Research (CER) mote Comparative P tive Effectiveness Research Using Linked Healthcare Databases tive Effectiveness Research Using Linked Healthcare www.effectivehealthcare.ahrq.gov/ehc/products/54/150/2009_0728DE- Til Sturmer et al., cIDE_DesignSpecNetCoopPopSafety.pdf; D PROVING landscape” for clinical research). EHR systems’ enormous potential to transform medical research has gen- EHR systems’ enormous potential appropriate extent of regulatory pro- erated significant debate about the stm.sciencemag.org/content/3/79/79re1.abstract; Mark G. Weiner & Peter J. Embi, stm.sciencemag.org/content/3/79/79re1.abstract; Reuse of Clinical Data for Research and Quality Improvement: The End of the Beginning? Reuse of Clinical Data for Research and Quality 151 A G data synthesis. P 88 \\jciprod01\productn\S\SMU\65-1\SMU103.txt IOM R databases or networks of smaller databases that facilitate large-scale stud- of smaller databases that facilitate databases or networks ies. http://ohsr.od.nih.gov/guidelines/belmont.html [hereinafter B dividuals must be free to decline to participate in studies if they so dividuals must be free to decline detailed guidance concerning the choose, and federal regulations provide contents of informed consent forms. (2011). While Accelerating Comparative Effectiveness Research quirement of informed consent dictates that researchers supply potential quirement of informed consent dictates with information about the antici- participants in biomedical research research project so that the potential pated benefits and risks of each about whether to enroll. participants can make educated decisions (2010). pro- not limited to analysis, research, quality/safety measurement, public health, payment, strictly vider certification or accreditation, and marketing and other business including commercial activities.” Safran, numbers of patients with diverse demographics who have been treated in with diverse demographics who numbers of patients settings over long periods of time. different clinical the eMERGE Consortium 31670-smu_65-1 Sheet No. 48 Side B 04/12/2012 11:52:32 04/12/2012 B 48 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 49 Side A 04/12/2012 11:52:32 R 89 AKE Are 12 , 34 W 4-APR-12 14:10 . 1765, 1798–1801 See also discussion EV Protecting Privacy in In addition, data 13 . L. R 507, 509–11 (2009). Seq: 5 Is Deidentification Sufficient to ALIF 3, 6–7 (2010). THICS 560, 564 (2008). , 98 C . & E IOETHICS ED THICS unknown . J. B M . & E ED 30, 31 (2010) (“dignitary harms . . . may result when a , 37 J.L. M , 10 A THICS supra note 9, at 33–35;Cate, H. Fred E , 36 J.L. M , EPORT LINICAL (Jan. 4, 2011, 12:07 PM), http://www.healthit.gov/buzz-blog/electronic- . 737, 752–58 (1999); Franklin G. Miller, Research on Medical Records EV Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing It is also important to emphasize that this Article focuses on It is also important to emphasize UZZ IOM R 15 ITB See L. R 14 15. Peter Garrett & Joshua J. Seidman, EMR vs EHR—What is the Difference?, 14. Daniel Kim et al., A Physician’s Role Following a Breach of Electronic Health 12. 13. Mark A. Rothstein, Improve Privacy in Research by Eliminating Informed Con- This Article employs an interdisciplinary approach, drawing upon the This Article employs an interdisciplinary At the same time, one might also ask whether EHR research actually one might also ask whether EHR At the same time, M K EALTH OREST tections for human subjects in studies that are solely record-based. in studies that human subjects tections for infra Part III.B. H patient’s autonomy is undermined”); Mark A. Rothstein, Protect Health Privacy in Research? Health Research: The Limits of Individual Choice Health Research: The Limits of Individual Information, 21 J. C legal, bioethics, and informatics literature to develop a full understanding legal, bioethics, and informatics literature complexities of EHR data use. of the regulatory, ethical, and technical information.Part I of the Article provides background It describes ex- databases and discusses the reg- isting initiatives to create EHR research ulations that govern EHR-based research. Part II evaluates the benefits and potential harms of EHR research. Part III analyzes the concept of a requirement of informed consent is informed consent and argues that inappropriate for record-based research. For the sake of simplicity, we to designate electronic health use the terms EHR and EHR systems operate, though we mean for EHR records and the systems in which they call the electronic medical record to be synonymous with what others (EMR). F 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt consent requirements barriers to conducting effective research? barriers to conducting effective consent requirements If in the course of the not undergo experimentation human subjects will records, do the will examine only their medical study, and researchers protections? the full panoply of regulatory subjects really need Does in- database research? sense in the context of EHR formed consent make Is regulation too high? the cost of extensive than less, regulatory protection.requires more, rather Computerization breaches that did not poses new risks of privacy of health information files could simply be locked away. exist when paper (2010); Henry T. Greely, Breaking the Stalemate: A Prospective Regulatory Framework for Unforeseen Research Uses of Human Tissue Samples and Health Information sent? IOM Report Misses the Mark subjects whose records are used in research without their consent might subjects whose records are used in arguably suffer other dignitary harms. Harms to dignity include not only stigmatization due to research findings, privacy violations, but also group records will be used for objectionable inability to control whether one’s to share in profits acquired by data purposes, and a lack of opportunity users. health-and-medical-records/emr-vs-ehr-difference/ (“Some people use the terms “elec- health-and-medical-records/emr-vs-ehr-difference/ (“Some people use the terms inter- tronic medical record” and “electronic health record” (or “EMR” and “EHR”) changeably. But here at the Office of the National Coordinator for Health Information almost Technology (ONC), you’ll notice we use electronic health record or EHR exclusively.”). Without Informed Consent C Y 31670-smu_65-1 Sheet No. 49 Side A 04/12/2012 11:52:32 04/12/2012 A 49 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 49 Side B 04/12/2012 11:52:32 R , . M K 20 EV C Y . L. R [Vol. 65 . 481, 482 EV OMP 4-APR-12 14:10 & C L ’ NT . U. L. R T . I note 12, at 562; Khadija See, e.g., Don E. Detmer, Furthermore, while . S ND A 21 it is not surprising that it is not surprising Seq: 6 But electronic-database 17 , 19 I . 725, 730–31 (2001). This Article explains that 18 , 17 G EV 19 16 . L. R 22 ENN unknown , 68 T 1, 1 (2000); Miller, supra ARE SMU LAW REVIEW C supra note 5, at 2,087 (“Consent is, at best, a rough proxy for Part IV.D. Is Too Much Privacy Bad for Your Health? An Introduction to supra note 9, at 19 (differentiating between clinical trials and , EALTH H EPORT UALITY IOM R J. Q See See discussion infra Part IV.D.1. See Peddicord et al., See discussion infra Part IV.A. See discussion infra L ’ NT 17. Sharona Hoffman, Continued Concern: Human Subject Protection, the Institutional 16. 18. 22. 20. 21. 19. Many articles describe the tension between these values. In Part V, this Article formulates several practical recommendations In Part V, this Article formulates This Article makes several important contributions.This Article makes Part IV argues for The many obstacles that hinder the attainment of informed consent in The many obstacles that hinder the Robin Pierce, Comparative Architecture of Genetic Privacy protection from privacy harm.”). the major research ethics codes emphasize human subject autonomy, the ethics codes emphasize human the major research harm, and consent. avoidance of individual information-based research). Review Board, and Continuing Review 89, 92 (2009); Charity Scott, the Law, Ethics, and HIPAA Rule on Medical Privacy that seek to balance the individual interests of those whose records will that seek to balance the individual needs to maximize the potential for be used in research with societal in human health.medical discoveries and achieve improvements ad- To this Article analyzes two identity con- dress apprehension about privacy, is to create large databases exclusively cealment techniques. One option a change in conceptual framework that rejects the primacy of autonomy framework that rejects the a change in conceptual research. in the context of non-interventional and informed consent In camp experi- abuses, such as the Nazi concentration light of past research Tuskegee syphilis trial, ments and the infamous record-based medical research rather than interventional research. interventional rather than medical research record-based Re- patient records, only involves review of existing cord-based research future. will be entirely electronic in the which we assume By contrast, testing, and involves physical or psychological interventional research on human beings. thus experimentation This Article thoroughly explains and illustrates how different forms of This Article thoroughly explains of study types. selection bias can impact a variety 90 \\jciprod01\productn\S\SMU\65-1\SMU103.txt informed consent provides subjects with a choice, it does not provide informed consent provides subjects privacy breaches, which are the them with any added protection against focus of most commentators’ concern. queries were not part of those prior atrocities, and they present a drasti- queries were not part of those prior that will inflict acute physical or cally diminished risk of gross abuses of record-based research, autonomy mental pain; thus, in the context good. should be secondary to the common advancing the common good will require concessions from both data sub- advancing the common good will require jects and the health care industry. further justify a change in conceptual large-scale, record-based studies framework. The consent process can be extremely burdensome and by introducing selection bias. costly and can distort research results (2000). 12 I Your Privacy or Your Health—Will Medical Privacy Legislation Stop Quality Health Care? 31670-smu_65-1 Sheet No. 49 Side B 04/12/2012 11:52:32 04/12/2012 B 49 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 50 Side A 04/12/2012 11:52:32 28 91 D. ILSON ATABASES 4-APR-12 14:10 D ESEARCH Seq: 7 EHR R Transparency and accountability on unknown 27 REATE C Although not all studies can utilize these Although not all 24 II. BACKGROUND supra note 9, at 266 (stating that one of the primary aims of consent , NITIATIVES TO I EPORT Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing be reviewed and monitored by an ethics board with expertise monitored by an ethics board with be reviewed and 26 25 XISTING A second approach is secure statistical analysis of distributed is secure statistical analysis A second approach See discussion infra Part VI.A.1. See discussion infra Part VI.A.3. See discussion infra Part II.B. See discussion infra Part VI.B. 23 24. 25. 26. 27. IOM R 23. 28. A federated network can be defined as one that “links geographically and organi- A variety of initiatives are already underway to create large databases Third, this Article emphasizes the need for notification and education Third, this Article emphasizes the EHR research databases are not a futuristic idea—theyEHR research databases are not a are fast becom- Second, data subjects should be protected through additional oversight. should be protected through additional Second, data subjects M K A. E for research that would include only EHRs that have been de-identi- that have been include only EHRs that would for research fied. databases, which allows researchers to query the EHR databases of medi- allows researchers to query the EHR databases, which to receive only sum- aggregators, but enables them cal facilities or trusted response. mary statistics in of EHRs or networks of smaller databases, called federated networks, in lieu of consent for EHR-based research.in lieu of consent for EHR-based Notification and education, respect for human subjects like consent, can demonstrate researchers’ and promote a sense of autonomy. 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt in record-based research. The degree of oversight should depend on the that can be linked to specific extent to which records contain identifiers patients.Research using identifiable records should be subject to a thor- in which patients’ identities will be ough approval process, and protocols registration process.concealed should undergo a streamlined All studies and potential unannounced audits. should be subject to continuing review for electronic databases should be In addition, security safeguards bolstered. is to “provide respect for the person”). zationally separate databases to allow a single query to pull information from multiple databases while maintaining the privacy and confidentiality of each database.” W the part of researchers should prevent data subjects from suffering seri- the part of researchers should prevent enthusiasm about biomedical re- ous research abuses and should inspire search. armed with knowledge and a political voice, Furthermore, seek to influence elected officials to informed members of the public can the legislative process. reverse objectionable policies through ing a reality. information concerning con- This Part provides background temporary efforts to build EHR resources for research purposes. It also discusses the federal oversight structure for record-based research. techniques, the two identity concealment mechanisms will work well in identity concealment mechanisms techniques, the two many cases. protocols, including recommendation that all research We make the novel exempt from de-identified data, which are currently those involving only scrutiny, C Y 31670-smu_65-1 Sheet No. 50 Side A 04/12/2012 11:52:32 04/12/2012 A 50 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 50 Side B 04/12/2012 11:52:32 M K ]. ii C Y ARE- MBU- avail- A W , http:// EPORT [Vol. 65 L.J. 67, 67 ATA R CCW pro- 4-APR-12 14:10 D RUG ENTER 32 Requests for ISTRIBUTED C 34 & D In 2009, another UMMARY , D 30 Researchers must ONDITION OOD ): S FDA’s Sentinel Initiative 33 C ET UALITY Seq: 8 SSISTANCE , 65 F Q A HRONIC ATA , C (DARTN The FDA does not plan to estab- D , Aug. 2009, at 3, 7, available at http:// 36 ., http://www.fda.gov/Safety/FDAsSentinelIni- ESEARCH AND unknown ETWORK 31 R N DMIN ESEARCH URRENTS A supra note 36. C , R RUG SMU LAW REVIEW EALTHCARE http://www.effectivehealthcare.ahrq.gov/ehc/products/53/151/ Rather, it intends to send queries concerning po- Rather, it intends to send queries H 35 HERAPEUTIC & D 37 The VA is now working to create a nationwide cen- The VA is now working ESEARCH T 29 OOD GENCY FOR http://www.dor.kaiser.org/external/dorexternal/news/press_releases/ ., A ESEARCH IN available at About Chronic Condition Data Warehouse Id. Id. (noting that, significantly, the records in the database will include free text, Id. Requesting CMS Data FDA’s Sentinel Initiative, R FDA’s Sentinel Initiative-Transforming How We Monitor The Safety of FDA-Regu- , http://www.ccwdata.org/about/index.htm (last visited Oct. 27, 2011). 32. 36. Barbara J. Evans, Authority of the Food and Drug Administration to Require Data 35. 30. 31. Press Release, Kaiser Permanente, National Institutes of Health Awards More 29. in U.S. Dep’t of Veterans Affairs, Study Will Boost Role of Electronic Records 33. 34. 37. The Centers for Medicare & Medicaid Services created a research The Centers for Medicare & Medicaid (FDA) Amendments Act of 2007 The Food and Drug Administration For many years, Department of Veterans Affairs (VA) researchers Department of Veterans Affairs For many years, ACE ET AL press_release.aspx?id=3361. identifiable data are scrutinized to ensure that disclosure will not violate identifiable data are scrutinized to privacy requirements. LATORY database called the Chronic Condition Data Warehouse (CCW) pursuant database called the Chronic Condition Act of 2003. to Section 723 of the Medicare Modernization health data network encompassing authorized the creation of the Sentinel records from 100 million individuals. that can be used for research purposes.be used for research that can of sample a below describe We private industry have federal government, states, and projects that the undertaken. or consolidated collected from particular VA facilities have used records at a regional level. P (2009), able at 92 \\jciprod01\productn\S\SMU\65-1\SMU103.txt Access and Control Use Rights in the Sentinel Data Network www.resdac.org/Medicare/requesting_data.asp (last modified Oct. 11, 2011). www.research.va.gov/news/research_highlights/records-080309.cfm. such as doctors’ notes, that is changed into structured data). Than $54 Million to Kaiser Permanente to Conduct Health Research (Oct. 12, 2009), submit requests through the Research Assistance Data Center and can submit requests through the Research or limited data sets. ask for either identifiable data files major health care system, Kaiser Permanente, received a multi-million- system, Kaiser Permanente, received major health care research database to establish a national electronic dollar federal grant current and past pa- health information from 30 million that will include regions. tients in eight geographic vides researchers with information about Medicare and Medicaid benefi- vides researchers with information assessment data. ciaries, claims for services, and lish its own database. HOUSE 2009_0728DEcIDE_DARTNet.pdf. Care, Research, VA R (2010); lated Products, U.S. F tralized data repository of de-identified patient charts. tralized data repository tiative/ucm2007250.htm (last updated Oct. 5, 2011) [hereinafter tential product safety problems to various participating data holders, such tential product safety problems to who would have their own EHR or as health care facilities and insurers 31670-smu_65-1 Sheet No. 50 Side B 04/12/2012 11:52:32 04/12/2012 B 50 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 51 Side A 04/12/2012 11:52:32 R R 47 93 39 Se- . J.L. M 41 , http:// , 36 A 4-APR-12 14:10 49 42 DARTNet is ROGRAM 46 P 45 Seq: 9 IABETES . D AL C , ., https://cabig.nci.nih.gov/overview/ (last modi- unknown NST supra note 2, at 13; Welcome to MedMining, I , supra note 43. ANCER OOPERS C C L ’ Using automated mechanisms, the data holders the data automated mechanisms, Using AT DARTNet researchers query the de-identified feder- DARTNet researchers query the supra note 28, at 1. 38 48 ., MedMining asserts on its website that its customers in- on its website that its customers MedMining asserts 43 Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing , http://www.medmining.com/index.html (last visited Oct. 27, 2011). The data sets it delivers to customers feature “lab results, vital The data sets it delivers to customers RICEWATERHOUSE ACE ET AL 44 Within thirty days of discharge, hospitals must report a large of discharge, hospitals must Within thirty days the Interagency Registry for Mechanically Assisted Circulatory the Interagency Registry for Mechanically Id. Welcome to MedMining, Id. Id. Inpatient Hospital Discharge Data Id. Id. at 2. Id. About caBIG, N Id. . 586, 615 (2010). INING 50 40 M ED 45. 46. P 41. Marc A. Rodwin, Patient Data: Property, Privacy & the Public Interest 44. 42. 38. 39. 40. 47. 48. 49. 50. 43. P Other agencies and organizations are creating electronic registries and Other agencies and organizations Yet another initiative is the Distributed Ambulatory Research in Ther- Yet another initiative is the Distributed At the state level, the California Office of Statewide Health Planning the California Office of Statewide At the state level, a company Geisinger Health Systems established In the private sector, M K ED claims databases. signs, medications, procedures, diagnoses, lifestyle data, and detailed signs, medications, procedures, diagnoses, settings. costs” from both inpatient and outpatient clude numerous major pharmaceutical, medical device, and biotech cus- clude numerous major pharmaceutical, tomers. number of details, including diagnoses, treatments, and drug intake. including diagnoses, treatments, number of details, www.caldiabetes.org/content_display.cfm?contentID=487&CategoriesID=31 (last updated Nov. 18, 2010). ated databases, consisting of data from EHRs, laboratories, imaging ated databases, consisting of data though the patient EHRs them- centers, pharmacies, and billing systems, at which they are stored. selves never leave the clinical sites would assess their records and send summary responses to the FDA. records and send summary responses would assess their databases to focus on specific disease categories and to support research databases to focus on specific disease through data sharing. These include the Cancer Biomedical Informatics Grid, apeutics Network (DARTNet), a federated network of EHR data from apeutics Network (DARTNet), a over 400,000 patients. eight large organizations serving & Development discharge a database of inpatient hospital established data. it, and offers it to that extracts EHR data, de-identifies called MedMining researchers. For each DARTNet member organization, relevant clinical information is For each DARTNet member organization, and then transferred to another captured in a standardized database data for query access through a se- database that presents de-identified cure web-portal. 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt lected datasets that do not directly identify patients are available for do not directly identify patients lected datasets that research. public and thus could be used for purchase by the funded by the Agency for Healthcare Research and Quality (AHRQ). funded by the Agency for Healthcare & M M fied July 2, 2011) (stating that the initiative’s goal is to “[b]uild or adapt tools for collecting, and analyzing, integrating, and disseminating information associated with cancer research care.”). C Y 31670-smu_65-1 Sheet No. 51 Side A 04/12/2012 11:52:32 04/12/2012 A 51 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 51 Side B 04/12/2012 11:52:32 M K ., 57 C Y RG , U.S. O [Vol. 65 and the 52 UPPORT 4-APR-12 14:10 S Because of the IFE AW L 59 L By contrast, research Seq: 10 55 , http://www.unos.org/donation/in- XTRACORPOREAL , E HARING S cover only research on human sub- 53 58 unknown ESEARCH AND THE RGAN R O , INTERMACS, http://www.uab.edu/ctsresearch/in- ASED ., http://www.hhs.gov/ohrp/humansubjects/commonrule/in- SMU LAW REVIEW and patients must authorize the release of iden- and patients must 54 ERVS ETWORK FOR . S N UM B. EHR-B NITED & H the Extracorporeal Life Support Organization, Life the Extracorporeal id. § of “Protected Health Information.” 160.103 for the definition and is not subject to coverage by the HIPAA Privacy Rule. and is not subject to coverage by 51 56 EALTH ELSO Registry Information Data Policy Id. § 164.508(b)(3)(i). Id. § 46.101(b)(4). See Federal Policy for the Protection of Human Subjects (‘Common Rule’) INTERMACS Description Data, U H T ’ 52. 54. 45 C.F.R. § 46.109 (2010). 55. 56. 57. See 58. 51. 53. 59. 45 C.F.R. § 46.102. These few examples illustrate the increasing use and importance of illustrate the increasing use These few examples institutional review research protocols require Ordinarily, biomedical The federal regulations that require IRB review and participant con- The federal regulations that require EP termacs/description.htm (last visited Oct. 27, 2011) (explaining that analysis of the col- termacs/description.htm (last visited Oct. 27, 2011) (explaining that analysis of the lected data is expected to improve patient care and to “influence future research”). dex.php?topic=data (last visited Oct. 27, 2011) (discussing the creation of UNet, an online dex.php?topic=data (last visited Oct. 27, 2011) (discussing the creation of UNet, an event database system that “contains data regarding every organ donation and transplant occurring in the United States since 1986”). D United Network for Organ Sharing. United Network using de-identified EHRs can be conducted with few regulatory burdens; using de-identified EHRs can be conducted records need not be approved by research involving solely de-identified an IRB jects, and define a human subject as “a living individual about whom an jects, and define a human subject intervention or interaction with investigator . . . obtains (1) [d]ata through private information.” the individual, or (2) [i]dentifiable tifiable information to researchers under the Health Insurance Portability to researchers under the Health tifiable information Privacy Rule. and Accountability Act (HIPPA) EHR databases for research purposes.does not ignore the use The law in key fed- in research and addresses its permissibility of medical records eral regulations. board (IRB) approval, Support, Consequently, health care providers, including clinicians and medical fa- Consequently, health care providers, data to researchers without obtaining cilities, can disclose de-identified privacy safeguards to the de-identi- patient consent or applying HIPAA’s fied data. This section reviews provisions of the federal research regula- that apply to EHR-based research. tions and the HIPAA Privacy Rule 1. The Federal Research Regulations sent, known as the Common Rule, 94 \\jciprod01\productn\S\SMU\65-1\SMU103.txt http://www.elso.med.umich.edu/DataRequests.html (last updated Oct. 12, 2010) (providing of que- details concerning the collection of data with most identifiers removed, submission ries, and release of query results to members in aggregate form). very minimal risk of harm to participants, the regulations specifically ex- very minimal risk of harm to participants, or study of existing data, docu- empt research “involving the collection is recorded by the investigator ments, [or] records . . . if the information be identified, directly or through in such a manner that subjects cannot dex.html (last visited Oct. 27, 2011). 31670-smu_65-1 Sheet No. 51 Side B 04/12/2012 11:52:32 04/12/2012 B 51 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 52 Side A 04/12/2012 11:52:32 Id. 95 61 Further- ., http://an- 63 4-APR-12 14:10 ERVS Consequently, . S 64 UM Seq: 11 & H Accordingly, even record- Accordingly, even 62 EALTH H Thus, the Rule does not prohibit 66 TOF The regulations provide no details as provide no The regulations ’ unknown 60 EP from disclosing de-identified data to third parties, in- from disclosing de-identified data 67 The HIPPA Privacy Rule’s application to research activities The HIPPA Privacy Rule’s application 65 Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing Id. § 46.101(b)(4). Id. Id. § 46.117(c). Human Research Protections Frequently Asked Questions: Can I Analyze Data Id. § 164.506. Id. § health information”). 160.103 (defining “protected 60. 61. 62. 63. 66. 67. The HIPAA Privacy Rule applies to health plans, health care clearinghouses, 64. 45 C.F.R. § 46.101(b)(4). 65. The Common Rule provides IRBs with flexibility and allows them to provides IRBs with flexibility The Common Rule The HIPAA Privacy Rule generally prohibits disclosure of individually The HIPAA Privacy Rule generally Research utilizing a database of EHRs that have been previously de- a database of EHRs that have Research utilizing a. De-Identified Information Privacy Rule covers only “individ- Like the Common Rule, the HIPAA M K identifiers linked to the subjects.” identifiers covered entities That Are Not Individually Identifiable, Such as Medication Databases Stripped of Individual of Patient Identifiers, for Research Purposes Without Having to Apply the HHS Protection Human Subjects Regulations?, U.S. D exercise discretion in appropriate circumstances.exercise discretion the re- IRBs may waive involves no more consent if they find that a study quirement of informed for which consent for subjects and entails no procedure than minimal risk in the treatment setting. would be required 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt §§ 160.102–160.103; 42 U.S.C. § 17931 (2006). health care providers who transmit health information electronically for particular pur- health care providers who transmit health information electronically for particular poses (generally claims or benefits activities), and their business associates. swers.hhs.gov/ohrp/questions/7284 (last updated Dec. 30, 2010). more, the applicability of the federal regulations to research involving more, the applicability of the federal with patients depends on the medical records rather than interaction by the investigator. method by which data is recorded even research through a service that queries EHRs with identifiable pa- even research through a service that in summary, non-identifiable tient data but presents results to researchers from IRB review.form would most likely be exempt At most, however, to IRBs, would be deemed to pose such project proposals would be sent would consequently require no in- only minimal risk to subjects, and formed consent process. 2. The HIPAA Privacy Rule patient consent, unless the infor- identifiable health information without of treatment, payment, or health care mation is transmitted for purposes operations. based research involving personally identifiable health information may personally identifiable health based research involving the informed consent mandate. be exempted from not be covered by the research regulations. identified would to which identifiers need to be removed to render data de-identified. need to be removed to render to which identifiers cluding researchers. provide that information can be The regulations that considered de-identified: (1) if an appropriate expert determines is analyzed in this section. ually identifiable health information.” C Y 31670-smu_65-1 Sheet No. 52 Side A 04/12/2012 11:52:32 04/12/2012 A 52 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 52 Side B 04/12/2012 11:52:32 M K 71 C Y [Vol. 65 4-APR-12 14:10 This criterion is 68 Seq: 12 In the alternative, informa- In the alternative, 69 unknown . 1701, 1737 (2010). EV SMU LAW REVIEW if the following eighteen identifiers are removed: if the following 70 Id. § 164.514(b)(2)(ii). (A) Names; (B) street smaller than a State, including All geographic subdivisions (1) the by combining all zip codes with The geographic unit formed (2) three digits of a zip code for all such geographic units The initial (C) of dates (except year) for dates directly related to All elements (D) numbers; Telephone (E) Fax numbers; (F) mail addresses; Electronic (G) security numbers; Social (H) record numbers; Medical (I) plan beneficiary numbers; Health (J) numbers; Account (K) numbers; Certificate/license (L) identifiers and serial numbers, including license plate Vehicle (M) identifiers and serial numbers; Device (N) Universal Resource Locators (URLs); Web (O) Internet Protocol (IP) address numbers; (P) voice prints; Biometric identifiers, including finger and (Q) images; and Full face photographic images and any comparable (R) or code. Any other unique identifying number, characteristic, 70. Standard for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 71. 45 C.F.R. § 164.514(b)(2)(i). In addition, information will not be considered de- 68. 45 C.F.R. § 164.514(b)(1). 69. Paul Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of address, city, county, precinct, zip code, and their equivalent geocodes, precinct, zip code, and their equivalent address, city, county, to the cur- three digits of a zip code if, according except for the initial Census: data from the Bureau of the rent publicly available than 20,000 people; and same three initial digits contains more is changed to 000; containing 20,000 or fewer people admission date, discharge date, date an individual, including birth date, all elements of dates (including year) of death; and all ages over 89 and such ages and elements may be ag- indicative of such age, except that age 90 or older; gregated into a single category of numbers; The requirements for de-identification under this provision are far The requirements for de-identification under this provision are known as the HIPAA “statistical standard.” known as the HIPAA 53,182, 53,232 (Aug. 14, 2002) (codified at 45 C.F.R. pts. 160 & 164). or in identified if an entity has “actual knowledge that the information could be used alone infor- combination with other information to identify an individual who is a subject of the mation.” Anonymization, 57 UCLA L. R more specific than those of the Common Rule. It is, therefore, possible there is only a “very small” risk that the information could be re-identi- could risk that the information a “very small” there is only expert documents his or her analysis. fied, and (2) the 96 \\jciprod01\productn\S\SMU\65-1\SMU103.txt tion is deemed de-identified according to the HIPAA Privacy Rule’s “safe according to the HIPAA tion is deemed de-identified harbor” provision 31670-smu_65-1 Sheet No. 52 Side B 04/12/2012 11:52:32 04/12/2012 B 52 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 53 Side A 04/12/2012 11:52:32 R 97 L. ORNELL 4-APR-12 14:10 , 90 C 76 ESEARCH R Limited data sets al- Limited data sets may disclose “limited 74 73 Seq: 13 ASED 72 Researchers can obtain fur- 77 EHR-B The Poor State of Health Care Quality in the Id. § 164.512(i)(1)(ii). unknown According to some estimates, as few as 79 The limited data set provision also elimi- The limited data set provision also 75 USING EHR DATA 78 note 9, at 173. ONTRIBUTIONS OF supra C , HE EPORT Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing A. T III.OF RESEARCH THE BENEFITS AND RISKS See supra note 67 and accompanying text. Id. Id. § 164.512(i)(1)(iii). Id. § 164.512(i)(1)(i). without pa- Identifiable medical records may also be used . 893, 952 (2005) (observing that “[a] great deal of uncertainty exists about the ‘best’ 73. 74. 45 C.F.R. § 164.514(e)(1); see also § details concerning 164.514(e)(4) (containing 75. 45 C.F.R. § 164.514(e)(2). 76. 77. 78. 79. David A. Hyman & Charles Silver, 72. IOM R EHR technology could make an invaluable contribution to medical re- EHR technology could make an invaluable In addition, the HIPAA Privacy Rule does not protect records of dece- In addition, the HIPAA Privacy Rule b. Other HIPAA Exemptions that apply Rule contains several other exceptions The HIPAA Privacy The advent of EHRs has the potential to transform medical research by The advent of EHRs has the potential M K EV that a protocol would be exempt from the Common Rule’s consent man- Common Rule’s exempt from the would be that a protocol would still require identifiers will be removed, but date because some Rule because not all under the HIPAA Privacy patient authorization identifiers are redacted. eighteen safe harbor data sets” without patient consent if the recipient signs a data use agree- patient consent if the recipient signs data sets” without re-identification of the data. ment that prohibits data use agreements). do not tient consent to prepare (but not carry out) research protocols as long as the records leave the facility in which they are stored. U.S.: Is Malpractice Liability Part of the Problem or Part of the Solution? search because it can facilitate large-scale observational studies that will search because it can facilitate large-scale observational studies that fill existing knowledge gaps. medical practice involves a Contemporary startling amount of guesswork. dents that are used for research purposes. to research use of health data.to research use of Covered entities 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt ther exemptions with approval of an IRB or privacy board in accordance ther exemptions with approval of with regulatory guidance. low somewhat more liberal disclosures than the safe harbor provision liberal disclosures than the low somewhat more to the eighteen-factor list: disclo- because they make three modifications exact birth dates, is permitted, and sure of all elements of dates, including withheld, patients’ towns or cities and while specific addresses must be zip codes can be revealed. nates the catch-all item of “any other unique” identifier. nates the catch-all item of “any other R enabling investigators to conduct computerized searches that will yield an enabling investigators to conduct computerized about patient care and treatment unprecedented wealth of information efficacy. research raises By the same token, the prospect of electronic serious concerns that cannot be ignored.harms and benefits possible The analyzed in this part. of EHR-based research are thoroughly C Y 31670-smu_65-1 Sheet No. 53 Side A 04/12/2012 11:52:32 04/12/2012 A 53 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 53 Side B 04/12/2012 11:52:32 M K 87 C Y In HYSI- 80 . 1390, P 1 (1992). [Vol. 65 ED AIN FFECTIVENESS 4-APR-12 14:10 E TUDIES , 13 P . J. M CER’s aim is S Such research NG 83 Facts, Fallacies, and 85 81 How CER Could Pay E EW ESEARCH OMPARATIVE R Seq: 14 Randomized, controlled C , May 29, 2006, at 72 (asserting , 364 N 86 The Patient Protection and The Patient Protection EEK 82 W http://www.iom.edu/Reports/2009/ . 449, 452–54 (2001) (describing different NALYSIS OF EV A RIORITIES FOR USINESS unknown P . L. R ONN ESIGN AND . w181, w181 (2007) (discussing the “inferential gap” . w181, w181 (2007) (discussing the “inferential available at A 2009 IOM Report similarly emphasized A 2009 IOM Report FF D ATIONAL 84 SMU LAW REVIEW , 33 C N HE A , T S-3, S-3 (2000), available at http://www.nature.com/ki/journal/ L ’ NITIAL EALTH NT ANLY ., I I ED 3 (2009), – M F. J. M IDNEY OF . 1 RYAN see also Sharona Hoffman, The Use of Placebos in Clinical Trials: Responsible NST In a randomized experiment, subjects are randomly assigned to In a randomized experiment, subjects Id. § G. Elshaug & Alan M. Garber, 1320e(d)(2)(A); Adam See id. See 42 U.S.C. § Laxmaiah Manchikanti et al., 1320(e) (2010); 88 , E23, E38–39 (2010). 86. 42 U.S.C. § 1320e(d)(2)(A). 87. Friedrich K. Port, Role of Observational Studies Versus Clinical Trials in ESRD 83. 42 U.S.C. § 1320e(a)(2)(A). 84. 80., B John Casey, Medical Guesswork 82. 81. 85. I 88. B Both the Obama Administration and the Institute of Medicine (IOM) Administration and the Institute Both the Obama CER is to be conducted through a wide variety of means, including CER is to be conducted through ESEARCH ComparativeEffectivenessResearchPriorities.aspx. Research, 57 K to generate improved patient outcomes while maximizing the benefit of patient outcomes while maximizing to generate improved health care expenditures. for Itself—Insights from Vertebral Fracture Treatments Affordable Care Act of 2010 defines CER as “research evaluating and Act of 2010 defines CER as “research Affordable Care risks, and bene- outcomes and the clinical effectiveness, comparing health treatments, services, and items.” fits of 2 or more medical clinical trials are considered to be the gold standard of medical studies. clinical trials are considered to be between “the paucity of what is proved to be effective for selected groups of patients ver- between “the paucity of what is proved to required for individual patients”). sus the infinitely complex clinical decisions v57/n74s/full/4491615a.html (stating that “[r]andomized controlled clinical trials have been re- considered by many to be the only reliable source for information in health services search”); Research or Unethical Practice? that many “physicians say the portion of medicine that has been proven effective is still that many “physicians say the portion of outrageously low — in the range of 20% to 25%”). Politics of Comparative Effectiveness Research: Part I Basic Consideration 1392–93 (2011); Manchikanti et al., supra note 82, at E39. CIAN have recognized the importance of CER. have recognized R 20 to 25% of treatments have been definitively proven effective. have been definitively of treatments 20 to 25% and about the ‘best’ way to perform those treatment for particular clinical conditions, medical treatments has never been proven”); treatments” and that the “efficacy of most Health Record and Walter F. Stewart et al., Bridging The Inferential Gap: The Electronic Clinical Evidence, 26 H Experimental clinical studies involve “the collection of data on a process Experimental clinical studies involve of variables that are assumed to affect when there is some manipulation other variables constant as far as possi- the outcome of a process, keeping ble.” 98 \\jciprod01\productn\S\SMU\65-1\SMU103.txt many instances, physicians initially try particular treatment plans, medi- initially try particular treatment many instances, physicians to be changed or knowing that these will likely need cations, or dosages patient receives optimal treatment. adjusted before the could lead to a significant reduction in human suffering, disease-related could lead to a significant reduction death rates, and health care costs. studies. both clinical trials and observational designs of clinical trials). the need for CER and proposed initial CER priorities. the need for CER receive one of the interventions under study (possibly including no inter- receive one of the interventions under vention).For example, investigators might design a clinical trial to in- patients are randomly assigned: one clude two groups to which eligible 31670-smu_65-1 Sheet No. 53 Side B 04/12/2012 11:52:32 04/12/2012 B 53 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 54 Side A 04/12/2012 11:52:32 R R R R . 99 see EV , Sept. see also IOMEDI- UIDANCE B IMES ., G . U. L. R 4-APR-12 14:10 M For example, DMIN , 2–7 (2011), avail- , N.Y. T 96 MPLEMENTATION OF CT ETHODS IN A , 55 A A Thus, rather than —I M The goal of this ex- The goal of this RUG 91 89 RIALS Seq: 15 & D vii (2d ed. 2002). OSMETIC T C OOD VALUATION AND . F , E . 1878, 1879–83 (2000). TUDIES , LINICAL S ED C ERVS RUG YATT S Observational studies are often con- , D unknown . J. M A Comparison of Observational Studies and Ran- 93 C. W NG OOD UMAN E F TUDIES AND EW BSERVATIONAL EREMY S & H , O EDERAL & J note 88, at 1 (explaining that observational studies involve the note 88, at 1 (explaining that observational F EALTH For example, in exploring the utility of EHRs for For example, in exploring the utility These studies are not randomized, and the absence These studies are not randomized, H 92 95 supra , OSENBAUM OF THE RIEDMAN 369 (2d ed. 2006) (defining observational studies as involving an 369 (2d ed. 2006) (defining observational TOF ’ OSTMARKETING EP note 88, at 4–5. P )(3) ANLY P. F R. R O Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing M One source defines an “observational study” as “an empiric an “observational study” as One source defines 94 AUL 90 supra 505( See Benson & Hartz, supra note 92, at 1878 (stating that “[c]oncern about inherent See Gary Taubes, Do We Really Know What Makes Us Healthy? See , HARLES NFORMATICS NDUSTRY C I I 91. P 96. 95. 89. Sharona Hoffman, “Racially-Tailored” Medicine Unraveled 92. Kjell Benson & Arthur J. Hartz, 93. Kho et al., supra note 3, at 4–5. 94. U.S. D 90. Observational studies, such as reviews of EHR data, are vulnerable to Observational studies, such as reviews By contrast, research can also be accomplished through observational can also be accomplished through By contrast, research M K ANLY ECTION group receives Angiotensin-Converting Enzyme (ACE) inhibitors for (ACE) Enzyme Angiotensin-Converting group receives inhibitors in combina- the second group receives ACE heart failure, and drug for the same condition. tion with a different investigation of treatments, policies, or exposures and the effects they policies, or exposures investigation of treatments, investigator cannot from an experiment in that the cause, but it differs of treatments to subjects.” control the assignment CAL “[a]pproach to study design that entails no experimental manipulation” in which “[a]pproach to study design that entails by carefully observing . . . [subjects] with or “[i]nvestigators typically draw conclusions without an information resource”). also collection of data “by observing some process which may not be well-understood”); collection of data “by observing some process M bias” in observational studies “has limited their use in comparing treatments”); 16, 2007, at 52 (describing the limitations of observational studies and stating that they 16, 2007, at 52 (describing the limitations of observational studies and stating that “can only provide what researchers call hypothesis-generating evidence—what a defense attorney would call circumstantial evidence”). able at http://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/ Guidances/UCM172001.pdf. of randomization may introduce biases that skew results. of randomization may introduce biases several criticisms. S 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt domized, Controlled Trials, 342 N conducting a controlled experiment, investigators might review the charts experiment, investigators might conducting a controlled different medications or different or electronic files of patients receiving condition to determine the efficacy types of surgery to treat a particular of each approach. if investigators review only records that come from a particular wealthy, if investigators review only records derived may not apply to low-in- suburban medical practice, the results of stress, poorer diets, and inferior come populations with higher levels perimental study would be to determine which treatment is more would be to determine which perimental study by one or more outcome measures. effective as reflected studies. FOR ducted when the FDA requires post-marketing studies to verify the safety ducted when the FDA requires post-marketing of drugs. genetic research, a recent study found that data captured from EHRs genetic research, a recent study with sufficient accuracy to be used in could identify disease characteristics genome-wide association studies. 395, 400–02 (2005) (describing a clinical trial for heart failure medication). C Y 31670-smu_65-1 Sheet No. 54 Side A 04/12/2012 11:52:32 04/12/2012 A 54 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 54 Side B 04/12/2012 11:52:32 M K C Y . 70, 88, Thus, [Vol. 65 NFORMAT- ECH 100 I 163, 170–71 4-APR-12 14:10 EDICAL 104 . J.L. & T M If researchers do in For example, “MS” ARV , IOMEDICINE 101 105 B . L.J. 1523, 1537–45 (2009). Seq: 16 99 , 25 H ECH T E-Health Hazards: Provider Liability INING IN M To estimate error rates and magni- ERKELEY ATA 103 unknown D , 24 B However, there are ways of controlling for the However, there SMU LAW REVIEW Similar skewing, however, may occur in inter- may occur in skewing, however, Similar In addition, patients who see doctors at differ- In addition, patients who see doctors 98 97 106 ANAGEMENT AND supra note 88, at 4–5. , M Researchers cannot assume that EHR data is completely Researchers cannot assume that ANLY M 102 107 See id. at 16. See id. at 4–5. See id. at 9. See Sharona Hoffman & Andy Podgurski, See discussion infra Part IV.D.1 (explaining how informed consent can lead to se- See See id. See id. at 1565–69, 1577. Id. at 170, tbl. 6-1. NOWLEDGE 99. 97. 98. : K Third, EHR database studies may also be affected by data quality Third, EHR database studies may Problems with the completeness and accuracy of EHR data can be mit- Problems with the completeness and Other complications may compromise the quality of EHR data as well. Other complications may compromise A second concern is that observational study results could be con- is that observational study results A second concern 100. 101. 102. 103. 104. 105. Christopher G. Chute, Medical Concept Representation 106. 107. Barbara Evans, Much Ado About Data Ownership ent medical facilities whose EHR systems are not interoperable may have ent medical facilities whose EHR their medical histories in different fragmented records and pieces of EHRs. accurate. The data in EHRs may be incomplete or erroneous because, make typing mistakes, do not have among other reasons, clinicians and error-free records, or have dif- enough time to create comprehensive ficulty navigating the EHR system. not carefully monitor and adjust for these factors, any conclusion con- not carefully monitor and adjust issue is likely to be questionable. cerning the efficacy of the drug at problems. and Electronic Health Record Systems 93–94 (2011). lection bias). igated in part through increased use of electronic means for collecting igated in part through increased Medical terminology lacks standardization, and physicians can use the Medical terminology lacks standardization, different things. same abbreviations to mean very founded by uncontrolled variables because the assignment of different variables because the assignment founded by uncontrolled randomized. placebos, to patients is not treatments, including access to medical care. access to 100 \\jciprod01\productn\S\SMU\65-1\SMU103.txt ICS any changes that are observed might be caused not by the intervention of are observed might be caused not any changes that both the treat- such as age or sex, that influence interest but by factors, they have. ment patients receive and the outcomes can mean “mitral stenosis,” “multiple sclerosis,” “morphine sulfate,” and can mean “mitral stenosis,” “multiple “magnesium sulfate.” (Hsinchin Chen et al. eds., 2005). tudes, researchers may need to validate the EHRs of a sample of patients, tudes, researchers may need to validate or their physicians. which would entail contacting them ventional research if the population from which subjects are recruited is if the population from which subjects ventional research not sufficiently diverse. bias problem in creating (or extracting data from) an EHR database, such (or extracting data from) an bias problem in creating and drawn randomly the database is both large enough as ensuring that a diverse patient population. from the EHRs of 31670-smu_65-1 Sheet No. 54 Side B 04/12/2012 11:52:32 04/12/2012 B 54 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 55 Side A 04/12/2012 11:52:32 R R R R . , FF 112 , 21 101 , 305 A EALTH -H E EALTH & 4-APR-12 14:10 Seven Pillars of This may be , 26 H 114 It must also be recog- It must also The Gap Between Evidence ELEMEDICINE Pragmatic Trials—Guides to Seq: 17 108 The data used in observational The data used in Is the Randomized Clinical Trial the Gold 233, 233–40 (2010); & George Ron Dagan 111 938, 938–42 (2001). . 1685, 1685 (2011) (discussing the shortcomings unknown supra note 87, at S-3, S-4. Design and Statistical Analysis of Oral Medicine ED ISEASES D . J. M For example, investigators could not examine For example, investigators could not J. 894, 894–901 (2002); Barbara J. Evans, NG RAL NDROLOGY 116 E . w119, w120 (2007) (asserting that “EHRs have the potential . 960, 961 (2007). . 419, 439–50 (2010); Martha Clare Morris & Christine C. FF EW ED ISEASES EV A D . J. M Researchers must be aware of the limitations of their re- be aware of the limitations of their Researchers must L. R EALTH NG E 109 AME Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing NFECTIOUS EW I D A Potential Design Flaw of Randomized Trials of Vitamin Supplements A Potential Design Flaw of Randomized Clinical studies may also be unrealistic because it would be un- Clinical studies may also be unrealistic See, e.g., Lynn M. Etheredge, A Rapid-Learning Health System See, e.g., Lorena Baccaglini et al., See Etheredge, supra note 111, at w107. EHR databases could allow researchers to access vast amounts of could allow researchers to access EHR databases supra note 109, at 446 (“Phase III trials typically last one to four years and may 113 115 OTRE 110 In fact, observational studies have several advantages over clinical tri- studies have several advantages In fact, observational In some cases, it is impossible to conduct clinical trials. In some cases, it is impossible to conduct 111. 110. diminished cost, Benson & Hartz, supra note 92, at 1878 (citing the advantages of 108., 14 T Kevin D. Blanchet, Remote Patient Monitoring 109. 114. Benson & Hartz, supra note 92, at 1878. 115. 116. Benson & Hartz, supra note 92, at 1878. 113. Benson & Hartz, supra note 92, at 1878 (mentioning “greater timeliness” as an 112. Sheila Weiss Smith, Sidelining Safety—The FDA’s Inadequate Response to the M K EDIATRIC patient data, such as remote patient monitoring. such as remote patient data, timeliness, and a broader spectrum of patients). search tools and techniques and strive continuously to improve them. techniques and strive continuously search tools and als. ethical to conduct them. information about patients with diverse demographics collected over a patients with diverse demographics information about by clinical trials, of time than that encompassed much longer period only a few years. which typically last Better Patient Care?, 364 N to take over where clinical trials and evidence-based research leave off, by providing real- to take over where clinical trials and evidence-based research leave off, by providing over world evidence of drugs’ and treatments’ effectiveness across subpopulations and longer periods of time”); James H. Ware & Mary Beth Hamel, because it is too difficult to recruit a large enough subject population to because it is too difficult to recruit such as when the condition is very yield statistically significant results, rare. Flaws in Design and Conduct of Clinical Trials in Acute Otitis Media H. McCracken, Flaws in Design and Conduct of Clinical P JAMA 1348, 1348–49 (2011); Stephen D. Simon, Standard of Research?, 22 J. A Tangney, Observational studies can also be considerably less costly and time-con- Observational studies can also be because the data used already suming than experimental research exist. 127, 128–30 (2008). 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt advantage of observational studies); Port, w107, w111 (2007), available at http://content.healthaffairs.org/cgi/content/full/26/2w107; Evans, the include 1000 to 10,000 patients of whom only a few hundred patients typically receive new drug for more than three to six months.”); Louise Liang, and Practice, 26 H of clinical trials). IOM, 357 N nized that data integrity problems are not unique to observational stud- problems are not unique nized that data integrity ies. and other criticized for design flaws Clinical trials are often deficiencies. studies, consequently, may be far more comprehensive than the data gen- may be far more comprehensive studies, consequently, include fewer than 3,000 patients. erated by clinical trials, which often a New Evidentiary Paradigm: The Food, Drug, and Cosmetic Act Enters the Genomic Era a New Evidentiary Paradigm: The Food, Drug, 85 N the outcomes of patients who receive the wrong treatment by deliberately the outcomes of patients who receive Studies: Common Pitfalls, 16 O C Y 31670-smu_65-1 Sheet No. 55 Side A 04/12/2012 11:52:32 04/12/2012 A 55 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 55 Side B 04/12/2012 11:52:32 R R R , M K 126 C Y [Vol. 65 Investiga- ESEARCH 4-APR-12 14:10 118 R ASED But see Gordon H. Guyatt et By contrast, review of By contrast, Seq: 18 In addition, researchers In the words of one com- In the words of one 117 EHR-B 119 122 123 unknown However, observational studies are an in- However, observational SSOCIATED WITH 121 A 167, 173 (2000) (cautioning researchers about the risks of SMU LAW REVIEW supra note 9, at 16–17. , ARMS supra note 87, at S-5 (arguing that both observational studies and According to the IOM, privacy focuses on the “collec- According to the IOM, privacy focuses Confidentiality concerns the duty to avoid improper Confidentiality concerns the duty H supra note 88, at 13–14. supra note 111, at w108. , EPORT 124 125 PIDEMIOLOGY E ANLY M IOM R OTENTIAL See See Etheredge, supra note 111, at w107. See id. at w109. See id. at w109–w116. See id. at w108. See Benson & Hartz, supra note 92, at 1878, 1884 (concluding, based on a litera- Id. at 16–17, 76. Id. at 76. See LINICAL 120 Randomized Trials Versus Observational Studies in Adolescent Pregnancy Prevention While the anticipated benefits of EHR-based research are significant, While the anticipated benefits of are at times used inter- The terms “privacy” and “confidentiality” It is not anticipated that EHR-based observational studies will replace that EHR-based observational It is not anticipated 117. 118. 119. 120. 121. 122. 125. 126. 123. Etheredge, 124. B. P disclosure of information that is conveyed in an intimate relationship. disclosure of information that is conveyed dispensable addition to the research tool kit. dispensable addition tion, storage, and use of personal information” and thus on questions of tion, storage, and use of personal access to data. observational studies and stating that recommendations should be based on randomized trials whenever possible). such research is not devoid of risks. Data subjects may risk privacy viola- all of which are addressed in this tions as well as other dignitary harms, part. 1. Privacy the IOM offers illuminating definitions changeably or inconsistently, but of these words. randomized clinical trials. randomized clinical giving some individuals incorrect medications. individuals incorrect giving some data may involve violations of both Inappropriate disclosures of EHR confidentiality.and privacy simplicity, we use However, for purposes of all aspects of the concern about data the word “privacy” to encompass disclosure. 102 \\jciprod01\productn\S\SMU\65-1\SMU103.txt tors could gain access to patient records all over the country, including to patient records all over tors could gain access with very rare illnesses. those of individuals EHR databases could allow for a broader range of research. allow for a broader range of EHR databases could mentator, EHRs “will offer the capacity for real-time learning from the “will offer the capacity for real-time mentator, EHRs and will greatly increase the abil- experience of tens of millions of people ity to generate and test hypotheses.” could study data relating to actual patients who are treated in a clinical relating to actual patients who are could study data a research trial, and in the controlled environment of setting, rather than including substandard that is of varying quality, could analyze care care. ture review, that “observational studies and randomized, controlled trials usually produce similar results”); Port, clinical studies have their place and complement each other). al., 53 J. C 31670-smu_65-1 Sheet No. 55 Side B 04/12/2012 11:52:32 04/12/2012 B 55 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 56 Side A 04/12/2012 11:52:32 R 132 103 . 331, , U.S. Thus, EV Breaches Various 135 131 4-APR-12 14:10 , May 30, 2011, 129 IMES , 48 B.C. L. R Employers wish to Employers wish , N.Y. T 130 Seq: 19 The news media and other The news media In Sickness, Health, and Cyberspace: supra note 9, at 95–96 tbl. 2-2; Milt 127 , lose financial and other oppor- 133 409, 421–24 (2010). 136 Y ’ EPORT unknown OL . P UB IOM R 134 ., http://www.hhs.gov/ocr/privacy/hipaa/administrative/ ERVS . S . J.L. & P The Department of Health and Human Services The Department UM AN 128 & H Breaches Lead to Push to Protect Medical Data Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing EALTH H Id. Id. Id. Id. See id. See Sharona Hoffman & Andy Podgurski, See id. at 332–33; see also Health Information Privacy: Breaches Affecting 500 or More Individuals TOF ’ a. Privacy Breach Harms breaches re- is digitized, it is vulnerable to privacy Once information Advertisers and marketers hope to influence doctors’ prescribing deci- Advertisers and marketers hope to research databases can be linked to If health information contained in The personal and sensitive information contained in medical records sensitive information contained The personal and 130. Hoffman & Podgurski, supra note 127, at 334–35. 131. 132. 133. 134. 135. Sharona Hoffman, Employing E-Health: The Impact of Electronic Health Records 136. 127. 128. 129. M K EP sulting from hacking; stolen or misplaced laptops and storage devices; ac- stolen or misplaced laptops and sulting from hacking; sent to the wrong such as e-mails inadvertently cidental disclosures, intentional misconduct. recipient; or even tunities; become victims of criminal conduct; or suffer public tunities; become victims of criminal harms may be mitigated by existing embarrassment, though some of these (HHS) website lists almost 300 health care providers and insurers that almost 300 health care providers (HHS) website lists of 2009. breaches since September have reported significant types of insurers (e.g., life, disability, long-term care) want to find clients types of insurers (e.g., life, disability, payments will exceed claims. who are low-risk and whose premium on the Workplace, 19 K breachnotificationrule/breachtool.html (last visited Oct. 27, 2011) [hereinafter Affecting). patients whose information falls into inappropriate hands could face em- patients whose information falls into ployment or insurance discrimination; 332–34 (2007). sions and patients’ medical purchasing choices; political operatives may sions and patients’ medical purchasing disqualify or embarrass candidates; and hope to use health information to seek financial gain through the pos- blackmailers or other criminals may session and use of such data. with access to the data could theoreti- the names of data subjects, those third parties.cally sell or distribute it to interested Comprehensive reproductive and sexual histories, EHRs will include psychiatric records, as cancer, and much more. HIV status, serious illnesses such might be of interest to a large number of parties. might be of interest Lenders are interested in borrowers who can work and earn salaries that Lenders are interested in borrowers loans. will enable them to pay off their 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt hire healthy workers who will not have productivity and absenteeism hire healthy workers who will not claims for reimbursement. problems or submit costly medical Freudenheim, organizations have provided accounts of many such violations during the provided accounts of many such organizations have last several years. at B1. Protecting the Security of Electronic Private Health Information D C Y 31670-smu_65-1 Sheet No. 56 Side A 04/12/2012 11:52:32 04/12/2012 A 56 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 56 Side B 04/12/2012 11:52:32 R R . M K EV C Y AK- M . R [Vol. 65 Thus, if Further- OMM Further- Thus, pa- C 145 ECISION 4-APR-12 14:10 138 Automated De- 144 139 & D OMPUTER On the Leakage of Per- The potential short- 564, 572 (2007). N 141 , 40 C ’ Seq: 20 NFORMATICS SS . I A ED 41–55 (Jack M. Balkin & Beth Simone ERSON NFORMATICS unknown , 8 BMC M P . I ED IGITAL . M D M infra Part VI.A.1 (discussing de-identification techniques). supra note 129. SMU LAW REVIEW 137 HE , T OLOVE supra note 14, at 5; see also Ishna Neamatullah et al., supra note 14, at 5–6. The quality of de-identification may vary among different The quality of de-identification may J. S 142 Nevertheless, commentators worry that de-identification does Nevertheless, commentators worry Different parts of the EHR, such as patient demographics, cli- Different parts of the EHR, such see also discussion infra Part VI.C.2. see also Ben Wellner et al., Rapidly Re-targetable Approaches to Deidentifica- ANIEL 140 143 Id.; See Breaches Affecting, See supra Part II.B. (discussing the application of federal regulations to de-identi- See supra Part II.B.2.a (listing identifiers discussed in the HIPAA Privacy Rule). Id. at 5. Id.; i. De-identification Procedures 32, 33 (2008), available at http://www.biomedcentral.com/content/pdf/1472-6947-8- It is important to note, however, that the danger of electronic privacy note, however, that the danger of It is important to b. Privacy and De-Identification privacy risks is de-identification of One technique that could reduce Some experts question the reliability of contemporary de-identification Some experts question the reliability 144. Rothstein, 137. 138. 139. D 140. 145. 141. Rothstein, 142. 143. EHR systems; de-identification capacity often is not designed into EHR EHR systems; de-identification capacity after data is exported from an EHR systems, and, thus, it must be added system. nicians’ free-text notes, laboratory and imaging reports, and hospitaliza- nicians’ free-text notes, laboratory separately, and, thus, the tion records, may have to be de-identified and time-consuming. process might be very labor-intensive not provide sufficient protection to data subjects. not provide sufficient protection to 112, 112 (2010). breaches arises as soon as providers convert patients’ medical files from soon as providers convert patients’ breaches arises as patients about EHRs, and clinicians do not consult paper format to whether to undertake this transition. fact To date, data breaches have in setting. in the clinical rather than research generally occurred anti-discrimination laws. anti-discrimination 104 \\jciprod01\productn\S\SMU\65-1\SMU103.txt more, patients routinely face privacy risks not only because of security face privacy risks not only more, patients routinely vulnerabilities in their EHR systems, but also because of vulnerabilities in of data sources other electronic devices, data mining own computers or information directly records, and elicitation of sensitive such as purchase services. websites such as social networking from patients by de-identification is not automated, it would need to be assigned to trusted de-identification is not automated, more, a fragmented and complex process could result in many instances more, a fragmented and complex and retained in the record. in which identifiers are overlooked 32.pdf. tients should not perceive research activities involving EHRs as generat- perceive research activities involving tients should not be entirely nonexistent. ing privacy risks that would otherwise records. Noveck eds., 2004); Balachander Krishnamurthy & Craig E. Wills, sonally Identifiable Information Via Online Social Networks techniques. comings of de-identification are analyzed below. comings of de-identification are analyzed ING identification of Free-Text Medical Records fied records); see also discussion tion in Medical Records, 14 J. A 31670-smu_65-1 Sheet No. 56 Side B 04/12/2012 11:52:32 04/12/2012 B 56 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 57 Side A 04/12/2012 11:52:32 R 2 147 152 OL- 105 LEC- RAC- C 5, 28 EALTH E & P reidentify H EALTH ECRETARY OF 4-APR-12 14:10 S 149 RINCIPLES : P LECTRONICALLY J.L. & H RIVACY IN THE 169, 169 (2010). E ILL P N ’ OF G SS C ” Seq: 21 EPORT TO THE A SES could be re-identified. , 2 M , R U For example, information 151 available at dataprivacy.org/projects/ ROTECTIONS FOR USES OF ORKSHOP ON ONFIDENTIALITY 148 P C W TATISTICS NFORMATICS ECONDARY S Policy by Procrastination: Secondary Use of Policy by Procrastination: Secondary Use . I Latanya Sweeney, a leading author- 36 n.16 (2007), available at www.ncvhs.hhs.gov/ unknown “S ED 150 NHANCED ATA TATISTICAL . M ACHINERY EALTH E M D ., S M & H Simple Demographics Often Identify People Uniquely EALTH ITAL note 69, at 1703 (“Clever adversaries can often supra note 69, at 1703 (“Clever adversaries can H V RAMEWORK FOR ERVICES ON OMPUTIVE F S ON C UNCAN ET AL . 77, 77 (2006), available at http://crypto.stanford.edu/~pgolle/papers/ UMAN T. D OMM the people hidden in an anonymized database.”) (emphasis added). N FOR ’ RANSMITTED C H Y SS Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing ’ L ’ T 153 A TEWARDSHIP OC EORGE AT in Id. at 29–31 (discussing use of microdata). See supra Part II.B.2.a (discussing de-identification standards under the HIPAA Id. at 28–29; Ohm, Such a key would need to be carefully safeguarded so that it does need to be carefully safeguarded Such a key would S : A S ii. of Re-identification The Possibility 37 (2011). 146 deanonymize Experts have found that de-identified information can be re-identified that de-identified information Experts have found It is estimated that between 63% and 87% of the U.S. population could It is estimated that between 63% and In general, de-identification is based on assumptions that third parties is based on assumptions In general, de-identification 146. Brady, Patricia Kosseim & Megan 149. 150. Philippe Golle, Revisiting the Uniqueness of Simple Demographics in the U.S. Pop- 153. Kathleen Benitez & Bradley Malin, Evaluating Re-identification Risks with Respect 151. 147. 152. N 148. G M K EALTH AND ATA professionals.have key will that a cryptographic it is possible In addition, follow-up studies that case researchers need to conduct to be retained in to specific individu- so that data can be linked require re-identification als. using publicly available resources, such as voter registration records. resources, such as voter registration using publicly available not fall into the hands of potential wrongdoers. not fall into the hands TICE ulation, ity, asserts that 0.04% of records that comply with the de-identification ity, asserts that 0.04% of records Rule requirements of the HIPAA Privacy be accurately identified based on the three factors of gender, zip code, be accurately identified based on for details such as name, social secur- and date of birth, without any need ity number, or a precise address. H D Dr. Sweeney is famous for having identified the health records of Massa- Dr. Sweeney is famous for having she was a graduate student in 1996 chusetts Governor William Weld when data that was released to the based on anonymized hospital discharge information that was also publicly public and voter registration available. 2012] small, but it exists. The risk may be data subjects that may facilitate re- do not have certain information about may legally or illegally obtain such identification; however, adversaries and then correlate it to de-identi- information from a variety of sources fied records to achieve re-identification. \\jciprod01\productn\S\SMU\65-1\SMU103.txt 071221lt.pdf. to the HIPAA Privacy Rule, 17 J. A census.pdf; Latanya Sweeney, (Carnegie Mellon Univ., Working Paper No. 3, 2000), identifiability/paper1.pdf. (2008). LECTED AND TRONIC about patients’ medication purchases or evidence of the web links on about patients’ medication purchases useful for this purpose. which an individual clicks can be Electronic Health Records for Health Research Purposes Electronic Health Records for Health Research Privacy Rule). or C Y 31670-smu_65-1 Sheet No. 57 Side A 04/12/2012 11:52:32 04/12/2012 A 57 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 57 Side B 04/12/2012 11:52:32 R R R M K 154 C Y In In a 164 [Vol. 65 162 160 NFORMATICS 4-APR-12 14:10 . I ED . M M Seq: 22 , 18 J. A They quantified the risk of 159 are potentially vulnerable to re- are potentially supra note 153, at 170. 155 unknown SMU LAW REVIEW Never Too Old for Anonymity: A Statistical Standard for In 2011, the same authors published a second In 2011, the same When all eighteen HIPAA safe harbor provision When all eighteen 158 156 They focus on a “marketer attack” using demographic data They focus on a “marketer attack” The authors also assume that adversaries will use publicly The authors also assume that adversaries When the identifiers permitted by HIPAA for limited data sets permitted by HIPAA for limited When the identifiers see also supra notes 74–76 and accompanying text (discussing limited data sets Needless to say, these assumptions may not apply in actual Needless to say, these assumptions 161 163 157 Id. at 4–5; see also Benitez & Malin, Id. See supra Part II.B.2.a. Id. at 169. Id.; 3, 3 (2011). The statistical standard is articulated in 45 C.F.R. § 164.514(b)(1) (2010) 165 N ’ A recent paper by the Technology Policy Institute, a nonprofit, asserted A recent paper by the Technology Both of the Benitez and Malin studies make particular assumptions Both of the Benitez and Malin studies A study published in 2010 by Kathleen Benitez and Bradley Malin and Bradley by Kathleen Benitez published in 2010 A study 160. Malin et al., supra note 159, at 7. 161. 154. 155. 156. Benitez & Malin, supra note 153, at 176. 157. 158. 159. Bradley Malin et al., 162. Benitez & Malin, supra note 153, at 170; Malin et al., supra note 159, at 4. 163. Benitez & Malin, supra note 153, at 170; Malin et al., supra note 159, at 4. 164. Benitz & Malin, supra note 153, at 170. 165. Benitez & Malin, supra note 153, at 170; Malin et al., supra note 159, at 4. SS were added in, the risk percentage rose to between 10% and 60%, de- risk percentage rose to between were added in, the pending on the state. attempts at re-identification, and, thus, the risk figures supplied by Beni- attempts at re-identification, and, tez and Malin may be misleading. re-identification by a true adversary that “there is no evidence that or journalist interested in the efficacy (somebody other than a researcher available data and not engage in illegal activity, such as hacking. available data and not engage in (stating that information can be considered de-identified if an appropriate expert deter- (stating that information can be considered de-identified if an appropriate expert and mines that there is only a “very small” risk that the information could be re-identified documents her analysis). “marketer attack,” the adversary simply tries to identify as many records “marketer attack,” the adversary on a particular record or subset of as possible and does not focus records. and the HIPAA Privacy Rule). Demographic Data Sharing Via the HIPAA Privacy Rule identification. depends of risk varies from state to state and The degree public through voter information is available to the on what demographic registration records. about the re-identification scheme and the external data used to imple- about the re-identification scheme ment it. identifiers are removed, the percentage of a state’s population vulnerable the percentage of a state’s identifiers are removed, from 0.01% to was estimated to range to unique re-identification 0.25%. A 106 in accordance with that have been de-identified found that even records Rule specifications HIPAA Privacy \\jciprod01\productn\S\SMU\65-1\SMU103.txt addition, attackers are assumed to be private individuals rather than busi- addition, attackers are assumed to information about targeted data sub- ness entities that might have more jects. about patients, such as that found in voter registration records. about patients, such as that found re-identification in this case as ranging “from 0.01% to 0.19%.” re-identification in this case as ranging paper in which they assessed their own method of de-identification—con-paper in which they sistent with HIPAA’s statistical standard. 31670-smu_65-1 Sheet No. 57 Side B 04/12/2012 11:52:32 04/12/2012 B 57 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 58 Side A 04/12/2012 11:52:32 R R 168 172 . U. 107 M 170 LLUSORY I , 55 A Still, even HE available at 4-APR-12 14:10 167 ., T NST I Data subjects whose The authors asserted The authors OLICY Seq: 23 175 166 7 (2011), . P 1259, 1264 (2000). ECH Would race-based prescrip- , T 174 If patients are not asked to con- If patients are not ENETICS ONES . G 169 -J UM unknown ARTH . J. H B M For example, the genetic abnormalities 171 ANIEL Sorrell v. IMS Health Likewise, the FDA’s 2005 approval of the drug Likewise, the FDA’s 2005 approval & D 173 supra note 14, at 6–7. supra note 171, at 423. AKOWITZ ROBLEM IN Y Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing see also Sharona Hoffman, “Racially-Tailored” Medicine Unraveled ANE P Id. at 396–97. Id. at 424. Id. See discussion infra Part IV.D.2.b. See, e.g., Golle, supra note 150, at 77. Id.; . 395, 423–27 (2005). EV a. Group Stigmatization if researchers find that individuals Group stigmatization may occur While the potential for privacy breaches has received significant atten- for privacy breaches has received While the potential 173. Hoffman, 174. 175. 172. Roxana Moslehi, BRCA1 and BRCA2 Mutation Analysis of 208 Ashkenazi Jewish 166. J 167. 168. 169. 170. Rothstein, 171. M K RIVACY of privacy protections) has actually happened.” protections) has of privacy Women with Ovarian Cancer, 66 A a fraction of a percent of re-identification risk could mean that hundreds of re-identification risk could a fraction of a percent be vulnerable. de-identified records would of thousands of Americans’ sent to research that involves their EHRs, they will have no opportunity involves their EHRs, they will sent to research that to accept the risks of dignitary to determine whether they are willing harms. Professor Mark Rothstein has argued, these harms include As supporting medical developments group stigmatization, inadvertently and enabling commercial enter- that one finds morally objectionable, data subjects do not share. prises to garner large profits in which that because re-identification is very difficult to achieve, it may be possi- is very difficult to achieve, that because re-identification populations under unusual conditions.” ble “only for small www.techpolicyinstitute.org/files/ the%20illusory%20privacy%20problem%20in%20sorrell.pdf. with particular ancestry are more vulnerable to a specific illness than with particular ancestry are more with treatment that is different other groups or have better outcomes from standard therapy. When genetic testing was developed to identify the BRCA1 and BRCA2 When genetic testing was developed community became anxious that mutations, some members of the Jewish a flawed genetic makeup or as being Jews would be perceived as having unusually diseased. P 2012] 2. to Privacy Harms Not Related or autonomy of other possible harms to the dignity tion in the literature, concerns as well. patients have raised \\jciprod01\productn\S\SMU\65-1\SMU103.txt L. R de-identified information is used in research without their consent will de-identified information is used in research without their consent tions lead some to assume that African-Americans were biologically dif- tions lead some to assume that African-Americans to others? ferent from and measurably inferior BRCA1 and BRCA2 are associated with an increased risk of breast and BRCA1 and BRCA2 are associated commonly in Ashkenazi Jews. ovarian cancer and are found more BiDil only for African-Americans generated significant concern about BiDil only for African-Americans the implications of ethnopharmacology. C Y 31670-smu_65-1 Sheet No. 58 Side A 04/12/2012 11:52:32 04/12/2012 A 58 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 58 Side B 04/12/2012 11:52:32 R R R R M K C Y , BI- supra [Vol. 65 4-APR-12 14:10 181 However, when med- Seq: 24 179 Furthermore, according to a 25 (2010), available at www.pfizer.com/ 178 EPORT unknown R A patient who opposes abortion may find A patient who opposes 177 . 151, 164, 166 (2003). The Price of Innovation: New Estimates of Drug Develop- For example, research may reveal that particu- For example, research INANCIAL SMU LAW REVIEW and these profits are not shared with the re- and these profits are not shared CON 176 180 A 2008 Canadian study found that research partici- A 2008 Canadian study found that E ., 2010 F 182 NC EALTH supra note 14, at 7. I FIZER P See Miller, supra note 12, at 561 (“[S]ome individuals whose data are used might Id. See Greely, supra note 12, at 760–61 (providing the examples of research concern- See c. No Share in Commercial Profits can enable pharmaceutical Biomedical research, at its most successful, Informed consent forms often include language that explains the possi- Informed consent forms often include b. Moral Objections that some data sub- could also lead to outcomes Biomedical research 176. 179. David Thomas, Release of BIO/Biomedtracker Drug Approval Rates Study 181. Rothstein, 182. 177. 180. 178. Joseph A. DiMasi et al., search subjects who participated in the relevant studies. search subjects who participated in ical products are marketed, they can be very lucrative, generating billions ical products are marketed, they can of dollars of revenue, it abhorrent to have her medical file play a role in such research, even if it her medical file play a role in such it abhorrent to have a large database of de- to an automated query as part of is merely subject identified files. she will be Yet, without an informed consent process, given no choice in the matter. significant monetary rewards.and device manufacturers to enjoy How- success only after the investment ever, manufacturers achieve commercial product development and then only in of considerable time and money in a minority of instances. The cost of bringing a drug from initial clinical estimated at $802 million, and the pro- testing to FDA approval has been cess takes an average of 90.3 months. bility that the research sponsor or another party will benefit financially bility that the research sponsor or from the research. likely not have opportunities to opt out of studies that could conceivably studies that could to opt out of have opportunities likely not identify. of groups with which they strongly lead to stigmatization jects find unacceptable. 108 \\jciprod01\productn\S\SMU\65-1\SMU103.txt files/annualreport/2010/financial/financial2010.pdf (indicating that, in 2010, Pfizer earned files/annualreport/2010/financial/financial2010.pdf (indicating that, in 2010, Pfizer $10.733 billion from Lipitor, $1.928 billion from Viagra, and $1.718 billion from Effexor). study of clinical trial data from 2003 to 2010, only 10% of drugs actually study of clinical trial data from 2003 approval. progress from phase one trials to FDA lar fetal abnormalities can be discovered in-utero, and testing for the can be discovered in-utero, lar fetal abnormalities fetuses that they ultimately induce parents to abort abnormality may kept. would have otherwise pants were particularly concerned about their ability to consent if others pants were particularly concerned object to the purpose of the research.”). OTECH NOW (Feb. 15, 2011), www.biotech-now.org/events12011/021/release-of-biobi- omedtracker-drug-approval-rates-study/. ment Costs, 22 J. H ing “genetic associations with intelligence, violence, or sexual orientation or research into ing “genetic associations with intelligence, violence, or sexual orientation or research human evolution,” all of which might be offensive to some individuals); Rothstein, note 14, at 7. 31670-smu_65-1 Sheet No. 58 Side B 04/12/2012 11:52:32 04/12/2012 B 58 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 59 Side A 04/12/2012 11:52:32 R R . ED 109 4-APR-12 14:10 TUDIES , 9 BMC M Thus, manu- S 184 If patients are not If patients ASED 183 -B The Nuremberg Code Seq: 25 186 ¶ 1 (1949), available at http:// ECORD ODE . R C unknown UREMBERG note 2, at 118; Port, supra note 87, at S-5. , N note 87, at 471. The provision goes on to discuss the need to in- The importance of informed consent was initially EALTH 187 IV. INFORMED CONSENT H XPERIMENTATION VS 185 OF E . NSTS UMAN I Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing L ’ AT Id. 18, 27 (2008). A. H Informed consent undoubtedly has taken root as a normative compo- Informed consent undoubtedly has in research emerged from the A commitment to informed consent Because there is some possibility that record-based research will result Because there is some possibility that 183. Donald J. Willison et al., Alternatives to Project-Specific Consent for Access to Per- 184. Hoffman & Podgurski, supra 185. Sharona Hoffman, supra 186. 187. N M K THICS might gain financial benefits from use of their data. from use of their financial benefits might gain sonal Information for Health Research: Insights from a Public Dialogue ohsr.od.nih.gov/guidelines/nuremberg.html. nent of medical research. But, examining the origins of the doctrine concern was largely protecting reveals that, historically, the underlying interventions rather than against subjects against abusive experimental unwanted observational studies. Nazi doctors conducted brutal exper- ruins of World War II, during which iments on prisoners. 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt E facturers seeking to make large profits will still conduct studies for which to make large profits will still conduct facturers seeking who will in turn have gain the consent of participants they will need to decline enrollment. the opportunity to that data subjects should be given in harm to patients, some would argue to release their files for EHR studies. an opportunity to withhold consent of the informed consent doctrine and This Part will address the origins to EHR database studies.the appropriateness of applying it It makes the is sensible with respect to clinical case that obtaining informed consent but is generally unnecessary trials that involve human experimentation to accessing EHR databases.for research projects that are restricted As other safeguards that protect data we will argue in Part V of the Article, research should replace the subjects and are better suited to EHR-based informed consent framework. asked to consent, they cannot opt out no matter how strongly they object they cannot opt out no matter how asked to consent, to this possibility. extremely un- be noted, however, that it is It should entirely based on medical products will be developed likely that lucrative using EHRs.observational studies clinical trials Randomized, controlled standard for drug and device approval. remain the gold opens by stating that “[t]he voluntary consent of the human subject is opens by stating that “[t]he voluntary consent of the human subject absolutely essential.” recognized in the Nuremberg Code, the first major international docu- recognized in the Nuremberg Code, the first major international ment to provide guidelines on research ethics. form each subject of “the nature, duration, and purpose of the experi- ment” and of “the effects upon his health or person which may possibly C Y 31670-smu_65-1 Sheet No. 59 Side A 04/12/2012 11:52:32 04/12/2012 A 59 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 59 Side B 04/12/2012 11:52:32 R R R . M K 197 192 ED C Y Bel- M Spe- ERVICE [Vol. 65 S 198 4-APR-12 14:10 EALTH H ] (amended 2008). RINCIPLES FOR P UBLIC The studies contem- The studies This wording and the ELSINKI 189 THICAL H 188 Seq: 26 199 http://www.cdc.gov/tuskegee/ : E Under the Declaration of , U.S. P 193 ELSINKI though the consent mandate ap- though the consent H available at REVENTION 191 ECLARATION OF 194 unknown & P Several provisions of the Declaration de- Several provisions §§ 24–29, available at http://www.wma.net/en/30publi- (2011), 190 ONTROL SMU LAW REVIEW ECLARATION OF This project was undertaken in the wake of the This project was undertaken in the C D supra note 10; Hoffman, supra note 87, at 472–73. supra note 10, at Parts B.1, C.1. UBJECTS N , , ’ 195 USKEGEE S SS T ISEASE . A EPORT EPORT UMAN D ED supra note 87, at 474. R R H M FOR In the course of the study, researchers withheld penicillin In the course of the study, researchers . TUDY AT ORLD ELMONT TRS ELMONT 196 S Id. at C.1. Id. § 25. Id. See id. §1. Id. See id. ¶ 2 (providing for human consent in an “experiment,” not data collection). Id. NVOLVING identified “respect for persons” as one of three foun- Belmont Report identified “respect for persons” as . I In the United States, the National Commission for the Protection of In the United States, the National A second international document that embodies research ethics gui- document that embodies A second international 196. C 199. 192. 193. 194. 195. B 188. 189. 190. Hoffman, 191. W 197. 198. B ES YPHILIS plies only to personally identifiable medical data or biological material. identifiable medical data or plies only to personally from the subjects after it was proven to be effective in treating syphilis from the subjects after it was proven the natural course of the disease. because they wanted to learn about cations/10policies/b3/17c.pdf, [hereinafter D Helsinki, research utilizing de-identified data would not require consent, Helsinki, research utilizing de-identified for use of individually identifiable and further exceptions could be made data in appropriate circumstances. mont Report in 1979. Human Subjects of Biomedical and Behavioral Research issued the Human Subjects of Biomedical and dance, the Declaration of Helsinki, was adopted in 1964 and has been of Helsinki, was adopted dance, the Declaration since. revised multiple times S come from his participation in the experiment.” his participation come from The and demands that investigators dational principles for ethical research from all human subjects. obtain informed and voluntary consent 110 that “[t]here may be Declaration of Helsinki recognizes Furthermore, the to obtain for consent would be impossible or impractical situations where of the research.would pose a threat to the validity such research or In be done only after consideration and such situations the research may approval of a research ethics committee.” \\jciprod01\productn\S\SMU\65-1\SMU103.txt states: “Respect for persons requires that cifically, the Belmont Report states: “Respect for persons requires capable, be given the opportunity to subjects, to the degree that they are to them.” choose what shall or shall not happen plated by the Nuremberg Code, therefore, involve physical interventions Code, therefore, involve plated by the Nuremberg by the Nazis, rather such as the testing perpetrated that affect the body, queries at issue in this Article. than the database suggest that its primary con- historical backdrop of the Belmont Report than the collection of data from cern is clinical experimentation rather timeline.htm. R tail informed consent requirements, tail informed consent infamous Tuskegee syphilis trial.syphilis Tuskegee infamous 1932 until The trial took place from men, 399 of whom had 1972 and involved 600 African-American syphilis. 31670-smu_65-1 Sheet No. 59 Side B 04/12/2012 11:52:32 04/12/2012 B 59 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 60 Side A 04/12/2012 11:52:32 R 207 111 . 631, 642 EV 4-APR-12 14:10 . §(West 41-9-65 L. R NN IGHT . A OWA R But see Person v. Farm- Part V.B (discussing fur- The Supreme Court The Case for Public Own- . § 68-11-304(a)(1) (2011); ODE , 95 I NN 201 . C Seq: 27 A ISS ECORDS 205 ODE R However, the property status 200 . C 204 Belmont Report is beneficence, which en- ONSTITUTIONAL 202 ENN See discussion infra C EDICAL unknown see also Rodwin, supra note 41, at 588–89. M Similarly, Professor Barbara Evans calls Similarly, Professor Barbara Evans . § (“Medical information 151:21 (LexisNexis 2005) NN 208 Id. at B.3. . A ONTROL TAT . § 456.057(1) (West 2007); M BSENCE OF A . S C NN Id. at B.2. The third principle is justice, which requires that the A EV TO . § 44-115-20 (2002); T . A , 302 JAMA 86, 87 (2009); see also Mark A. Hall, Property, Privacy, HE NN A TAT supra note 41, at 609. supra note 41, at 589. . S . § 32.1-127.1:03A (West 2011); Young v. Murphy, 90 F.3d 1225, 1236 (7th Several state statutes and judicial decisions acknowledge that Several state statutes and judicial B. T supra note 203, at 642; Rodwin, supra note 41, at 588; Evans, supra note 107, ODE LA Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing NN F He proposed that clinicians, hospitals, and insurers be required He proposed that clinicians, hospitals, A 203 But see N.H. R See Evans, supra note 107, at 72–73 (noting ownership is left to state law and state See Id. Id. at 590. See Rodwin, supra note 41, at 587–88; Marc A. Rodwin, 206 ODE . C Recently, several scholars have posited that patients should not enjoy Recently, several scholars have posited Federal regulations that allow record-based research without consent that allow record-based research Federal regulations and lacks a clear data ownership is complicated The question of health 200. in the The second principle articulated 201. Rodwin, 202. 204. 206. Rodwin, 207. 208. 203. 205. Hall, M K A existing records for observational studies. for observational existing records by federal law to report de-identified patient data to public authorities by federal law to report de-identified that researchers could utilize. who would create aggregate databases healthcare providers own their records. compasses the mandates to “do no harm” and to “maximize potential benefits” while mini- compasses the mandates to “do no harm” mizing risks in research. fairly and that selection procedures for human benefits and risks of research be distributed subjects be sound and impartial. ther the concepts of beneficence and justice). (2010). an absolute ownership right to their health information.an absolute ownership right to their example, For “treating patient data as private Professor Marc Rodwin argued against forming comprehensive databases re- property [because it] precludes important public health and safety quired for many of . . . [the] most uses.” would likely not violate any constitutional rights. would likely not answer. of generally considered to be the property Medical records are than the property of hospitals that create them rather the physicians and patients. Rodwin believes that patient data should be treated as public property Rodwin believes that patient data rather than private property. 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt Cir. 1996); Holtkamp Trucking Co. v. Fletcher, 932 N.E.2d 34, 44 (Ill. App. Ct. 2010); Cir. 1996); Holtkamp Trucking Co. v. Fletcher, 932 N.E.2d 34, 44 (Ill. App. Ct. Estate of Finkle, 395 N.Y.S.2d 343, 344, 552 (N.Y. Surr. Ct. 1977). V of a patient’s health data, as opposed to any physical or electronic records of a patient’s health data, as opposed ambiguous. containing such data, is far more has not found that patients have either a property right or a privacy right patients have either a property has not found that medical records. associated with their contained in the medical records at any facility licensed under this chapter shall be deemed to be the property of the patient.”). 2007); S.C. C courts have issued inconsistent holdings); ers Ins. Grp. of Cos., 61 Cal. Rptr. 2d 30, 31 (Cal. Dist. Ct. App. 1997) (finding that health ers Ins. Grp. of Cos., 61 Cal. Rptr. 2d 30, 31 (Cal. Dist. Ct. App. 1997) (finding that records belong to the patient). at 72–74. ership of Patient Data and the Pursuit of Interconnected Electronic Medical Records C Y 31670-smu_65-1 Sheet No. 60 Side A 04/12/2012 11:52:32 04/12/2012 A 60 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 60 Side B 04/12/2012 11:52:32 M K 218 C Y [Vol. 65 and deter- 4-APR-12 14:10 212 ONSENT C Although the results 216 Seq: 28 62, 69 (2008) (finding that most 213 EGARDING The Court explicitly declined to The Court explicitly IOETHICS R supra at 373–74. 211 . J. B unknown At the same time, empirical data sug- At the same time, empirical data M NASA v. Nelson, the In a 2011 case, 214 210 , 8 A Of those wanting to know about research Of those wanting to know about Patients’ Views on Identifiability of Samples and In- REFERENCES 219 SMU LAW REVIEW ’ P 215 supra note 9, at 268. , ATIENTS EPORT supra note 107, at 77. The U.S. study, conducted through telephone interviews of The U.S. study, conducted through 209 C. P at 763–64. 217 Id. at 65. Id. at 119. Id. at 81–86. Id. at 756–57. Id. at 757. Id. Patient Consent Preferences for Research Uses of Information in Electronic Medical Two studies, one from the United States, and one from Canada, found Two studies, one from the United According to the IOM, public opinion polls show that “a significant According to the IOM, public opinion determine patient preferences as to Several empirical studies sought to Furthermore, the Supreme Court has never recognized a constitutional Supreme Court has never recognized Furthermore, the 218. Hull et al., supra note 217, at 64. 219. 215. 216. 217. Sara Chandros Hull et al., 209. Evans, 210. NASA v. Nelson, 131 S. Ct. 746, 748 (2011). 211. 212. 213. 214. IOM R 1,193 patients, focused on research using samples of genetic material. 1,193 patients, focused on research are inconclusive, a review of a few of them can be illuminating. are inconclusive, a review of a few consent and often do not distinguish that patients prefer to be asked for data for purposes of their re- between identifiable and de-identified sponses. patients surveyed did not differentiate between identifiable and non-identifiable genetic patients surveyed did not differentiate between identifiable and non-identifiable et samples and questioning whether the regulatory distinction is useful); Donald J. Willison al., Records: Interview and Survey Data, 326 BMJ 373, 375 (2003) (noting a “lack of distinction between identifiable and anonymised information” in the minds of survey participants). the The Canadian study involved 123 patients, seventeen of whom were interviewed, while remainder completed surveys. Willison et al., formed Consent for Genetic Research involving either identifiable or anonymized samples, 57% would require involving either identifiable or anonymized 43% would be content with notifica- that their permission be sought, and portion of the public would prefer to control all access to their medical portion of the public would prefer records via informed consent.” to research studies that will in- whether they should be asked to consent medical files. volve only an examination of their right to informational privacy. right to informational for a debate about “appropriate public uses of private data and how best of private data public uses about “appropriate for a debate individuals’ uses while adequately protecting to facilitate these interests.” wanted to know about research if their It found that 81% of respondents 72% wished to be informed if the sam- samples would be identifiable, and ples would be anonymous. 112 \\jciprod01\productn\S\SMU\65-1\SMU103.txt mined that if it did, the government’s inquiries during employment back- the government’s inquiries during mined that if it did, not violate that right. ground checks would determine whether a right to informational privacy exists a right to informational privacy determine whether gests that a majority of Americans are supportive of medical research and gests that a majority of Americans recognize its benefits. Supreme Court noted that the lower courts have issued inconsistent rul- that the lower courts have issued Supreme Court noted purported right. ings concerning this 31670-smu_65-1 Sheet No. 60 Side B 04/12/2012 11:52:32 04/12/2012 B 60 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 61 Side A 04/12/2012 11:52:32 113 , 14 J. 4-APR-12 14:10 226 Only 13% of 230 404, 407 (2007). Assurances about ano- Seq: 29 It also specified the pur- ARE 231 C 229 The questionnaire clearly stated EALTH H 228 unknown AFETY The study concluded that the majority of The study concluded & S With respect to automated abstraction, 27%, With respect to 224 706, 707 (2007). N 223 ’ UALITY SS A It is noteworthy, however, that 68% agreed to some de- It is noteworthy, however, that 68% Twenty-four percent indicated they would be satisfied Twenty-four percent 225 222 With respect to use of data directly from medical records, use of data directly from medical With respect to 220 Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing NFORMATICS 221 This study examined responses from 166 patients who recently This study examined responses from . I Id. at 404 Id. at 405. Id. at 405–06. Id. at 406. Id. at 66. Id. at 708. Id. Id. at 709. Id. at 710. Id. at 708. ED 227 . M By contrast, a British study concluded that a majority of patients were By contrast, a British study concluded The Canadian study asked 1,230 adults for their reaction to (1) use of asked 1,230 adults for their reaction The Canadian study The disparate results make it difficult to draw definitive conclusions The disparate results make it difficult 228. 229. 230. 231. 220. 221. Donald J. Willison et al., Alternatives to Project-Specific Consent for Access to Per- 222. 223. 224. 225. 226. 227. Bruce Campbell, Extracting Information from Hospital Records: What Patients M K M tion alone. gree with the statement: “Research that could be beneficial to people’s gree with the statement: “Research people’s privacy.” health is more important than protecting as opposed to 12%, were comfortable with use of information without were comfortable with use of as opposed to 12%, permission or notification. 60% of respondents felt that their permission should be obtained, though felt that their permission should 60% of respondents rather than gen- wished for project-by-project consent only half of those eral consent. had been discharged from a hospital. A sonal Information for Health Research: What Is the Opinion of the Canadian Public? that doctors, rather than other parties, would access the data in patient that doctors, rather than other parties, form. records and would use it in anonymous willing to share their data without being asked for consent when no iden- willing to share their data without other than their treating physi- tifiers would be disclosed to parties cians. data directly from their medical files, and (2) automated abstraction of their medical files, and (2) automated data directly from would not be with assurances that direct identifiers data from their EHRs collected. 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt with notification alone, and 12% believed that neither notification nor alone, and 12% believed that neither with notification permission was needed. Think About Consent, 16 Q patients questioned indicated that they would definitely want to be asked patients questioned indicated that records. for permission to use their medical nymity, restriction of access to doctors alone, and the constructive pur- nymity, restriction of access to doctors used may account for the high degree poses for which the data would be without burdening physicians of patient willingness to share information with consent requirements. from studies concerning patient preferences and attitudes.discrep- The poses for which the information would be used, including clinical audits, poses for which the information would treatment outcomes in different hospi- research, training, comparison of in medical journals. tals, and publications about diseases patients “wished to maintain some level of control over the use of their patients “wished to maintain some information.” C Y 31670-smu_65-1 Sheet No. 61 Side A 04/12/2012 11:52:32 04/12/2012 A 61 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 61 Side B 04/12/2012 11:52:32 R M K 232 C Y [Vol. 65 By one PIDEMIOL- The stud- 240 4-APR-12 14:10 , 15 E 233 237 136 (3d ed. 2008). The term “selection In addition, contacting This could happen if a 239 Seq: 30 236 ONSENT 241 C PIDEMIOLOGY This section argues against rou- E 238 unknown ODERN ., M ROUBLE WITH T A Structural Approach to Selection Bias SMU LAW REVIEW HE supra note 9, at 79 (“[H]ow the questions and responses are , ´ supra note 9, at 201; Miller, supra note 12, at 560. supra note 9, at 201; Miller, supra note 12, at 560. supra note 9, at 209; Miller, supra note 12, at 560. D. T OTHMAN ET AL , , , EPORT supra note 12, at 565 (“[P]ublic education is important to explain the 235 J. R EPORT EPORT EPORT However, the studies’ outcomes suggest that, with further ed- outcomes suggest that, with However, the studies’ supra note 12, at 1789–93. IOM R Miller 234 ENNETH See Id. at 70. Id. at 201. See 615, 615 (2004). While consent requirements promote patient autonomy and may be fa- While consent requirements promote One major difficulty with informed consent is that it leads to selection One major difficulty with informed a. Selection Bias vs. Confounding used to select subjects and Selection biases result from procedures 241. IOM R 237. Cate, 238. IOM R 239. K 232. 233. 234. 235. 240. Miguel A. Hernan et al., 236. IOM R ucation about the benefits of comprehensive data collection for research benefits of comprehensive data ucation about the privacy, patients may implemented to protect and about the safeguards advances (from which willing to prioritize medical become increasingly the record-based re- over concerns about risks in they too can benefit) search context. ies also reveal some degree of confusion and ambivalence on the part of degree of confusion and ambivalence ies also reveal some patients. thousands or millions of patients who are included in a database can be a thousands or millions of patients who undertaking for researchers and very expensive and time-consuming studies to proceed. might make it impossible for many worded and framed can significantly influence the results and their interpretation.”). OGY vored by patients, they can also interfere with the scientific integrity of vored by patients, they can also interfere the research enterprise. Consent requirements can result in selection bias outcomes. that can actually invalidate research ancies may stem from the phrasing of questions in the different studies in the different phrasing of questions stem from the ancies may 1. Bias Informed Consent Can Lead to Selection bias, which can skew research results. 114 between the populations of participants. and from variation \\jciprod01\productn\S\SMU\65-1\SMU103.txt definition, selection bias occurs when those who decide to consent to par- definition, selection bias occurs when of individuals who are not repre- ticipate in research constitute a subset of interest. sentative of the patient population disproportionate number of people of one ancestry or economic class opt disproportionate number of people of one ancestry or economic class out of a study. with certain behavior It can likewise happen if individuals bias” is used to describe subtly different kinds of study biases. bias” is used to describe subtly different tinely granting data subjects a choice concerning inclusion of their tinely granting data subjects a unacceptable risk of selection bias. records in research because of the participation. from other factors that affect study rationale for access to medical records for research without consent and the safeguards in rationale for access to medical records for research without consent and the safeguards place to protect private information from being misused.”). 31670-smu_65-1 Sheet No. 61 Side B 04/12/2012 11:52:32 04/12/2012 B 61 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 62 Side A 04/12/2012 11:52:32 R 245 243 , 58 115 For 248 4-APR-12 14:10 Seq: 31 Once the nature and magnitude 247 300, 306 (2003). 249 For example, doctors’ concerns about unknown Thus, researchers may seek a group of Thus, researchers may seek a group 251 265, 265 (2004). 246 Consequently, using results from the study Consequently, using “Classical” confounding occurs when the val- “Classical” confounding occurs when PIDEMIOLOGY EALTH 242 250 A Definition of Causal Effect for Epidemiological Research Quantifying Biases in Casual Models: Classical Confounding vs . H supra note 239, at 146–47. , 14 E ., ´ supra note 9, at 209; Miller, supra note 12, at 560. supra note 9, at 209–11. MTY , , & C EPORT EPORT These studies typically assess whether a certain treatment has These studies typically assess whether Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing 244 OTHMAN ET AL Id. Id. Id. at 147. See id. Id. PIDEMIOLOGY If the process of obtaining patients’ informed consent to participate in obtaining patients’ informed consent If the process of In causal effect studies, researchers may consider confounding bias In causal effect studies, researchers However, in one type of medical research, known as causal effect stud- However, in one type of medical research, 247. 248. 249. 250. Sander Greenland, 251. 245. 246. R 243. IOM R 244. Miguel A. Hernan, 242. IOM R M K traits that might be pertinent to a study—such might be pertinent traits that habits, as diet, smoking and exercise—disproportionatelyalcohol or drug consumption, opt out. bias, then the con- is subject to this kind of selection a research study sample of the popula- not comprise a representative senting patients will study. tion targeted for Collider-Stratification Bias a beneficial causal effect on patients with a particular condition or a beneficial causal effect on patients harmful causal effect on individuals. whether a certain exposure has a J. E (confounding) to be a greater threat than selection bias to the validity of (confounding) to be a greater threat causal effect estimates. In such a study, use of a representative sample of subjects from a broad In such a study, use of a representative study’s internal validity, due to vari- population may actually threaten the or exposure and the outcome ations in factors other than the treatment (e.g., genetic abnormalities). 2012] of consenters to the will not generalize from the set That is, the estimates target population. statistics is often not the primary ies, accurately estimating population concern. \\jciprod01\productn\S\SMU\65-1\SMU103.txt ues of certain variables, called confounders, influence both whether indi- ues of certain variables, called confounders, influence both whether they viduals receive a treatment or exposure under study and whether exhibit the outcomes of interest. example, although the causal link between smoking and lung cancer was example, although the causal link of men, the link was assumed by ex- established mainly through studies on the physiological similarity be- perts to exist in women also, based tween the lungs of women and men. of a causal effect is established using such a group, researchers may seek of a causal effect is established using diverse population either by reasoning to generalize the results to a more or by conducting an empirical study from existing knowledge and theory of the population. with a sample of subjects that is representative population to estimate measures of interest, such as disease prevalence or measures of interest, such as population to estimate that differ systemati- effect, will tend to yield estimates average treatment target population. values of these measures for the cally from the true study subjects that is relatively homogeneous, except that some are study subjects that is relatively not. treated or exposed and others are C Y 31670-smu_65-1 Sheet No. 62 Side A 04/12/2012 11:52:32 04/12/2012 A 62 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 62 Side B 04/12/2012 11:52:32 R R M K 263 C Y [Vol. 65 supra note ´ an, 4-APR-12 14:10 is one that On the other 262 257 Seq: 32 261 Elderly, feeble patients who may Elderly, feeble patients If they did take the study drug and If they did take 253 Such a practice would result in con- Such a practice unknown 254 252 Moreover, noncompliance and loss to fol- Moreover, noncompliance and loss note 239, at 202. 258 SMU LAW REVIEW supra note 239, at 488. ., 255 supra supra note 239, at 136. ., ., 259 because only patients who consent to participate will be because only patients who consent 260 OTHMAN ET AL R OTHMAN ET AL OTHMAN ET AL Randomized treatment assignment, when feasible, tends to pre- Randomized treatment assignment, See supra notes 244–50, 260–64 and accompanying text (discussing causal effect See Id. at 185. Id. at 136–37 (distinguishing confounding from selection bias); Hern See id. See id. See id. Id. at 58. Id. at 88–89 (discussing randomization). 256 The selection bias at issue, also called “collider bias,” The selection bias at issue, also Informed consent itself cannot be a confounding variable in a causal Informed consent itself cannot be In an observational study, if all potential confounding variables are study, if all potential confounding In an observational 260. 252. 261. R 262. 263. 253. 254. 255. 256. 257. 258. Stewart et al., supra note 79, at w181. For additional discussion of observational 259. R vent confounding because randomization helps to ensure that the subjects vent confounding because randomization are similar with respect to the values in the treatment and control groups even unknown ones. of potential confounding variables, involves selection based on a common causal effect of two factors. involves selection based on a common effect study known and are accurately measured, adjustments can be made during sta- measured, adjustments can known and are accurately confounding of the results that reduce or eliminate tistical analysis bias. side effects of a new treatment may influence them to favor it for them to may influence of a new treatment side effects have better outcomes patients who are likely to younger, more robust frail patients. than older, more a group of subjects who received a Like confounding, this bias can cause not treatment or exposure to differ from the control group, which did 116 \\jciprod01\productn\S\SMU\65-1\SMU103.txt included in the study. That is, consent status is fixed and not a variable at all among the participants.think that seeking in- Therefore, one might allowing them to decline to participate formed consent from subjects and studies.is not problematic for causal effect However, while informed it can still produce a type of selection consent will not cause confounding, whether a certain treatment or bias that makes it difficult to determine exposure has a causal effect on patients. studies). trials, see supra Part III. hand, lack of generalizability to actual patient populations is a recognized hand, lack of generalizability to actual which EHR-based observational re- limitation of many randomized trials, search is meant to address. not do well with any therapy, including the one at issue, are unlikely to any therapy, including the one at not do well with in question. receive the treatment their poor outcomes were to be considered, the study drug would likely were to be considered, the study their poor outcomes appear less successful. founding because it would make the new treatment appear far more ef- it would make the new treatment founding because than it really is. fective on average low-up may cause substantial confounding and selection bias even in low-up may cause substantial confounding randomized trials. 244, at 267. 31670-smu_65-1 Sheet No. 62 Side B 04/12/2012 11:52:32 04/12/2012 B 62 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 63 Side A 04/12/2012 11:52:32 117 As we 264 4-APR-12 14:10 Seq: 33 unknown supra note 239, at 186. ., Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing OTHMAN ET AL not increase the risk of heart attacks.errone- may investigators The Consider, for example, a retrospective EHR-based cohort study under- a retrospective EHR-based Consider, for example, have consented to use of their All subjects in the study cohort must in- Observe that in this hypothetical scenario consent status is causally 264. R M K receive it, in ways that seriously distort causal effect estimation. distort causal in ways that seriously receive it, will illustrate, this kind of selection bias could arise in an EHR-based kind of selection bias could arise will illustrate, this use of their EHRs decisions about permitting research study if patients’ the treatment two factors, one of which also influences are influenced by which influences the later studied and the other of or exposure variable outcome variable. diet medication if taking a certain heavily advertised taken to determine risk of heart attack.increases a person’s the public, Suppose that, among medication and the of individuals using the both the probability their EHRs increase consenting to research uses of probability of them and other favorable publicity. with television viewing, due to advertising it is not considered in the study, Suppose also that chronic stress, though attack but decreases the likelihood increases individuals’ risk of heart uses of their EHRs.that they will consent to research Assume that, for among the public is positively these reasons, use of the diet medication and with consent, but it is negatively correlated with television viewing correlated with chronic stress. medication is nega- Thus, non-use of the and with consent, but it is posi- tively correlated with television viewing tively correlated with chronic stress. Note that these are statistical neither using the diet medication associations, not causal relationships; to cause or prevent television viewing, nor avoiding it should be assumed consent, or chronic stress. Finally, assume there is no one factor that is a not using, the diet medication and of common cause of both using, or having, or not having, a heart attack.hypo- this in influences causal The the causal diagram in Figure 1. thetical scenario are illustrated by EHRs in research. Due to the aforementioned correlations, consenters more likely to suffer chronic stress who took the diet medication were the medication.than consenters who did not take con- of causes two The of chronic stress.sent are television viewing and absence Consenters who likely to watch television and hence did not take the medication were less more likely to be free of chronic stress. that the diet medication Assume does ously come to the opposite conclusion when they compare the outcomes of the subjects who used the medication to the outcomes of the subjects suf- who did not use it, because, unknown to the researchers, the users fered more heart attacks due to chronic stress. using fluenced (positively) by television viewing, which is also a cause of the diet medication, and is causally influenced (negatively) by chronic stress, which is also a cause of heart attacks.bias selection to led This that falsely indicated that the medication caused heart attacks.hy- This in- pothetical scenario illustrates how subject selection influenced by 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt C Y 31670-smu_65-1 Sheet No. 63 Side A 04/12/2012 11:52:32 04/12/2012 A 63 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 63 Side B 04/12/2012 11:52:32 M K 265 C Y [Vol. 65 4-APR-12 14:10 Heart Stress Attack Chronic – Seq: 34 Thus, usually, only the In addition, many patients 269 268 The authors found major selection – 266 unknown . 1414, 1415 (2004). Consent Informed ED SMU LAW REVIEW . J. M NG + E EW TV Use ++ This skewing occurred because nurse coordinators had diffi- Viewing Medication Id. at 1416–17. Id. at 1419. Id. Id. 267 In a different research project, 876 Irish patients with ischaemic heart b. Evidence Selection Bias Is Confirmed by Empirical bias is not merely a theoretical Several studies confirm that selection 265. Jack Tu et al., Impracticability of Informed Consent in the Registry of the Canadian 266. 267. 268. 269. culty obtaining consent from grieving or very distressed families of culty obtaining consent from grieving or very distressed families patients who had died or were critically ill. Stroke Network, 350 N healthiest patients with the best prognosis provided consent. to disease returned questionnaires that included a request for consent Nurse coordinators obtained consent from approximately 3,100 patients, Nurse coordinators obtained consent most often inability to contact the and the reasons for non-consent were patient rather than explicit refusal. Diagram indicating causal influences among variables in example scenario Figure 1: Diagram indicating causal influences among consent.illustrating selection bias due to informed indicates positive influ- Plus sign ence; minus sign indicates negative influence. effect estimate because of collider formed consent can distort a causal bias. problem. For instance, one study focused on the Registry of the Cana- twenty Canadian hospitals. dian Stroke Network, which includes 118 \\jciprod01\productn\S\SMU\65-1\SMU103.txt could not provide consent because of impairments resulting from their could not provide consent because of impairments resulting from strokes, and no surrogates were available. biases because of the consent requirement. Specifically, “the in-hospital patients was only 6.9%, which is much mortality rate among the enrolled among all patients with stroke in Ca- lower than the true mortality rate nada.” 31670-smu_65-1 Sheet No. 63 Side B 04/12/2012 11:52:32 04/12/2012 B 63 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 64 Side A 04/12/2012 11:52:32 119 4-APR-12 14:10 Analysis of these 271 The investigators found The investigators Seq: 35 272 , 338 BMJ b866, b873 (2009) (reviewing , discusses several additional studies Of these, 574, or 65.5%, signed the 574, or 65.5%, Of these, unknown Therefore, future studies cannot easily Therefore, future studies cannot 270 274 The IOM concluded that the HIPAA Privacy Rule’s The IOM concluded that the HIPAA supra note 9, at 209–12. , 276 275 1116, 1117–18 (2007). EPORT Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing 273 EART Id. at 216. Id. at 1118. Id. Id. at 1119. A review of literature about selection bias, however, concluded that no about selection bias, however, A review of literature In addition to generating selection bias, consent requirements can be In addition to generating selection a. Consent Options EHR databases could be sought in Consent for research drawing upon First, data subjects could be asked to consent generally to use of their Beyond the HIPAA Privacy Rule: Enhancing Privacy, An IOM Report, Beyond the HIPAA Privacy Rule: 276. 270. Brian Buckley et al., Selection Bias Resulting from the Requirement for Prior Con- 275. IOM R 271. 272. 273. 274. Michelle Kho et al., Written Informed Consent and Selection Bias in Observational M K participate in further research. participate sent in Observational Research: A Community Cohort of People with Ischaemic Heart Dis- sent in Observational Research: A Community Cohort of People with Ischaemic Heart ease, 93 H consent form and agreed to participate in the future. consent form and seventeen published studies and finding “authorisation bias in studies requiring informed consent for use of data from medical records”). Studies Using Medical Records: Systematic Review clear factors, such as age, sex, socio-economic status, or medical history, clear factors, such as age, sex, socio-economic of which patients would agree or de- emerged as consistently predictive cline to participate in studies. 2.Be Costly and Burdensome Obtaining Informed Consent Can for investigators.very expensive and work-intensive can they Therefore, or even make them impossible to significantly hinder research projects pursue. a variety of ways. has its own shortcomings Each mechanism, however, and risks. records in observational studies. Thus, subjects would be asked to pro- 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt patients’ records revealed that their willingness to be involved in further revealed that their willingness to patients’ records (1) a prior surgical with four distinctive predictors: research correlated (3) lower (2) lower blood pressure measurements, cardiac intervention, and (4) being an ex-smoker. cholesterol levels, clear indications of selection bias and concluded that if consent is re- of selection bias and concluded clear indications of individuals may consist disproportionately quired, study populations have previously bene- healthy lifestyle decisions, who “who have made are already well or those whose clinical risk factors fited from healthcare managed.” control for specific factors to combat the problem of selection bias. control for specific factors to combat Improving Health Through Research of selection bias. requirement of patient authorization for use of identifiable health infor- requirement of patient authorization and jeopardizes the validity of re- mation generates biased study samples search outcomes. C Y 31670-smu_65-1 Sheet No. 64 Side A 04/12/2012 11:52:32 04/12/2012 A 64 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 64 Side B 04/12/2012 11:52:32 R R M K C Y Re- 282 [Vol. 65 4-APR-12 14:10 supra note 183, at This would be This would supra note 183, at 19. 277 Seq: 36 Numerous commentators ar- 1505, 1505 (2009) (“Still others argue 283 If investigators had to re-contact For example, research concerning For example, research ANCER 281 unknown 278 . J. C note 146, at 22–26;al., et Willison RIT 279 SMU LAW REVIEW , 101 B If research enrollment requests come as one of dozens of e- If research enrollment requests Such a requirement, however, would be unworkable. Such a requirement, however, The See supra Part IV.D.1.a. See Kosseim & Brady, supra Id. at 25. Id. at 20, 24. See Hoffman, supra note 87, at 484–87. 284 280 However, other methods of contacting subjects, such as by mail or tele- To save time and money, investigators might consider automating con- To save time and money, investigators In the alternative, to maximize data subject autonomy, investigators to maximize data subject autonomy, In the alternative, 278. 279. E. Vermeulen, A Trial of Consent Procedures for Future Research with Clinically 277. 280. Kosseim & Brady, supra note 146, at 20–22;al., et Willison 281. Kosseim & Brady, supra note 146, at 9 n.11. 282. 283. 284. mails that individuals receive each day and if patients are not alerted to mails that individuals receive each more personal contact, they may the importance of their decision through or clicking on a box without giving well default to ignoring such messages the matter significant thought. phone, may endanger privacy and exacerbate selection bias. Patients databases of de-identified EHRs or federated systems that we envision databases of de-identified EHRs would include millions of records. search staff might spend more time seeking permission from patients than search staff might spend more time health outcomes. actually conducting research to improve electronic messages about proposed sent so that subjects would receive electronically to indicate their studies and would be asked to respond records included.agreement or refusal to have their to rate response The to be unsatisfactory, and many may e-mail solicitations, however, is likely deprives patients of the opportu- feel that such an impersonal approach nity to provide truly meaningful consent. Derived Biological Samples 19. psychiatric conditions or HIV might be obstructed because individuals or HIV might be obstructed psychiatric conditions privacy leaks and po- are particularly worried about with these conditions refuse to allow their and, thus, disproportionately tential stigmatization, in databases.records to be included the nature of In addition, because that subjects who are is unknown, it is arguable future research projects make an in- on a one-time basis cannot realistically asked for consent choice. formed, meaningful could obtain consent for each separate research project from all data sub- for each separate research project could obtain consent jects. vide broad consent for all future, unspecified studies. future, unspecified consent for all vide broad 120 \\jciprod01\productn\S\SMU\65-1\SMU103.txt the least burdensome option for investigators but could nevertheless in- option for investigators but the least burdensome selection bias. troduce significant every data subject for permission before conducting each study, many re- every data subject for permission or time-consuming to pursue. search projects could be too costly that informing patients about future research with tissue is impossible, even in basic terms, that informing patients about future research with tissue is impossible, even in basic and that consent cannot be truly ‘informed’”). gue that even more formal and extensive informed consent procedures gue that even more formal and extensive often make decisions about participa- are deeply flawed and that subjects or comprehension of the data they are tion without sufficient information given. 31670-smu_65-1 Sheet No. 64 Side B 04/12/2012 11:52:32 04/12/2012 B 64 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 65 Side A 04/12/2012 11:52:32 293 287 121 This op- 4-APR-12 14:10 290 288 Whoever han- 285 Large numbers of indi- Seq: 37 291 unknown In addition, patients who know the pre- In addition, patients 286 (Feb. 17, 2011, 10:09 AM), www.thehastingscenter.org/ To illustrate, they could indicate that they do To illustrate, they could indicate For example, it may be difficult to determine in 289 ORUM supra note 9, at 209. 294 F , supra note 9, at 252. , 292 EPORT supra note 289. IOETHICS EPORT Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing IOM R Id. at 103. Id. at 251–52. Id. Id. at 102; Mark A. Rothstein, Debate of Patient Privacy Control in Electronic See supra Part IV.D.1 (discussing selection bias). See Willison et al., supra note 221, at 707. Id. at 711. See Alternatively, patients could describe outcomes they wish to avoid by Alternatively, patients could describe Several middle-ground options exist as well.Several middle-ground options exist sub- data example, For 286. 287. 288. 289. 285. IOM R 292. 293. 294. 290. Rothstein, 291. M K would need to be re-identified each time consent is sought for individual is sought each time consent to be re-identified would need records, which would identities would be linked to their studies, and their according to their preferences. be included or excluded stating that they wish to be excluded from studies that might promote stating that they wish to be excluded for pharmaceutical companies. abortion or result in commercial profits jects might be permitted to describe particular categories of studies from jects might be permitted to describe excluded, and their choices would be which they want their data to be included in their EHRs. However, it will likely be impossible for researchers to predict which However, it will likely be impossible outcomes that are objectionable studies will ultimately lead to particular to specific individuals. 2012] contacted by inves- by which patients are frequently Moreover, a process of inclusion, may consent, and reminded of the risks tigators, asked for participation and en- anxious about research make patients needlessly of their records. courage them to refuse to allow inclusion \\jciprod01\productn\S\SMU\65-1\SMU103.txt tion may also create significant selection bias. tion may also create significant selection bioethicsforum/post.aspx?id=5139. dles the consent communication would therefore be able to scrutinize communication would therefore dles the consent to eavesdropping data, and the data could be subject identifiable medical intruders. by hackers or other viduals may decline to participate because they have the condition at viduals may decline to participate these are precisely the individuals issue and fear being identified, but whose records might be most valuable. Similarly, individuals may dispro- because of specific political, cultural, portionately withhold their records from the study population may skew or other beliefs, and their absence research results. not want their data used in studies concerning genetic abnormalities or not want their data used in studies psychological illnesses. Combing through all data subjects’ records to de- would be a very work-intensive task termine their preferences, however, could be fully automated. for researchers unless the function cise nature of each project for which they are asked to allow use of their project for which they are asked cise nature of each feelings about the deny permission based on their records may selectively health problems. they believe it is to their own study or how relevant advance whether a research project will ultimately lead to a genetic dis- advance whether a research project will ultimately lead to a genetic Health Records, B C Y 31670-smu_65-1 Sheet No. 65 Side A 04/12/2012 11:52:32 04/12/2012 A 65 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 65 Side B 04/12/2012 11:52:32 R R M K 296 298 C Y [Vol. 65 4-APR-12 14:10 80, 90 (2006). it is possible that politi- Seq: 38 . 681, 702 (2007).articles These Ensuring the Privacy and Confi- When Iceland adopted a 303 EV But sequestering such data But sequestering 301 NNOVATION . L. R 297 , 1 I LL These might include sensitive infor- These might include unknown 295 In the United States, if CER is enthusi- , 2007 U. I Without these details, the other data con- Without these details, 302 299 SMU LAW REVIEW . 8, 51–52 (2002); David E.Winickoff, Genome and Nation: ECH See generally Terry & Francis, supra; Rothstein, supra note 289. In addition, opting out could be made difficult so that In addition, opting out could be supra note 289. 300 . J.L. & T A see also Nicolas P. Terry & Leslie P. Francis, Id. at 23. See supra note 83 and accompanying text (discussing the Obama Administration’s Id.; See Rothstein, supra note 289. Id. Yet another approach would be to allow subjects to refuse disclosure of would be to allow subjects to Yet another approach Arguably, the least damaging alternative would be presumed consent Arguably, the least damaging alternative 301. 302. Jamaica Potts, At Least Give the Natives Glass Beads: An Examination of the Bar- 303. 295. Rothstein, 296. 297. Terry & Francis, supra note 296, at 702; Rothstein, supra note 289. 298. 299. 300. Willison et al., supra note 183, at 19. gain Made Between Iceland and DeCODE Genetics with Implications for Global Biopros- pecting, 7 V only those who are truly committed to having their records excluded pur- only those who are truly committed sue it. checking a box, individuals may be re- To illustrate, rather than may be asked to renew their opt-out quired to write out a request and their decisions.indication annually so that they revisit Although this ap- described above, it still raises con- proach is more appealing than those cerns about data integrity. Supplying an opt-out choice could be quite subjects were to be given the option burdensome for researchers if data for each separate study. Even a general opt-out choice that covered all bias. EHR studies could lead to selection cal opponents, media personalities with political agendas, and others who cal opponents, media personalities will encourage large numbers of are suspicious of government initiatives the quality of research databases. followers to opt out, thus diminishing mation such as psychiatric conditions, HIV status, or sexual history. conditions, HIV status, mation such as psychiatric covery that could cause some women to abort fetuses because of genetic fetuses because women to abort could cause some covery that became detectable. abnormalities that of information. certain categories 122 designated parts of would agree to have all but the Thus, data subjects to researchers. their records accessible conditions, and history, such as HIV status, psychiatric Details of medical outcomes of various may well be relevant to the reproductive problems, records should be or to deciding whether a subject’s biomedical studies place. included in the first \\jciprod01\productn\S\SMU\65-1\SMU103.txt discuss the option of allowing patients to sequester data in their EHRs in the clinical set- discuss the option of allowing patients to sequester data in their EHRs in the clinical ting so that it will be hidden from other clinicians; the papers do not address research questions specifically. support for CER). presumed consent and opt-out approach for inclusion of records in the presumed consent and opt-out approach at least 7% of the population, or country’s Health Sector Database, 20,200 individuals, opted out. would surely compromise the integrity of studies in some instances. the integrity of studies would surely compromise astically promoted by government authorities, astically promoted by government tained in an EHR may at times be essentially meaningless. tained in an EHR may at times be with an opt-out opportunity. Records would be available to researchers specifically requested that her record as a default unless the data subject be excluded. Iceland’s Health Sector Database and Its Legacy dentiality of Electronic Health Records 31670-smu_65-1 Sheet No. 65 Side B 04/12/2012 11:52:32 04/12/2012 B 65 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 66 Side A 04/12/2012 11:52:32 R ER- 123 , 298 S Other 312 EALTH 305 4-APR-12 14:10 306 In addition, of A British study , 14 J. H 307 308 In a U.S. study, 2,228 Seq: 39 309 Yet another study focused on e215, e217–18 (2010). 310 Respondents expressed frustration Respondents expressed unknown 304 EDIATRICS , 126 P . 316, 320, 322, & 329 (1999). EV supra note 9, at 199–209. , R 77, 79–80 (2009). Of the 230 individuals who were sent consent forms, Y ’ Consent, involving three mailings and follow-up telephone Consent, involving three mailings Id. EPORT OL 311 Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing . & P VALUATION Id. Id. Id. ES R b. Mandates Concerning the Cost of Consent Empirical Evidence requirements are the contention that consent Empirical data supports It is difficult to determine how these figures would translate into a cost It is difficult to determine how these Several studies have attempted to quantify the cost and time demands attempted to quantify the cost Several studies have 311. Finn-Aage Esbensen et al., Differential Attrition Rates and Active Parental Con- 312. 307. Tu et al., supra note 265, at 1418. 308. 309. Sian Noble et al., Feasibility and Cost of Obtaining Informed Consent for Essential 304. Roberta B. Ness, Influence of the HIPAA Privacy Rule on Health Research 310. Wade D. Rich et al., Antenatal Consent in the SUPPORT Trial: Challenges, Costs, 305. 306. IOM R M K associated with significant costs.associated with significant A 2007 survey of 1,527 epidemiologists requirements had Privacy Rule’s authorization found that the HIPAA research. significantly hindered sent, 23 E calls to non-responders, was estimated to cost at least $50,000. calls to non-responders, was estimated estimated that the cost of obtaining consent through a combination of e- estimated that the cost of obtaining review of records of prostate cancer mail, mail, and telephone calls for consented. patients was $248 for each man who VICES Review of Medical Records in Large-Scale Health Services Research mothers who were likely to deliver preterm infants were approached in mothers who were likely to deliver neonatal care.person for consent to a study of Consent was found to and to cost between $65,945 and take between 1,735 and 2,790 hours $106,029, depending on staff salaries. estimate for obtaining consent, on either a one-time basis or a case-by- estimate for obtaining consent, on subjects.case basis, from potential EHR research It is clear, however, consent from all or most U.S. patients that an effort to contact and obtain national databases would be extremely for purposes of creating and using expensive. of consent processes. The study of the Registry of the Canadian Stroke The study of the Registry of of consent processes. thatNetwork, discussed above, concluded nurse coordinators spent a patient or surrogate for consent pur- median of forty minutes with each interviews. poses, including the time spent arranging 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt and Representative Enrollment 179 consented. studies reveal similar objections and even suggest that some health care objections and even suggest studies reveal similar out of conducting research altogether. providers are opting the 2 million Canadian dollars spent on the registry during the first two the 2 million Canadian dollars spent activities alone. years, $500,000 was spent on consent parental consent to the participation of 2,496 middle-school-aged children parental consent to the participation in a survey. with the cost and delays associated with regulatory compliance. delays associated with regulatory with the cost and JAMA 2164, 2167 (2007). C Y 31670-smu_65-1 Sheet No. 66 Side A 04/12/2012 11:52:32 04/12/2012 A 66 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 66 Side B 04/12/2012 11:52:32 , M K 315 314 C Y IMES With [Vol. 65 317 , N.Y. T 4-APR-12 14:10 OOD G Seq: 40 OMMON C unknown All instances of serious research abuse, All instances of 316 SMU LAW REVIEW Part VI.B. MPORTANCE OF THE The current, consent-centered ethical framework The current, consent-centered . 1195, 1195–96 (1987). I ED 313 supra note 9, at 247. HE , . J. M NG EPORT A. T 318 E EW See supra Parts III.A, IV.A. Id. See David J. Rothman, Ethics and Human Experimentation: Henry Beecher Revis- See discussion infra V. FRAMEWORK RECONSTRUCTING THE CONCEPTUAL The traditional concepts of informed consent center upon the individ- The traditional concepts of informed In the words of the IOM, “[t]he principle of autonomy currently domi- IOM, “[t]he principle of autonomy In the words of the We wish to emphasize that we address only research that involves re- We wish to emphasize that we address 314. 315. Donald G. McNeil Jr., U.S. Infected Guatemalans with Syphilis in ‘40s 313. IOM R 316. 317. 318. Oct. 2, 2010, at A1. ual rights of research subjects because the research contemplated is gen- ual rights of research subjects because erally physically or psychologically invasive. of large With the advent only EHR databases and the proliferation of research studies that involve good record review, it is appropriate to turn to the value of the common as a counterweight to concern about individual risk.beings human When and are not subject to any physical or psychological testing in research, only their records are scrutinized, the value of the common good should prevail over individual interests. in achieving medical Society’s interests and advances should outweigh the individual risks of privacy breaches nates the ethical landscape for both medical care and clinical research in landscape for both medical care and nates the ethical the United States.” 124 Reverby discov- Wellesley College Professor Susan As recently as 2011, exploitation. previously unknown human subject ered evidence of infected Guatema- American researchers deliberately From 1946 to 1948, venereal diseases to mental patients, and soldiers with lan prison inmates, penicillin. test the efficacy of \\jciprod01\productn\S\SMU\65-1\SMU103.txt respect to record-based research, and in light of the great promise of respect to record-based research, to shift the discussion from EHR research databases, it is appropriate goal of promoting the common good. autonomy to a new focus on the cord review without clinical testing. One might be concerned that focus- to a slippery slope and, eventually, to ing on the common good will lead altogether.rationalizing away informed consent In the research context, distinction between interven- however, it is easy to draw a bright-line tional and record-based studies. In the case of interventional studies, should not be subordinated to concerns about harm to human subjects and consent should not be aban- the goal of promoting social benefits, doned. same is not true, however, for noninterventional research so The to stringent oversight and privacy long as all studies are subject protections. however, have occurred in the context of interventional studies. however, have occurred in the context is based on the assumption that research will involve human experimen- that research will involve is based on the assumption research abuses. rooted in a history of shocking tation, and is firmly ited, 317 N 31670-smu_65-1 Sheet No. 66 Side B 04/12/2012 11:52:32 04/12/2012 B 66 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 67 Side A 04/12/2012 11:52:32 , 41 242, 125 USTICE THICS J . E But see Stuart 4-APR-12 14:10 ED . 651, 676 (1992). 321 52–53 (Roger D. Masters Individuals who are EV Rethinking Research Ethics, 322 Seq: 41 ENEFICENCE AND . L. R B ONTRACT supra note 321, at 67. , 302 JAMA 67, 68 (2009). C OLUM when all reasonable efforts are reasonable efforts when all Free Riders and Pious Sons—Why Science 319 OCIAL , 92 C 161, 162–64 (2009); G. Owen Schaefer et al., S unknown MBODIED IN From Social Contract to Hypothetical Agreement: N THE E IOETHICS , O In Defense of the Duty to Participate in Biomedical Re- However, one need not take a position regard- However, one need not take a position , 23 B 37, 38 (2008); Rosamond Rhodes, 324 OOD AS OUSSEAU . 40, 46 (2011) (arguing that the moral status of research participa- G R EP 7, 15 (2005) (“reasonable people should endorse policies that make R IOETHICS The concept of social consent may be applied to the medi- The concept of social consent may Refusal to participate in research can be characterized as in research can be characterized Refusal to participate supra note 12, at 564. ACQUES 323 OMMON -J Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing . J. B ENTER 320 see also Sarah Chan & John Harris, M IOETHICS C C EAN Viewing Research Participation as a Moral Obligation: In Whose Interests? See, e.g., John Harris, Scientific Research Is a Moral Duty, 31 J. M Id.; Edward A. Harris, Note, See supra Part III.B. Id.; HE . J. B M All patients benefit from medical care improvements that have been from medical care improvements All patients benefit The value of the common good has already been incorporated into bi- The value of the common good has Subordinating individual freedom to the common good because indi- freedom to the common Subordinating individual A few bioethicists have gone as far as to argue that individuals have a A few bioethicists have gone as far 324. 323. 319. 320. Miller, 321. 322. J M K ASTINGS B. T non-privacy-related dignitary injuries dignitary non-privacy-related “free riding” because there is no practical way to prevent those who do there is no practical way to “free riding” because the benefits of im- records to research from enjoying not contribute their resulting from biomedical studies. proved treatment ed., Judith R. Masters trans., St. Martin’s Press 1978). research participation a social duty”); Schaefer et al., Rennie, H 247 (2005); Rosamond Rhodes, search, 8 A Research Remains Obligatory 5 A made to prevent such harms. made to prevent past research studies.made possible by irresponsible arguably is it Thus, from accessing some patients to prohibit researchers or inequitable for to the research to make their own contribution their data and decline endeavor. omedical ethics through the second and third concepts articulated in the omedical ethics through the second viduals profit from societal initiatives is consistent with the philosopher viduals profit from societal initiatives social consent.Jean-Jacques Rousseau’s theory of Rousseau spoke of a willingly give up freedom and auton- social contract by which individuals in society. omy to enjoy the advantages of living The Obligation to Participate in Biomedical Research 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt tion should not be changed). cal arena as well. Because essentially all individuals will at some time in may be deemed to tacitly consent to their lives receive medical care, they that makes treatment possible. having their EHRs available for research research, which extends even to moral duty to participate in biomedical interventional studies. residents of a political state necessarily accept its benefits, and by doing residents of a political state necessarily that enable governmental authority so, citizens tacitly consent to the laws to function. ing whether participation in research rises to the level of a moral duty to ing whether participation in research patients from withholding their argue that it is ethically sound to prohibit information from EHR databases. Consent and the Obligation to Obey the Law C Y 31670-smu_65-1 Sheet No. 67 Side A 04/12/2012 11:52:32 04/12/2012 A 67 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 67 Side B 04/12/2012 11:52:32 R R M K C Y The EHR- Belmont [Vol. 65 331 In addi- 332 334 4-APR-12 14:10 The Belmont 328 Beneficence most 326 Seq: 42 PPLIED TO THE A NDUSTRY I unknown OOD AS ARE C G 329 supra note 10, at B.2. health care entities must make their records SMU LAW REVIEW EALTH , OMMON This principle prohibits exploitation of vulnera- This principle prohibits exploitation 333 H supra note 9, at 230 (stating that researchers report that they C , 330 EPORT Thus, it is not foreign to the field of research ethics. the field of research is not foreign to Thus, it HE R 325 EPORT C. T also recognizes the impor- also recognizes However, the Belmont Report ELMONT supra notes 195–99 and accompanying text for prior discussion of the IOM R B 327 See id. Id. Id. at C.2. Id. at B.3. Id. Id. See supra notes 202–04 and accompanying text. See See The common good principle supports the imposition of certain burdens The common good principle supports The principle of justice requires that the benefits and risks of research The principle of justice requires that Beneficence mandates that researchers do no harm and maximize po- that researchers do no harm Beneficence mandates 327. 328. 329. 330. 331. 332. 333. 334. 326. 325. See tance of societal interests and instructs that the benefits “that may result interests and instructs that the benefits tance of societal development of novel of knowledge and from the from the improvement must be considered in and social procedures” medical, psychotherapeutic, to proceed with research studies. determining whether clearly dictates that investigators eschew harming individual research par- investigators eschew harming individual clearly dictates that ticipants. Report. on patients, namely, depriving them of choice as to whether their EHRs on patients, namely, depriving them are accessible to researchers. At the same time, the common good re- providers who create EHRs, includ- quires concessions from health care others.ing physicians, clinics, hospitals, and Despite having ownership claims to medical files, be distributed fairly and that selection procedures for human subjects be be distributed fairly and that selection sound and impartial. Belmont Report. Belmont 126 \\jciprod01\productn\S\SMU\65-1\SMU103.txt tential benefits while minimizing research risks. tential benefits while tion, providers should not be able to charge excessive fees for access to tion, providers should not be able to charge excessive fees for access the records they control. to be useful, a research As discussed above, vulnerable must not bear a disproportionate burden in research initia- vulnerable must not bear a disproportionate make a fair contribution. tives, and those who will benefit must based research is likely to encompass many, if not most medical condi- based research is likely to encompass in advance what knowledge it will tions, and it is impossible to predict from it.yield over the years and who will benefit Consequently, the prin- of all Americans in EHR databases to ciple of justice supports inclusion promote the common good. ’s explanation of the principle’s application states that at times the the principle’s application states that Report’s explanation of research will justify significant societal benefits from potential to gain of such potential ben- human subjects and that the loss risks to individual efits is of serious concern. ble groups for the benefit of those who are more advantaged. ble groups for the benefit of those available to researchers to facilitate treatment improvements. “have difficulty obtaining deidentified information” from health care entities). 31670-smu_65-1 Sheet No. 67 Side B 04/12/2012 11:52:32 04/12/2012 B 67 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 68 Side A 04/12/2012 11:52:32 127 NNALS 338 , 45 A 4-APR-12 14:10 Seq: 43 Providers, like patients, will Providers, like patients, RECEDENTS 335 P To comply with these mandates, 337 unknown EALTH H UBLIC From Hippocrates to HIPAA: Privacy and Confidentiality in D. P . 53, 57 (2005). The research initiatives contemplated in this Article are dis- The research initiatives contemplated ED Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing M State legislatures have also imposed reporting requirements State legislatures have also imposed 339 WHILE PROMOTING RECORD-BASED RESEARCH 336 See supra Part IV.D.1. Id. Id. See 45 C.F.R. § 164.512 (2010). Even with greater focus on the principle of promoting the public good, The public health reporting requirements produce information that is The public health reporting requirements Public policy already places the common good ahead of concerns about Public policy already places the common 335. 336. John C. Moskop et al., 337. 338. 339. M K MERGENCY VI. PRACTICAL SOLUTIONS: PROTECTING DATA SUBJECTS database must be sufficiently large and contain records that are represen- records that large and contain must be sufficiently database that it generates relia- of the patient population so tative of all segments research outcomes. ble and generalizable concerns about the privacy vulnerabilities of EHR-based research and concerns about the privacy vulnerabilities of EHR-based research the risk of harm to data subjects cannot be taken lightly.opportunity The they to consent, however, does not protect data subjects from harm if tinguishable in that they would open EHR databases to private sector tinguishable in that they would open and less predictable public bene- researchers and would yield less certain fits. the reporting mandates constitute precedent for an ap- Nevertheless, welfare over individual privacy and proach that assigns primacy to public other dignitary concerns. with respect to conditions that affect a patient’s ability to drive safely and with respect to conditions that affect elder abuse, or violence against an injuries resulting from child abuse, intimate partner or dependent adult. conveyed only to the government and that addresses particular medical conveyed only to the government problems. privacy and autonomy in establishing a large number of reporting re- privacy and autonomy in establishing quirements. Physicians are required by law to report to authorities cases tuberculosis, sexually transmit- of particular infectious diseases, including agents, and new epidemic ill- ted diseases, infection by bioterrorism nesses. E 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt benefit from medical advances because they will enjoy professional suc- advances because they will enjoy benefit from medical perhaps larger in- career satisfaction, and cess, enhanced reputations, effective treatment improved knowledge and more comes resulting from protocols. right to unfair to deprive patients of the It would be entirely to consent to their information and the opportunity control their health to contribute their leave providers at liberty to refuse research use but files.and conces- will thus require cooperation Achieving social benefits industry. of both patients and the health care sions on the part physicians must supply personally identifiable information without asking physicians must supply personally to patients’ privacy concerns. patients for consent or deferring Emergency Medicine—Part I: Conceptual, Moral, and Legal Foundations C Y 31670-smu_65-1 Sheet No. 68 Side A 04/12/2012 11:52:32 04/12/2012 A 68 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 68 Side B 04/12/2012 11:52:32 R M K , 1 A C Y OD- , 10 : M 343 OF THE . [Vol. 65 Privacy and INING OMM 4-APR-12 14:10 M ATA , 53 C 557, 557–70 (2002). D 1, 1, 2 (2007); see gener- YSTEMS ATA Seq: 44 S ECHNIQUES D RESERVING T -P Consent merely allows indi- Consent ASED -B 340 RIVACY , P This Article, therefore, does not pro- This Article, therefore, U unknown L-Diversity: Privacy Beyond K-Anonymity ISCOVERY FROM NOWLEDGE 342 D ONCEALMENT S. Y C & K HILIP SMU LAW REVIEW & P NOWLEDGE UZZINESS K DENTITY (1st ed. 2008); Arvind Narayanan & Vitaly Shmatikov, , F supra note 5, at 2087. A. I GGARWAL C. A LGORITHMS NCERTAINTY Neither covers de-identified EHRs; limited data sets can be de-identified EHRs; limited data Neither covers A See supra Part II.B. See supra Part II.B. RANSACTIONS ON HARU 341 J. U L ’ One mechanism to address concerns about privacy is identity conceal- One mechanism to address concerns Patient privacy may be protected through de-identification. All eigh- Nevertheless, record-based research without consent will be ethically Nevertheless, record-based research As noted earlier, the federal research regulations and the HIPAA Pri- the federal research regulations and As noted earlier, 340. Peddicord, 341. 342. 343. Ashwin Machanavajjhala et al., NT employed without patient authorization; and even research using clearly patient authorization; and even employed without consent if author- can proceed without informed identifiable information privacy board. ized by an IRB or ELS AND ACM T ment.large body of work exists concerning a variety of identity con- A l-diversity, and others. cealment techniques, including k-anonymity, ACM 24, 25 (2010); Latanya Sweeney, K-Anonymity: A Model for Protecting Privacy choose to participate in research studies. participate in research choose to I 128 \\jciprod01\productn\S\SMU\65-1\SMU103.txt Security Myths and Fallacies of “Personally Identifiable Information” comprehensive treatment of the topic is beyond the scope of this Article. comprehensive treatment of the topic for only two options: 1) building large Here, we detail recommendations to which researchers can have direct databases of de-identified records systems through which researchers access; and 2) establishing federated distributed databases and receive sum- can conduct statistical analyses of mary information without direct identifiers. 1. Large Databases of De-identified Data mini- teen safe harbor provision identifiers would need to be removed to ally, C pose a radical departure from the current regulatory regime. from the current regulatory pose a radical departure It argues for non-interventional consent need not be sought only that, as a norm, research. safeguards are implemented.justified only if a number of important This techniques and urges that they be Part first analyzes identity concealment used as often as possible. Second, it recommends additional oversight for the limitations of identity conceal- mechanisms that help compensate EHR-based research.ment techniques and are tailored to pro- it Finally, all individuals whose records might be poses that notice be provided to in de-identified form), and empha- included in research projects (even about the nature and benefits of sizes the need for public education EHR-based research. viduals to assume the risks knowingly or to opt out completely. the risks knowingly or to opt out viduals to assume the absence of con- prohibit record-based research in vacy Rule do not sent. 31670-smu_65-1 Sheet No. 68 Side B 04/12/2012 11:52:32 04/12/2012 B 68 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 69 Side A 04/12/2012 11:52:32 R , 354 129 348 4-APR-12 14:10 As we suggested in As we suggested 346 Seq: 45 For example, we have pro- To ensure appropriate de- appropriate To ensure For a given patient seeking 352 344 353 Improving Health Care Outcomes Through An important question is whether, as An important question supra note 2, at 3. supra note 2, at 5. unknown , , 347 Such an outcry could hinder compliance 349 OOPERS OOPERS For example, access to the database should be For example, access to the database C C 350 Use of the service could be denied to those who Use of the service could be denied supra note 9, at 173. , 425, 425 (2011). 355 EPORT THICS supra note 41, at 615–16 (recommending that federal law mandate the 345 RICEWATERHOUSE RICEWATERHOUSE Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing . & E IOM R P P Another incentive may be access to commercial services that Another incentive may be access ED See supra Part III.B.1.b.ii (discussing re-identification risks). See See id. at 146–47. See Hoffman & Podgurski, supra note 2, at 162–64. Id. See See id. at 589–90. See id. at 599–600. See 351 If it is to yield reliable and widely applicable research results, the reliable and widely applicable research If it is to yield may generate an while scientifically justifiable, A strict legal mandate, Consequently, policy makers may consider alternatives to mandated Consequently, policy makers may 353. Sharona Hoffman & Andy Podgurski, 344. 345. 346. 347. 348. Rodwin, 354. 355. 349. 350. 351. their own One complication may be that some research institutions will not have 352. M K mize the possibility of re-identification. mize the available only to investigators whose institutions contribute their records available only to investigators whose to it. Personalized Comparisons of Treatment Effectiveness Based on Electronic Health Records 39 J.L. M serve as electronic resources for clinicians. posed the development of services for conducting personalized compari- posed the development of services sons of treatment effectiveness (PCTE). database should be as comprehensive as possible. database should patient communities, fueled by pol- outcry from the medical, and perhaps to generate distrust and resentment of iticians and news media who wish “big government” initiatives. The creation of such services would give institutions and individual prov- The creation of such services would a stake in the success of the database, iders that do not conduct research that they will contribute the EHRs thereby increasing the likelihood under their control. 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt previous work, ideally, a national research database would include all a national research database previous work, ideally, EHRs. Americans’ de-identified identification, information technology experts would de-identify patient technology experts would identification, information would be available to them to a separate database that records and copy researchers. the most appropriate treatment for her condition, a PCTE service would the most appropriate treatment for of the available treatments by ana- characterize the relative effectiveness patients who, when treated, were lyzing EHRs for a cohort of treated respect to clinically relevant factors. similar to the given patient with Professor Marc Rodwin recommended, health care providers should be recommended, health care Professor Marc Rodwin database. submit their EHRs to a research required by law to and foster public resentment of the entire biomedical research endeavor. and foster public resentment of the research database.participation in a comprehensive national A system of be needed to encourage providers to incentives and disincentives would contribute their EHRs. EHR systems. creation of a national database of de-identified data and require health care providers to creation of a national database of de-identified data and require health care providers submit their records to the government for this purpose). C Y 31670-smu_65-1 Sheet No. 69 Side A 04/12/2012 11:52:32 04/12/2012 A 69 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 69 Side B 04/12/2012 11:52:32 R M K C Y NFEC- and I There 363 [Vol. 65 Of par- 356 360 4-APR-12 14:10 LINICAL The safe harbor , 49 C 364 Researchers may be Researchers may , supra note 9, at 232–33. 358 Seq: 46 EPORT Similar objections were voiced IOM R 361 unknown see also Another paper concluded that elimination 359 SMU LAW REVIEW 357 362 supra note 9, at 175. , It also allows disclosure of dates, including age, by year, It also allows disclosure of dates, 328, 330 (2009). EPORT supra note 12, at 1789. 365 ISEASES See id. D In response, HHS explained that it very carefully researched the data In response, HHS explained that The principal drawback of relying on incentives to encourage contribu- of relying on incentives to The principal drawback To be deemed de-identified under the HIPAA Privacy Rule, records under the HIPAA Privacy To be deemed de-identified 362. 65 Fed. Reg. Standards for Privacy of Individually Identifiable Health Information, 356. note 2, at 126–28. Hoffman & Podgurski, supra 357. 358. 45 C.F.R. § 164.514(b)(2)(i) (2010). 359. Cate, 360. Infectious Diseases Soc’y of Am., Grinding to a Halt: The Effects of the Increasing 363. 65 Fed. Reg. Standards for Privacy of Individually Identifiable Health Information, 364. Fed. Reg. at Standard of Privacy of Individual Identifiable Health Information, 67 365. 45 C.F.R. § 164.514(b)(2)(i)(B) (2010). three digits of a zip code cannot The initial 361. IOM R 82,462, 82,710 (Dec. 28, 2000) (codified at 45 C.F.R. pts. 160 & 164); Standards for Privacy 2002) of Individually Identifiable Health Information, 67 Fed. Reg. 53,182, 53,232 (Aug. 14, (codified at 45 C.F.R. pts. 160 & 164); Regulatory Burden on Research and Quality Improvement Efforts in comments submitted to HHS concerning the proposed HIPAA Privacy in comments submitted to HHS concerning Rule in 2000 and 2002. at 82,710–12; Identifiable Health Information, 67 Fed. Standards for Privacy of Individually Reg. at 53,232–34. 53,232. as of be disclosed if 20,000 or fewer people live in that zip code, but, according to HHS, 2002, only seventeen zip codes were excluded for this reason. Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. at 53,234. elements to be included in the HIPAA safe harbor provision elements to be included in the of the HIPAA data elements reduced data by 31% and precluded access of the HIPAA data elements reduced for research purposes. to information that is vitally important fail to do so. fail to do mandate is rather than establishing an enforceable tions to the database full participation, es- not be strong enough to induce that incentives may commercial advantages to nonparticipation. pecially if there are 130 2. Compromise Data Quality? Does De-identification types of identifiers removed. must have eighteen \\jciprod01\productn\S\SMU\65-1\SMU103.txt TIOUS ticular importance may be the elimination of all elements of dates other ticular importance may be the elimination from determining the time than year, which could prevent researchers care. that elapsed between episodes of strove to “balance the need to protect individuals’ identities with the strove to “balance the need to protect to be useful.” need to allow de-identified databases would be nothing to stop providers from opting out based on their own to stop providers from opting out would be nothing cost–benefit calculations. provision allows retention of some information about geographic loca- provision allows retention of some and, in most cases, the first three zip tion, including the relevant state code digits. legitimately concerned that removing so many identifiers will compro- legitimately concerned that removing research data.mise the quality or usefulness of One author asserts that identifiers would render data “useless removal of the eighteen HIPAA for most medical research.” 31670-smu_65-1 Sheet No. 69 Side B 04/12/2012 11:52:32 04/12/2012 B 69 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 70 Side A 04/12/2012 11:52:32 . N- ED I 131 NTER- . M I M OMPUTA- EALTH each in- H , J. A NNALS 370 would sub- Ideally, all 4-APR-12 14:10 372 , 14 J. C 371 In a federated , 151 A 369 An Electronic Practice- The query service 374 NTERNATIONAL Seq: 47 197, 197, 199 (2009).ap- The ˚ ACM I ST 1 Finally, important details such as important details Finally, to initiate operations, communicate HIPAA-qualified, de-identified data HIPAA-qualified, 366 unknown 373 ONFIDENTIALITY 367 & C The Shared Health Research Information Network RIVACY ROCEEDINGS OF THE . 263, 263–64 (2005). 368 TAT in P 250, 251–54 (2010); Wilson D. Pace et al., S , 1 J. P 624, 624 (2009). N ’ SS A Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing YMPOSIUM RAPHICAL Federated Querying Architecture for Clinical and see also Oren E. Livne et al., Federated Querying Architecture for Clinical S . 338, 338–39 (2009). a of the fitted model, without disclosing to each other either individual-level or See discussion infra Part VI.B.1.b (discussing approval and oversight mechanisms). See § 164.514(b)(2)(i). See supra notes 36–37, 46–49 and accompanying text. Id.; & G ED M Secure statistical analysis of distributed databases involves querying analysis of distributed databases Secure statistical Nevertheless, for other studies, it may be crucial to include identifiers other studies, it may be crucial to Nevertheless, for 372. 373. Queries may be qualified in various ways. For example, a researcher may limit the 374. Alan F. Karr, Secure Statistical Analysis of Distributed Databases, Emphasizing 366. 45 C.F.R. § 164.514(b)(2)(i)(C). Ages over 89 must be aggregated into a single 367. 368. Alan F. Karr et al., Secure Regression on Distributed Databases 370. 371. Griffin M. Weber et al., 369. M K NFORMATICS though not by more specific units. by more specific though not query to a particular state or geographic region. What We Don’t Know stitution manages and maintains control of its own database, but distrib- stitution manages and maintains control a standard web service. uted queries are possible through FORMATICS entities could fit a linear regression model Y = aX + ˆa but it proach could support analyses using a number of standard statistical techniques, would not permit investigators to employ whatever techniques they choose.example, For to their global data, consisting of entities could fit a linear regression model Y = aX + values for the predictor variable(s) X and the outcome variable Y, and share the coeffi- values for the predictor variable(s) X and the outcome variable Y, and share the cient(s) ˆ entity-level data. category of 90 or older, presumably because relatively few people reach that age range. category of 90 or older, presumably because See id. intermediate results, and return the final results to researchers.intermediate results, and return the Individ- cooperate to compute summary ual databases in the federation would individual records or sensitive statis- statistics, but they would not share organizations. tics that would identify particular TIONAL databases that participate in a federated system, using special algorithms databases that participate in a federated information. intended to prevent disclosure of sensitive 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt mit statistical queries via the Internet using software that interfaces with mit statistical queries via the Internet query service.the federated system’s distributed would service query The interact with all relevant databases health care providers in the country would participate in a comprehensive health care providers in the country systems may be created at least federated system, but smaller federated as a first step. Researchers with approved research projects system, such as the FDA’s Sentinel Initiative and DARTNet, system, such as the FDA’s Sentinel NAL race, sex, religion, and income need not be redacted from records in or- and income need not be redacted race, sex, religion, de-identified. der to render them should thus be sufficient for some studies. should thus be sufficient 3. Analysis of Distributed Databases Secure Statistical by the limited data set provision.beyond those permitted these cases, In statistical analysis of is a technique known as secure a possible alternative distributed databases. I Based Network for Observational Comparative Effectiveness Research (SHRINE): A Prototype Federated Query Tool for Clinical Data Repositiones Translational Health IT, C Y 31670-smu_65-1 Sheet No. 70 Side A 04/12/2012 11:52:32 04/12/2012 A 70 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 70 Side B 04/12/2012 11:52:32 R . M K C Y OMMS GENCY [Vol. 65 , A , 54 C 4-APR-12 14:10 Ideally, the ap- using the service. 378 377 Seq: 48 to provide the query service.These A requirement that users of the statis- A requirement that unknown 379 375 , http://ahrq.gov/qual/performance3/perfm3c.htm (last SMU LAW REVIEW UALITY . & Q notes 82–86 and accompanying text (discussing comparative ES R 376 See Hoffman & Podgurski, supra note 2, at 118–19. See David Kitte, Report of the Data Sharing and Aggregation Workshop See id. at 154–55 (discussing audit trails). See supra See Cynthia Dwork, A Firm Foundation for Private Data Analysis EALTHCARE H Statistical databases in general are not invulnerable to attack, and a Statistical databases in general are The following are two illustrations to elucidate the use of secure statis- two illustrations to elucidate the The following are Given the health information technology resources needed to support 375. 379. 376. 377. 378. visited Nov. 2, 2011). The investigator would indicate the treatments at issue, the outcome mea- The investigator would indicate the confounders, and would select the de- sures of interest, and any known sired analytical approach. Given these parameters, the query service and provide results to the re- would conduct the statistical analysis searcher.For example, the query service might select and compare two a different treatment, ensuring treatment groups, each of which received to values of known confounding that the groups are balanced with respect variables. Ultimately, the investigator would receive a numerical esti- treatment effects for the two mate of the difference in the average groups. resolved for secure statistical analysis number of technical issues must be widely applicable. of distributed databases to become FOR tical query service be authorized researchers would limit access by illicit be authorized researchers would tical query service users could be de- use of the service by authorized users, and improper interactions with the by analyzing logs recording their tected after the fact service. tical analysis of distributed databases. might submit a First, a researcher among the popula- prevalence of a particular disease query asking for the records contained in the federated sys- tion represented by the combined tem. statistical analysis, the researcher would receive an estimate After diagnosed with that disease.of the proportion of the population Second, complex CER an investigator could conduct more would provide researchers with a somewhat restricted choice of standard restricted choice with a somewhat researchers would provide for example, estimates enabling them to compute, statistical query types, and ratios and esti- subpopulation means, proportions, of population or coefficients. mates of regression 132 \\jciprod01\productn\S\SMU\65-1\SMU103.txt proach would yield useful research data by allowing original, non-re- proach would yield useful research at their facilities of origin while dacted medical records to be queried investigators would only see informa- protecting patient privacy because tion summarizing aggregate data. The participating organizations would schema, communication protocol, each need to support the same data querying interface, and security policy. it the requirements for a participating database within a federated system, to is likely that small or resource-poor health care providers would have use trusted third-party aggregators ACM 86, 86–95 (2011); Karr, supra note 374, at 202–95. effectiveness). 31670-smu_65-1 Sheet No. 70 Side B 04/12/2012 11:52:32 04/12/2012 B 70 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 71 Side A 04/12/2012 11:52:32 133 How- 380 4-APR-12 14:10 VERSIGHT Seq: 49 O ESEARCH R unknown It recommended that waivers of informed 381 TRENGTHENING supra note 9. , B. S EPORT Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing See supra Part III. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Other providers may also choose to use trusted aggregators in order to also choose to use trusted aggregators Other providers may Identity concealment is a useful safeguard against research abuses, but Identity concealment is a useful safeguard Regulations that require approval and monitoring of all studies by an Regulations that require approval and monitoring of all studies by a. IOM Proposal In 380. 381. IOM R M K providers would need to upload new and updated EHRs regularly to the EHRs regularly new and updated would need to upload providers queries themselves. not have to support statistical aggregator but would care entities con- interest among competing health avoid conflicts of oriented research.ducting commercially such entities If researchers from queries themselves directly to competitors, the had to submit queries exact nature of the research.might reveal the might Such disclosure and diminish entity to lose its competitive advantage cause the querying research discoveries.potential profits from serve can aggregators Trusted and process queries who hold copies of medical records as intermediaries without revealing them to other parties.from researchers reason, this For subject to rigorous should be government contractors the aggregators oversight. Given that there is a risk of disclosures from any database, the the control of any one aggregator maximum number of EHRs under should be limited. it cannot fully shield data subjects from harm and must be supplemented it cannot fully shield data subjects by other protections. This Article has argued that informed consent re- for all record-based studies. quirements should be suspended 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt ever, in lieu of having an opportunity to consent, data subjects should ever, in lieu of having an opportunity and feel as confident as possible enjoy the benefits of rigorous oversight efficacy.its about even studies Because of the risk of re-identification, undergo an approval procedure, using de-identified records should though it can be streamlined. pro- This section outlines a tiered review of scrutiny to all research projects.cess that would apply some degree It continuing review and offers recom- also emphasizes the importance of measures to protect EHR databases. mendations for enhanced security 1. Ethics Board Review ethics board could go far to protect data subjects from the risks of record- based research. proposal, which is de- The IOM developed a relevant scribed and critiqued. We then offer an alternative framework that would provide data subjects with more comprehensive protections. consent be granted so long as consent is replaced by other protection Health through Research, the IOM detailed a proposal to remove barriers to record-based research. C Y 31670-smu_65-1 Sheet No. 71 Side A 04/12/2012 11:52:32 04/12/2012 A 71 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 71 Side B 04/12/2012 11:52:32 M K C Y The [Vol. 65 391 4-APR-12 14:10 Seq: 50 Second, the IOM does not The IOM recommendations 388 393 392 The IOM did not recommend ethics The IOM did not plan to implement without following The board could grant waivers for The board could unknown 384 383 In addition, boards would be specifically di- In addition, boards would be specifically SMU LAW REVIEW 386 The ethics board is envisioned as scrutinizing only The ethics board is envisioned as 385 390 Accordingly, researchers who believe direct identifiers who believe direct researchers Accordingly, Third, the IOM relies excessively on pre-approval of re- Third, the IOM relies excessively 382 387 389 Id. at 34. See id. Id. Id. Id. at 265. Id. Id. Id. Id. at 264. Id. at 265. Id. See supra Part III.B.1.b.ii. b. Proposed Regulatory Approach in As detailed above, data de-identification and identity concealment However, the IOM’s proposal does not go far enough.However, the IOM’s proposal does not does it First, The IOM proposal has several strengths.The IOM proposal that ethics The IOM specifies 382. 383. 384. 385. 386. 387. 388. 389. 390. 391. 392. 393. are necessary for their studies and who do not wish to obtain consent, their studies and who do not wish are necessary for with expertise in re- from an ethics oversight board would seek approval research. viewing records-based up to ensure that they have been employed and are effective. up to ensure that they have been security measures that researchers security measures that researchers search protocols. support subjecting studies that do not involve “direct identifiers” to any support subjecting studies that do oversight. also do not take into account the highly changeable nature of security also do not take into account the threats. general do not entirely eliminate the risk of privacy violations.With of some effort, adversaries could re-identify at least a small percentage records, and this risk cannot be ignored. define the term “direct identifiers” and, thus, does not clarify which data define the term “direct identifiers” review. elements would trigger ethics board boards would need to have special expertise with respect to record-based to have special expertise with respect boards would need that often focus largely on studies in- research, unlike traditional IRBs volving clinical testing. mechanisms. 134 \\jciprod01\productn\S\SMU\65-1\SMU103.txt IOM recommendations do not take into account the multiplication of risk IOM recommendations do not take information is promulgated to more that occurs when de-identified health which is a point of potential vulnera- and more research groups, each of bility to security and privacy violations. studies using identifiable health information after considering the follow- health information after considering studies using identifiable security, (2) possi- that will be taken to safeguard data ing: (1) measures expose subjects, and inappropriate disclosure would ble harms to which benefits. (3) the study’s potential board oversight for studies in which no direct identifiers would be availa- studies in which no direct identifiers board oversight for ble to investigators. rected to scrutinize the privacy safeguards that investigators plan to rected to scrutinize the privacy implement. 31670-smu_65-1 Sheet No. 71 Side B 04/12/2012 11:52:32 04/12/2012 B 71 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 72 Side A 04/12/2012 11:52:32 R 135 4-APR-12 14:10 . 282, 284 (2004) ED M Seq: 51 NTERNAL Institutional Review Boards: Is I . 750, 761 (2007) (discussing IRBs’ EV NNALS 71, 71 (2009) (noting concern about IRB separate reviewing entities could be separate reviewing , 141 A . U. L. R unknown THICS W 394 . E Oversight of Human Participants Research: Identify- ES , 101 N . R Survey of U.S. Boards That Review Mental Health-Related The ethics board should pay particular atten- The ethics board should pay particular should undergo a thorough approval process. should undergo a thorough approval UM 396 note 153, at 169. Currently, the Common Rule does not make 395 . H ES . R See supra notes 60–61, 78 and accompanying text. MPIR Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing See supra notes 74–76 and accompanying text. Benitez & Malin, supra Consequently, this Article proposes that all record-based studies un- all record-based proposes that this Article Consequently, The degree of scrutiny that ethics boards apply to studies should de- that ethics boards apply to The degree of scrutiny If, for some reason, researchers must obtain directly identifiable data If, for some reason, researchers must view only data that are de-identified Studies in which researchers will 394. Joseph A. Catania et al., 395. 396. ranges from One study found that for limited data sets, the risk of re-identification M K dergo approval by an ethics board with expertise in non-interventional an ethics board with expertise dergo approval by research and in information security. be assigned to ex- This task could overworked and may because these bodies are already isting IRBs, but expertise, not have the requisite ing Problems to Evaluate Reform Proposals workloads); Ezekiel J. Emanuel et al., Research, 3 J. E established exclusively for record-based studies. We use the term “ethics that these must neces- but do not mean to suggest boards” in this section from IRBs. sarily be different be able to identify to which researchers or others may pend on the extent on the severity of the potential harm.patient data and using any Studies provision, includ- excluded by the HIPAA safe harbor identifiers that are ing limited data sets, Limited data sets should be subject to careful scrutiny because they can Limited data sets should be subject significantly increase the possibil- include birthdates and zip codes, which ity of re-identification. 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt 10% to 60%, depending on the information that different states make publicly available. See heavy workload). clear whether research using limited data sets would require IRB approval and consent, and the HIPAA Privacy Rule requires data use agreements but no patient authorization for such studies. (“IRBs may review research for which they lack expertise and rely on information given by (“IRBs may review research for which they lack expertise and rely on information given investigators without corroboration”); David A. Hyman, This the Least Worst We Can Do? tion to the security measures that will be implemented.tion to the security measures that It should also to ensure that they are bona fide re- verify the credentials of applicants project in mind. searchers who have a genuine research numbers, ethics boards should remain such as names or social security patient consent.free, at their discretion, to require in- example, For for a small study that allows investi- formed consent may be appropriate view sensitive medical information gators to obtain patient names and records. including psychiatric or gynecological harbor provision should undergo a in accordance with the HIPAA safe investigators register their projects streamlined process through which and their identities are confirmed.promise also should researchers The to re-identify data, will not convey in writing that they will not attempt who are not members of the re- the records they obtain to individuals using data for purposes outside the search team, and will refrain from scope of the study. In addition, researchers should commit to disposing form, of any records they have obtained in identifiable or de-identified C Y 31670-smu_65-1 Sheet No. 72 Side A 04/12/2012 11:52:32 04/12/2012 A 72 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 72 Side B 04/12/2012 11:52:32 R R R M K IN- see 401 C Y supra M , http:// [Vol. 65 ATA See id.; GOV D . 4-APR-12 14:10 397 ENSUS , C NOWLEDGE AND Seq: 52 K Researchers should be required to Researchers should NFORMATICS I 398 unknown EDICAL , M SMU LAW REVIEW INKELSTEIN We believe it would be irresponsible to allow any mem- We believe it would be irresponsible 153–54 (HsinChin Chen et al. eds., 2005). For example, if data miners had access to a database of For example, if data miners had access and they de-identified records with a 0.10% success and they de-identified records W supra note 69, at 1767. supra note 41, at 615. 402 403 404 Monitoring by the boards should be supplemented with over- boards should be supplemented Monitoring by the ETER P Ohm, 399 HHS should be authorized to conduct unannounced audits of all to conduct unannounced HHS should be authorized IOMEDICINE they would be able to de-identify EHRs of over 311,000 people. they would be able to de-identify See See 45 C.F.R. § (empowering IRBs to suspend or terminate studies 46.113 (2010) See Id. § 160.308. 400 B 405 Furthermore, it would be essential for ethics boards to conduct contin- be essential for ethics boards Furthermore, it would Ethics board oversight for all record-based studies is a novel recom- Ethics board oversight for all record-based If a large number of de-identified EHRs were to be publicly available, If a large number of de-identified 405. Benitez & Malin, supra note 153, at 169 (finding that between 0.01% and 0.25% of 404. U.S. Census Bureau, U.S. & World Population Clocks 397. 398. 45 C.F.R. § 46.103 (2010) (discussing continuing review by IRBs); Hoffman, 399. 402. Rodwin, 403. 400. 401. ac- The HIPAA Security Rule already authorizes HHS to engage in enforcement sight by HHS, which is charged with HIPAA Security Rule enforce- is charged with HIPAA Security sight by HHS, which ment. a state’s population is vulnerable to re-identification if data is de-identified in accordance with the HIPAA safe harbor provision). www.census.gov/main/www/popclock.html (last visited Nov. 10, 2011). note 17, at 738–43. uing reviews of all research studies. uing reviews of all using approved means, at the end of a designated period. the end of a designated means, at using approved HHS should also ensure that the ethics boards are responsibly fulfilling HHS should also ensure that the their duties. IOM’s more modest proposal and pro- mendation that departs from the posals made by other analysts. Professor Rodwin has suggested that after be made available to the public, per- records are fully de-identified, they haps for a fee. 136 \\jciprod01\productn\S\SMU\65-1\SMU103.txt research projects, including those using de-identified data, to ensure that including those using de-identified research projects, with appropriate security measures investigators are safeguarding privacy activities rather than misusing data. and are engaging in valid research Moreover, some data miners, such as certain commercial enterprises, may Moreover, some data miners, such rate, ING IN submit annual reports and to inform the board immediately of any ad- and to inform the board immediately submit annual reports of data to third as hacking or inappropriate disclosure verse events, such parties. may not safeguarded, ethics boards If data are not appropriately require corrective by the same investigators, may approve future studies mandate that it be approval of the study and action, or may withdraw stopped. ber of the public to access de-identified EHRs without any oversight ber of the public to access de-identified would likely lead to abuses. because, over time, such a policy for re-identification, and they could data miners would gain many targets power as they have available. expend as much time and computational may be able to re-identify a large num- Even with a low success rate, they ber of EHRs. de-identified EHRs for every person in the United States (over 311 mil- de-identified EHRs for every person lion people) also discussion infra Part VI.B.1.c (discussing security safeguards). that they approved). to all tivities, including conducting compliance reviews; this authority should be expanded research activities, including those involving databases of de-identified records. 31670-smu_65-1 Sheet No. 72 Side B 04/12/2012 11:52:32 04/12/2012 B 72 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 73 Side A 04/12/2012 11:52:32 R R 137 LGORITHMS A 4-APR-12 14:10 Should an up- AND , 407 ODELS These regulations re- , M Seq: 53 410 ONCEPTS : C unknown INING and the Medical Device User Fee and and the Medical Device User Fee M which require drug and device manufac- 408 ATA 409 406 , D Other entities are not required to employ any of Other entities are not required to 412 The Security Rule, however, applies only to health The Security Rule, however, applies 413 ANTARDZIC 411 K Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing at 359–84. A critical modification would be expanding the definition of EHMED See Ohm, supra note 69, at 1767. Id. § 379j(a). Id. Id. § 160.103; 42 U.S.C. § 17931 (2006). Id. 414 Ethics board review and supervision of all record-based projects will Ethics board review and supervision c. Security Safeguards a major concern relating to re- As emphasized throughout this Article, We have suggested improvements to the HIPAA Security Rule in prior Regulators should also consider whether research proposals should be also consider whether research Regulators should 406. M 407. 408. 21 U.S.C. § 379h (Supp. IV 2010) (detailing fees that must be paid by those sub- 409. 410. 45 C.F.R. §§ 164.302–.318411. (2010). 412. 413. Hoffman & Podgurski, supra note 127, at 344–45. 414. M K have access to external data, gleaned from various sources, that greatly various sources, gleaned from to external data, have access facilitates re-identification. “covered entities” to ensure that all researchers, as well as entities or in- “covered entities” to ensure that all researchers, as well as entities re- dividuals who operate research databases, are subject to regulatory quirements. apply to “any person who The term “covered entity” should per limit be set for the number of queries a research team submits to a the number of queries a research per limit be set for number of queries on the theory that an unreasonable statistical database purposes? the data are being used for inappropriate might indicate that who would need further study by security experts These questions require to optimize privacy of researchers against the need to balance the needs protection. approach for de-identified surely entail costs, though the streamlined records is designed to curb expenses.operations, board ethics finance To who seek project approval to federal regulations could require applicants pay a fee to HHS. A precedent for such an approach is set by the Pre- scription Drug User Fee Act Modernization Act of 2002, turers seeking FDA approval to pay certain fees. turers seeking FDA approval to pay privacy breaches.cord-based research is the risk of HHS addressed se- stored health information by curity concerns relating to electronically Rule in 2005. promulgating the HIPAA Security work. subject to further limitations. ethics boards limit the For example, should to which investigators have access? number of records 380 (2d ed. 2011). mitting human drug applications). 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt plans, health care clearinghouses, health care providers who transmit plans, health care clearinghouses, for particular purposes, and their health information in electronic form business associates. quire implementation of a variety of administrative, physical, and techni- quire implementation of a variety cal safeguards. the Rule’s security measures no matter how much health data they may the Rule’s security measures no matter store or process. C Y 31670-smu_65-1 Sheet No. 73 Side A 04/12/2012 11:52:32 04/12/2012 A 73 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 73 Side B 04/12/2012 11:52:32 R M K C Y , http:// [Vol. 65 GOV 4-APR-12 14:10 With the prolifer- 420 Seq: 54 DUCATION The regulations empower HHS Because determined adversaries Because determined E HHS states on its website that in 418 Security Rule Enforcement, HHS. there is reason to question whether there is reason to 416 419 No distinctions should be made based No distinctions should unknown 417 415 supra note 418. OTICE AND SMU LAW REVIEW C. N 421 Security Rule Enforcement, See supra Part III.B.2. Id. at 360. See 45 C.F.R. § “protected health information” as “individually 160.103 (defining See supra Part III.B.1.b.ii. To protect patient privacy, HHS will also need to enforce the HIPAA To protect patient privacy, HHS will The HIPAA Security Rule, as currently written, exempts databases of Rule, as currently written, exempts The HIPAA Security Effective protection of patient privacy through identity concealment, Effective protection of patient privacy This part proposes that notice and education replace consent in record- 419. 45 C.F.R. §§ 160.306, 160.308. 420. 421. 415. 416. 417. 418. U.S. Dep’t of Health & Hum. Servs., www.hhs.gov/ocr/privacy/hipaa/enforcement/cmsenforcemain.html (last visited Nov. 2, www.hhs.gov/ocr/privacy/hipaa/enforcement/cmsenforcemain.html (last visited Nov. 2011) [hereinafter Security Rule Enforcement]. this exemption is sound, and the matter merits further examination by sound, and the matter merits further this exemption is security experts. Security Rule aggressively. Responsibility for enforcement is delegated to the agency’s Office of Civil Rights. on the source of the health information. on the source of from complying that meet the safe harbor standard de-identified records security measures. with the specified robust oversight for all protocols, and enhanced security should consider- robust oversight for all protocols, risks of EHR-based research. ably alleviate anxiety about the potential not address concerns about the auton- But, even these measures would omy rights of data subjects. Some advocates may still favor consent as a are concerned about the potential for matter of principle or because they outcomes, and commercial group stigmatization, objectionable exploitation. based research studies. admittedly, will not enable Notice and education, in data subjects to make a choice about inclusion of their records databases. in other ways. But they can empower data subjects In a dem- knowingly stores or transmits individually identifiable health information identifiable health individually stores or transmits knowingly related to the for any business or research purpose in electronic form information.” substance of such 138 \\jciprod01\productn\S\SMU\65-1\SMU103.txt ation of EHR databases and EHR-based research projects, HHS will ation of EHR databases and EHR-based to prevent privacy abuses and need to augment its monitoring activities do so.may require additional funding to HHS will need to be ever-vigi- large databases or federated systems lant in overseeing the security of over time and often cannot be because security threats evolve rapidly anticipated. may even be able to re-identify records that are de-identified in accor- to re-identify records that are may even be able guidelines, dance with safe harbor 2008 and 2009 it conducted ten compliance reviews. 2008 and 2009 it conducted ten compliance to investigate complaints of violations and to conduct self-initiated com- to investigate complaints of violations pliance reviews of covered entities. identifiable health information”); 45 C.F.R. § 164.302 (establishing that the Security Rule applies to “electronic protected health information”). 31670-smu_65-1 Sheet No. 73 Side B 04/12/2012 11:52:32 04/12/2012 B 73 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 74 Side A 04/12/2012 11:52:32 139 4-APR-12 14:10 ARTNERSHIP FOR ., http://www.informatics-re- Seq: 55 EV R so the Privacy Rule does not entitle NFORMATICS But de-identified information is not But de-identified information is 424 unknown , I See What Is Health Literacy?, P 423 ., http://www.npsf.org/pchc/health-literacy.php (last visited Nov. 2, OMM C Permissible uses include disclosure of information for treat- include disclosure of information Permissible uses Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing 425 In addition, the notice could acknowledge that research can 422 EALTH 426 Id. §§ 164.506(c), 164.512. Id. § 164.514. Id. § 164.508(b)(3)(i). H Comprehension and Reading Level The HIPAA Privacy Rule requires that health care providers notify pa- Rule requires that health care The HIPAA Privacy We propose expanding the HIPAA Privacy Rule notice requirement to We propose expanding the HIPAA written form and also be discussed The notice should be provided in the benefits of observational studies The notice should briefly explain 426. United According to experts, the average reading comprehension level in the 422. 45 C.F.R. § 164.520. 423. 424. 425. the covered If individually identifiable information will be disclosed to researchers, M K LEAR ocratic society, an educated public can effectively dismantle policies that dismantle public can effectively an educated ocratic society, are objectionable. change by political system can bring The democratic permitting refer- with elected representatives, fostering communication government officials. using elections to replace enda, or ultimately promote autonomy and education, like consent, can Therefore, notice and respect for persons. 1. Notice instances without their data might be used in some tients that their health consent. ment, payment, health care operations, public health initiatives, law en- ment, payment, health care operations, forcement, and other purposes. ultimately lead to commercial profits that are not shared with data ultimately lead to commercial profits that are not shared with view.com/FAQ/reading.html (last visited Nov. 2, 2011) (“Research tells us that to commu- States is at most an eighth grade level. entity must currently obtain patient authorization in advance and cannot merely provide notice. patients to any notice regarding research uses of data without patients to any notice regarding identifiers. apply to all research uses. notice For research using identifiable records, authorization, and notices should also should replace requests for patient might access patient information in explain that authorized investigators de-identified form. Health care providers whose EHRs may be available and in any format should be obligated to researchers through any venue describes in general terms how and to furnish patients with a notice that might be used. under what circumstances their data physician or a knowledgeable nurse. verbally with patients by either a at least once by each health care Notice should be supplied to patients laboratory, etc., whose EHR will be provider, such as the doctor, hospital, used for research purposes. comparative effectiveness of treat- and the potential to determine the that will improve health care out- ments and achieve medical advances comes for all. explain that no individually If applicable, it should also identifiable data will be disclosed to researchers.explanations These should be written in simple language that is accessible to an average reader. C 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt 2011); covered by the privacy regulations, C Y 31670-smu_65-1 Sheet No. 74 Side A 04/12/2012 11:52:32 04/12/2012 A 74 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 74 Side B 04/12/2012 11:52:32 M K C Y 432 , July [Vol. 65 IMES 4-APR-12 14:10 , Nov. 15, 2009, at , N.Y. T In 2009, as the IMES 429 Seq: 56 , N.Y. T . 1985, 1986 (2011) (stating that ED The federal regulations require . J. M NG 433 The $640 Billion Question—Why Does Cost- E unknown EW 430 http://www.nytimes.com/2009/07/17/business/media/ In the 1990s, President Clinton’s efforts to In the 1990s, President , 364 N 428 SMU LAW REVIEW supra note 9, at 144. available at , ¨ This responsibility should be shared by HHS, private re- This responsibility should be shared EPORT 431 427 See supra notes 401–05 and accompanying text. See 21 C.F.R. § 50.23(a) (2011). See supra Part III.B.2.c. In addition, local researchers could conduct community meetings to ed- In addition, local researchers could To gain public trust, promoters of comparative effectiveness and other To gain public trust, promoters of ıve to assume that the public will automatically embrace It would be naıve to assume that 430. Earl Blumenauer, My Near Death Panel Experience 431. IOM R 432. 433. 427. 428. Victor R. Fuchs & Arnold Milstein, 429. Natasha Singer, Harry and Louise Return, with a New Message 17adco.html. search institutions, and highly respected professional organizations, such search institutions, and highly respected as the American Medical Association. Educational messages can take and news stories through me- the form of public service announcements medical websites, and e-mail.dia outlets such as television, radio, Re- updates concerning ongoing research searchers should also distribute media so that the public can remain projects and their outcomes to the are put and the new knowledge that apprised of the uses to which EHRs is acquired as a result. educational initiatives can be covered, The costs of to commercial research organi- at least in part, through user fees charged databases or federated systems. zations that apply for access to EHR WK12. country debated the merits of President Obama’s health care reform initi- country debated the merits of President would utilize “death panels” to ration ative, the idea that the government care gained surprising traction. 17, 2009, at B3, ucate the public and address concerns about EHR-based research.ucate the public and address concerns A seek a waiver of informed similar approach is used when investigators consent for research regarding emergency care in circumstances in which obtaining consent will be impossible. EHR-based research initiatives should launch their own public education EHR-based research initiatives should campaign. subjects. grade nicate effectively with a general audience in the U.S., we need to write at a 6th-8th reading level.”). Effective Care Diffuse So Slowly? 140 2. Initiatives Public Education EHR information researchers to access de-identified a policy allowing without patient consent. initiatives as Those generally resistant to federal upon individual au- “big government” and as infringing manifestations of gain support from sig- vocal in their opposition and tonomy may be very nificant segments of the population.may also be complicit in The media fueling public discontent. \\jciprod01\productn\S\SMU\65-1\SMU103.txt the media “is the principal source” of misunderstandings about “who really pays for health the media “is the principal source” of misunderstandings about “who really pays for care” and “the relative benefit of clinical interventions”). achieve health care reform were derailed by opposition from conserva- reform were derailed by opposition achieve health care care industry with the help of a highly tives, libertarians, and the health advertisement. effective “Harry and Louise” television 31670-smu_65-1 Sheet No. 74 Side B 04/12/2012 11:52:32 04/12/2012 B 74 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 75 Side A 04/12/2012 11:52:32 141 Similar 434 4-APR-12 14:10 In fact, it is more likely Seq: 57 437 436 unknown supra note 129 (reporting large privacy breaches at various 438 In addition, notice and education will enable the public to 439 Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing See supra Part IV.A. Id. § 50.24(a)(7). See supra Part II.B. See supra Part II.B. See supra Part III.B.1.a. Breaches Affecting, Health care providers can thus submit data that meet the HIPAA Health care providers can thus submit 435 Notice and education will not empower data subjects to make choices Notice and education will not empower It is also noteworthy that the law does not require physicians to seek It is also noteworthy that the law A notice mandate and public education initiatives would go far beyond A notice mandate and public education 439. 434. 435. 436. 437. 438. M K public disclosure of the project and consultation with community repre- with community and consultation of the project public disclosure be drawn. area from which the subjects will sentatives in the voice its concerns and influence research policies through the democratic process. safe harbor provision’s requirements to a research database without any safe harbor provision’s requirements free to leave data subjects in complete regulatory oversight, and they are ignorance of such research activities. health care entities). about inclusion of their records in observational studies.about inclusion of their records However, a mandate that researchers share comprehensive and truthful information with the public, together with intensified oversight, should prevent abuses and exploitation of data subjects. such abuses occurred Historically, im- when data subjects were vulnerable because of ignorance, poverty, or prisonment. patients’ permission to create medical files in the first place.patients’ permission to create medical In addition, consent to the transition from paper providers do not ask patients to records can expose patients records to EHRs, even though computerized exist when records are limited to hard- to privacy breach risks that do not in cabinets. copy files that can be locked away 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt meetings could be conducted in public libraries, community centers, and conducted in public libraries, community meetings could be observational locations to discuss EHR-based other easily accessible consent will not be sought.studies for which not would meetings These but would be that seek input from community members be consultations with researchers and the public to interact in person an opportunity for understanding of record-based research. gain an in-depth 3. Notice and Education The Benefits of with respect to de-identified data.the current regulatory mandates So disclose personally identifiable infor- long as health care providers do not Common Rule nor the HIPAA Privacy mation to researchers, neither the any information at all about stud- Rule requires that data subjects receive ies. that privacy breaches will occur in clinical settings than in the generally that privacy breaches will occur in of a research project that involves a more focused and controlled setting are dedicated to achieving accurate limited number of professionals who study outcomes. C Y 31670-smu_65-1 Sheet No. 75 Side A 04/12/2012 11:52:32 04/12/2012 A 75 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 75 Side B 04/12/2012 11:52:32 M K 440 445 . L. C Y LA [Vol. 65 , 59 A However, 4-APR-12 14:10 444 ROTECT P Seq: 58 The efficacy of these laws de- NTERESTS 443 I To illustrate, assume that research- unknown 447 AFEGUARDS TO S UBJECT As stated in Section 30 of the Helsinki As stated in Section 30 of the supra note 191, § 30. , S 446 . 1483, 1488 (2011). SMU LAW REVIEW ATA ELSINKI EV D H DDITIONAL note 87, at 450–54. L. R ARY supra D. A . & M M ECLARATION OF The statutory restrictions on how employers and insurers can use The statutory restrictions on how Many state legislatures have passed other anti-discrimination Many state legislatures have passed Id. at 308–11, 314–16. Id. at 307 (discussing the benefits of the Americans with Disabilities Act). 442 441 . 305, 307 (discussing plaintiffs’ low win rates in court and Equal Employment Oppor- There are additional steps that could protect data subjects against cer- There are additional steps that could In this final section we briefly review several laws that protect patients we briefly review several laws In this final section on biological and laws address discrimination based Federal and state 442. Sharona Hoffman, The Importance of Immutability in Employment Discrimination 440. 42 U.S.C. § 12112 (2006). 441. No. 110-223, Genetic Information Nondiscrimination Act (GINA) of 2008, Pub. L. 443. Sharona Hoffman, Settling the Matter: Does Title I of the ADA Work? 444. 445. 446. Hoffman, 447. D EV health data may reduce the frequency or impact of privacy breaches be- health data may reduce the frequency less attractive to hackers or those cause it could make health information to whom they seek to sell their bounty. laws. Law, 52 W 122 Stat. 881 (2008). pends on a variety of factors, among which are judicial interpretation of pends on a variety of factors, among enforcement. statutory provisions and robust administrative tain dignitary harms associated with record-based studies.tain dignitary harms associated with Researchers in reporting research results to should be scrupulous and conscientious avoid group stigmatization. from misuse of their data by third parties.from misuse of their a few In addition, we suggest minimize the risk of that could be implemented to further interventions harm to data subjects. health-related factors. Disabilities Act prohibits em- The Americans with with disabilities. against qualified individuals ployment discrimination 142 employers and Nondiscrimination Act prohibits The Genetic Information on genetic informa- engaging in discrimination based health insurers from tion. \\jciprod01\productn\S\SMU\65-1\SMU103.txt the statutes’ existence sends an important message to those who would be the statutes’ existence sends an important to discrimination, deters at least some inclined to subject the vulnerable remedies for aggrieved individuals. misconduct, and provides potential R tunity Commission enforcement of the Americans with Disabilities Act). ers determine that a genetic abnormality exists across populations but is ers determine that a genetic abnormality individuals of a particular ancestry.somewhat more prevalent among In must clearly communicate that interviews and publications, investigators to a particular minority group and the genetic abnormality is not unique variations.accurately describe its prevalence Neither the media nor re- head- searchers should be tempted to generate sensationalist, misleading and lines that might receive public attention but be inflammatory damaging to a minority group. Declaration, authors are responsible for the accuracy and completeness Declaration, authors are responsible of their research outcome reports. 31670-smu_65-1 Sheet No. 75 Side B 04/12/2012 11:52:32 04/12/2012 B 75 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 76 Side A 04/12/2012 11:52:32 143 In the . (BNA) EP 452 R 4-APR-12 14:10 Y ’ OL . L. P ES . R Seq: 59 ED could be partially addressed could be , 10 M 448 However, it may need to be consid- However, it may unknown 449 The ANPRM represents the first effort to VII. CONCLUSION 450 It is unclear when the new rule will be finalized or 451 Balancing Privacy, Autonomy, and Scientific Needs and Scientific Privacy, Autonomy, Balancing See supra Part III.B.2.b. See supra Part IV.D. Id. The problem of offensive outcomes of offensive The problem Individual interests in privacy and autonomy may conflict with society’s Individual interests in privacy and model is inappropriate for large- The traditional autonomy-focused Notice of Proposed Rulemaking In July 2011 HHS issued an Advance 451. Jeannie Baumann, Human Subject Protection: OHRP Commended for Proposed 448. 449. 450. pts. 46, 76 Fed. Reg. 44512 (proposed July 26, 2011) (to be codified at 45 C.F.R. 452. M K modernize the research regulations in over two decades, and it generated on nearly 1,100 comments during the first comment period, which ended October 26, 2011. what its contents will be, but the process is likely to be lengthy. Changes to Common Rule; Some Areas Questioned 160, 164, and 21 C.F.R. pts. 50, 56). through regulatory intervention.through regulatory investigators Regulations could prohibit particularly contro- designated types of studies that are from undertaking will see only de- subject consent even if researchers versial without data identified information. stud- consent could be required for For example, on facilitating abortion.ies that focus directly have would approach This because it will be very small number of study categories to be limited to a integrity of research and could threaten the costly and burdensome selection bias. projects through ered to avoid public outcries and resistance to the EHR database re- outcries and resistance to the ered to avoid public search enterprise. outcomes.need for the best possible research to sought has Article This and it has proposed a multi-faceted balance competing goals and values, and to protect the valid in- approach to maximize research opportunities terests of data subjects. by EHR technology.scale, record-based research enabled Instead, the to emphasize the common good in research ethics framework must shift noninterventional research. This conceptual change must be combined replace informed consent and effec- with a variety of measures that will other dignitary interests.tively safeguard patient privacy and in- These techniques that yield adequate clude: (1) the development of research from researchers; (2) ethics board data but conceal patient identifiers including those using de-identified oversight for all record-based studies, security of databases and revision of data; (3) scrupulous attention to the notice and educational initiatives. the HIPAA Security Rule; and (4) Research Protections: Enhancing Pro- (ANPRM) titled “Human Subjects Reducing Burden, Delay, and Ambi- tections for Research Subjects and guity for Investigators.” 2012] \\jciprod01\productn\S\SMU\65-1\SMU103.txt meantime, we hope that regulators will consider the concerns we raise. 723, 723 (Nov. 2, 2011). C Y 31670-smu_65-1 Sheet No. 76 Side A 04/12/2012 11:52:32 04/12/2012 A 76 Side No. Sheet 31670-smu_65-1 31670-smu_65-1 Sheet No. 76 Side B 04/12/2012 11:52:32 M K C Y [Vol. 65 4-APR-12 14:10 Seq: 60 unknown SMU LAW REVIEW Observational research involving EHR databases is not without some is not without EHR databases research involving Observational risk of privacy violations or other dignitary harms, and these should not or other dignitary harms, risk of privacy violations be ignored.can be mini- interventions, the risks But with appropriate mized. unprece- technology creates the potential for Health information in human discoveries and dramatic improvements dented scientific health. this opportunity. Society must not squander 144 \\jciprod01\productn\S\SMU\65-1\SMU103.txt 31670-smu_65-1 Sheet No. 76 Side B 04/12/2012 11:52:32 04/12/2012 B 76 Side No. Sheet 31670-smu_65-1