NPRM Symposium: Privacy and Promises, Promises, Promises

Part Two of Seven-Part Blog Series by Guest Blogger Patrick Taylor

The first blog post in this series probably provided a few surprises, but the surprises are just beginning. Can the NPRM to amend the Common Rule keep its promises?

The NPRM promises that patients will be able to consent to use of their clinical data in research, which is actually two promises, not one. The first is that the consent will be given effect. The second is that the refusal will be given effect. As to refusal, the NPRM absolutely does not keep its promise.

The NPRM is filled with page after page of exceptions where your consent is not required. These include examples like trailing you and spying on you in public, some tests done on how to affect children’s behavior, and more.

Also, there is no apparent way to change your mind, or to reconcile or even know about differing instructions. If you say “yes” to your primary care doctor to allow your clinical data to be used for research one year, and file a “no” with your next primary care doctor who has your previous records, how does your earlier doctor know you have changed your mind? There is no way to give effect to your later refusal.

Then there’s scope. I have been thinking about the problem of consent for research use of clinical data since about 2008. I spent about half my time for the last year and a half thinking about it. Early on, I realized I needed a way to capture what data required consent before research use. You might think that is simple – just look up the research consent statute in the mythical Lawyer’s Encyclopedia of Law, but no. Not only does no such statute exist, law doesn’t even work like that, and there are many special topic laws which implicate consent.

Here, I’m going to prove that the NPRM will not guarantee you control over research use of your medical records. To do that, I’m going to tweak a pretty good definition of what clinical data require consent for research use, by adjusting it to include the NPRM’s changes. The pretty rough definition I started with is about like defining Pi as 3.14 instead of an infinite decimal; it works for everyday purposes, but it soon produces errors in special circumstances.

This suffices because the refinements do not add consent coverage; they condition and subdivide the coverage this definition implies. Take children, for example: this definition says nothing special about them and perhaps implies that the same rules govern. If I adjust it for children, I need to distinguish areas where children can consent to their own care from care their parents must consent to, then make some probability judgments about whether consent to care implicates privacy, and then some difficult judgments about whether a child could consent to the proposed consent. None of that adds any support for the NPRM’s promise.

Even more than this one, the complete definition is mind-boggling in its complexity and its indeterminacy. It’s the product of a simple fact: the proposed rules would not protect patient clinical data directly, wherever it may reside. Instead they would operate only on specific actors, a small subset of the health care economy, and on specific research and research actors, prohibiting, requiring or permitting specific actions and punishing them for violations.

Under the NPRM, “clinical data requiring consent for research use” means (and this is my summary…)

personally identifiable health, historical, financial and demographic information collected from or about a living patient in the course of patient care, or from research involving diagnosis or treatment that results in clinical or research information being placed in a medical record of a provider that is a “covered entity” under HIPAA, and such data that directly or through the process of seeking payment is included in claims or other information concerning a subscriber or applicant in the possession of a payer or “clearinghouse” that is a “covered entity” under HIPAA, and any such data and derivations in the possession of “business associates” of covered entities, and, at least with respect to clinical data acquired on or after January 2015, such data or identifiable derivations of it that are created, maintained, transmitted or in the possession of entities that engage in “data management”, now also newly termed “business associates” if and only if they are not “mere conduits” with “random and incidental” access to the information,

(a) in all these cases the information is in the possession or under the contractual control of the covered entity, and (b) it is from that entity or one of its business associates that the information is sought, [and, being sought for single purpose research and having been collected for a different research purpose of clinical care, it has not yet been covered by an oral consent, opt-out, or clinical consent form], OR (a1) the information came into the possession and is in the possession legally of an entity that receives federal human research funding from a “Common Rule” agency [and was not yet banked for research pursuant to the legally mandated template consent] AND at least one of the two clusters (c)-(e) or (f)-(i):

(c) “research use” means whole genome research funded by the NIH, or (d) other federally funded research by Common Rule agencies NOT covered by any of the nonconsent pathways of regulations for the protection of human subjects, or (e) other nonfederally funded research, provided that it is a clinical trial not covered by FDA regulations, OR

(f) the clinical data are governed by certain, more protective state laws, when the entities possessing it are located in those states or maintain data in such states, or (g) the clinical data are the diagnostic or treatment data of certain alcohol and substance diagnostic and treatment providers governed by special federal laws requiring them to keep confidential all identifiable alcohol and substance diagnostic and treatment information, and the research would involve the disclosure of identifiable information or patient identities, or (h) the clinical data was acquired in the course of “clinical investigations” as defined by FDA regulations, to be incorporated in the research record pursuant to an informed consent, and the consent rules out the proposed new research use, or (i) the clinical data were acquired under a research informed consent under non-FDA regulations, the consent specifies restrictions, the proposed use would violate the restrictions, and the research is not eligible for a waiver or modification of consent or authorization under the non-FDA regulations.

(The brackets are used to apply the definition to data which require consent because a major step required by the proposed regulation was not taken; however, I have not cluttered the definition with the less major ways data could require consent because of a practice default.)

Who does this definition leave ungoverned? Registries, research foundations that fund their research philanthropically, anyone who receives data but is not a party to an agreement restricting use or disclosure, many universities, many government agencies (including the NSA, the CIA, the FBI, most state and local agencies, police), pharma companies, other for-profit corporations organized for any purpose that are neither federally sponsored nor providers, the major and minor political parties, The Washington Post, The Onion, Facebook, FOX News, PBS, most political action organizations such as the National Rifle Association and the Ku Klux Klan, the Ladies Knitting and Investment Club, and almost every one of the millions of individual human residents of this country, to name but a few. Does your nosy and gossipy next-door neighbor need your consent to do research using your medical data on the telltale signs of your being an incipient psychopath? No. Can the Department of the Interior fund research that purchases medical data obtained by the police during investigations, without consent, and research how many gun owners have had marital counseling, venereal disease, or have ever taken a drink? Yes. Or how many patients who admit to smoking marijuana to their doctor have never received addiction treatment but have ever driven with the parking brake on, raised their voices, complained of dizziness or headaches, or suffered an injury of any sort in their lives? Yes.

In the next two forthcoming posts, we will look at a basic question: is the NPRM consistent with the idea of giving to each person “equal protection of the laws”, not in some lawyers’ technical sense, but in the common intuitive sense? The proposed regulations do not give individuals plenary control over research uses at all. They just act as if big actors in the health care, research, general and identity-theft economies do not exist. Then they basically let your information go.

The Petrie-Flom Center Staff

The Petrie-Flom Center staff often posts updates, announcements, and guests posts on behalf of others.
