Data security is costly, complicated & Common Rule changes may not help

HIPAA would be model for all studies

The proposed changes to the Common Rule address an issue that clinical trial organizations have raised since HIPAA's privacy provisions went into effect, but they appear to make the situation even more difficult, some experts say in comments to the U.S. Department of Health and Human Services (HHS).

These proposed changes were published in the Federal Register on July 25, 2011, as part of an Advance Notice of Proposed Rulemaking (ANPRM). The Office for Human Research Protections (OHRP) published public comments to the ANPRM online at

HHS proposes these three specific requirements to strengthen protections against informational risks:

1. Data security standards in the HIPAA Security Rule would be the model for research involving identifiable data and data in limited data set form. This means that research with individually identifiable information, including all biospecimens and limited data sets, would need to follow data security standards in using encryption processes and provide safeguards for paper data, as well. When investigators used limited data sets or de-identified information, they would be strictly prohibited from attempting to re-identify the subjects.

2. If investigators see the identifiers but do not record them in the permanent research file, the data are considered de-identified or in limited data set form. Using a trusted third party to remove identifiers prior to passing on information to an investigator adds complexity and trust issues. "If investigators adhere to the standards for data security and information protection there may be less need for these complex third party relationships," the proposed changes state.

3. HHS would strengthen the enforcement mechanisms under the Common Rule by providing for periodic random retrospective audits and other enforcement tools.

HIPAA's rules for de-identified datasets are too restrictive and hinder the ability to share data for research purposes, writes Roy Beck, MD, PhD, executive director of the Jaeb Center for Health Research in Tampa, FL.

"The biggest aspect of the de-identified dataset we have difficulty with is dates," Beck says. "The de-identified dataset could not have a date of a lab test or visit unless one went through a statistical exercise that showed that within your dataset the probability of someone using that date to track it back to someone is infinitesimally small."

The problem is that it's unclear how to do that.

"So you have to pull the dates out and put in some code to get them in order, but there are certain circumstances where you need to know how one date relates to another date," Beck says. "For example, you need to know the date the person took a medicine and the date of the adverse event."

It's challenging to come up with a scheme where an investigator could replace the dates with some type of number and keep these in sequence with other events, he adds.

"That's what I was responding in terms of it being restrictive," Beck says. "The rest we can handle okay in a de-identified dataset, and we don't have too many problems with it."
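The kind of scheme Beck describes can be sketched as follows; this is an added example, not from the article or from the Jaeb Center. Each calendar date is replaced by a day offset from a per-subject anchor, so the order of events and the intervals between them survive while the dates themselves are dropped. The sample rows, event names and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample rows (not real data): subject, event type, calendar date.
EVENTS = [
    ("S01", "medication_start", date(2011, 3, 14)),
    ("S01", "lab_test",         date(2011, 3, 28)),
    ("S01", "adverse_event",    date(2011, 4, 2)),
    ("S02", "lab_test",         date(2010, 11, 30)),
    ("S02", "medication_start", date(2010, 12, 5)),
    ("S02", "adverse_event",    date(2011, 1, 9)),
]

def to_study_days(events, anchor_event=None):
    """Replace calendar dates with per-subject day offsets.

    Day 0 is the subject's first `anchor_event` if one is named,
    otherwise the subject's earliest recorded date. Only the offset
    leaves this function; the calendar date is never copied out.
    """
    by_subject = defaultdict(list)
    for subject, kind, when in events:
        by_subject[subject].append((kind, when))

    out = []
    for subject, rows in by_subject.items():
        if anchor_event is None:
            anchor = min(when for _, when in rows)
        else:
            anchors = [when for kind, when in rows if kind == anchor_event]
            if not anchors:
                # Without an anchor the offsets would be meaningless.
                raise ValueError(f"{subject} has no {anchor_event!r} event")
            anchor = min(anchors)
        for kind, when in sorted(rows, key=lambda r: r[1]):
            out.append((subject, kind, (when - anchor).days))
    return out

def interval(rows, subject, first, second):
    """Days from `first` to `second` for one subject, from offsets alone.

    Assumes each event type occurs once per subject, as in the sample.
    """
    days = {kind: d for s, kind, d in rows if s == subject}
    return days[second] - days[first]
```

Because each subject gets its own day 0, offsets are comparable within a subject but not across subjects; anchoring on `medication_start` makes events before the first dose negative.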

According to one physician who commented on the proposed Common Rule changes, the HIPAA Security Rule results in major impediments in day-to-day epidemiological research study activities because of excessively stringent security requirements on computers.

"For this reason, the Department of Epidemiology and Public Health (EPH) at Yale was reviewed and deemed not to be part of the clinical function of the medical school or Yale-New Haven Hospital and its HIPAA coverage severed, so it is no longer considered a HIPAA covered entity," writes Harvey A. Risch, MD, PhD, professor of epidemiology at Yale School of Public Health in New Haven, CT.

"This allows EPH-based studies to use standard, good-practices confidentiality and related measures in large-scale epidemiologic studies," Risch continues in his comment. "If HIPAA-standard full computer encryption is required for computers either (a) storing any study data, or (b) even working on data stored elsewhere (e.g., university secure servers), those computers become severely limited in the applications that they can run."

This change would strongly interfere with the ability to conduct high-quality research, Risch concludes.

Another person commenting on the proposed changes notes that it has become very costly to do research precisely because of data protection and analysis.

"How can new investigators afford to do any research if they need to hire a third party to de-identify their data and analyze it?" writes Marcelle Baaklini, MA, CCRP, research educator and quality manager at the Cleveland Clinic in Cleveland, OH.

Investigators often need input from information technology experts in order to meet the data security rules, or they need to purchase very costly data security software and services.

"I understand that we need to protect the subject and their public health information, but we need to find ways to help our researchers do this in a less expensive manner so they are able to continue their research," Baaklini adds in her comments to HHS.

Investigators who have done research for decades recall a time when the regulatory process was simpler, Baaklini says.

"They still took care to make sure subjects were protected," she adds.

"Now it's so advanced," she says. "I see where it's headed, and it's very costly."

One issue is that principal investigator (PI)-initiated studies are the wave of the future, and yet the stringent de-identification and data security requirements create high hurdles for researchers, she notes.

"We desperately need more of those investigator-initiated studies," she says. "We need to find ways to keep research going and make it simpler."

The ANPRM suggests the research community comment on specific questions throughout the proposed changes. One question involving informational risks asks if study subjects would be sufficiently protected if investigators are required to adhere to a strict set of data security and information protection standards modeled on the HIPAA rules. The question asks if such standards are appropriate for all types of studies, including social and behavioral research, or whether a better system might employ different standards.

Beck responded with a comment about how the rules for a limited dataset are more reasonable and should be considered instead of the strict set of data security standards modeled on HIPAA's de-identified data set.

HIPAA's definition of what is called a limited data set is not as restrictive as its definition of a de-identified data set, Beck notes.

"It shares a lot of the same aspects of what you cannot include," he adds. "But there are a few you can include: in a limited data set, you can include date of birth or event and their zip code."

Overall, the proposed changes to the Common Rule will be helpful to research organizations, but the changes regarding data security need to be reconsidered, Beck says.