The Department of Health and Human Services has issued an advanced notice of proposed rule-making, seeking comment on the need to make substantial enhancements to the protection of human subjects in research, including the privacy and security of research information.

Twenty years have passed since the federal Common Rule governing the protection of human subjects was adopted, the department notes in the notice, available here with publication in the Federal Register on July 26.

"The current regulations governing human subjects research were developed years ago when research was predominately conducted at universities, colleges and medical institutions, and each study generally took place at only a single site," according to the notice, which includes comment requests on dozens of questions. "Although the regulations have been amended over the years, they have not kept pace with the evolving human research enterprise, the proliferation of multi-site clinical trials and observational studies, the expansion of health services research, research in the social and behavioral sciences, and research involving databases, the Internet and biological specimen repositories, and the use of advanced technologies such as genomics."

Among the many possible changes, HHS is considering adopting the HIPAA privacy and security rules, in lieu of the Common Rule, for determining what constitutes "individually identifiable," a "limited data set" and "de-identified information."

Further, what is considered identifiable information also could be expanding: "Regardless of what information is removed, it is possible to extract DNA from a biospecimen itself and potentially link it to otherwise available data to identify individuals," the notice explains. "Consequently, we are considering categorizing all research involving the primary collection of biospecimens as well as storage and secondary analysis of existing biospecimens as research involving identifiable information."

Three specific requirements under consideration are:

* Requiring research involving the collection and use of identifiable information, as well as data in limited data set form, to adhere to standards "modeled" on the HIPAA security rule.

* Considering data as de-identified or in limited data form even if investigators see the identifiers but do not record them in a permanent research file. Many procedures now involve having trusted third parties remove identifiers prior to passing information to an investigator. But this adds another level of complexity and suggests that third parties are more trustworthy than investigators, according to the notice. If investigations adhere to HIPAA rules, there may be less need for a more complex arrangement.

* Providing for periodic random retrospective audits and additional enforcement tools.


Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access