[This Transcript is Unedited]
Silver Spring Hilton Hotel
8727 Colesville Road
Silver Spring, Maryland
MR. ROTHSTEIN: Good morning. My name is Mark Rothstein, and I am the Director of the Institute for Bio-Ethics Health Policy and Law at the University of Louisville, School of Medicine, and I am Chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics.
The NCVHS is a federal advisory committee consisting of private citizens, which makes recommendations to Congress and the Secretary of HHS on health information policy, including issues related to HIPAA.
On behalf of the subcommittee and staff, I want to welcome you to the second in a series of hearings on implementation issues under the HIPAA privacy rule.
I also want to note that our Internet connection is slightly delayed this morning and will be hooked up momentarily. So I'll defer welcoming those who are listening on the Internet, because, at the moment, no one is listening on the Internet.
As is customary at the beginning of each of our hearings, we begin with introductions, starting with members of the subcommittee and staff.
I would also invite subcommittee members to disclose any conflicts of interest that they have.
I'll begin by noting my conflict, that I am a member of the Ad Hoc Committee on HIPAA of the American Society of Human Genetics, and in the second panel we will hear from the Executive Vice President of ASHG.
MS. FYFFE: Kathleen Fyffe. I work for the Department of Health and Human Services in ASPI(?), and I am lead staff to the Privacy Subcommittee, and, today, I am also the timekeeper for your testimony, and I'll give you a three-minute warning, a one-minute warning and a zero-minute warning. So if you could please keep your testimony - your oral testimony to no more than 15 minutes, we would appreciate it.
MR. ZUBELDIA: I'm Kepa Zubeldia with Claredi Corporation. I'm a member of the committee and the subcommittee; and Kathleen has a button here with an ejector seat for the zero-minute warning. (Laughter).
SPEAKER: That's for the members. (Laughter).
MR. HOUSTON: I'm John Houston. I'm with the University of Pittsburgh Medical Center. I'm a member of the committee, as well as a member of its subcommittee.
DR. HARDING: I'm Richard Harding. I'm the Chair of Neuropsychiatry at the University of South Carolina, a member of the committee and subcommittee.
MS. HORLICK: I'm Gail Horlick from the Centers for Disease Control and Prevention and staff to the subcommittee.
MR. FANNING: I'm John Fanning from the Office of the Assistant Secretary for Planning and Evaluation at HHS, and additional staff to the subcommittee.
MS. EHRINGHAUS: I'm Susan Ehringhaus, the Associate General Counsel for Regulatory Affairs at the Association of American Medical Colleges.
DR. LINET: I'm Martha Linet, President Elect of the American College of Epidemiology.
MS. GONZALES: I'm Marcia Gonzales. I'm the Compliance Officer and Privacy Officer at the Indiana University School of Medicine.
MS. BIZILA: I'm Shelley Bizila. I'm the Director of Research Compliance at Indiana University.
MS. YAEGER: I'm Maryann Yaeger(?) from Emerson Strategic Group.
MS. BOFFMAN: Joan Boffman(?), Executive Vice President, American Society of Human Genetics.
MS. MOSS: I'm Kathy Moss from the National Center for Health Statistics.
MS. NOLAN Martha Nolan, Vice President of Public Policy, Society for Women's Health Research.
DR. ROBERTS: James Roberts of Magee-Womens Research Institute at the University of Pittsburgh.
MS. STONE: Suzanne Stone, Society for Women's Health Research.
MR. LAWNICZAK: I'm Jon Lawniczak, Director of Government Relations for the Coalition for Health Services Research.
MS. BICKFORD: Carol Bickford, American Nurses Association.
MR. ROTHSTEIN: Welcome to all of you.
By way of introduction, I want to remind the subcommittee members and tell the members of the audience that in 2001 and 2002 before the privacy rule went into effect, we had a variety of hearings on a variety of topics. One of the most important of those, and certainly the most troubling of those involved the issue of research, where we heard testimony from the research community about great concerns that they had that the privacy rule would somehow seriously undermine the ability to conduct research, and, today, we are going to try to make some sort of determination of whether those fears and concerns have materialized and, if so, in what way, how to resolve some of the issues that they raise.
I want to remind the witnesses, that we have time constraints, and to please keep their testimony to 15 minutes. Kathleen is vicious in enforcing those rules, and we use our extra time for discussion. So after the witnesses from each of the panel conclude their testimony, we will have broader questions and discussions.
I note that you have submitted written testimony. I would invite you to submit additional testimony, if you are so inclined within two weeks to Marietta Squire.
I would also request that witnesses and guests please turn off their cell phones.
And, finally, because we will imminently be connected to the Internet – I'll let you know when that happens – I would ask you to speak clearly into your microphone when speaking, and just give Dr. Cohen a chance to introduce himself before we get started.
DR. COHN: Good morning. Sorry for being tardy.
I'm Simon Cohen. I'm a member of the committee and National Director for Health Information Policy for Kaiser Permanente.
MR. ROTHSTEIN: And, Walter, you are just in time for introductions. Would you introduce yourself?
MR. STONE: Yes. I'm Walter Stone. I'm with the - staff, CMS.
MR. ROTHSTEIN: Thank you.
So we are ready now to begin with Panel Number 1, and I will go by the order that is on my list, which would mean Marcia Gonzales.
Agenda Item: Research - Panel 1
MS. GONZALES: Thank you. Thank you for this very important opportunity to speak on behalf of the Indiana University School of Medicine and the research community at Indiana University, Purdue University, Indianapolis, also known as IUPY.
Under the privacy rule, Indiana University is considered a hybrid entity. The School of Medicine, which is the second-largest medical school in the nation, does not meet the definition of a health-care component.
The research community at IUPY, like most academic medical centers, includes both covered and non-covered entities. Research is one of the core missions and defining characteristics of most, if not all, academic medical centers.
The School of Medicine either controls or is affiliated with at least 25 research centers on campus, some of which are not part of a covered entity. The research at the IU Medical Center campus is governed by the Federal-wide assurance with Indiana University and its affiliated hospitals. Five different institutional review boards oversee approximately 3,500 research studies annually. Eighty percent of these studies are conducted by a faculty member or individual affiliated with the School of Medicine.
I currently serve as the privacy officer and have worked very closely with the director of the IUPY Office of Research Compliance, Shelley Bizila, who is here with me today, whose office administers the IRBs.
As part of our implementation efforts, we enlisted the help of a HIPAA consultant, Emerson Strategic Group, and convened a HIPAA research task force.
Over the last 12 to 18 months, more than 700 hours were spent evaluating HIPAA's impact on research -
SPEAKER: Internet.
MS. GONZALES: - and the School of Medicine has expended over a quarter of a million dollars towards this effort. It is expected that another quarter of a million dollars will be spent over the next two years.
The focus of this testimony will address three areas - the increased level of privacy protection, current best practices and areas of clarification and barriers to research.
Overall, it is without doubt that there has been an increase in the levels of protections. I have provided to the subcommittee a flow chart illustrating the layers of safeguards effecting research more specifically as it applies to the school of medicine. This would be Exhibit A.
In large part, the increased level of protection is more likely attributed to the numerous hours of face-to-face training conducted prior to the effective date of the privacy rule.
As part of our implementation, we modified existing IRB forms that were already familiar to our research community, and a recruitment checklist was created to aid researchers and providers to determine if use, access or disclosure of PHI was appropriate. A list of forms reviewed has been provided as well, and it is Exhibit B.
Examples of best practices include training. Training was tailored to address specific needs of the research community, and then smaller groups proved to be more successful, because it allowed for individual questions to be addressed.
Institution-specific ethnic - were created from questions posed during the group training sessions.
Early and specific communications were also found to be best practices.
Once, prior to the implementation, researchers were informed of compliance expectations and provided with specific directions and tools to guide them towards compliance.
While the training did, indeed, result in heightened awareness and the implementation of additional layers of safeguards, barriers now exist in our ability to effectively and efficiently conduct research.
While other issues exist, our testimony will focus on two particular issues - barriers to collaboration for research purposes and barriers to future uses of protected health information or future research.
With regard to barriers to collaboration, one of the goals of the National Institutes of Health includes the - quote - expansion of the knowledge base in medical and associated sciences in order to ensure a continued high return on the public investment in research, closed quote.
Each year, millions of dollars are invested by public and private resources to further research at academic institutions like the IU Medical Center.
In order to maximize these research investments, the NIH has strongly encouraged collaborative approaches to research, specifically, the NIH states, “The scale and complexity of today's biomedical research problems increasingly demands that scientists move beyond the confines of their own discipline and explore new organizational models for team science. Many scientists will continue to pursue individual research projects. However, they will be encouraged to make changes in the way they approach the scientific enterprise.”
In contrast, the privacy rules focus on structure versus safeguards discourages this “model for team science,” as illustrated in Exhibit C, which is a comparison of the access to PHI for research purposes.
We will discuss three specific examples of how compliance with the privacy rule has resulted in activities inconsistent with the goals of the NIH roadmap.
First, recruitment issues between separate covered entities. Recruitment problems arise when members of a research team are not considered part of the same covered entity. Because PHI relevant to the research protocol must cross this imaginary covered entity line from one team member to another, additional administrative requirements apply. However, this distinction is neither consistent with patient perception nor the manner in which research is conducted.
Consistent with the “model of team science” approach, human disease is approached in a multi-disciplinary fashion. For example, our lung-cancer clinic may include a pulmonologist, an oncologist, a radiation oncologist and a cardio-thorasic surgeon. However, not all of these specialists are treating providers. These specialists may also be part of at least three covered entities.
To a patient with lung cancer who is interested in a clinical trial about a new surgery-chemotherapy regimen or radiation therapy, these providers are part of the team of doctors at the clinic. The patient only sees one provider team, one entity.
These providers may have collaborative discussions regarding treatment. They even share a research coordinator, but neither a research coordinator nor a non-treating provider can review patient records to identify or contact potential candidates for research purposes without an authorization or waiver of authorization regardless of the number of safeguards that may be present.
Furthermore, treating providers are also reticent to send out information to principal investigators regarding potential candidates' research or treatment alternative, because they are concerned about violating HIPAA. The end result is an impediment to the study activities due to the artificial boundaries that HIPAA imposes around covered entities.
Shelley Bizila, now, will discuss recruitment issues between non-covered and covered entities.
MS. BIZILA: Thank you.
On campus, we have an NIH-funded general clinical research center, the GCRC, that is not a part of any covered entity, but is funded for the specific purpose of aiding principal investigators with research-related tasks.
A common scenario is when a principal investigator is a member of a covered entity, but the research coordinator assisting the principal investigator with recruitment is not.
In order to allow the GCRC research coordinator to provide recruitment assistance to the principal investigator, at least two waivers and/or authorizations must be obtained, one to access the data and one to enroll subjects. The principal investigator would be required to track disclosures made to the research coordinator, a person he or she would consider as a member of their workforce.
If a research coordinator is not utilized, the principal investigator must personally perform the recruitment process. While alternatives exist through the IRB waiver process, this process only delays the research unnecessarily.
Barriers to collaboration also are present with multi-center trials. For example, a multi-center genetic study involving a number of research centers from around the country recently met at our university to discuss how recruitment and data collection would occur. Each center presented different interpretations for how recruitment and data collection would be done, based on their institution structure and their interpretation of the privacy rule. Even if each entity had a similar set of safeguards, recruitment and data collection would still be inconsistent, simply because the privacy rule is driven by the structure of the organizations and not on how PHI is protected. Thus, compliance with the privacy rule creates barriers toward advancing research and is fundamentally at odds with the goals of NIH for advancing health and research.
So we offer possible solutions.
Number one, third-party research personnel could be considered part of the covered entity's workforce. Research staff members that are not part of the principal investigator's covered entity – i.e., research coordinators who perform no TPO functions - cannot access the principal investigator's patient information without authorization or waiver of authorization.
Allowing research team members to be considered workforce members of the principal investigator's covered entity will alleviate both the IRB and the principal investigator from the authorization and/or waiver process, as well as having to account for disclosures.
Principal investigator and the research staff are already subject to internal HIPAA policies and research standard operating procedures.
Our second solution is IRB approval of written assurances for access in recruitment purposes.
Under the privacy rule, the use of a business associate agreement with its required safeguard language is appropriate for treatment, payment and health-care operations. However, these safeguards are not acceptable for similar relationships in the research arena, such as between a principle investigator and a clinical research organization, et cetera, despite the fact that research incorporates more layers of safeguards.
Again, see our Exhibit A, which outlines the HIPAA implementation and safeguards affecting research.
The IRB should be given the discretion to determine if the appropriate safeguards are in place when a principal investigator utilizes a third party for research-specific support, and this permission should only be sought once.
Criteria to determine the existence of these safeguards could be based on the criteria established for business-associate agreements.
This process would alleviate the repeated need for waivers of authorization in the accounting for disclosures among research team members affiliated and working in the same academic and research community.
And the third option would be recruitment assistance with approved members of the research team could be considered part of treatment and/or health-care operations.
Research at academic medical institutions involves treatment, quality assessment and population-based activities. When a patient enters an academic institution, it is recognized that research is the primary mission. The patient comes to the institution with the hope and understanding that they will have access to the latest innovations in health care due to that institution's research endeavors.
Research is very much a health-care operation at an academic medical center. Under the privacy rule, patients may be denied the opportunity to be considered for a research study that could enhance the treatment they are being offered. If adequate safeguards are present and institutional privacy requirements are met as approved by the IRB, recruitment should be permitted by approved members of the research team without an authorization or waiver of authorization.
Next, we'll talk about barriers to future uses of protected health information.
The final rule permits covered entities to rely on an express legal permission, informed consent or IRB-approved waiver of informed consent for future unspecified research obtained prior to the compliance data.
It is important to note that after April 14, 2003, more safeguards exist. However, the privacy rule prevents future uses of data collected after the effective date by requiring authorization forms to be research-study specific.
Access to the data for future research is beneficial in performing a similar or related study. Access to this information is extremely valuable for population-based studies in genetic research.
As discoveries are made, new opportunities arise for reviewing existing databases and/or samples containing PHI.
We will discuss two specific examples of how compliance with the privacy rule has created barriers to utilizing existing research data for future purposes.
In reference to the multi-center example previously discussed, there was no consensus among the IRBs at the different research centers as to whether future uses for existing genetic data collected for research purposes is allowed under HIPAA, if subjects consent and authorize to such use.
Since uniformity cannot be reached, data collection could differ at each center and could materially effect study results.
HIPAA doesn't apply to all research-related entities that access PHI. Use of research data for future uses is currently permissible for non-covered entities, such as pharmaceutical companies, CROs, other sponsors, et cetera.
Research institutions like the IU School of medicine are often pressed by these non-covered entities to include future uses in the informed consent or authorization form. IRBs are reluctant to allow these types of uses in the informed consent or authorization form. IRBs are reluctant to allow these types of uses because it is inconsistent with the privacy-rules requirements.
Although both parties recognize that future uses of existing research data is beneficial to new developments in health care, no consensus can be reached.
So our possible solutions: Number one, covered entities should be permitted to include future uses in the consent and or authorization as determined by the IRB. This will help create consistency with research sponsors who are already permitted to use research data for future studies.
If future uses cannot be included in the consent and/or authorization, we request clarification and guidance regarding the use of existing research data for related future studies.
In conclusion, ultimately, the privacy rules should emphasize whether the PHI is safeguarded, rather than where the PHI is held.
The IU School of Medicine has demonstrated a significant to compliance and we will continue to work diligently to protect the confidentiality and security of PHI use for research purposes.
We believe that if HHS provides some additional focus guidance and addresses some complexities presented by the rule, the privacy rule can be workable for research.
Thank you.
MR. ROTHSTEIN: Well, thank you. Thank you very much. I've got an unlimited number of questions to ask that I will defer to the discussion session.
Ms. Ehringhaus.
MS. EHRINGHAUS: Thank you.
Mr. Chairman and members of the committee, thank you for the opportunity to testify today.
As you will be able to tell – probably already can tell - I am a Southerner, and as I have thought about this testimony, I thought of a Southern metaphor. If you are a Southerner or if you have ever been in the South and you know anything about possums, you know that road kill is a frequent phenomenon, and as I think about research and the impact of some of the HIPAA research provisions on research, I think about road kill, because is the case with the possum, it is not really the intended victim, but it is just as negatively effected, and with that digression let me start my testimony.
I am Susan Ehringhaus, Associate General Counsel for Regulatory Affairs at the Association of American Medical Colleges. The AAMC represents the nation's 126 accredited medical schools, over 400 affiliated teaching hospitals and 94 academic societies representing nearly 105,000 faculty members.
I am pleased to be on a panel today with my colleagues from Indiana University School of Medicine and the American College of Epidemiology.
Our members conduct much of the nation's biomedical and behavioral research and share profound interest in protections for research participants, including protections for the privacy of individual volunteers for research and the confidentiality of research data.
The features of the final privacy rule that we will identify today do not reserve essential research activity on which the health and well being of all members of the public depends, nor do they add marginally to the protection of privacy and confidentiality of medical information.
Examples of types of research particularly affected by the privacy rules research provisions are provided in the written testimony that I hope you have in front of you. Do you have copies in front of you?
SPEAKER: Yes.
MS. EHRINGHAUS: Briefly, they include the following: Population-based research, including epidemiologic research, health-services research, environmental and occupational-health research, and post-marketing studies of drugs and medical devices, long-term medical outcomes research, registry research, public-health research and genetic-longitudinal research.
In many types of research, subject recruitment has become a thicket of regulatory ambiguity.
Let me summarize our concerns. AAMC today presents on behalf of its members concerns and recommendations in four categories, and, today, our concerns are not just informed predictions and projections, as comments leading up to the final rule necessarily have to be, but whether they are based on actual experiences with the privacy rule's research impact as revealed in the responses to the AEMC survey that I will describe here.
Our concerns are directed at the following provisions of the privacy rule, which provisions singly and collectively have already had a profoundly negative impact on research, we believe, without enhancing patient privacy.
They are: Accounting for disclosures, authorizations in waivers, the identification standard and the emphasis in HIPAA on organization versus function, and, as my colleagues from Indiana referred to it, structure versus safeguards.
Taken together, the experiences of our community suggest the following negative consequences for research:
Number one, the addition of the authorization requirement to established informed-consent protections has confused the informed-consent process for both patients and researchers.
Two, research management and oversight is burdened with expensive privacy-rule requirements.
Number three, disclosure documentation and accounting liabilities create research-related burdens that many are unable or unwilling to accept, thus diminishing the research subject base, slowing the progress of research and impeding the access of patients to research.
Number four, new burdens are placed on the entire process by which biomedical and health-sciences research is conducted, thereby increasing the disincentives to engage in such research, and we know the necessity for producing more clinician scientists.
The AEMC survey is our next topic.
In an effort to monitor and document the effects of HIPAA's privacy rule on biomedical and health-sciences research, the AEMC undertook in Spring 2003 to create a database of case reports documenting research affected, delayed, hindered, benefitted, abandoned or forgone.
The purpose of this survey was to enable the AEMC reliably to report to interested members of the research community and to government and related bodies, including your subcommittee, actual experience with the privacy rule of researchers and those engaged in managing and overseeing research process.
The survey steering committee included some of the most distinguished professional organizations in the country. I don't want to mention all of them, but I don't want to fail to mention the American College of Epidemiology, the American Academy of Pediatrics, the American College of Cardiology, the American Society of Clinical Oncology and the Association of Schools of Public Health.
The resulting data present a troubling picture of the privacy rule's bite on the academic medical-research community and on the huge portion of the nation's biomedical and health-sciences research enterprise.
We understand that early results can simply reflect unfamiliarity with procedural intricacies, conservative interpretations of requirements and other phenomenon that could lessen or disappear with time.
Though in the interests of time, we are only going to give you a snapshot today, we believe that what we report here cannot be dismissed as mere unfamiliarity with a rule that will abate over time.
I call your attention to page 4 of the written testimony in front of you, where you will see graphically depicted a chart based on 331 responses of the types of research our community tells us are effected by the HIPAA research provisions, and you see 72 percent of our respondents say that clinical research is effected, and you can look at the other numbers.
On the next page - page 5 in your written survey - Chart 2 illustrates research functions effected by HIPAA's research provisions based on a total, again, of 331 responses to date.
And if you will look at those numbers, we think they are really quite chilling in terms of patient recruitment, data access, data acquisition and data retention.
Responses to our survey question on types of research function include the following on the topic of subject recruitment:
“Additional consent forms tends to confuse more than inform participants.”
“Subjects are overwhelmed by the added link to consent form and repetition of several points already made in the body of the main consent.”
On the subject of informed consent, the responses include the following:
“My greatest concern is that the requirements for all these various authorizations to be signed overshadows the importance of the research informed consent documentation and process.”
Another quote: “I am worried, actually, that subjects are now paying less attention to the consent process because they are given so many pages to read and sign.”
On the subject of research collaborations, I quote: “The major difficulty for us has been establishing multi-site trials and getting everyone to collaborate.”
I quote: “Many health-care providers no longer participate or submit data to several observational pregnancy-exposure registries, as a result of HIPAA.”
And, finally, on the subject of bias, one respondent observed, “The complexity of the authorization form intimidates some potential participants. My concern is that by not including those people in the study, we are not including a true cross section of the population. Will this lead to only college-educated people in studies ‘form comprehension bias'?”
Our data contain literally hundreds of similar examples of profound concerns with the impact of the final privacy rule on research. These are just representative.
In summary, our survey provides clear early signals of the adverse effects of the privacy rule on key areas of research activity. Significantly, our findings are consistent with those of the National Cancer Advisory Board's feedback from the NCI Cancer Centers, cooperative groups and specialized programs of research excellence, which project was undertaken similarly to assess the impact of HIPAA.
Findings consistent across both surveys are the following: The negative impact on the informed-consent process, the confusion of subjects, the negative impact on subject recruitment, selection bias, alteration or abandoned research direction, inability or impaired ability to collaborate and so on.
Our initial results suggest the following provisions constitute the most problematic barriers to research:
Number one, accounting of disclosures. Our early responses suggest that, in particular, community providers and hospitals that do not view research as one of their primary missions are reluctant to assume the burden and unwilling to make patient records available to researchers. This impedes and may prevent much valuable epidemiologic and health-services research to the great detriment of patients whose care is enhanced by new medical knowledge.
A recommendation is the accounting of disclosures for research should be eliminated altogether. We believe that the regulatory burden is unreasonable and the incremental privacy protection is minimal to non-existent.
Authorizations and waivers. In addition to technical and legal ambiguities in practice, the impact of these requirements demonstrates a uselessness. It is practically inconceivable that a researcher who has presented a good-faith justification for request for waiver would have the request turned down by our privacy board or IRB, and we think the requirement for authorizations and waivers of authorizations for disclosure should be eliminated for research uses.
AEMC continues to believe that human subjects who also happen to be health-care consumers are fully and appropriately covered under existing current federal regulations governing human subjects research.
We believe that the authorization or waiver of authorization does not add to protections and does add a necessary complexity and confusion.
The D identification standard is equally troubling for us.
The real question here is whether or not the privacy's identification standard represents the appropriate mechanism to address the problem. We believe it's not, because the burden on research is disproportionate in terms of additive privacy protections and because there are other mechanisms that are less burdensome.
We urge – this is our recommendation - that the D identification standard be simplified and adapted for biomedical and health-sciences research purposes and not tailored, as it currently is, to accommodate the most extreme cases of misuse of medical information. Such misuse is, in fact, better addressed through other regulatory mechanisms.
And, finally, organizational structure. Ms. Gonzales has already indicated their concern with structure versus safeguards. We would like to align ourselves with those comments and suggest that both text and interpretations of HIPAA's research provisions must shift from organizational form to function served.
In conclusion, the AEMC's position is that research must be conducted ethically and with scientific integrity, and the protection of human subjects is a paramount obligation of researchers and their institutions. Protecting medical information from harmful use or inappropriate release is crucial to fulfilling that duty.
AEMC appreciates the willingness of the Department of Health and Human Services to increase the privacy rule's workability. The AEMC continues, however, to strongly believe that strong protections for the privacy of medical information can be accomplished without jeopardizing health research.
We emphasize that with respect to the research provisions identified in this testimony and reported in our survey modifications are essential if the vitality of the research enterprise is to be retained.
On behalf of the AEMC, I would like, again, to thank the committee and its subcommittee for giving us the opportunity to present our concerns.
Thank you, Mr. Chairman.
MR. ROTHSTEIN: Thank you very much.
I suppose once you hit a range of infinite number of questions, you can't add any additional ones. So I have just hit infinite number of questions.
Dr. Linet, please.
DR. LINET: Thank you very much. I'm Martha Linet, President Elect of the American College of Epidemiology.
My other hat, I am the Chief of the Radiation Epidemiology Branch at the National Cancer Institute. So I have been a researcher myself for 25 years and would like to present to you some of the concerns of my fellow researchers in the college, which is an organization of 1,000-plus epidemiologists.
Epidemiologic research evaluates postulated risk factors for disease, ascertain etiology, and to identify preventable causes. Among the enormous contributions to public health, epidemiologists have elucidated the consumption of contaminated water as the cause of cholera centuries before the discovery of the causal infectious organization, have identified cigarette smoking as the major cause of lung cancer, delineated the risk factors accounting for the majority of cardiovascular diseases and clarified the role of folic acid in the etiology of neural-tube defects.
We have our testimony here that I believe you all have, and, in lieu of Power Point slides, I brought my little group of slides here. So if you want to just - this really follows the testimony.
In the presentation, I would like to touch on four areas: Early experiments of epidemiologists and problems in four particular areas, some of the cross-cutting issues, the impact on participation rates, financial and legal issues, the college's plans to conduct ongoing assessment of the impact of HIPAA, and, in an effort to be constructive, we, too, as my colleagues here, suggest some remediation measures.
Well, from the point of view of epidemiologic studies, which often take 10 years from the time of conception until we have produced the final papers, this is early days. Only six months have passed.
Reports are mixed. Ongoing studies may be less influenced. Industry appears to be perhaps less impacted. The new studies are encountering some difficulty.
One of our biggest problems is the different and variable interpretation by IRBs in hospitals.
Let me move on to four particular problems, some of which have been covered beautifully by my colleagues here.
Prior to HIPAA, one could identify controls from the Centers for Medicare and Medicaid services. This is the problem of database access restriction, and one was able to identify subjects from hospital records or lists of patients, of discharge diagnoses.
Since implementation of HIPAA, access has been denied. The CMS database is for control selection and to hospital records without a waiver. This puts U.S. researchers at a major disadvantage compared to researchers from, for example, the Nordic countries, the UK, many other places where these databases remain accessible.
The second major problem I would like to touch upon is variable access to medical records of individual subjects.
Prior to HIPAA, a universal, simple release form was generally accepted, but epidemiologic studies were already being impacted by the requirement for signed release effective for shorter and shorter intervals and increasing costs to obtain records.
Since HIPAA, there has been variable access to records, notable complexity of release forms and increased requirements for subjects to designate the specific record components for release, absolve hospitals from liabilities, responsibilities, damages and claims arising from release of record information and to recognize a hospital's right to deny or revoke a release, and I think this is really nicely illustrated, the before and after, by Attachment A to my testimony. If you look at the form on the sixth page from the Sloane Epidemiology Center, this is an example of the before consent for release. Very simple. Straightforward. Used universally.
Attachment A on the next page shows you the major change required. Every one is different for a different hospital used by the Sloane Epidemiology Center. It's much longer, much more complex, all kinds of language that is really quite scary to patients and to researchers and much more complicated. I think it really shows you – illustrates this beautifully.
The third problem I would like to touch on is the increasing length and complexity of consent forms.
Prior to HIPAA, consent forms were generally simpler, more standardized, fewer legal requirements.
Since implementation of HIPAA, the forms include more institution-specific and/or expanded wording. Increased requirements for witness, notarization, proof of kinship, power of attorney, copies of protocols, dates of treatment, expiration of authorization.
We illustrate this in Attachment B to our testimony. This, the original form used by one of my colleagues was 2-1/2 pages long. Post-HIPAA consent form is now four pages long. The changes, the additions are highlighted in grey, and I think you can see that it is just really forbidding for subjects, and difficult for researchers to walk through all four of these pages and explain each part of it. When the encounter with the subject is optimally less than an hour long, one can spend just a huge amount of time going through this.
The fourth problem which I don't believe any of my colleagues have touched on is really expanded disclosure of confidential data to more entities, and this may be an interpretation of some of the IRBs.
Prior to HIPAA, access to confidential data was restricted to the investigators directly involved in a research project.
Since implementation of HIPAA, in some research organizations, there has been an expansion of the entities to which confidential data from subjects can be disclosed, including the IRBs, the funding agencies, adjunct investigators.
In the testimony, I cite an example form one of my colleagues doing research of Native Americans who had been assured prior to HIPAA that confidential information would not leave the reservation. Since then, the researcher has had to inform them that this type of confidential information can be released to the IRBs, the funding agencies, et cetera.
Now, I would like to move on to two cross-cutting issues, which I think all of these problems and others that I don't have time to elaborate on in ways they may impact, and this has been mentioned by my colleagues.
Among the factors that can cause declines in participation, which is a major problem in epidemiologic studies, is unwillingness of IRBs to grant waivers. The investigator can't identify eligible subjects in this type of situation. Lack of access to medical records. The investigator can't confirm the diagnosis, ascertain the exposure. The length and complexity of the consent form. The subject may not understand or may object to one component, and the expanded disclosure of confidential information, subject may just absolutely refuse participation on this basis.
In addition, also mentioned is the financial and the legal impact. What is already - epidemiologic studies are extremely expensive and cost in the neighborhood, many of them, millions of dollars, and on top of this, we need to add increased costs from the additional time for designing forms, training staff and HIPAA requirements, preparing additional materials required for the IRB packages, answering subject queries, obtaining the agreement of hospitals that provide records, and, of course, the legal requirements. Some hospitals had expressed concern about the risk of a Federal audit and are just completely refusing to participate in our studies.
College plans to continue to evaluate the experiences of individual investigators. Our goal is to see if we can identify more patterns. Subsequently, like the AAMC, we plan to conduct a survey, and the goal would be to prepare and administer the standardized data-collection survey instrument when more of the patterns have become apparent in are studies.
We will continue to try to communicate broadly with members of not only the American College, but other epidemiologic associations.
In terms of possible remediation measures, I have listed them on the last two slides shown.
The first problem of database access, I would urge that there be some reexamination of granting access to the databases.
The issue of complexity of consent forms. It would be very helpful if a simplified template or universal record release could be prepared by HHS that was HIPAA compliant. This would help enormously.
The problem of too many parties given access to confidential information. I think it is very important that we limit the parties given access. There is no need for the IRB or funding agencies to have access to subject information.
The problem of differential interpretation of HIPAA requirements. Obviously, there needs to be clearer communication of these requirements, and this needs to be an ongoing process.
Falling participation rates. I think DHHS could hopefully provide more guidance to IRBs and hospitals.
And then institutional unwillingness to grant waivers, I think DHHS must proactively reassure institutions that by granting the waivers that this will not make them more liable to serious problems. I think the institutions just don't really understand the problem.
The college appreciates the opportunity to present some of our concerns to you.
MR. ROTHSTEIN: Thank you very much.
I want to thank all four of our presenters. You have raised some very important issues that I hope we can explore in our question-and-answer session.
Before we get to that, I want to recognize and invite to the table Julie Kanishira, who is the policy team leader from the Office for Human Research Protections, and she has graciously agreed to help answer some of the questions that will – can you - can we get a – oh, here is a seat next to - Yes. Right. We can sit - yes, and there is a microphone for you.
Thank you.
And she is at HHS and at OHRP, and will help to answer some of the questions, in the event that any of the subcommittee members have any questions.
So who would like to begin?
SPEAKER: We all probably have questions -
MR. ROTHSTEIN: Well, I'm down to only two or three pages, so do you want to go first?
MR. HOUSTON: I would love going first.
MR. ROTHSTEIN: Okay. How about if we each go just one question and so that - and then we'll come back around again. Okay?
MR. HOUSTON: Well, first, I just want to acknowledge that, thank God, I'm not the only one who had the same perception of the issues with regards to the research role, and I know we are having a lot of the same types of problems with an organization I work in, and it's, in one sense, reassuring to know that other people have the same interpretation, and, at the same time, it's sort of sad that it's - collectively, it's - I think we are where we are at.
One of the questions that I have – and I'm glad somebody from OHRP is here – specifically relates to what seems to be varying guidance from OHRP with regards to things like waivers, and I would be interested in knowing whether - you know - what is your opinion with regards to granting waivers and additional criteria from OHRP, and whether your organization has encountered this, because I know this happens to be one of the issues that our IRB has indicated is a great issue which is - the HIPAA waiver requirements, we can get past, but the additional requirements that predate HIPAA for granting waivers are still there and prevent us from granting waivers typically, and I would just like to understand exactly what your opinions are regarding that.
MS. BIZILA: I mean, I would say that at our university, we probably look at - about a third of the studies that are presented to us are accompanied with a waiver of authorization for recruitment purposes, because we deal so much with an outpatient clinical research facility that just does recruitment and they are not a part of any covered entity, and the GCRC issue, plus some other issues.
So I think our IRB is very cognizant of the fact that that research probably could not practicably be done if those waivers weren't granted.
So we spend a lot of time in meetings just going over those waiver requirements for research, and they, pretty much 100 percent of the time, get granted.
So our IRBs don't struggle with that just because of the nature of our structure. It's the time burden that they have to go through, and, essentially, not rubber stamp, but you know, they know the situation. They know the structure on campus, and they know that that's the way data has to be accessed. So it is really - as Susan was saying - it's almost a worthless sort of process to have to go through, because it is pretty much going to be granted every time.
But I'm not sure that that – I mean, are you talking about the waiver of informed consent kinds of issues?
MR. HOUSTON: Well, I think - both, and, again, I think our IRB experience is the exact opposite, which is they rarely want to grant them, and they feel like they can't meet - they can't meet all the criteria necessary to grant a waiver, and, again, I think there is an issue between what HIPAA says needs to be done, what OHRP seems to say needs to be done and this inconsistency. In fact, the NIH Website, sort of has some differing opinions with regards to waivers as occurs with regards to - also in regards to research recruitment than what is on the OCR Website, and I think that's sort of a source of issue that I see, and I am just sort of interested in knowing whether you see the same types of things.
MS. EHRINGHAUS: It seems to me - am I on? It seems to me that you have put your finger on a very important phenomenon, that has occurred, and that is the blurring and confusion of the requirements for waiver of informed consent with the requirements for waiver - the HIPAA waiver, and that is the problem as far as we are concerned.
Our experience within single institutions is as Indiana has reported; that is, that it is almost inconceivable that a waiver of authorization wouldn't be granted. That has to be distinguished very carefully from a waiver of informed consent, which is not the norm, as you know.
I think Martha has reported experience based on multiple institutions collaborating, which is different, of course, and, again, seems to me that we are not making additive privacy on incremental privacy protections. What we are doing is confusing a process that is informed-consent process, which has an integrity and a rationality associated with it, with something really that is - it seems to us to be an overlay, mal-adapted -
MS. GONZALES: I think it is also indicative of the fact that the different IRBs are interpreting it. I mean, as the example that Shelley stated earlier with regard to the multi-center study, every IRB is going to interpret the rule differently, depending on safeguards and structure, and without guidance, I think that is going to continue.
DR. LINET: Wearing my NIH hat, listening to the experience at Indiana, when we have a choice of which institutions to collaborate with, we are going to Indiana. We are not going to go to those institutions that never grant waivers.
So that really puts institutions at a major disadvantage. I think it is a huge problem.
MR. ROTHSTEIN: Thank you.
DR. HARDING: Richard Harding.
Maybe Dr. Linet, you could help me understand something that was confusing to me. How does HIPAA expand disclosures?
DR. LINET: I think the problem is variable interpretation and confusion on the part of the IRBs. I mean, this was a report from one of our major, long-time epidemiologist collaborators, whose IRB has decided that - you know - as a covered entity they have to cover multiple groups - affiliates, adjuncts and so on - with their institutions. So prior to HIPAA, my colleague was in charge and was able to tell subjects that confidentiality was, of course, paramount and that disclosure would only be possible to the researchers in the project.
IRB has taken on the interpretation. You can see it right in the changed consent form that all of the collaborating adjuncts and associates plus the IRB and the funding agencies might have access.
I think there is confusion. I am not sure that it is HIPAA itself. I think part of the problem is the confusion in the interpretation.
SPEAKER: TPO and business associates, that part of HIPAA makes it available for everybody in that institution?
DR. LINET: It's a matter of interpretation by her IRB. This is really a huge problem.
MR. FANNING: I wonder whether this is a case of expanded access or simply being more honest with the subjects about an access that has existed all along.
Certainly, the funding agency could order the research and the institutional review board, in its obligation for ongoing supervision, had access to this material before. Is that not true?
DR. LINET: Well, had some access. I think - you know - in a more limited way, but in terms of putting all these matters into the consent form. I mean -
MR. FANNING: Well, I think what is being done now is that the subjects are being told what the access is. The Food and Drug Administration regulation for drug trials has always required that people be told that there would be audit review. The regulation generally doesn't say that.
DR. LINET: Usually, it was a more limited phrase, as required by law, that covered basically the same thing. Now, it is spelled out in such gory detail that I think subjects fixate on this.
MR. ROTHSTEIN: Well, let me – Julie, would you like to respond to that?
MS. KANISHIRA: I was just going to add to John's comments there. I mean, from the perspective of our office and in looking at informed-consent documents through our reviews, I think we would resonate to John's point that often the confidentiality statements that existed in informed-consent documents, prior to HIPAA, often were overstatements, assurances of confidentiality, that really, when teased apart, turned out to be not so absolute as they first appeared to be, and that, oftentimes, there is a need for folks outside of the research team to have access to research data, and I think that what we are seeing with HIPAA is that that is just really coming into the sunshine and that people are now having to think about, prospectively, who is going to need access or who may possibly or likely need access to this research data as the trial proceeds, and that will be the IRB, oftentimes, that would be the sponsor of their research, that would be FDA, that would be OHOP, on occasion, if we are going in to do a compliance visit.
So I think, while I absolutely agree that language is adding a lot more complexity to the informed-consent documents, I think perhaps it also is making a more honest statement for participants to see up front.
MR. ROTHSTEIN: I want to ask a question. I'll see what the panelists think of this.
In drafting the privacy rule provisions regarding research, it was intent, I believe, of the Department to minimize the burden on researchers by trying to align the HIPAA requirements with common rule requirements as much as possible, and one example of that would be that institutions are permitted to have a single document that is an informed consent document, and an authorization for HIPAA purposes, and, in fact, I have drafted these, and including the HIPAA required language takes about six sentences in the entire document spaced throughout and adds very little to the overall document if you wanted to integrate the two, but, as a matter of fact, most of the institutions with which I am familiar do not permit that, and, in fact, require separate informed-consent and authorization documents.
So my question is are some fo the complexities and redundancies and difficulties of the institutions brought on themselves by not taking advantage of the opportunities that the rule provides in these integrated functions.
MS. GONZALES: I think it is important, then, when we talk about the authorizations and informed consents is that we bear in mind the other parties involved in that process. There are the pharmaceutical organizations and other research sponsors. There are the medical records people who have to pull that. There are other people who have to speak to the subject regarding that informed consent.
In order for that process to run smoothly, these individuals have to be taken into account. One of our biggest problems is that many pharmaceutical organizations want specialized language into the informed consent, and it's not consistent across the board. A lot of people - we decided to do a separate authorization from the informed consent because if these consents are provided to the medical records people - be it hospitals, be it practice plans, other organizations that may hold these health records - the medical records personnel is not educated enough to determine whether or not that consent complies with HIPAA to determine whether or not that disclosure is appropriate. I mean, they may see a form, but do they know that it's the right thing to do. I mean, we already get questioned as it is now. I work in the compliance office and we have to audit medical records, and that is their job to safeguard that PHI, and so we wanted to streamline that process.
But the biggest problem is the fact that sponsors want specialized language, and in order to - I spent a lot of my time trying to negotiate that, and it's more than six lines. Some places want three or four pages of documentation stapled to the informed consent, and it varies -
MR. ROTHSTEIN(?): Excuse me. Some places? What do you mean by -
MS. GONZALES: Some sponsors - I'm sorry – want three or three pages included - future uses to be included. That's a huge issue, because although as non-covered entities they may be allowed to do that, I sense that they think that, at some point, HIPAA may apply to them and that they won't be able to obtain that information going down the road. So I don't know, but, consistently, everybody wants future uses into the informed consent or in the authorization, and so -
MR. ROTHSTEIN: But that would be the case even if HIPAA were repealed tomorrow, right?
MS. GONZALES: The future uses?
MR. ROTHSTEIN: Yes, if they want informed consent to cover future uses, so that they could set up a bio-bank, for example. You'd have to have these additional documents. So it's not HIPAA per se. It's the fact that they want to do more stuff with -
MS. GONZALES: Well, HIPAA is effected because you have to deal with the authorization part. They want to put it in the authorization. You know, a lot of it is does this go into the authorization? Does this go into the informed consent? And, as my colleague from the AAMC has pointed out, there is confusion with regard to the documents to delay in recruiting individuals as well, because it's yet – you know, one would think that the authorization would be one page. In fact, it's not. You know, some places it may be two to three or four pages, and it is very difficult to pear down. So -
MS. BIZILA: I would comment, though, that one of the other reasons that we did decide to go with a separate authorization is that as those forms are getting faxed back and forth, as they are getting sent in the mail, as they are getting transmitted in whatever way, we decided to limit the authorization to very sort of broad kind of language. So if it was – for whatever reason – intercepted that the person on the other end wouldn't know anything about that subject in terms of they have schizophrenia, they are an AIDS patient. Has all that information in an informed consent. It talks about diagnosis and the kind of drugs they are going to be getting. So we actually did it to both protect the confidentiality of the sponsor and their drug proprietary information - because the authorization says nothing about that information - and to protect the identity of the subject's diagnosis by not having any of that information in the authorization, which could be in the - which is in the consent form. So we actually had a separate document for that purpose.
MR. ROTHSTEIN: So what did you do before when you had no HIPAA requirement, basically, you had one document. You would have to fax and whatever the entire stuff that you now don't want to do, because it has confidential information on it.
MS. BIZILA: No, I mean, I don't know that we are necessarily saying that we want to do away with the authorization, but it's another thing. As Julie said, it has raised awareness in the types of practices that we were doing, the types of practices that pharmaceutical companies were - they have always been using that information for future uses. Now, it's brought more to the forefront. They are thinking about it. We are thinking about it. We are putting sort of controls in place that we never had put in place before. So we thought about all those things being transmitted now, where we hadn't thought about it before. So we tried to create this sort of barrier between the authorization and the consent for that purpose.
MR. ROTHSTEIN: Ms. Ehringhaus, did you want to comment?
MS. EHRINGHAUS: I do.
Number one, I think the AAMC's position all along has been that the contents of the informed-consent document should be candid and complete, and, thus, potential disclosures that may be made with private information must be in the informed-consent document, and that has been our position and continues to be our position, and so I would like to align us with the comments made on that.
I think the concern is the - before I went to the AAMC, I was a general counsel of a major research university for 30 years, and six lines may do it, but there were certainly - in my 30 years of experience, there were many times when the IRB did not listen to its lawyer, and believed, appropriately, that it knew better, because that was its role of how to carry out its responsibilities under the common rule, and I think that the reason that you don't see more people taking advantage of the ability to collapse the two forms into one - I think we have heard some of the reasons here, but I also think that the IRBs have a very real stake in the integrity of their own process, and - I mean, one has only to attend a primer meeting - and I'm sure that you have all been there - to understand the commitment that is boundless that those people have to what their responsibilities are and to meeting them in the way they themselves decide best serves the terms of the common rule.
So it is not surprising to me that IRBs might prefer to see separate HIPAA authorization forms, because the HIPAA authorization forms, in the minds of some, really do contaminate the IRB consent process, which has an integrity of its own.
The other difficulty is in multi-institution collaboration. There, you inevitability will get at least two sets of legal - as well as two IRBs, and they may well not accept - in fact, they don't, is our experience – accept the same language.
So I would - I don't think the authorization is serving a useful privacy purpose. If it is the mechanism by which people are finally telling the truth about what is going to happen, that is another matter entirely, but that is a problem with the informed-consent process and not the authorization requirement.
I also think that it is important that we remember the FDA has just declared that IRBs, now, contrary to rule, don't even have to review authorizations, which is, to me, an acknowledgment that they are not serving a particularly useful role in educating potential subjects about what is going on.
MS. KANISHIRA: You actually picked up on something I was going to comment on, that, you know, under the privacy rule, as well as under our regulations – HHS human-subject protection regulations and the FDA human-subject protection regulations – there actually is not a requirement for IRB review or privacy-board review of the authorization forms if there are stand-alone documents, meaning not combined with the informed-consent document.
So I actually thought maybe that was one of the reasons why your institution had decided to keep the document separate, but I know that even in many cases where institutions are deciding to keep them separate, they are still undergoing IRB review, even though that is not a regulatory requirement. It's a policy requirement on the part of the institutions.
So - just be interested, actually, if you wouldn't mind just sort of addressing that point a bit at your institution if you are keeping them separate, are you having IRB review of those documents and just some of the rational for that.
MS. GONZALES: Actually, the IRB doesn't review those documents. Our office usually does it as the Office of Compliance Services. However, they don't go ahead and approve that protocol or study until they hear from our office, and then that, again, delays the research approval, not only because our office has to review, but we then have to hear back from the attorneys at the pharmaceutical companies or the other sponsors, because almost all the time they have unique language they want to include, and it is not always future uses. It's just they want to cover their entity. We certainly want to keep our authorization consistent and cover our needs as well, and so although the IRB itself doesn't review those authorizations, a delay, in fact, occurs.
MR. ROTHSTEIN: Okay. Ready for another sort of brief round of questions - brief questions, brief answers.
MR. HOUSTON: I'm never brief, so -
MR. ROTHSTEIN: Well, it's a goal. (Laughter).
MR. HOUSTON: Back to recruitment for a second.
One of the issues that is coming up within my institution relates to verbal consent to approach a patient regarding recruitment into a study, and being the University of Pittsburgh Medical Center is not part of the University of Pittsburgh, we have achieved fairly clear corporate lines, not just a decision to break us apart as a hybrid entity, but that one of the issues is is that in the past they would get a verbal consent to have the research study approach a patient about potential inclusion in a research study, which is - under HIPAA, the interpretation at least now is is that can't occur, and I guess my thought is - and I'd be interested in knowing your opinion on this – is that, clearly - if the patient has verbally consented, clearly, there is at least an intent - the patient would have to be contacted and there is very little risk that some type of privacy issue is going to arise simply by being contacted.
Do you think it would be reasonable or workable to develop some type of verbal-consent exclusion or ability within HIPAA in order to do recruitment activity, so that, frankly, the researcher or the physician, all they would need to do is document in the record the fact that the patient has provided verbal authorization and that that was the basis for providing information to the study, which, again, would not necessarily be part of the covered entity?
MS. BIZILA: I think our issue has more been actually having access to that patient data, rather than approaching that patient to get verbal authorization. So it's -
MR. HOUSTON: Well, go down that road, then, too, because that actually is part of it, too. Do you see a verbal consent capability would be helpful, and do you believe that there would be any harmful effect of doing that?
MS. BIZILA: I think - I guess it depends on where it happens in the process, because the way that it usually works at our university and probably most universities is that the investigator uses a research coordinator who is probably not a part of that covered entity to actually go into their records and identify people. Then, we actually have our principal investigators get authorization at that point.
So it is not a matter of somebody else approaching the patient usually. It is usually the treating provider approaching the patient. So I'm not sure that option would work for us. It is actually the assistance of the research coordinator to get into that data to be able to say to the physician, okay, I have identified these 50 people who you might want to talk to. These are your patients, but I have identified these people. It's actually getting the research coordinator that access to that data that we have to grant a waiver of authorization for, and I don't think a verbal authorization would help us in that sense, unless – I mean, are you talking about the physician doing it absolutely every time someone comes through the doorway –
MR. HOUSTON: Right. I think the issue in our institution is often a physician would know of a study, see a candidate, would want to refer the candidate to the study and can't do it absent a written authorization, which is burdensome, and, frankly, to facilitate that, the thought was is if they, again, continue - to get verbal consent, document it in the record and then allow - you know, forward the information on to the study so that they could review the patient for potential, you know, inclusion in the study and then potentially contact them. I mean, I think that is the process that I hear as being one that people would like to see, and I'm just - again – interested in seeing whether that works.
MS. GONZALES: I think that would be extremely helpful, because, as we stated in our testimony, many treating providers are reticent in referring potential candidates to another provider, because they are afraid they may be violating HIPAA, and they know that they may have to get a waiver of - I'm sorry - an authorization signed, and, you know, when you have patients lined up one right after the other, there isn't any time to do that, and so if they could get a verbal authorization, I think you would see a lot more potential subjects being referred across those boundaries.
MR. ROTHSTEIN: With the indulgence of my colleagues, I would like to jump the queue to ask my question as a followup to John's.
MR. HOUSTON: That's his way of stopping me from talking. No.
MR. ROTHSTEIN: No. Well, one of the ways. (Laughter).
And that is, I think, in this area, one could make the argument that the HIPAA privacy rule is insufficiently protective of the rights of research subjects, and let me give you the following scenario, and it involves review in contemplation of research.
Under the privacy rule, researchers are allowed to review protected health information and medical records without IRB approval, without privacy board approval, without authorization to determine the feasibility of conducting research studies.
So I might want to do a study, but I don't know whether we have enough cases in the institution to actually make this feasible. So it allows me to comb through the records as a researcher, and, now, I have identified we do, in fact, have 100 people that have been treated for a certain condition over the last decade, and it is feasible to do this study.
The interpretation from OCR is, at that point, once I have identified people who could be in the study without IRB approval, without any approval whatsoever, I am now allowed to go out and contact these people and recruit them to participate in the study, according to the OCR interpretation, and that, of course, would, I think, make IRB members and anyone who has given any thought to this issue rather uncomfortable, because recruitment, as you know, is research, and I could come up with a totally unethical research protocol that would never reach IRB approval, and according to the interpretation from OCR, I can just go out and do it.
So the question that I have is wouldn't you agree that this kind of activity would indicate an area in which the privacy rule, as interpreted by OCR is insufficiently protective?
MR. HOUSTON: And, Mark, let me add that NIH actually, on the Website, with regards to privacy, has some - what I believe is very contradicting guidance specifically with regard to this issue.
MR. ROTHSTEIN: This is the December guidance document issued by OCR.
MS. BIZILA: We haven't interpreted it that way. We have interpreted it that you can look and get numbers, for example, that so many people have this GI disease, so I think I can support the fact that I can easily do this study, but we do not allow investigators to obtain any contact information without IRB approval for that purpose. They cannot record anything. They can only access it, get aggregate sort of information, but they cannot obtain any direct contact information for that purpose.
MR. ROTHSTEIN: Well, I think - the point that I am trying to make is that the privacy rule represents, in many ways, a floor and not a ceiling for protections and that you need to consider the common rule and other - and professional statements and ethics and so forth, and I would be concerned if we were going to race to the bottom of the - sort of the floor that HIPAA provides.
MR. EHRINGHAUS: Well, except that your comment that there are other protections available, I think the common rule addresses that squarely, and Julie can do it with far more authority than I can, but we would prevent the researcher from making any contact with the subject, until the IRB had reviewed it, approved it or declared it exempt or it had gone through expedited review, for whatever reason.
MS. KANISHIRA: I'll just say that, yes, under our regulations, the human-subject-protection regulations, recruitment activity for research actually is considered one of the research activities covered by our regulations, and we do believe that would require IRB review and either informed consent of the individual or a waiver.
In most cases, a waiver would be appropriate, given that sort of a chicken-and-egg scenario. You have to actually know who you need to contact before you can contact them, even if you plan to contact them for informed consent to participate in the study as a whole. So that is an area, though, that I think HIPAA has also shined more light on, under our regulations, that we are aware that many actually have not thought that that kind of recruitment activity constituted research, under our regulations, and, you know, weren't having IRB review and approval specifically for that activity or a waiver of informed consent for that activity.
MR. ROTHSTEIN: So I hear no objection to a recommendation, perhaps, that this guidance be rethought for the future.
MR. HOUSTON: But the issue is - I hate to say that there is a lot of institutions that take the contrary view, and it's interesting, because where I'm at there is actually a number of IRBs who, I think, have interpreted this a little bit different, and I have heard - you know - mention of the fact that - you know – they look at the OCR guidance as being dispositive, don't want to even look any further than that to the common rule and the guidance out of NIH, and I think that this does present problems. It really does, and I think the OCR guidance is incomplete, and I think it needs to take into consideration or needs to be rethought as to how it is worded, because recruitment - clearly people think that the OCR guidance goes as far as, say, you can go to contact patients. You can do whatever you want to do and it doesn't - research.
MS. KANISHIRA: I was just going to point out in recent guidance that was issued by the department via the NIH in August, there actually is a Q and A on the point of contact, and what OCR has clarified here is that actual activity of making contact with an individual to seek their authorization actually is not a preparatory-to-research-function, but is perhaps a health-care operations function, if the researcher is an employee or workforce member of the covered entity or perhaps acting as a business associate of the covered entity to make contact with those individuals on behalf of the covered entity for recruitment purposes.
Alternatively, OCR clarified that if the covered entity obtains documentation of a partial waiver of authorization by an IRB or privacy board simply for the recruitment phase of this study, that that is another mechanism by which contact information could be disclosed to a researcher for the purpose of initiating that contact with prospective subjects.
MR. ROTHSTEIN: Okay. Richard.
DR. HARDING: I have a different subject -
MR. ROTHSTEIN: Sure. No. No, no, no. I think we're exhausted on that subject. (Laughter).
DR. HARDING: John Fanning and I were talking just before the start of the testimony about the issue of identifiable information and the standardization of that across many Federal agencies and so forth.
One of the things that Susan recommended was that the standard for de-identification be lowered in some way.
When this was all being discussed, in ancient times, five years ago and all, we were greatly influenced by an individual - I remember Tonya Sweeney(?). Some of you may remember an individual who came in and showed us how she could reidentify anything. I mean, anything, and name the person who had this - it was impressive, and I think that the level of de-identification was set at a very high standard because of that.
I have always hoped that things could be de-identified and that would take care of a lot of the stuff that we are trying to deal with here in other ways, but is there a feeling among all of you that de-identification is at too high a standard, that it should be lowered, that that wouldn't cause any good or bad effects one way or the other or do you have any thoughts about that standard of de-identification?
MS. BIZILA: I think that our comments would align with what the AAMC has said is that it is very difficult for a study to reach that standard, and I think it has been a hindrance for people to be able to reach that standard.
MS. EHRINGHAUS: It is quite expensive. So if you talk about community providers - our data suggests that some community providers simply refuse to do it because it's expensive, it's burdensome, and they are concerned about possible liability.
The AAMC position is that it doesn't make sense to regulate to the point - whatever the percentage is - instance of gross misuse or intense curiosity or whatever the motivation is that is inappropriate, that it makes sense to regulate for the vast majority of the population that is presumed to be behaving responsibly, but to put in place serious interventions for those who don't, and so our position is not that de-identified data isn't a good thing to encourage - I mean, we have encouraged that throughout the gestation of the rule.
Our point is that the standard is not adapted to many kinds of population-based research, and Martha can speak to that far more knowledgeably.
MS. LINET: I think it is always possible to work your way back. I mean, the Nordic countries have come to grips with this because they are so small, and so they have set standards that, you know, if there are fewer than so many subjects with a given disease - the problems we encounter are more the very rare diseases that we study - childhood cancer, for example - and general abnormalities. So this is a particular problem when looking at those very rare conditions, and, of course, as you know, people with these diseases have banned together - the Orphan Drug Act, so on and so forth. I mean, we don't want to not study certain conditions because it is more easy to identify people. So I think it is a very difficult standard that has been set.
MR. ROTHSTEIN: Let me just add parenthetically that my own research involving studying what research participants actually want in the way of protections suggests that those of us who are interested in, quote, privacy, and those of us who are doing the actual research and think that no one is going to enroll in our study unless we promise them anonymity or whatever, are at a serious disconnect with what the participants actually want. They don't really care about anonymity to the degree that we think they do. What they want – and they are happy to authorize the use of their clinical records, their name, et cetera, so long as the researchers honestly indicate who is going to have access to it and the conditions under which it is going to be used, and if they are engaging in an act of altruism by participating in research, that includes allowing their name to be used, and it varies by age group, mostly, on these views, but sometimes I think we place a higher value on anonymity than the actual research participants do.
So with that editorial, we are going to take a 15-minute break and have Panel Number 2 at 10:15, and I'm sure we'll continue with many of these issues.
Thank you very much to all panel members and also to Julie for helping us out.
(10:00 a.m.)
(10:19 a.m.)
MR. ROTHSTEIN: We are back on the Internet as well as live here, and I want to welcome our listeners as we begin our final panel of the six that we have held in the last day-and-a-half, the second panel this morning dealing with the subject of research.
I want to welcome our three new panelists and ask if Dr. Roberts would please begin.
Agenda Item: Research - Panel 2
DR. ROBERTS: Thank you.
I am James Roberts, and I am the Director of the Magee-Women's Research Institute in Pittsburgh, Pennsylvania.
Magee-Women's Research Institute is the largest research center in the country whose efforts are directed solely at improving the health of women and their infants.
I also should point out I am an active investigator, being principal investigator on large local studies, as well as some large multi-center national studies, and much of what I present today will have been touched on by others, but I think my view is, I guess to a certain extent, the view from the trenches.
At Magee, we have a very large clinical research program, and this includes membership in several NIH networks for clinical trials. These networks include the Maternal Fetal Medicine Network of the NICHD, the Gynecological, Urological Network and the Pelvic Surgery Network.
All of these networks were designed by the NIH to use a large multi-center strategy to rapidly answer questions that will improve the health of women and their babies. They demand adequate enrollment for continued participation.
These programs and the other clinical research projects at Magee have been devastated by the new HIPAA regulations.
I thank the Society for Women's Health Research for the opportunity to address the problems associated with these regulations and their specific impact on our institution.
The mission of the society is to advocate research to improve the health of women, and these issues are of obvious importance to them.
I am certain that the authors of HIPAA regulations had no idea of the adverse effect these regulations would have on clinical research. In fact, I read quotes stating the authors felt the regulations would help research because subjects would be more confident of the privacy of their records. Improved recruitment has certainly not been the result of the first six months of HIPAA regulations. The reasons for this, I think, have been pointed out. They are fairly obvious. In fact, many of these were pointed out before the regulations went into effect.
One problem is the mandate that the patient cannot be approached about a research project without first giving written permission to a member of the clinical team providing care. This puts an additional burden on the already over-tasked care-providing team, whose first interests and responsibility is not research, but patient care and providing this in a safe, efficient, economical manner. One solution is to bring on more staff to take care of this issue, and this has been the approach of many institutions.
Another major problem we have dealt with is the impact of the HIPAA regulations as they have been pointed out previously on retrospective chart reviews. In years past, an important and economical source of information were the medical records of patients previously cared for at an institution. To acquire preliminary data, for example, about preventable risk factors for disease, records of patients with the disease would be reviewed and the relationships of the disease to some behavior, metabolic or genetic factor would be examined.
It was this type of information that gave the initial hints at the relationship between smoking and lung cancer, estrogen and breast cancer and lipids, obesity related to heart disease.
If strong relations were identified in these studies, larger studies would be carried out, including clinical trials, and the answer would be established.
These chart-review studies can no longer be performed, as you know, without permission to review charts from all of the involved patients, even those cared for years previously. This is difficult to impossible to accomplish.
Another problem that has been pointed out is that regulations are also subject to very different interpretations. For example, one of the points that was discussed earlier was the regulations in relationship to preparation for research, and according to this regulation, the covered entity may give researcher access if the researcher provides assurance, one, that the use, disclosure is to prepare for research; two, that the protected health information may not be recorded or removed, and, three, that such access must be necessary for research purposes.
This has been actually interpreted by some organizations as allowing pre-screening by individual investigators to identify subjects eligible for research.
Conversely, others have concluded that the pre-screening can only be used for such things as to determine the frequency of the disease in a hospital population.
In fact, if the regulations are very strictly interpreted, it also suggests that to acquire more complex information prepatory to research – for example, how many African-Americans versus Caucasians have a disease or how often the disease occurs at different ages – it'll be necessary for the reviewer to have a very good memory, indeed, since no written information is allowed to be taken from the review setting.
Since penalties for not complying with these regulations are severe - fines and imprisonment - the interpretation is quite important and has, in many instances, tended towards the conservative.
A particular - feature to me, as a clinical investigator, is the so-called TPO provision that charts can be reviewed for treatment - T purposes - payment - P - billing purposes and organizational purposes without prior approval. Missing from the list is research, which has, for many years, had many regulations in place to protect patient privacy and that I would contend is at least as important to the healthcare of our patients as billing.
What are the current approaches to work through these problems to maintain clinical research? A general approach that has a potential to solve all of these problems is a research registry. Patients are asked to be part of this registry in which they will give permission to be approached for research, to have current and prior records available for research.
However, as attractive as this sounds, it has not worked in many settings. First, the registry must be disease specific and the patient must, therefore, give permission for many registries. This also prevents a simple research clause and general HIPAA information forms.
Furthermore, the person approaching the potential research registrant cannot be an investigator unless that investigator is a member of the care-providing team. As I pointed out, the demand for the care providers to get this permission taxes an already busy group of individuals whose primary orientation is not research.
The use of care providers only works in slow offices or in very busy offices where people hope no one will read the forms that are provided to them. This is obviously not an ideal solution.
Chart reviews can be carried out with permission, as has been pointed out, if they are de-identified. This requires, as you had pointed out, the removal of 18 items ranging from the names to dates and dates of birth. We have estimated that it will take an abstractor 2-1/2 hours - to remove this information from every page. Charts, especially of patients with long history of care or complex diseases, can be many inches thick, and this is an obvious expense. Electronic records make this de-identification much faster and much easier and much less expensive. In our experience, removal of dates can sometimes dramatically reduce the value of the information. It is at least mandatory to put in pseudo-dates that are separated by the appropriate - to judge disease progression rate or recurrence rate. An approach that is widely used around the country takes advantage of the way the authorization be given by the institutional review board.
Requirements for the waiver include, one, that research cannot be done without the waiver, and, two, the risks that the patient privacy will be violated is slight.
Again, we have problems with interpretation that is very different in different settings.
Some IRBs conclude that all IRB-approved protocols meet these requirements. Others, undoubtedly influenced by the possibilities of fines and imprisonment, conclude the wording is too vague to allow them to give any waivers.
How are we personally doing at Magee? We instituted a research registry with the enrollment by care providers at the institution of the HIPAA regulations.
In the first six months after the institution of the regulations, this did well, as I pointed out, in slow settings, but in our busy clinics, enrollment is less than 10 percent, and, in fact, in our last - it was six percent and raises an issue, I think, that was raised earlier about possible patient bias depending on where they happen to be seeking care.
We also do not have electronic medical records before 1997 and our records are incomplete even after 1997. Thus, chart-review studies have almost stopped.
We have been warned by the NIH that we must increase our recruiting and our funding for ongoing research in jeopardy. I think Dr. Linet's point earlier that if she had her choice who she is going to work with the NIH, somebody who gives waivers and gets a good enrollment or somebody who doesn't, is very pertinent to us.
We continue to commit an enormous amount of time and energy to get around the regulations legally. Our most recent strategy has been to institute IRB waivers that allow the investigative team to pre-screen charts for eligibility for specific studies, and these are IRB-approved protocols.
If the patient is eligible for study and the waiver has been granted, a permit for the approach to a specific study is placed in the chart. Care providers, however, must still get the patient to sign the waiver to be approached. However, since we feel this is much less complex and time consuming than explaining a registry, we are optimistic that this will increase the participation of the care providers in getting permission for patients to be approached.
The idea, then, is that once the patient has been signed, the appropriate investigator will approach the individual about their subject and - even more importantly - will recruit them into the research registry.
It remains to be seen if this will solve our problem. This has only been in place for about four weeks, but, unfortunately, things, so far, do not seem incredibly encouraging.
It is also important to point out - as was discussed earlier - that we are - have the potential to be part of the University of Pittsburgh review system very shortly. We currently have our own IRB, and where our IRB has granted a waiver, we have no guarantee that waiver will, in fact, be carried forward when we go to the University of Pittsburgh, who has been very reluctant to grant waivers. We may be back to square one.
In summary, I think if we remember the purpose of the HIPAA regulations is to protect patient privacy, and the purpose of medical research, which is to improve the health of our patients, it seems clear that something must be done to make the letter of the law consistent with the spirit. I'm sure HIPAA was never intended to eliminate or hinder clinical research, such as we are performing - to improve the health of women and their children.
There are some obvious solutions. Most appropriate, I believe, will be the inclusion of research as part of the treatment - TPO exclusion, allowing research to be designated as a use of medical records without prior approval.
Research, unlike any of the other uses of patient data already has extensive rules in place to prevent patient privacy.
Failing this - and perhaps the generalization of the approval for research use of medical information by patients could go from disease specific to all research, which would then permit inclusion of research in the general HIPAA approval.
We must modify the HIPAA regulations to preserve clinical research for the good of our patients and for improvement of their future healthcare.
MR. ROTHSTEIN: Thank you very much, and we'll have questions for you.
Yes, certainly. Dr. Harding.
DR. HARDING: You said, on the fourth page, that in the first six months after HIPAA regulations that in your busy clinics enrollment was less than 10 percent.
DR. ROBERTS: That's right.
DR. HARDING: In the previous six months, what was the typical percentage that you -
DR. ROBERTS: We didn't have a research registry prior to that time. It wasn't necessary, but in, for example, the studies that I was involved in, we had 80 to 90 percent participation in the majority of studies.
DR. HARDING: So it was -
DR. ROBERTS: An enormous difference.
DR. HARDING: - a marked difference.
DR. ROBERTS: Enormous difference.
DR. HARDING: Okay. Thank you.
MR. ROTHSTEIN: Mr. Lawniczak.
MR. LAWNICZAK: Thank you, Mr. Chairman, good morning, and thanks to you and to members of the committee and subcommittee for this opportunity to testify today on how the privacy rule has impacted health-services research.
I am Jon Lawniczak, Director of Government Relations for the Coalition for Health Services Research, which is the advocacy arm of Academy Health, the professional home for health-services researchers, policy analysts and practitioners.
Through Academy Health, the Coalition represents more than 3,700 individual researchers, scientists and policy experts, as well as 125 organizations that produce and use health-services-research information, including universities, providers, employers and health plans.
Our members conduct much of this nation's health-services research and share in the overall goals of the regulation in protecting the confidentiality of identifiable health information by sustaining the vitality of research.
Today, I am going to talk generally about the impact the regulation has had as a whole on researchers conducting health services research and discuss specific areas where problems have occurred and how they were corrected, and, finally, I will talk about some concerns that can only be addressed through modifications of the regulations or by clarifications issued by the department.
These comments are based upon interviews I have had with health-services researchers who have attempted to collect data from covered entities since April 14, 2003.
Before discussing the areas of concerns raised by researchers regarding the privacy rules, I do want to thank the Secretary and the department for crafting a rule that has, for the most part, been workable, and by workable, what I mean by is our researchers are able to access data. That was our primary concern going into this, whether covered entities would release data to health-services researchers, and we have found that – actually, that no one has been denied data. There have been a lot of steps and a lot of hoops that they have had to go through, and we'll get into that in a minute, but, overall, data has been obtained by the researchers in order to conduct their studies.
At this early stage of its implementation, we do have to state that this is very early and pretty preliminary data and not every one of our researchers has had to go back and go - and gain data through the HIPAA process. A lot are still grandfathered in from older studies and things like that, but it appears that the privacy rule has now placed insurmountable burdens and barriers in the path of conducting health-services research, and I specifically want to thank the Secretary for the development of the limited data sets, which has prevented untold difficulties for conducting health-services research, and for this we are grateful that this change was made last summer - or the summer before, actually.
So the long and short of it is are health-services researchers getting data? Yes. Are there problem areas that need to be clarified? The answer to that is still yes as well.
So the good news is is that many of the larger concerns that we had going into HIPAA and the regulation didn't occur. One of the big areas of concern we had was minimum necessary requirement and how that would limit and perhaps hinder the access of data and how that would apply, especially for health-services researchers who use large data sets and need to take those who would need to didact that information and bring it down, and the cost and expense and time that has already been mentioned to that, and so far, in my discussions with health-services researchers, this has not been an issue.
One area that our researchers were also concerned about was allowing covered entities the ability to review an IRB approval with their own IRBs. While this has created complications and concerns, it hasn't been, again, an insurmountable burden that we can tell at this time.
So, in general, the use of the IRB system seems to have been a sensible course for assuring that research protects the confidentiality of individual, identifiable information while still allowing researchers access to the data.
We have not seen any instances in which the use of multiple IRBs have prevented a researcher from obtaining data, but it has definitely slowed the process down, and in slowing the process down, you add cost to the research.
Multiple IRBs slow the process down because the IRBs often present conflicting requirements. You go to your institutional IRB, they say, well, we want you to take this approach. Then you go to the covered entity and the covered entity says, well, that is not quite what we want you to do. We need you to do this instead.
Some of these problems get resolved by simply adopting the most onerous requirements and then going back to the other IRBs in the process and saying, well, is this fine? And, generally, they look at the data and go, wow, they are really going to make you do this? The answer is yes. And they say, well, okay. If that's what you have to do, that's what you have to do.
But there are other times when these conflicts tend to be incompatible, and what you end up doing is having to negotiate between all the IRBs, and, of course, you can't sit - you know - one institution's IRB down at the same place and location as the other institution's IRB and just hammer things out in 20 minutes or so. You have to be the go between. The researcher has to be the go between between these IRBs, and they have to end up negotiating, which can really drag and slow the process down, and, again, what you end up with is you end up with staff sitting there waiting to start conducting the research, waiting for the approvals, and they are not doing anything, because you can't access any data or anything until you have the IRB approval. So you end up paying your staff for sitting there. You can't not pay them, because they are going to go find another job, clearly, and so the costs mount and the time added in really drags it down.
And, unfortunately, as we all know, Congress certainly has not increased research budgets to accommodate these new requirements of working under the privacy rule. So these costs have to be absorbed somehow, and, generally, they absorbed by less research, actually, being conducted, because the monetary amounts stay the same.
Now, clearly, some IRBs are actually more knowledgeable about the privacy rule than others, and this is an issue of concern with our researchers, and those IRBs that work with researchers on a continuum basis generally are well informed about the privacy rule and how it applies to research and sets the rules for the conduct of research accordingly, but, generally speaking, those covered entities associated with smaller entities, smaller institutions, are not as knowledgeable about the research requirements of the privacy regulation, and, thus, they tend to overestimate what needs to be done which places great burdens on researchers than those that are mandated by the regulation.
Again, this is an issue that can be resolved with greater technical assistance, greater education of these IRBs and these entities.
As I mentioned before, no one I had spoken with had either been denied data from a covered entity or had heard of anyone who had been, but attaining data still requires resolving several obstacles that were not in place as of last April.
As with the IRBs, it appears that the smaller the covered entity, the less knowledge they have regarding the provisions of the privacy rule that do not directly impact that entity. So researchers going out to individual doctor's office, for example, are often told that, no, HIPAA does not allow the release of data for research, and they, then, have to go and educate these covered entities as to what the privacy rule actually states, and, again, this slows the process down. It puts this burden on the research community, and we don't think that is where the burden should be, and we also don't think that the researcher should be the group that is responsible for educating these covered entities, irrespective of their size.
So we recommend that the Office of Civil Rights place a greater emphasis on educating and providing technical assistance to smaller covered entities as to the privacy rule requirements about research.
We have also heard from researchers who are concerned that it appears that the implications of HIPAA and the privacy rule may be particularly complicated for Federal agencies that are simultaneously covered entities, data sources and research sites themselves.
Our researchers believe it would be helpful for the Office of Civil Rights to assist other units within the department and throughout the government in understanding how they can most effectively release their data for research while complying with the privacy regulations.
Now, there are some issues of concern that we think actually require more than just technical assistance or education on the privacy rule.
The next section deals with the waiver-of-authorization forms and consent forms, and since we have already talked about that, I am just going to kind of skip by that, since our issues tend to be the same as everyone else's issues regarding this, and the fact that the new forms, according to our researchers, have hurt recruitment, and the fact that you can't look at the people that haven't signed up to determine what the selection bias is and what their biases are, and you can't, then, therefore, account for that within your study presents a problem for our researchers.
But to move on, as you know, the privacy rule - to get to the point about de-identifying information - there's two methods for de-identifying information, actually, in the privacy rule. You have the safe harbor method where you remove the 18 identifiers, and there is also the ability to use statistically sound principles to determine which fields may be removed to render the information unidentifiable or de-identified.
In reviewing these two approaches, health-services researchers have felt, on a whole, that only the safe-harbor mechanism would be used, because the requirements for statistical de-identification were too vague and subject to interpretation.
During my conversations with these researchers, I could find no one who was using the second method, the statistical method for de-identifying information, and, yet, there are those who appreciate the fact that the effort went into developing this method and would like to be able to use it as a method for de-identifying information.
Unfortunately, no one suggested a direct solution to this problem, but we do have a proposed way of perhaps solving this, and that is if the Agency for Health Care Research and Quality and the NIH, or whomever else the department felt would be helpful in doing this, worked together with the statisticians to recommend a specific method for the statistical de-identification of health information, such as statistical summit could occur every four to five years to address changing technologies and advancements in the area of statistics. That would provide people with a uniform method that they knew was approved of by the department in order to statistically de-identify health information.
At this time, our researchers - certainly, the health-services researchers - have had little interaction between state laws and the privacy rule, but they are concerned that this interaction could grow and present significant new challenges to those needing to obtain data, and, therefore, we recommend that the department reexamine the preemption clause and clarify what state laws are preempted by the privacy rule.
In addition, our researchers have had difficulties on occasion when they have attempted to gain access to data held by what would be considered to be a public-health entity, only to be told that a HIPAA authorization is needed because they are a covered entity, and so we would appreciate it if the department could clarify the difference between a covered entity and a public-health entity, and we understand that there is confusion about this issue with the public-health entities as well, and I'm sure you heard all about that yesterday when you talked to them.
In conclusion, I would just like to say that the Secretary and the department, again, are to be congratulated for crafting a regulation that appears, at this point, to allow researchers access to the data they need to conduct their studies.
While it is still too early to know if the privacy rule functions as intended, apparently, most of the problems regarding the research on the privacy rule are being resolved through the education of covered entities and IRBs.
The point, though, that I would like to make about that is that our researchers do not see this as being a one-time-only fix, that once everybody is up to snuff that this problem will go away. They think that since they are going to be dealing with new covered entities all the time, they are going to be dealing with new physician offices and other offices that aren't familiar with the research requirements, that this is going to be an ongoing difficulty, and, thus, the request for further technical assistance and education by the department on this.
It would also be helpful if Congress would recognize the increased cost for researchers due to the privacy requirements and make a corresponding increase in the funding available for grants.
And, again, the recommendations that we made in our earlier testimony are right here in the conclusions, so I'll just leave those to you.
These changes, though, we feel would go a long way toward completing a privacy rule that is designed to protect the confidentiality of information while allowing researchers access to data they need to improve our health care.
MR. ROTHSTEIN: Thank you very much. I hear no objections to increased funding for research. (Laughter).
Dr. Boughman.
DR. BOUGHMAN: Thank you very much, and I would like to thank the subcommittee for inviting us to come here and share our perspectives with you.
My name is Joann Boughman, and I now serve as Executive Vice President of the American Society of Human Genetics, an organization with about 8,000 members. I'm a board-certified Ph.D. medical geneticist with research experience in population and epidemiological genetics, and given some of the conversations today, I think I am glad I am a former researcher doing those kinds of studies.
As a full-time member of the faculty at the University of Maryland and serve there also as the Vice President for Research, Dean of the Graduate School and then as the Vice President for Academic Affairs or essentially Provost and given some of the things I have heard today, I am glad I am no longer in that position. However, the challenges still remain.
Today, I would like to share the perspective of the research community or researchers in the trenches, and especially point out some of the issues from the genetics research community or the geneticists.
Research geneticists have raised several concerns about the implementation and interpretation of HIPAA, and those concerns have been sufficiently intense that the organization, ASHG and its president, Dr. David Balley(?) appointed an ad-hoc committee to look at several aspects of HIPAA and its implementation from the genetics point of view.
The committee of six people has only begun to work, really, but we are looking forward to, in fact, putting out a very positive and affirmative statement with several different aspects, once again reaffirming the importance of patients or subjects interest or desire to do responsible research and inform and assert what we believe geneticists are allowed to do in the process of their basic and clinical research in the form of potentially guidance for principals that might help clarify some of these processes for institutions.
Further, we would like to point out where we believe the privacy rule is vague, especially in areas such as contact with relatives, some of the registry issues that we have already heard about today and family studies, and, here, we would also like to put forward some language in the form of guidance or suggestions that we think is important.
As I said, the committee is really just starting to work, but we will be happy to share those results, as soon as we have those comments approved by our board.
From here on, that was wearing my official ASHG Executive Vice President hat. Now, I am just going to be talking to you from my own perceptions in talking to my colleagues in the research community, so the rest of these comments really do not reflect any position of our society as a whole.
I would like to address several points, some of which will be duplicative, but I will just kind of smooth over those to reaffirm their importance.
First of all, researchers have been following the common rule, and geneticists, I believe, have demonstrated a special interest in the implications and consequences of their research by their participation and generation of the ethical, legal and social issues program in genetics. So I think that our track record from the subject's interest point of view is a good one.
Once HIPAA was made formal in April, we recognized that now we were going to have to undergo more training as researchers in the process of providing HIPAA authorization forms, recognizing when we ourselves as a researcher are a member of a covered entity or not, which, as you have already heard, in some complex academics institutions may not be as simple a question as it may seem.
Understanding the HIPAA approach to de-identifying data – and I'll come back to that later – knowing the definition of limited data sets may be extremely important to geneticists, and recognizing the separate, intertwining and overlapping arenas of informed consent and HIPAA regulations, especially when you are doing multi-center kinds of studies.
The financial costs you have already heard a little bit about, but the biggest one, of course, is the researcher's time in trying to do things correctly, and every hour that a researcher must spend in going from IRB to IRB is an hour not spent actually doing the research or taking care of their patients.
An additional hidden cost, we believe, is the disincentive of additional regulation on clinical investigation, especially resulting in reduced research, although HIPAA was very clear in stating it was not - to impede research in any way.
The cost of this unperformed research is ultimately paid by the patients who would be the ones to stand to benefit the most, and this is especially true in the case of rare disorders or clinical trials that require a multi-institutional approach.
Institutions, as we have heard very well this morning, have to have a variety of new processes put in place, and tracking systems available to them to assure compliances which is an institutional cost that, once again, serves from the perspective of the institution, if you will, as an unfunded mandate, and, as a matter of course and convenience, each institution will make the choices that is best for them. From the researcher point of view, I can't tell whether it is my institution that is putting in the process or the regulation that I have to follow, whether it is a larger part of the university entity of which I am a part, whether it might be an NIH rule, for example, or whether, in fact, it is the legislation itself. It is just they are imposing on me as a researcher.
So I recognize and I think all of us around the table recognize that things are variable from point to point.
I would like to comment quickly - although you have already heard about this - about cross-sectional or longitudinal epidemiological studies and a couple of issues there.
One, I am going to label the fear factor that really responds to what we just heard a few moments ago about the smaller entities that don't have the same amount of experience, so that they - nursing homes and other - different kinds of smaller institutions that might have served previously as primary data sources or community-based studies have just become reluctant to release data. They don't understand the entire process, and so they, in fact, decline, or they take a very, very narrow view and then confound the problem by saying, well, we might be able to do this, but you would have to take on the liability, which, in fact, then creates another set of conversations, of course.
Then, there is the hassle factor, even for those that understand there would be increased paperwork and this is difficult to impose upon these hospitals or nursing homes that are really volunteering out of their own patient-care time to be a part of a larger, greater goal of research.
While some of these fears and hassles may be reduced as time passes, and we certainly hope they will, it will create new costs for the entire system, and it may be that we need to step back and look at some of these potential liability issues and even create newer innovative ways to address those processes themselves.
I would like to move on to de-identification of data, and especially in rare disorders, birth defects – remember, I am a geneticist, so birth defects and dis-morphology would fall into the area of many of the kinds of work that our members do, and even twin studies. When you are talking about de-identifying twins, just remember if you went to school with a twin pair how often you called them by name individually or just referred to them as the twins, so that it is one of those kinds of de-identification processes that hasn't - happens or doesn't happen every day, but that just is an awareness-raising issue.
The clarify of the language in HIPAA is not at question here. It is very straightforward that you can go either through the de-identification process with the Big 18, as I call it, or possibly this alternative of the statistical approach.
But removal of all 18 elements may seem like it would not create serious impediments to researchers. However, I would like to point out two of the Big 18, number 16, by metric identifiers and number 17 images, if, in fact, geneticists cannot use images or identifiable images, then, in fact, some of the studies done in dis-morphology are, in fact, groundless, because unless you can identify the criteria for the dismorphic syndrome, then, in fact, you can't assess the study or any of its conclusions.
Now, it may be the full-face photos might not be required, but non-identifiable images in the spirit of HIPAA would be extremely difficult to bypass. So we have a conflict here between intent or spirit, I think, and the letter of that rule.
Also, there is a challenge that I'll repeat a couple of times that HIPAA, in fact, applies to deceased individuals as well, which is a change from our mind set in informed consent in the common rule, such that HIPAA might, in fact, impede research, at least in many of the genetic disorders. If we want to ascertain information on deceased individuals, under the category of biometric identifiers, fingerprints and voice prints are specifically listed as two of the examples.
Let's imagine a study for a moment, and what I want to do as a geneticist is evaluate the personal impact of determining carrier status of a cancer gene in three different ethnic groups.
DNA tests would be performed on everybody, and then I am going to do a taped interview with the subjects in the study and ask them, before I do the DNA test, immediately after the test is done and their carrier status is disclosed to them, and then six months later, and ask a series of standard questions of all three groups about the impact it has had on some of the decisions that they might make about sensitive issues like reproduction.
Under HIPAA, intertwined with informed consent, could any of these data - the DNA results, the DNA samples, the taped interviews - be shared with researchers at another institution after the study is completed. These are, indeed, taped interviews, so, therefore, they are voice prints and identifiable, technically, under the rule. Would sharing these nameless, faceless voices and DNA results really defy the spirit of HIPAA, and I would contend that I don't believe that that was the intent of HIPAA, but here we have, again, an institution that has to be careful about its job of protecting and complying with versus the challenges of the researchers.
And one area that I am almost reluctant to raise, but I think is a very important issue, if fingerprints and voice prints are considered demographic identifiers, what is a DNA profile?
And, as a geneticist, if a DNA sample or DNA profile is an identifier in and of itself, how can genetic studies be done at all, if, in fact, you want to use the identified data? It becomes a conundrum that is an insurmountable challenge under these rules and regulations.
Now, once again, in the intent of HIPAA, if I have a sample for which I have no name and other information, then, under reasonable activities, that DNA sample could not be identified, but this is today and I want us to think about what may be happening in the future with DNA data bases and other available matching systems that might come forward.
Then, we have the additional complexity of a family structure, and the pedigree structure in which we work. So if I have not one DNA sample in my study, but I have 50 DNA samples from one family and 50 samples from 10 other families as well, are they now de-identifiable, because I can at least put them into family groups, because, after all, as a geneticist, I can - once again, it's one of these challenges that I could at least put them into the appropriate group, not unlike the comments about there are experts out there that can identify almost anything.
The pedigree structure problem goes further than just the DNA samples themselves, though, with regard to identification and whether complex pedigree structures, even in public patients, let the individuals who have a specific disease or are listed is that truly de-identified or not, and I think that remains a challenge for us.
One more challenge we have in genetic testing certainly in moving from the research lab into the clinical lab, the genetics research community has become very, very well aware of the CLEA(?) implications. Research laboratories that do laboratory samples by clear regulations - the Clinical Laboratory Improvement Act - are stated that they cannot return those results to the individual. They are research results. They have not been done in a CLEA-certified lab.
Clinical labs, on the other hand, that do have CLEA certification have certain clear regulations that they must apply to themselves, including not performing tests on unidentified samples. They must have the clinical background for the identification of those samples.
So we have a situation, potentially, where somebody who complies with HIPAA is in conflict with CLEA or vice versa, and although this may be a small point, I think, once again, emphasizes the degree of confusion and challenge that the individual researcher is finding as they scratch their heads and do their research.
I would like to just mention for a moment the questions about family studies, including the contact with relatives. If contact with individual subjects - as has been pointed out – is a challenge, imagine this scenario using family history as an entry criteria to a study.
Researchers design a study which, in fact, is looking at the extent to which, let's say, Tamoxifin alters the frequency and/or age of development of breast cancer - and, for a moment, let's assume we don't know this purportedly magical 80 percent - have an 80 percent chance to develop breast cancer regardless of family history.
My study calls for 50 women who have the BRCA-1 gene. They are BRCA-1 positive, but have no family history of breast cancer, and 50 women who have BRCA-1 and have at least three relatives with breast cancer, and, now, I am going to look at the Tamoxifin effects and the prevention of breast cancer in these two groups.
If, in fact, I have to gather family history from my subjects, yet that subject is in a clinical situation, and/or any of their relatives have been in that clinical situation, it could be that I would be required to get information or get authorization or permission - expressly signed permission - from every relative to say that even the subject could enter into the study.
Now, that is a very strict reading of HIPAA, but, in fact, in this ascertainment through smaller hospitals, it can be - or at least has been – interpreted that strictly.
Let's go on a little bit further and say - talk about a family history from a different perspective. Family history, if a geneticist has only one piece of information that they can get on an individual it would be family history, and, now, with the explosion in genetic information, internists, pediatricians and all physicians and health-care workers are going to more highly value that family-history data. It's going to become a way of life.
But, for example, let's look at a family history now as a part of - not just an entry criteria, but a part of the study, and let's imagine creating a registry of patients with retinitis pigmintosa where each patient has been well defined, contacted under all of the appropriate regulatory mechanisms, but each person is asked to provide family history of blindness, aggressive visual loss and recognized hearing loss.
Is that amount of information patient information or are we now gathering information on those other individuals? It is one set of questions with regard to secondary subjects and third parties under informed-consent rules. It can become another set of issues under HIPAA authorizations as we try and get any clinical information.
Certainly for release of records, contact with those individuals, they would then become a subject in the study and then the rules more easily apply, but, in fact, the set of privacy information is a real challenge.
We hope that over the next several months we can, through the group at ASHG and others, get some clarifications on this.
I would simply close by saying that I have served on national advisory committees such as this, and I understand some of the dilemmas you have and the challenges you have, but, hopefully, the testimony of myself and others on these panels will at least give you enough grist for the mill that you can start approaching some of these challenges, and we in the research community and the clinical community really appreciate your time and effort in trying to help us clarify these issues.
Thank you.
MR. ROTHSTEIN: Thank you very much. Grist is not a problem. (Laughter). We are well stocked in grist.
And let's start on this side. Dick Harding, want to begin?
DR. HARDING: Give me just a minute here -
MR. ROTHSTEIN: Well, how about if we come back -
DR. HARDING: Okay.
MR. HOUSTON: I actually wanted to ask one clarifying piece of information from Joann? Was it Joan?
DR. BOUGHMAN: Joann.
MR. HOUSTON: Joann.
DR. BOUGHMAN: I'll answer –
MR. HOUSTON: Excuse me?
DR. BOUGHMAN: I'll answer to almost anything.
MR. HOUSTON: Okay. When you were talking about the breast-cancer study where you would – you know, one of the criteria was whether any members of the family - or three members of the family had had breast cancer, was the information you were concerned about - just to clarify - was that being gathered from an H and P or from a survey to the patient herself or -
DR. BOUGHMAN: This was actually a theoretical that was a compilation of individual stories that I had received from the research community. So it could have been either one.
Often, if we are just asking family history and I would challenge you do you really know what your grandparents died of, and often we don't. So that it might, in fact, require the checking of a medical record to confirm a thought about the entry criteria, but the challenge we have now with HIPAA is that if that grandmother, as many of ours might be deceased, we run into a brick wall.
MR. HOUSTON: Okay.
DR. BOUGHMAN: Whereas, under the common rule, we would not run into that brick wall.
MR. HOUSTON: Unless there was some state law that was at issue -
DR. BOUGHMAN: Right. Right.
MR. HOUSTON: Then I have a question of Dr. Roberts.
You talked about registries and the hope of registries being more beneficial or useful than, I guess, an actual practice have been. Do you have any thoughts on what could be done to improve the registry environment, as a possible cure to some of your issues?
DR. ROBERTS: I think one of the real problems that we face is that the people approaching patients for entry to the registry are people who really are not necessarily committed to getting patients into the registry, because they don't happen to be the investigators themselves. In our setting, that is especially a problem because, in obstetrics, we have, you know, hundreds and hundreds of patients coming through, and so, in the past, I alluded to the fact that we have recruitments in some studies of pregnant women of - you know - 60, 70, 80, 90 percent. These are slipping past us now, because it is the clinical care-providing team that is actually approaching them.
MR. HOUSTON: But assuming - it sounds like a registry system would have a great merit, but is there a way to make it more - I mean, obviously the way it is structured now, you are saying it really isn't useable or isn't being effective, but are there specific things you can think of that if the rules were changed to make registries more - you know - useable or something that - you know - would be more easy to recruit patients into, would there be specific things you would think would work to make it more useable?
DR. ROBERTS: First of all, I think once the patients are in the registry and - it's worked very well, and especially as we have moved towards electronic information, once we can tag a patient, we know - that that woman wants to agree to be part of it, and it works great.
It's the issue of getting there, and it's as I said before, it's the issue of approaching the woman and having enough time to explain to her what this means and that just doesn't exist in the busy clinical setting. So if the investigators or the investigators' staff were allowed to approach the patient without being part of the care-providing team, I think this would solve 90 percent of the problem.
MR. ROTHSTEIN: May I follow up on that? So your point is, if I read you correctly, that HIPAA precludes the investigators who are putting the registries together from approaching the potential subjects, because they are not in, quote, health care, is that what you are saying?
DR. ROBERTS: What I was saying is that the regulations, as they are interpreted at our institution, are that in order to be able to approach a patient for participation in research registry or to be approached for a research study, to know that the patient is, in fact, eligible for the study, first of all, you have to be a member of the care-providing team to know that, and, secondly, the first contact has to be by a member of someone involved in the care - It doesn't have to be a physician. It can go from the registrar to the nurse to the resident to the medical student, but it's people who are not necessarily involved in the particular project or in research at all.
MR. ROTHSTEIN: And what would your ideal situation be? I mean, who do you want to - I'm very confused -
DR. ROBERTS: Yes, I'm sorry. I didn't mean to confuse you. I think the issue would be we have a very large staff of say nurses who are involved in recruiting patients in individual studies. If they could have permission to approach patients to explain to them what our registry was and with these motivated people who, you know, are actually being paid to do those things, as the point person, I think we would do much better.
MR. ROTHSTEIN: And it's your institution's view that HIPAA precludes that from taking place. Is that correct?
DR. ROBERTS: Yes, that's right. If that is incorrect, I would love to hear it.
MR. HOUSTON: I think it is compounded by two issues. I think one where an organization, again, is either a hybrid entity or the research arm is not part of the covered entity, that causes problems. That is the first thing, and I know that, in addition to HIPAA, I know the IRB at the University of Pittsburgh has - precludes cold calling, which I think would be implicated here, potentially, which, though it is not necessarily a HIPAA issue, it does impact anybody other than the clinicians going back to the patient in order to get them to be able to enroll in a registry.
MR. ROTHSTEIN: See, it does raise for me an important conflict that we need to figure out what to do, and that is the only alternative, if this is the state of things, is that the recruitment is going to be done by the clinician, which, in my IRB hat, I have a problem with because of coercion, and so that doesn't - if we have a problem allowing non-treating personnel recruiting potential participants because of HIPAA, I don't like the alternative. I like the alternative even less.
DR. ROBERTS: I agree.
It isn't quite as bad as it sounds, because, essentially, in recruiting somebody to register, you are just asking them whether they would be willing to participate in research as opposed to any specific project, but I think the element of coercion is implicit even in that.
MR. ROTHSTEIN: Yes, and it depends, of course, on the research. If you are talking – for example, if you are talking about psychiatric genetics research and you're going to have the psychiatrist doing the recruiting, I mean, that's, I think, problematic, which brings us to Dr. Harding. (Laughter).
SPEAKER: Being problematic or being a psychiatrist?
MR. ROTHSTEIN: Well, take your pick. Those aren't mutually exclusive, you know. (Laughter).
DR. HARDING: Dr. Roberts, one of the statements that you made on page 4 there - and being a doctor, I think I kind of know what you mean on some of the others, too - was the idea we continue to commit an enormous amount of time and energy to get around the regulations legally. (Laughter).
Now, I know what you mean by that, and I know that -
DR. ROBERTS: I was hoping - legally helped on that.
SPEAKER: He's not even an attorney.
DR. HARDING: Researchers and doctors are pretty good at dealing with new regulations and so forth and they figure out a way to get around. Of course, the concern would be that it would get around the ideal of HIPAA as opposed to maybe something else.
I mean, you don't have to tell us any secrets here, but what type of things are you thinking about to get around?
DR. ROBERTS: Okay. Yes, get around is probably a bad choice, but the issue was to try to stay within the spirit of the law, even if we had to do some fancy footwork to get around the letter of the law.
So, for example, in individuals who answer advertisements for research, we have our privacy office, if allowed, the investigator, even if that person is not a member of the care-providing team, to invite that woman to become part of a general registry, even though they had - you know - they are not a member of that team, with the idea that if the woman was interested enough in research to answer an ad, this probably is not violating her privacy in any way.
DR. HARDING: So stretching, but -
DR. ROBERTS: Yes.
DR. HARDING – in the spirit of the law.
DR. ROBERTS: We have tried very hard with our privacy office to get them convinced that the spirit of the law is what really matters, which I think is probably true.
DR. BOUGHMAN: Yes, I would just add that it is the liberal versus very conservative interpretation of the law and the way that the process is implemented at the institution that, from a researcher's point of view, if they happen to be at one of those institutions, that, in fact, has somehow figured out a very smooth system within the institution, that may be terrific, but the moment they go to a multi-institutional study, it goes down to the, if not lowest, narrowest common denominator, which is - may or may not be the best approach with regard to a certain kind of situation, especially when you have the situation where you could ask verbally an individual would you consider doing this or when, via a letter that comes in or a patient-advocacy organization that has a registry where they have given some sort of implied consent, at least to be a part of this kind of registry, even if they have not signed certain strict forms, so that they – you could once again get an idea of distribution or even if it's not named data, some sort of picture of what is going on out there.
DR. HARDING: Most research being conducted in multi-centered -
DR. BOUGHMAN: More and more I think that its true, and especially in our field of genetics. You need to go to multiple institutions to get the right kind of family structure and the right kind of - now that we are getting to the point where we can separate disorders into smaller and smaller groups, and, therefore, want to do comparative and contrastive studies.
DR. HARDING: Do you have any solution for that issue of different levels of conservative, liberal interpretation in multi- - I mean, are you saying that there should be one standard?
DR. BOUGHMAN: I think time is going to help, as - and best-practices models get shared among organizations, so that the researchers and an organization that have developed a good working model and good language or ways to integrate. Whether it's put the informed consent and HIPAA together or to leave it apart, at least people will know and understand, at the legal level, between IRBs and among investigators, will be able to recognize more clearly and more quickly the challenges that we have. It's the same thing with any other aspect of research, even grants and funding mechanisms. There are certain institutions that are much easier to work with than others.
MR. LAWNICZAK: And this will also be true as IRBs also get used to working with each other and trusting each other, and, you know, yes, I have dealt with the University of Pittsburgh IRB before, so I know they do a good job in reviewing the study, so we can just do - you know - a quick once over to take a look at this, instead of having to check every single detail, but you still end up with a question of the smaller institutions that don't deal with research on a day-to-day basis and are going to have these conflicts come up, and so the only way to really resolve this – I mean, there's two actual ways that I have thought of resolving the problem. One is you have to educate them more into it. The other is by changing the requirement within the regulation that allows the current entity to make the researcher go through the IRB process again.
If you could - I don't know, mandate is kind of a strong word, but if you could modify the reg in such a way that the institutional IRB can serve as a primary IRB and then the other entities be seen as sort of secondary and allowed to do a cursory review – cursory is, again, not the right word – but to do the more modified review to speed the process through, I think would be a big help as well.
But it's going through your first institutional IRB, running through the process, and then having to do the exact same process all over again from start when you go to a covered entity and they say you have to do this, that is what slows the process down, that's what makes this a lot more costly, and that's where you get into these conflicting requirements.
MR. FANNING: Apart from the situation of the small covered entity, is not the problem of differing responses from different IRBs common to all multi-site studies? Has that not been an ongoing issue? What does HIPAA do to make it worse?
MR. LAWNICZAK: What HIPAA does for health-services research is that the common rule didn't apply to most health-services research, because we weren't dealing with human subject directly. We were dealing with large databases that you go and you collect from all these different entities, and so for a lot of researchers, they didn't have to go through an IRB, unless their institution, like the University of California system, says that all research has to go through their IRB. So some health-services researchers were used to going through the IRB, but they didn't have to go through a covered entity IRB, because they are just collecting medical records, for example.
MR. FANNING: Medical records with identifiers?
MR. LAWNICZAK: If you didn't have - my understanding is if you didn't have the direct patient contact and you weren't treating a patient and you were just collecting information to look at - okay - hospital discharge data for whatever, the common rule didn't apply, and so you didn't have to go through - for these types of studies, you didn't have to go through the IRB process, unless your institution specifically stated that all research has to go through their institution. So you would get your IRB approval from your institution, but the covered entity wouldn't necessarily require you to have to go through this. So this is a whole new process and a whole new step for health-services researchers, certainly.
MR. FANNING: Well, lucky for us we have the definitive word on whether that statement is actually correct. Julie.
MS. KANISHIRA: Well, I can speak, at least for HHS's human-subject protection regulations and what is covered there, and they are, as you point out, adopted by many of the other agencies under the common rule.
Under our regulations, actually, it applies to human-subjects research, and human-subjects research actually includes any intervention or interaction, which is the part, I think, that you were referring to, but it also includes the obtaining of private identifiable information for research purposes. So it actually would apply to the use of identifiable medical records to conduct epidemiological study, for example.
In regards to the applicability to all of the research conducted at an institution, I think you might be referencing our assurance mechanism, which allows institutions to voluntarily apply the human-subject protection regulations to all of their research, regardless of funding source.
The regulations that I am talking about strictly apply just to HHS-conducted or -funded research, and so an institution would not necessarily have to extend those protections to all the research it conducts. So what you might be seeing is that many institutions or some institutions have actually decided not to apply our HHS human-subject protection regulations to all of their research, but because HIPAA, in its provisions, doesn't make this distinction about source of funding and has - sort of mirrors the requirements under the common rule of IRB review in certain circumstances that what you are seeing is that there is this perceived extension of IRB review beyond what typically has been covered.
MR. LAWNICZAK: Right, and I'm willing to admit, as a non-researcher, that I can be certainly confused about the requirements that researchers have to undergo for this, but there is a large part of health-services research that is funded through private foundations. When we ask our members where they get their grant money, about half of their projects come from places like the Robert Wood Johnson Foundation and other private foundations that certainly wouldn't fall under that rule, and so, therefore, would require the steps that are now required under HIPAA regardless of funding source.
DR. ROBERTS: I wonder if I might comment on the unique problems that have - introduced by HIPAA that you ask about.
We are part – I mentioned - of the NICHD Maternal Fetal Medicine Network, which is 15 medical centers throughout the country, and in some of these settings there were basically no problem at all, we felt, with complying with HIPAA regulations, and in others, like ours, we have had a very difficult time, and I think part of the explanation has to do with what I have alluded to previously which is having the research team have access to patients, and I think, in some places, for example - I won't mention names, because it might not be the right thing to do - they are considering that when someone signs a regular - the regular information about HIPAA that that includes research, so, immediately, the people can take part.
In others, since their office is in the building in which the care is provided, they, therefore, must be part of the healthcare-providing team, and a lot of the issue, I think, that HIPAA has provided some difficulties with is preventing the people doing research from having contact with patients without first being approved by someone who is on the care-providing team, and how that is interpreted, I think, has made the difference in different places as to how difficult this problem has been.
MR. HOUSTON: I guess this is a question, actually, somebody from even the prior panel, if they want to answer, too, I would be interested.
I guess the question is prior to HIPAA and then post-HIPAA, did any of the organizations have serious concerns raised by patients being recruited into studies or were there issues before and did the frequency go down, is it the same or simply isn't there that much outcry from personal experience? I know this is anecdotal, but I would be interested to know whether – is there a problem here that they tried to solve?
DR. ROBERTS: I can answer it anecdotally, but I think your - earlier was valuable.
That is not one of the complaints we have had about research, and we have had complaints of people who were approached by too many people, who were approached cold, without having permitted themselves - but the issue of their privacy being a problem is not something that has come up - again, anecdotally, in my experience.
MR. ROTHSTEIN: I want to ask a question that relates to testimony from several of the panelists this afternoon, and that is the problem of lack of knowledge of HIPAA requirements by IRBs and I think you, Mr. Lawniczak, especially mentioned small institutions, but I think arguably you could make the case for even some larger institutions, and your recommendation was that OCR needs to do more education and so forth.
Given the constraints on OCR, in terms of the budget in human resources and all the demands in terms of education and outreach, do you have any sort of suggestion, in terms of kind of innovative ways in which we could get some sort of education component into IRB, training or so on, maybe working with OHRP, maybe working with Primer(?) or some other groups so that we could, in some way, lessen the institutional obstacles that are being erected to research in the name of HIPAA, when maybe HIPAA doesn't really even require that. Can you help us at all with some suggestions?
MR. LAWNICZAK: Well, first, let me say I think with the resources that OCR has had, they have done a tremendous job. We would like to see those resources increased, if at all possible. We do think that Congress needs to step up to the plate, and if they want this to be a serious part of the laws and regulations of the land, they should certainly help fund the education part of it and take care of the part - the extra costs under researchers.
I mean, I would have to go back and talk to our folks, and I'm happy to do that, as to what ideas they can come up with how to get the word out to the IRBs and other - and covered entities about the research requirements in a stronger, more viable manner. I mean, working with Arena and Prima(?) I think would be - Primer would be a great opportunity. I actually am not that familiar with the steps you have all taken so far. So it is sort of hard to comment on what else needs to be done, but, certainly, reaching out to them would be really helpful.
I'm trying to remember if you have specific guidance for IRBs. I know you do for researchers. I know that a lot of it falls - there's a lot of Q&As that deal with the IRB process, but not off the top of my head, other than the need for more outreach nothing is really hopping into my brain, but I'll get back to my folks -
MR. ROTHSTEIN: Okay.
MR. LAWNICZAK: - and we'll talk about it and hash it out.
DR. ROBERTS: I think one of the issues is the differences in interpretation in individual places in the vagueness of the rulings, and I almost hate to say anything good about the Commonwealth of Pennsylvania, but one of the things that they have done in relationship to certain grants they have had out is to have a session where people send in questions and then those questions are answered and left on the Internet, so that once a question has been answered, that is a fact. I don't know if that could be done or not, but I think there is a lot of concern in a lot of the minds of the people who are interpreting these things that if they go too far, they are going to be in big trouble, and so why take a chance, and other people think it is worth taking a chance. It would be awfully nice to know, you know, where the line is actually drawn, if that could be clarified, and maybe that is one strategy.
MS. LINET: As you probably know, researchers have to take Web-based modular courses. At NIH, we take a course in ethics every year with a module, and they are dumbed down, so the lowest common denominator among us can understand them, a lot of pictures, a lot of Q&As, and I don't understand why these Web-based learning modules aren't requirements for IRBs, and, as part of the modules, you could have sample forms that could be used, you know, universal, simple forms that would fulfill the requirements of HIPAA and serve as a kind of a starting point that could be used to educate particularly the smaller covered entities. Why not the bigger ones as well? HIPAA-approved forms to make things more standardized.
I mean, I can't tell you how much more pleasurable – and I hate to say this - doing research in China and the Nordic countries is than doing research in this country, where everything looks the same from place to place, you know. It's just so much easier, and I don't really follow the argument why all these endless deliberations by IRBs comes up with a better result than - you know - a designation of one particular, thoughtful, helpful IRB is this is approved and this is a great idea. Why not?
MR. HOUSTON: And I can add that at the University of Pittsburgh that they have a substantial Web-based training program which all researchers must go through, and based upon who you are, you might have to take one of probably up to a half a dozen modules, including modules related to HIPAA, and they actually have segmented the HIPAA modules into ones related to research staff versus researchers versus students. So I know there is in some areas a great desire to try to do education and not just on HIPAA, but literally on all the IRB requirements, and they have to build a test to that before they can submit a protocol. They have to build - go on the Website, complete the courses, take tests, which certifies them to having completed the training, and until that occurs, they are not - they can't submit a protocol for review. So that works very well, I know, to ensure that there is a sort of a base level of knowledge with regards to training.
MR. ROTHSTEIN: Well, I would say that the online courses, both the basic human-subjects courses and the HIPAA courses vary very widely in their quality, and having taken many of them, I just think we can do a lot better.
MR. FANNING: The IRBs now under the common rule are under some obligation to take into account the particular circumstances of the community where the research is conducted. Do you think that differing answers from differing IRBs genuinely reflect differing situations which need to be taken into account when giving out information or are they sort of random differences?
DR. ROBERTS: We're two blocks from the University of Pittsburgh and we have our own IRB and our answers have been very different to a number of things than theirs have, and it is presenting a problem, because we'll now be merged into the University of Pittsburgh IRB and all the rules will change again, but I don't think it necessarily - I'm certain that there's part of it that reflects the community, but I think part of it reflects the philosophy of the people in charge.
DR. BOUGHMAN: I was going to say the same thing, that while during IRB review, I think very often, if not nearly always or always, there is some - and there has been more attention paid to the sensitivities of the groups and the populations in which a study might be done, and this is certainly true, not only with inner-institutional, but, now, to a great extent, with internationally-based research, and a great deal more discussion is about all of that.
Fortunately or unfortunately, I think the position that the IRB takes may not, in the end, reflect that or the intent or spirit of either the common rule or the privacy rule, but the interpretations of the institution on the safest - you know – once again, the narrowest common denominator, and I would just like to say that I think one of the very positive aspects of HIPAA is that it has brought back to the fore and into the essence of many discussions things that had been slipping to the background about privacy issues, and, unfortunately, I think HIPAA itself, the letter of the rule gets the short end of the stick, because we should have been talking about a lot of these things for a long time, and it's a focus and a refocusing, and we are just in the process of getting that lense in focus, and I hope it does smooth out, but, now, during this process - I mean, even in - and the complicated aspects of it may be worse in the academic institutions in figuring out what hat I am wearing today and whether I am really in the covered entity or not in the covered entity. Am I a clinician today or a researcher today? Am I both?
So, you know, I think that the fact that we have HIPAA and the common rule and all of these processes seen as separate because they came in at different times is complicating and confounding the issues.
MS. KANISHIRA: I was just going to point out that under HIPAA, as well as the common rule, there actually is the ability to have a central IRB review or single IRB review for a project. So, you know, there are good reasons why institutions want to have local IRB review, but it's actually not a requirement under our regulations and we are well aware of the problems with instituting central IRB review. As many of you probably know, we had a pilot ongoing, the National Cancer Institute, where this was being done and there are certainly issues that have come up through that pile that we need to address, but, certainly, our office would not discourage the use of central IRB review where institutions deem it is important to do.
MR. ROTHSTEIN: Well, I want to thank all the members of the panel, and, indeed, all the panels over the last day-and-a-half for their excellent testimony, and I want to thank my colleagues on the subcommittee and staff as well, and, Julie, thank you especially for helping us out.
MS. KANISHIRA: Pleasure.
MR. ROTHSTEIN: This concludes our hearing for today and for this session.
As mentioned, we will continue these hearings next year, and if the members of the subcommittee would hang around for just a few minutes, we have a little bit of business to take care of. I know you've got trains and planes and things to get to.
Agenda Item: Subcommittee Discussion
MR. ROTHSTEIN: We have scheduled our next -
SPEAKER: Nobody needs to leave, though, this is still an open meeting.
MR. ROTHSTEIN: Oh, this is open to the public.
SPEAKER: It's still an open meeting.
MR. ROTHSTEIN: So any masochists in the audience -
welcome.
Okay. So we have agreed that our hearings will be February 18th and 19th, and all that I wanted settled today is to get an agreement on the topics, so that we can begin locating witnesses.
The hearings we are going to try to schedule at the Humphrey Building, and so we'll notify you if we can do that, and, if not, what the alternate location is.
So if I can go back to our last, I think, conference call on the topics that we selected for today's hearing and review those other topics that were on our list that we have not yet dealt with, the issues that we had identified as being of high priority are genetics in schools and also the issue of minors, so that's one. The issue of law enforcement and how it is handled under HIPAA. Banking issues under HIPAA, and the other one was the - and I never know what to call this. It's the payment stream.
MS. FYFFE: The payment chain -
MR. ROTHSTEIN: Chain.
MS. FYFFE: – which would include a few different organizations or types of organizations, third-party administrators, employers, health plans, health-insurance brokers and reinsurers.
MR. ROTHSTEIN: Right.
MR. ZUBELDIA: And there is going to be a presentation on that this afternoon during the effect(?) meeting in D.C. So I'm going to go from here right to that meeting, because -
MR. ROTHSTEIN: Okay. So maybe you can line up some folks for us.
MS. FYFFE: Yes.
MR. ZUBELDIA: I know John Casillas(?) will be discussing it in that meeting.
MR. ROTHSTEIN: So those were the four that are next on our list of issues to consider. Let me go over those again. It was minors and schools, all the FRERPA(?) issues, et cetera; law enforcement and how it is treated under the privacy rule; banking and the payment chain. So if we did all four of those, that would be a full two-day hearing with presumably a half day, two panels on each of those topics.
MR. HOUSTON: Banking and the payment chain are separate.
MR. ROTHSTEIN: Yes.
MS. FYFFE: Yes, they are.
MR. ZUBELDIA: The payment chain includes TPAs, PPOs, reinsurance, other non-covered entities that are, in fact, involved in processing claims.
MS. FYFFE: Employers, brokers. Whereas, the banking issue has to do with banks as clearing houses and Gramlige-Bliley(?) and some of the issues that Kappa(?) had brought up.
MR. HOUSTON: And is law enforcement also going to include judicial and -
MR. ROTHSTEIN: It would be, I suppose, both - I mean, we can include anything we want. So we can talk about law enforcement in sort of the criminal sense. We can also - we might have one panel on criminal investigations. We might have another one on judicial enforcement and civil cases.
MR. FANNING: I mean, it might be interesting to have a panel regarding issues related to subpoenas and court orders and requirements and things, because I know that is an issue that -
MR. ROTHSTEIN: We could do subpoenas. We could do a whole range of things. We could do - I'm blanking on - you know, the HHS privacy - help me, John. What are the orders you get from HHS that -
MS. FYFFE: Administrative subpoenas?
MR. ROTHSTEIN: No, that prevent disclosure – certificate of confidentiality.
MR. FANNING: Yes, protection of research data.
MR. ROTHSTEIN: Oh, man. Don't get old, doc. (Laughter).
Right. So we could also deal with certificates of confidentiality and the civil side as well. So if that's one of the things that you want to put on the list, I think we can do that. We can do - we can have, for example, FBI, a representative of state and local law enforcement and maybe privacy advocates on one panel. We can have on the other panel take up the subpoena issue and so forth.
Yes.
MS. BICKFORD: Carol Bickford, the American Nurses Association.
When you are talking about law enforcement, I would invite you to consider the corrections industry as part of this. They have unique issues in the fact that the health care is within an environment which is not focused on health care. You would certainly want to be looking at how the nurses are having to deal with that, because they are the primary-care providers in the corrections environment, and what that means -
MR. ROTHSTEIN: Well, one of the things – before you get to the next point. I think my preference would be not to do that then, but to have separate hearings on corrections, because under the privacy rule, correctional health care is entirely exempt and there is no HIPAA protection to records that are generated in the health-care setting – sorry, in the correctional setting, and, arguably, there is lots of things that are produced there that -
SPEAKER: You disagree.
MR. FANNING: No, I think that may be somewhat overstating it, but it's - you know – the correctional authorities can get the information.
MR. ROTHSTEIN: Correct.
MR. FANNING: But I think more generally, there are restrictions on it.
MR. ROTHSTEIN: Right. But what I'm saying is correctional authorities can get access to everything regardless of whether they are in a health-care - providing health-care services, et cetera.
MS. BICKFORD: Well, that, in itself, has unique issues in relation to health care, and then you have the health care provided in external facilities or the tele-health(?) initiatives. So how does that fit in this discussion?
And the next item I have is in relation to your breakout of minors and schools. What about those who are not minors? For example, the college – community colleges, academic settings, where they also have health-care issues in relation to privacy, confidentiality, both from the standpoint of faculty, but also from the students, and it's not minors in that setting.
MR. ROTHSTEIN: Well, I think that is an interesting suggestion. It is one of the things we talked about. There is a very significant problem in college campuses where, for example, the student health service or the university health service provides services to students as well as to faculty and staff, and half of them has to comply with HIPAA and half of their patients are covered under FERPA(?) or other protection. So it is an issue that we have identified before and I think would be certainly appropriate for our discussion in February, and I thank you for mentioning those, and I'm sure we would have no trouble getting folks from the colleges and their association of health providers.
Other specific kinds of things? And this is very helpful, I think.
DR. HARDING: The only other thing that I would like to - at some point - doesn't have to be in February – but to get back to a reassessment of employer access. Do you feel that fits in to some of those -
MR. ROTHSTEIN: I think we are going to deal with the issue of employers only in the context that employers are payers - that is, that they are involved in the payment chain, so employers, in the sense that they are providers of health benefits - but I think your point is a good one, and we can put it off to the - I mean, we need a separate hearing on the issue, I believe, of employer access to employee and applicant health information.
DR. HARDING: Because in the past, we had some wrenching testimony from occupation nursing and occupational medicine of the tremendous binds, and I would like to see how it's going now, you know, after this has come in and how they are feeling about that.
MR. ROTHSTEIN: So I think that, without objection, we can sort of mentally or intangibly start making the list for the third round of hearings, which would include, so far, employers and correctional facilities, jails, prisons -
MR. HOUSTON: And, again, I'm going to renew my concern, because I hear very regularly that there are still issues with fund raising that -
MR. ROTHSTEIN: Somehow - that was going to be –
MR. HOUSTON: It's between research and fund raising. They are both enormous issues, and though it may not - I see it as a huge issue.
MR. ROTHSTEIN: Okay. Well, we know the people to talk to, because they have all testified before us in the past, but that was pre-April 14th and we want to know what's happening. Are things better or worse than they thought they would be?
MR. HOUSTON: I mean, I can only speak anecdotally, but there are great issues with regards to fund raising, and I think we probably have enough history now – well, actually, we may not quite yet as to actual fund-raising success and efforts and how much money is being pulled in, but I'm just hearing it is really impacting - substantially impacting -
MR. ROTHSTEIN: The other issue that was mentioned yesterday by Richard that we may want to put on the list and that is the offshore medical contracting, and I think we need to consider that.
MR. GELLMAN: Well, I just - make a suggestion - suggest an issue for down the road, and that is health-care providers who are not covered by HIPAA. There are more and more free clinics, other kinds of circumstances in which people provide health care and are not subject to HIPAA, because they do not bill somebody electronically, and I think that is likely to be a growing segment, and the question is is that going to start to create problems, because you have significant provider institutions that look just the same to patients, except the only way they can tell they are not covered by HIPAA is they didn't get a HIPAA notice when they walked in the door, and that is not much of a signal.
MR. ROTHSTEIN: Right. Yesterday, that was one of the things that was mentioned to us, the sort of flu-shot-health-fair situation. There are lots of home test-kit -
MR. ZUBELDIA: Cholesterol screening in the malls and all that.
MR. ROTHSTEIN: Right.
MR. ZUBELDIA: So it brings up the topic we discussed yesterday. Would it be appropriate for NCHS to look at the possibility of expanding the scope of HIPAA to all health-care settings and a make a recommendation to the Secretary to pursue some changes to the legislation to expand to all health-care information? Would that be an appropriate activity for -
MR. HOUSTON: Actually, let me rephrase that: Do we want to look at, more generally, how to expand the scope of HIPAA, not just for all health care, but, you know, there was a discussion yesterday about business associates, and is there a better structural way to deal with business associates, and I guess it's fair game to say - you know - when you expand HIPAA, do you want to expand it in a way that effectively covers business associates that may simply handle information -
MS. GREENBERG: I think any of these things are in scope for - you know, that are relevant to the privacy of health information, even, you know, HIPAA, not HIPAA, and in your report - I mean, it's not within the power of the department to expand the scope of HIPAA, but you do report to Congress - the committee does report to Congress every year as well on the impact of HIPAA and problems, et cetera. So it is certainly within - you know - within scope.
MR. ZUBELDIA: So would it be appropriate to make a recommendation like that, if appropriate, to the Secretary to pursue in Congress?
MS. GREENBERG: Right. And you do actually report to Congress as well -
MR. ROTHSTEIN: Right. Right.
Richard -
DR. HARDING: I'm not sure that expanding HIPAA right now would be a very politically - (laughter) –
MS. GREENBERG(?): Well, there might be a different way to phrase it.
DR. HARDING: – sound measure.
But the question that I had was what is the timetable for the annual review of HIPAA, where, you know, you can make changes and so forth once a year or something like that? Isn't there some kind of - what - if we were to make recommendations, what would be the timetable -
MR. FANNING: I don't know. I think that these things take so long that it would not be wise to try to gauge your attention to it on the basis of a deadline or -
MS. FYFFE: Yes, I think the statute permits one modification per year, but that doesn't mean that there is going to be a modification.
MR. HOUSTON: That also doesn't mean that you - it isn't accomplished through clarification, that - I mean, that's - I think that is what OCR has tried to do on a number of fronts, especially as it relates to accounting(?) disclosures, where, you know, you are doing a periodic regular disclosure. I think they have tried to deal with the accounting issue by simply saying, oh, if they are regular disclosures you can simply account for them by type and frequency, things like that.
MR. ROTHSTEIN: I want to at least resolve this issue today, and this is a very important one for us. We have zoomed through hearing number two. We've got more than enough already for hearing number three. In 15 minutes, we could be up to hearing number seven. The question is how the subcommittee wants to handle the letters to the Secretary. I mean, at what point do we think it is - should we have - in other words, should we have a letter per hearing cycle or should we have a letter at the end of X number of hearings?
MS. GREENBERG: Well, I wasn't able to be here yesterday afternoon, but one question I had was - I mean, you had two panels yesterday on public health and two this morning on research and, you know, some obviously common issues and some separate issues, and I guess yesterday afternoon was more general.
MR. ROTHSTEIN: Right.
MS. GREENBERG: But do you feel you would need to hear from more testifiers related to public health and research or that in - I mean, I look at law enforcement, banking, payment chain. These really don't seem to have much to do with public health or research, though schools - certainly could.
So the question - you know - did anything come up - I mean, I think that's at least worth discussing right now when it's all fresh that you feel like, well, we really – because sometimes that happens -
MR. ROTHSTEIN: Right.
MS. GREENBERG: - where we really need to hear from X group. I mean, I haven't – didn't – you know, I'm not thinking - this isn't a trick question, but before we could identify, yes, that there are issues for public health and research that either need more guidance, more clarification or that might even need to be looked at as amendments to the rule, and if so, then I think those - you know - if not - if so, then those groups should be brought in sooner, maybe, rather than later to kind of complete the picture of the current status, and, of course, this is a moving target, as people said, even if things aren't going badly now or if they are going badly now, things could change in six months for a variety of reasons. People wake up and realize certain things or they learn more about it, but I think if you feel you have heard adequately on a subject, I think that is a good time to at least talk about and think about what you - you know - might want to then report about, and I can't see waiting ‘til - you know - ‘til four or five hearings are done before you do that, because, frankly - I mean, it's also a question of could things be addressed now that would be fruitful, like additional guidance or what have you?
If you wait too long, it's sort of like people were saying to the - you know - quality work group - you got that testimony two years ago. Are these recommendations still relevant? Are these problems still going on?
So I'm not necessarily saying a letter after each one, but I do think that - you know - it's important after each round of hearings to identify whether you need to hear from other people on this subject, and, if not, what you would want to say about it.
MR. HOUSTON: I think we heard pretty clear discussion, testimony today regarding issues related to research. I would think that based upon what - there were some very common themes today that it would be appropriate to try to put something together, a letter with regards to research, as soon as possible. I think what we are hearing is there is substantial impact on research, and it warrants doing something sooner rather than later. I think we may find that other issues we can table into a variety of recommendations later, but, again, where something as big as what I think we heard today came up, I think it behooves us to act and enact in a focused letter -
MR. ROTHSTEIN: What about public health? Do you feel the same way about -
MR. HOUSTON: Maybe it's because it's fresh in my mind, research, today, I'm less sensitized towards the public-health issues, not that you might not think that they equally deserve - you know - a letter, but I can definitely say that research, in my mind, deserves a focus letter immediately, based upon what we heard today. I'll reserve to the rest of the subcommittee - the public health.
MS. FYFFE: Given that the compliance date with the rule was April 14, 2003, it might make sense to have at least one letter to the Secretary by April 14, 2004, and I don't know how that works in with the timing of the NCVHS subcommittee meetings, but I think that if you go very far beyond - one year beyond the compliance date that the value of the letter might change. Might be a strange way of looking at it, but to give us some time frame.
MS. GREENBERG: Well, the next –
SPEAKER: The next meeting is the 4th and 5th of March.
MS. GREENBERG: Yes, there is potentially a short meeting, you recall, at the end of January, because of certain issues that needed to be addressed. So some may participate by phone and others in person, if there were something - you know - compelling, but I think - I would think March 4th, 5th would be the -
MS. FYFFE: Okay. Which -
MS. GREENBERG: - the target, and then you will have heard from the schools as well, which I think might play in, as I said, with the public health and with the research. I don't know about the other issues, but –
MR. ROTHSTEIN: Of course, if we wait until after the 18th and 19th of February hearings, then we'll have only –
MS. GREENBERG: I thought they were the 3rd and the 4th.
MR. ROTHSTEIN: No, we've moved them back.
MS. FYFFE: We changed those.
MS. GREENBERG: What are they now?
MR. ROTHSTEIN: 18th and 19th.
MS. FYFFE: February 18 and 19.
MR. ROTHSTEIN: There was a conflict with some members. So we moved them back. So, now, we are going to be sort of - a little –
MS. GREENBERG: I didn't realize that.
MR. ROTHSTEIN: Yes.
Dan, did you want to -
MR. RODE: Dan Rode, American Health Information Management Association.
A number of the groups yesterday wrote up the issue of accounting for disclosures. This is a very expensive process. It is also a process that appears not to have been completely implemented across the board, and people are waiting to figure out a way to do it at the least possible expense.
If you wait too long, we are going to be a year out, and we are going to have to find another mechanism rather than coming to the committee to seek some kind of a solution to that problem. I don't know if you need more information, and I could certainly understand that you may want more information, but to ignore that problem, I think, would not be good, because it was something that has consistently come out of the provider community.
MR. ROTHSTEIN: Thank you.
Yes, there are actually a couple of other issues that were brought up consistently at the general session that we may want to consider as well.
So what is the - I hear somewhat of a consensus that we should not adopt the strategy of waiting until all these hearings are completed before we produce a letter. So we're in the - sort of the chain of letter -
DR. HARDING: I think we ought to have a letter prepared for the next committee meeting.
MR. ROTHSTEIN: Right. In March.
DR. HARDING: If that is the next committee meeting.
MR. ROTHSTEIN: And to do so, we would probably need to see if we could schedule a series of conference calls to -
MR. HOUSTON: Why don't we also look at this testimony in February, maybe an evening meeting or some type of working meeting at the February meeting to try to -
MR. ROTHSTEIN: Well, we could -
MS. FYFFE: We could shorten the meeting to - well, we could have a two-day meeting and only have three panels and have a half day of deliberations regarding our recommendations.
MS. GREENBERG: Yes, particularly if you are going to have - you know - discussions by conference call where it is really hard to bring in the public and all of that. I mean, it's possible -
MR. ROTHSTEIN: Yes.
MS. GREENBERG: - but I think if those - if then you had the discussion - you know - further discussion of the letter at the meeting, that would work well.
MR. ROTHSTEIN: All right. So suppose that for the March - I'm sorry the February 18th and 19th meeting - the dates won't work to go a third day - instead of four topics we go with three topics, save the fourth slot for like an all-afternoon committee discussion about the issues that we heard today, as well as what we are going to hear February 18th and 19th.
What we would need to do is take one of the four topics off the table and defer it to the session that we have yet to schedule. Maybe April.
DR. HARDING: Maybe we can leave that to the wisdom of the chair and our able staff to determine three out of four.
MR. HOUSTON: May I suggest one other thing, too, is that we take – on the second day - we'll assume there's two panels on the first day. On the second day, we reserve the beginning of the morning, like 8:30 to 10:00 for work on the letter, hear the two panels on the one topic during the next two sessions and then reserve the end session, then, for work on the letter again. What that would allow is if somebody - if there was a letter and somebody needed to do some authoring or some rewording, we could actually break it up into two pieces where we could talk, let somebody do some reauthoring, and then sit back down and discuss - or, as an alternative, do something on the first day, second day.
MS. FYFFE: You could have one panel immediately before lunch and one panel immediately after lunch.
MR. HOUSTON: Right.
MS. FYFFE: And have the beginning and the ending of the day be -
MR. ROTHSTEIN: Well, the fact of the matter is we are not going to be able to draft anything then. What we would do is get agreement from the committee members about the topics that we wanted to include and generally what we wanted to say. It's not really very productive for the committee to take - you know - to start marking up a letter at that stage.
So what we could do is - you know - say, okay. In public health here are the five things we want to talk about, in research here are the five things, and then we would draft a letter. We could schedule a conference call to review the draft letter, put it into some better shape, then have it as a draft for the full committee for the first go around.
Marjorie –
MS. GREENBERG: Well, I actually was thinking something a little different, but –
MR. ROTHSTEIN: Okay.
MS. GREENBERG: That if you don't feel you need to hear from additional people on public health and research that you could have a conference call to identify the issues, and that maybe then a letter on those issues could be drafted prior to the February 19th, 20 or 18, 19th -
MR. ROTHSTEIN: 18, 19, yes.
MS. GREENBERG: – meeting and then you could actually go over that draft.
Now, of course, anything you heard on the 18th or 19th, if you wanted to include it in the letter, you would –
MS. FYFFE: It would be an addition in the letter.
MS. GREENBERG: It would be an addition, but I wouldn't wait until the February 18, 19 meeting to identify the issues you want to -
MR. ROTHSTEIN: Talk about today.
MS. GREENBERG: - talk about from the last two days.
MS. HORLICK: I was just going to suggest almost the same thing. I mean, essentially, we might conclude that we heard all we need on research and that might not come up on that - so we could have that part of a letter done. We could do the public-health part of the letter and possibly revise it based on the issue with schools or minors or something like that or at least flesh it out, I think, as much as we can do ahead of that meeting.
Then, we could use the time on the 18th and 19th to even, you know, get some consensus on what we heard that day, also, when it's fresh in our mind.
MR. ROTHSTEIN: Right. Okay. So when do you want to have the conference call on today's stuff -
SPEAKER: Yesterday and today.
MR. ROTHSTEIN: Yes, yesterday and today, the two - so should we try to schedule it as soon as possible -
Okay. Well, we don't have - you know - Simon and Russ here. Shall we just try to come up with something in their absence?
MS. GREENBERG(?): I don't think Russell is actually on the subcommittee, though he is more than welcome to -
MR. ROTHSTEIN: He's not on the subcommittee? No. Oh, I see. Okay. Well -
MS. GREENBERG(?): But, I mean, he can participate -
SPEAKER: He can participate if he wants.
MS. GREENBERG(?): And since he attended yesterday, we probably want to invite him.
MR. ROTHSTEIN: Okay. Well, let's - what about the week of December 1st?
SPEAKER: That's fine.
SPEAKER: It's fine with me.
MR. ROTHSTEIN: Some time in that -
SPEAKER: Fine with me.
SPEAKER: Yes -
SPEAKER: Yes.
MS. FYFFE: Okay.
SPEAKER: Okay. So for me that would be the 3rd, 4th or 5th would be best.
MS. FYFFE(?): And how long?
MR. ROTHSTEIN: Well, I think we better schedule -
MS. FYFFE: Ninety minutes?
MR. ROTHSTEIN: Yes, that's, I think, the max that people can take.
MS. FYFFE: Yes.
SPEAKER: How much?
MR. ROTHSTEIN: Ninety minutes.
MS. FYFFE: Ninety minutes.
SPEAKER: Yes.
SPEAKER: Yes, those days look pretty –
MS. GREENBERG: If you give dates to your availability, Mark, to Marietta, then she can call everyone or unless you want to try to decide right now.
MR. ROTHSTEIN: Well, I think we have agreed that some time that week. We'll have to ask Simon, but the dates we are talking about are the 3rd, 4th or 5th of December.
MS. GREENBERG: Okay.
MR. ROTHSTEIN: And then we will take up the issues of public health, research and the general stuff, which would include the accounting for disclosures and other issues that we want -
MS. GREENBERG: Accounting for disclosures was a big issue with public health.
MR. ROTHSTEIN: It was a big issue everywhere.
SPEAKER: Everywhere.
MR. HOUSTON: Could I say this: Right now, the 4th and 5th for me there's nothing on my schedule that I can't move right now.
MR. ROTHSTEIN: Okay. We need to check with Simon.
MR. HOUSTON: Right.
MS. GREENBERG: What did you say, John?
MR. HOUSTON: There's nothing on my schedule for the 4th and 5th I can't move, and the 3rd is a little more tight. I have two or three things on there I have committed to.
MS. FYFFE: What about you -
MR. ZUBELDIA: I'm open all week.
MR. ROTHSTEIN: Okay. So we'll check with Simon. We can check with him tonight or tomorrow or -
Okay. Thank you very much, and for those of you who are remaining, good to see you, and we are adjourned.
(12:08 p.m.)