Privacy advocates fear Common Rule could shortchange patient rights
A primary purpose of the Common Rule governing how medical research is done is protection of humans participating in such research, and the rule is applicable whenever federal funds support research involving human subjects, according to Rebecca Herold, CEO at The Privacy Professor, a consultancy, and President at SIMBUS360.com, a cloud services corporation.
But Herold worries that privacy and security considerations often are secondary when human research is being conducted. “There has been great concern since the initial final rule was published about the lack of clarity and specifics within the final rule, and also the ways in which the wording could allow for use of patient data in research without the associated individuals’ true consent or even knowledge,” she contends.
A new interim final rule issued recently would supersede provisions of the initial final rule, but the privacy and security concerns remain valid.
A requirement to provide to patients a concise summary of the impact of and information within the consent form is worrisome to many research organizations, she adds. “They worry about the costs involved in updating their forms, how to get the forms to research subjects and how to handle existing consents for current research projects. So they have been lobbying to get more details and guidance for these issues.”
Privacy proponents also seek guidance on handling generally vague requirements and are concerned that institutional review boards have been given more leeway to allow for use of personal data without getting subject consents, particularly for vulnerable individuals such as minority groups, those with a genetic pre-disposition for certain diseases, or those with certain religions or sexual orientations.
Another worry of Herold and other advocates is that the interim final rule would change continuing review by researchers to annually assess situations to determine if they still are meeting privacy and security requirements. “Without details or specifics about this discontinuation, many fear that this would allow for wholesale access to patient data involved,” she says.
The rule brings significant changes to policies long in place, but it doesn’t contain the details for how to make the changes and a lack of clarity on how to comply with new requirements, Herold concludes.