Skip Navigation

Logo: caBIG: cancer Biomedical Informatics Grid, an initiative of the National Cancer Institute

June 4, 2007

Mr. Steven Posnack

Office of the National Coordinator (ONC)

30 C Street, SW, Suite 4090

Washington, DC 20201

cps-wkg@hsrnet.com

RE: CPS June 2007 Public Comment

This letter is filed on behalf of the Data Sharing and Intellectual Capital (DSIC) Workspace of the cancer Biomedical Informatics Grid™ initiative (caBIG™) in response to the American Health Information Community Confidentiality, Privacy, and Security (CPS) workgroup’s request for public feedback on its working hypothesis that:

All persons and entities excluding consumers that participate in an electronic health information exchange network at a local, state, regional or nationwide level, through which individually identifiable electronic health information is stored, compiled, transmitted, or accessed, should be required to meet privacy and security criteria at least equivalent to relevant Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule requirements.

caBIG™ is a voluntary network or grid connecting individuals and institutions to enable the sharing of data and tools in order to speed the delivery of innovative approaches for the prevention and treatment of cancer (www.cabig.nci.nih.gov ). Participants in the caBIG™ initiative have been grappling with some of the same issues implicated by the CPS WG working hypothesis through activities in the DSIC Workspace. Members of the DSIC Workspace include intellectual property and regulatory attorneys, patient advocates, policy specialists, biomedical researchers, bioethicists, bioinformaticists, experts in technology transfer, and others. The DSIC Workspace seeks to facilitate data sharing between and among caBIG™ participants by addressing legal, regulatory, and proprietary barriers to research data exchange. Among these issues are the privacy and security of data exchanged under federal and state regulatory frameworks, including the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules; ownership and access rights of data contributors, human participants, and entities using data; the terms and conditions imposed by research sponsors; and the requirements for abiding by ethical standards embodied in part in federal law and regulations, such as the Common Rule for Human Subjects Research, the FDA Regulations on Human Subjects, and state, local, and institutional requirements.

caBIG™ is developing a framework for managing data exchange, which may provide a useful national model. This approach recognizes that there are varying levels of sensitivity of health information and that many data exchange require agreements, validation of users, authorization of intended uses, etc. Because the Grid technology is premised on the concept of federation, individual entities that control access to data are responsible for allocating the risk and consequent protection required for any given data set. Thus, a considerable amount of data can be exchanged using common sets of template agreements or contractual provisions that reflect input from a diverse group of stakeholders. This approach leaves room for those data sets which require the more intensive investment of effort reflected in individualized data exchange situations, including contractual negotiations. As the caBIG™ DSIC Workspace has been considering some of the same issues that are raised in the CPS WG request for feedback, we offer our perspective.

We appreciate the CPS WG’s effort to clarify the vexing issues relating to privacy and security and believe that their resolution is critical to the development of an effective system for deploying systems of electronic health records. The DSIC Workspace would be supportive of a broader application of the HIPAA Privacy Rule to entities receiving individually identifiable health information if the regulation were amended to expressly acknowledge that clinical research, including the re-use of data collected in clinical research settings, is included within the definition of health care operations as long as such research is subject to review by an OHRP-registered IRB with an approved Federalwide Assurance (FWA). Such acknowledgment would recognize research as an essential component of the health care delivery system, and thus cover research activities in a way that is administratively much more manageable than the current regulatory scheme.

However, in the event that the foregoing approach is not pursued, we strongly recommend that any solutions proposed by the CPS WG acknowledge the need publicly articulated during the promulgation of the HIPAA Privacy Rule to facilitate data exchange among organizations already regulated by the federal government as well as entities working to pursue knowledge to improve human health and to reduce the burdens resulting from disease and disability.[FN1] There have been many research-related issues identified as related to the interpretation and implementation of the HIPAA Privacy Rule, particularly at academic medical centers. It would be useful to clarify these issues in the HIPAA Privacy Rule before discussing whether it should be extended. In addition, it will be important to clarify the definitions of some of the terms used in the CPS WG’s working hypothesis, in particular, the concept of an electronic health information exchange network, the parameters of the definition of a business associate, and the notion as to what constitutes identifiable information. Accordingly we would urge the WG to ensure that its hypothesis explicitly enables the use and disclosure of health information for research. At a minimum, we urge the WG to assure that any revision of the Privacy Rule maintains, at a minimum, existing exceptions to avoid having an unintended but seriously negative impact on national, state and local public health activities.

The DSIC Workspace appreciates your consideration of these comments. We would be very interested in working with the WG as it develops its working hypothesis and outcomes so that data exchange not only protects individuals, but also accelerates the results of research activities.

Elaine Brock, J.D.

University of Michigan

DSIC Workspace Regulatory SIG Lead

Deborah Collyar

Patient Advocates in Research (PAIR)

DSIC Workspace Regulatory SIG Member

Rachel Nosowsky, J.D.

University of Michigan

DSIC Workspace Regulatory SIG Member

Wendy Patterson, J.D.

National Cancer Institute

NCI Facilitator for the DSIC Workspace

Marsha Young, J.D.

DSIC Workspace Lead

Booz Allen Hamilton (General Contractor for caBIG™)

1. R. Nosowsky and T. Giordano, The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule: Implications for Clinical Research, 57 Annu. Rev. Med. 575, 576-77 (2006).