
Congress, Privacy and Health Care Research

April 2015
Privacy In Focus

Congress is looking at ways to strengthen privacy and data security protections in various situations, evaluating new legislation related to data security, data breach notification, a consumer bill of rights and educational privacy, among others. Most of these provisions will expand existing protections and create new obligations for a broader range of companies across a wider range of personal data.

But there is also one area where Congress is looking at whether there are means of reducing some of the complexity of existing privacy laws, for overall public benefit. Through an ongoing project called 21st Century Cures, the Energy and Commerce Committee of the U.S. House of Representatives has been looking at ways to "accelerate the pace of cures in America," by "looking at the full arc of this process - from the discovery of clues in basic science, to streamlining the drug and device development process, to unleashing the power of digital medicine and social media at the treatment delivery phase." See

One key area for this proposal involves whether the existing privacy rules for health care research - which stem from both the "Common Rule" and the HIPAA Privacy Rule - can be streamlined to facilitate better research opportunities. The idea is to improve the ability of health care researchers to use and disclose personal data, to facilitate research that will improve overall conditions across the population. While these proposals are still being developed, this idea is an important one with a broad range of implications - can we make changes that will improve important public goals, while still providing appropriate protections for individual privacy? And, are there situations where the population can benefit on a broad scale and therefore minor impacts on privacy protections are worth the trade-off?

As Congress evaluates the 21st Century Cures initiative, some of the key issues to watch are:

  • Generalizable Knowledge

The current HIPAA rules permit data analytics where a covered entity uses these analytics for its own benefit, but appears to restrict any external communication of these results, even if no personal data is included in the research results. By restricting use and disclosure of Protected Health Information (PHI) when a covered entity is "Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines" if the "primary purpose" of the activity is "generalizable knowledge," the current rules - without any real explanation - seem to impede communication of research results. These provisions permit the use of data for internal purposes, but seem to prohibit communication of these findings to others. Moreover, in practice, HIPAA covered entities often have been conservative in their view of this language, even though the rule may give more flexibility than current activities seem to indicate (for example, if internal data analysis leads to results that may be worth publishing, this publication was likely not the "primary purpose" of the initial data analysis).

Congress should fix this restriction, so that useful analytical conclusions can be disclosed on a broader basis, rather than solely used to benefit one entity. First, Congress should consider removing this "generalizable knowledge" restriction. If a hospital conducts "quality assessment and improvement" activities, and learns through its analysis some conclusion of general value to the community or other entities, the HIPAA rules should not prevent communication of these results and conclusions. Since the "use" of the patient data would be the same, there should be no additional privacy concerns in this use. Obviously, whether driven by a minimum necessary analysis or otherwise, specific PHI should not be publicly disclosed in publishing any research findings, but this would be normal behavior in any event (and could certainly be included in any regulatory revision if deemed necessary).

Second, Congress should look at how this provision is applied in practice - and may simply wish to instruct HHS to make clear (in guidance) what kinds of disclosures are in fact permitted here - by redefining or explaining when "the primary purpose" of an activity is generalizable knowledge, or clarifying that analysis for other elements of this definition (e.g., population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination) can be conducted even if there is generalizable knowledge at the end.

  • Access to Information to Develop Research Protocols

It often is difficult for researchers to identify individuals whose data should be included in research studies. Improving this matching process will make research more productive and less expensive, but can certainly come with a privacy cost. While the HIPAA rules provide some flexibility to permit researchers to identify potential research subjects, the current provision is quite limited because it is restricted to situations where a researcher reviews records on the premises of a covered entity. Congress should explore whether there are ways to replicate the protections for this "on-site" review in an electronic environment. For example, if a researcher implements appropriate security practices, reviews records and then returns them, research opportunities can be expanded with a limited impact on any privacy rights (particularly since the same records are subject to review on site). In general, this "pre-research" phase clearly can benefit from additional flexibility.

  • Encouraging Use of Limited Data Sets and De-Identified Data

In connection with research, the HIPAA rules address three categories of data - protected health information, limited data sets and de-identified data. De-identified data is PHI that has been stripped of sufficient individual identifiers (using one of the two methods spelled out in the rules) so that the information is no longer "individually identifiable" and therefore is no longer subject to the HIPAA rules. De-identified data has real value in certain research contexts, and both the Committee and HHS should continue to explore means of enhancing the use and disclosure of de-identified health care data.

There also are substantial opportunities in connection with limited data sets. Limited data sets are a carefully defined term in the HIPAA rules, meaning information that has been almost de-identified, but by inclusion of certain limited data fields, remains PHI. Under the current rules, covered entities can use and disclose limited data sets for research and certain other purposes, as long as there is an appropriate data use agreement in place. The Committee should explore (or instruct HHS to explore) whether there are additional means (including additional remuneration) of encouraging covered entities to disclose limited data sets for research purposes.
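As an added illustration (not part of the newsletter), the following Python sketch shows the practical difference between the two categories just described: a limited data set, which strips direct identifiers but keeps dates and geography and so remains PHI, and Safe Harbor de-identified data, which also generalizes dates, ZIP codes and ages over 89. The field names, the constructed sample record and the small-population ZIP prefix set are assumptions.

```python
from datetime import date

# Constructed sample record; no real patient data.
RECORD = {
    "name": "Jane Example", "mrn": "MRN-0001", "email": "jane@example.org",
    "zip": "02138", "city": "Cambridge", "state": "MA",
    "birth_date": date(1931, 5, 14), "admit_date": date(2014, 11, 3),
    "diagnosis": "E11.9",
}
AS_OF = date(2015, 4, 1)                    # reference date for age computation

DIRECT_IDS = {"name", "mrn", "email"}       # removed in both outputs
DATE_FIELDS = {"birth_date", "admit_date"}  # reduced to year under Safe Harbor
SUBSTATE_GEO = {"city"}                     # smaller than a state: removed
# Three-digit ZIP prefixes covering fewer than 20,000 people must become "000".
# Illustrative subset only; the authoritative list comes from current Census data.
SMALL_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
              "823", "830", "831", "878", "879", "884", "890", "893"}


def limited_data_set(rec):
    """Drop direct identifiers but keep dates, ZIP, city and state.
    The result is still PHI and needs a data use agreement before disclosure."""
    return {k: v for k, v in rec.items() if k not in DIRECT_IDS}


def safe_harbor(rec, as_of=AS_OF):
    """Apply the Safe Harbor rules so the record is no longer PHI."""
    born = rec["birth_date"]
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    over_89 = age > 89
    out = {}
    for k, v in rec.items():
        if k in DIRECT_IDS or k in SUBSTATE_GEO:
            continue
        if k == "zip":
            zip3 = v[:3]
            out["zip3"] = "000" if zip3 in SMALL_ZIP3 else zip3
        elif k in DATE_FIELDS:
            # Year alone is allowed, except a birth year that reveals age > 89.
            if not (k == "birth_date" and over_89):
                out[k.replace("_date", "_year")] = v.year
        else:
            out[k] = v
    out["age"] = "90+" if over_89 else age   # ages over 89 are aggregated
    return out
```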

  • Expand Use of Data Use Agreements Outside of Limited Data Set Context

The data use agreement concept also can be expanded. A data use agreement mirrors - in most ways - the terms of a business associate agreement. Most researchers are acting on their own, rather than as a service provider to a covered entity, and therefore are not business associates under the HIPAA rules. Currently, researchers can only receive a limited data set using this data use agreement. The Committee should encourage HHS to implement a broader disclosure rule that permits broader PHI to be disclosed to researchers consistent with the protections of a data use agreement. This data use agreement, for example, would provide appropriate protections for any "pre-research" evaluation of potential research subjects. This expansion should be explored as a viable means of expanding research opportunities, particularly for "data research," without raising many of the privacy and security concerns that accompany many other modifications to the HIPAA rules.

  • Improved Guidance on Privacy Waivers

As a general matter, while the HIPAA rules on research have been in place since 2003, there remains significant confusion about them. Most researchers are neither covered entities nor business associates, so they may have little understanding of how these rules work. In the research community, there often is little focus on how best to obtain a waiver of patient authorization, little attention to the steps that should lead to a waiver, and little incentive for institutional review boards to approve waivers without clear protections. Everyone involved in this process - covered entities, researchers, IRBs and Privacy Review Boards - would benefit from additional guidance from HHS on when a waiver of patient authorization is appropriate. HHS could consider whether there are "safe harbors" where a waiver would be presumed or automatic (e.g., data research only in a controlled and secure environment). Rather than try to define these details itself, Congress should direct HHS to issue additional guidance and/or clarifications to make this waiver process more efficient and to improve the ability of researchers to obtain and use data (for the benefit of the overall healthcare system) where privacy risks are small or otherwise controlled.

  • Authorization Issues

Various HHS components have been reviewing patient authorization requirements in connection with research, to streamline the elements that are required to permit PHI to be used in research. The Committee draft includes an element establishing a "one time" authorization for PHI generally. This idea makes sense, and should move forward in the legislation. This step gives patients more effective control of their data, if they wish to permit use of their data for research activities on a broad basis.

  • Harmonization of HIPAA, the Common Rule and Other Research Principles

It is clear that one of the key challenges for health care research in the United States (without even considering international opportunities and complications) is that there are multiple rules and approaches that must be addressed and understood for many projects. As with many other areas of privacy law, the mere existence of multiple overlapping, inconsistent and ambiguous regulatory requirements creates its own problems and clearly increases overall transaction costs, to the detriment of both the industry and patients. The current legislative proposal does not address this overall confusion and tension. Moreover, it likely is not an appropriate or feasible legislative step to make legislative changes to an entire series of current regulations to attempt to bring them all together under a single framework. Instead, the Energy and Commerce Committee should consider directing the Department of Health and Human Services - which oversees many of these frameworks through various different sub-agencies - to study this question of harmonization and provide to Congress a report on how a more integrated and harmonious framework can be developed, to permit research projects to be developed in a more streamlined and efficient manner. Today's rules create impediments to research based on confusion, without addressing the potential benefits of these projects. HHS should be instructed to evaluate how these confusion-oriented and duplicative impediments can be reduced or eliminated, through development of a more efficient and clearer overall process for developing beneficial research projects.

It is clear that there are substantial benefits to better and more efficient research. The goal - for Congress and HHS - should be to facilitate more opportunities for research, provide complete opportunities for patients to agree for their data to be included in research and to provide clear guidance on how the existing rules can be used most effectively. Additional improvements also can be made to the structure of the rules to improve consistency and reduce tensions and ambiguities. On a broader level, the debate about health care research also focuses key attention on the public benefits of better research, and the opportunities to re-evaluate the balance between aggressive protection of privacy interests at the potential expense of broader societal benefits, particularly where there are opportunities to have better research without sacrificing privacy interests.