SPECIAL REPORT: Common Rule Changes

[Editor’s note: This is the first in an occasionally reoccurring series of reports about the proposed changes to the Common Rule. As the U.S. Department of Health and Human Services (HHS) receives and posts comments, Clinical Trials Administrator will provide more in-depth coverage of what these changes might mean to research organizations.]

HHS: expand Common Rule privacy protection

HIPAA would cover just about all CTs

Clinical trial investigators soon will need to follow more stringent data security and information protection standards, according to a notice of proposed rulemaking, published in the Federal Register, July 26, 2011.

The U.S. Department of Health and Human Services (HHS) has proposed a number of changes to human subjects research protections and what is called the Common Rule. One of the most significant changes involves establishing mandatory data security and information protection standards for identifiable information.

HIPAA’s reach would be expanded under the proposal to cover studies that now are exempt from the regulations.

"The HIPAA rules apply to the use of protected health information’ by covered entities,’" says Jerry Menikoff, MD, JD, director of the Office for Human Research Protection (OHRP).

"Many research studies either do not use protected health information or do not involve covered entities," he adds. "Subjects participating in those studies deserve to have appropriate protections."

Specifically, the proposed change calls for the establishment of mandatory data security and information protection standards for all studies that involve identifiable or potentially identifiable data.

HHS is considering three specific requirements to strengthen the protection for research studies that pose informational risks, the proposed rule states.

These are as follows:

• Research that involves the collection of identifiable data, including data in a limited data set form, could be required to adhere to data security standards modeled on HIPAA.

"For research using limited data sets or de-identified information, investigators would be strictly prohibited from attempting to re-identify the subjects of the information," the proposal states. "Requiring that investigators implement and adhere to these standard data security and information protection measures would lessen the need for investigators to enter into data use agreements to protect the limited data set, as is currently required under the HIPAA Privacy Rule."

• The new proposal would have data considered de-identified even if investigators see the identifiers but do not record them in the permanent research file.

• HHS is considering strengthening the Common Rule enforcement mechanisms by having periodic random retrospective audits.

Patient privacy is one of the biggest issues in new technology, notes T. J. Milling, MD, FACEP, director of medical research at Hospital Physicians Clinical Research (HPCR) in Austin, TX.

"We have to be very careful with the security of email and texting," Milling adds. "Emails are secured and encrypted with no patient identifiers."

Some technology organizations already meet the most stringent privacy and security standards, says Dan Kerpelman, chief executive officer of Bio-Optronics Inc. of Rochester, NY.

"The Common Rule changes would apply to HIPAA, and we’ve been following HIPAA and Safe Harbor for European organizations," he says. "Most providers would do the same.

One change might require a technology focus, and that’s the area of focusing on de-identified data and following new standards in using it, Kerpelman says.

It’s not a major technology challenge, however, he adds.

"Our technology can allow the contract research organization to see the status patient by patient of a trial without identifying a single patient or characteristics, and the way de-identification is done is bulletproof," he says. "But if the standard calls for a specific recipe for de-identification, we’d have to make sure our approach is compliant with that."

Bio-Optronics and other technology companies will be watching the Common Rule changes unfold to see how detailed they become, he adds.

[Editor’s note: Clinical research professionals who would like to comment on the proposed changes to the Common Rule can submit comments through the Federal eRulemaking Portal at http://www.regulations.gov or by mailing their comments to Jerry Menikoff, MD, JD, OHRP, 1101 Wootton Parkway, Suite 200, Rockville, MD 20852.]