The Global Privacy Environment and Its Impact on Records-Based Human Subject Biomedical Research Presentation To: The National Science Foundation Center for Discrete Mathematics & Theoretical Computer Science (DIMACS) Rutgers University DIMACS Center Piscataway, NJ December 10, 2003 Oliver M. Johnson , II Chief Privacy Officer Merck & Co., Inc. Overview Merck Privacy Office • The Global Privacy and Data Protection Environment • Impact on Records-Based Biomedical Research • Conclusions 2 The Global Privacy and Data Protection Environment 3 Definitions Merck Privacy Office • Privacy: the “right to be let alone.” Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193, 205 (1890) • Data Protection: the administrative, technical and physical controls one uses to protect the confidentiality and ensure the proper use of personal information. 4 Privacy as a Social Issue Merck Privacy Office • The Business Perspective – – – – Globalization Personalization Data Consolidation Personal Information a Valuable Corporate Asset • The Public Perspective – Growing Public Awareness – Strong Public Sentiment – Personal Information a Fundamental Personal Asset • We are increasingly dependent on the ability to establish understanding and trust with large numbers of people from various cultures and perspectives. 5 Privacy as a Cultural Issue Merck Privacy Office • Europe – Personal privacy is a fundamental human right. Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms – Long history and culture of protecting individuals from government and private intrusions into personal affairs. – Most EU countries have had privacy laws for decades. – Omnibus legislative approach. • U.S. – Freedom from unreasonable government intrusion into personal affairs is a fundamental Constitutional right. 4th Amendment to the United States Constitution – Relatively recent legislative focus on protecting individuals from private intrusions into personal affairs. – Sectoral legislative approach. 6 Privacy as an Ethical Issue Merck Privacy Office Whatever, in connection with my professional practice, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret. Hippocrates (c. 400 B.C.) • • • • • • • World Medical Association Declaration of Helsinki (1964) U.S. Common Rule (Established 1979 / Codified 1991) U.S. Food and Drug Administration Regulations (1980) OECD Privacy and Transborder Flow Guidelines (1980) CIOMS International Biomedical Research Guidelines (1983, 1992, 2002) CIOMS International Epidemiological Study Guidelines (1991) ICH Good Clinical Practice Guideline (1996) 7 Privacy as a Legal Issue - Europe Merck Privacy Office • EU Data Protection Directive of 1995 – – – – Covers all personally identifiable information Covers all types of entities (e.g., Research, Business, Government) Also adopted by Iceland, Norway and Liechtenstein (EEA) Prohibits transfers to non-EEA countries lacking “adequate” data protection – Adequacy Determinations: Canada, Hungary, Switzerland, Argentina, Guernsey, U.S. Safe Harbor, Model Contracts • National EU Data Protection Laws – Prohibit transfers to non-EU countries lacking “adequate” data protection – Member States must abide by EU Commission adequacy determinations • EU / U.S. Safe Harbor Agreement – Enables individual U.S. companies to receive EEA personal information – Applies only to transfers from EEA countries – Applies only to transfers to certified U.S. companies 8 Privacy as a Legal Issue - U.S. Merck Privacy Office • Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Regulations – Covered Entities: Health Care Plans, Health Care Clearinghouses, Health Care Providers – Business Associates of Covered Entities – Personally Identifiable Health Information • State Privacy Legislation – Health and Medical Information – Data Security – Genetic Research • • • • Electronic Communications Privacy Act of 1986 (ECPA) FTC Code of Fair Information Practices (1999) Children’s Online Privacy Protection Act of 1998 (COPPA) New Federal Telemarketing, Spam and Fax Laws (2003) 9 Legal Summary – Rest of World Merck Privacy Office Privacy laws pending or enacted in: • Non-EEA Europe Albania, Bosnia, Bulgaria, Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Poland, Romania, Russia, Slovakia, Slovenia, Switzerland • Asia Pacific Australia, Hong Kong, India (pending), Japan, New Zealand, Taiwan, Thailand • Middle East / Africa Israel, South Africa • Latin America Argentina, Brazil, Chile, Mexico (pending), Paraguay, Peru • North America Canada Many of these laws are based on the European model. 10 Privacy as a Business Issue Merck Privacy Office Laws apply common principles but create significantly different administrative requirements 11 Privacy Principles Merck Privacy Office • Respect: Understand and respect the privacy perspectives of the individual. • Necessity: Collect personal information only for identified business purposes. To the extent possible, use nonidentifiable information, and limit the personal information that is used and disclosed to that which is necessary for the identified purposes. • Notice: Provide notice to individuals regarding the information that will be collected, how it will be used, and who will have access to it. • Choice: Allow individuals to determine whether personal information about them will be collected, used and disseminated. 12 Data Protection Principles Merck Privacy Office • Data Integrity: Use personal information in accordance with the notice given and the choices exercised. Keep personal information accurate, complete and current in regard to the purpose for which is was collected. • Access and Correction: Allow individuals reasonable access, on request, to personal information about them, and correct information that is incorrect or incomplete. • Transfers to Agents: Obtain written assurances from agents that they will collect, use, and secure personal information pursuant to Merck’s instructions. • Security: Secure personal information from loss, misuse, unauthorized access, disclosure and alteration. • Enforcement: Provide communications, training, monitoring and enforcement with respect to Merck privacy policies and procedures. 13 Impact on Records-Based Biomedical Research 14 European Style Laws Merck Privacy Office • Personal Information: information which identifies, or is used alone or in combination with other information to identify an individual. • Sensitive Persona Information: Personal Information relating to race, ethnicity, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life. 15 Research Requirements (EU Directive, Article 8) Merck Privacy Office Sensitive Personal Information may not be used unless: • Each data subject gives “explicit” consent; • The data are necessary to protect the “vital interests” of the data subject or another person and the data subject is physically or legally not able to give consent; • The data are “manifestly made public” by the data subject; or • The data are required for preventive medicine, medical diagnosis, provision of care or treatment, or management of healthcare services, provided the user is operating under rules of professional secrecy. 16 International Transfers (EU Directive, Articles 25, 26) Merck Privacy Office No transfers of Personal Information from the European Economic Area (EEA) to non-EEA countries unless: • Each data subject consents to the transfer; • The transfer is necessary or legally required on important public interest grounds; • The transfer is necessary to protect the data subject’s “vital interests;” • The transfer is made under a “model contract” between the EEA sender and the non-EEA receiver; • The transfer is to a U.S. Safe Harbor company; or • The transfer is to Argentina, Canada, Guernsey, Hungary, or Switzerland. 17 Exceptions Merck Privacy Office • European Union Member States may, for reasons of “substantial public interest,” create exceptions to the general rule. (EU Directive, Article 8, 4) • Some European countries, such as Italy, have laws expressly allowing epidemiologic research without data subject consent. 18 Practical Application Merck Privacy Office • In most European countries medicine is socialized, and governments maintain comprehensive medical databases. • Most governments extract data from these databases and make them available to researchers. • Data provided typically include ages, dates, gender, race, geographic information, medical information. • Governments generally consider these data nonidentifiable. 19 What is HIPAA? Merck Privacy Office • The Health Insurance Portability and Accountability Act of 1996; and • Three sets of regulations issued by the Clinton Department of Health and Human Services in 2000: – Privacy Regulations - April 14, 2003 Compliance Deadline – Transaction Standards - October 16,2002 Compliance Deadline – Security Regulations – 2005 Compliance Deadline 20 Merck Privacy Office Who is covered? • HIPAA “Covered Entities” – Health Care Providers that transmit health data electronically in connection with 1 or more of 8 “HIPAA Transactions” Physicians Group Practices Hospitals Pharmacies Clinics – Health Care Plans HMOs PBMs Health Insurers Group Health Plans Medicare Medicaid – Health Care Clearinghouses Entities that transmit data into a HIPAA “standard” format from a non-standard format or vice versa • “Business Associates” of HIPAA Covered Entities Entities that use protected health information (PHI) for or on behalf of covered entities 21 What is covered? Merck Privacy Office • Protected Health Information: individually identifiable health information in the possession of a HIPAA covered entity that relates to an identifiable individual’s past, present, or future health, healthcare, or to payment for an individual’s healthcare. 22 Research Requirements Merck Privacy Office Uses or disclosures of PHI require: • Signed, HIPAA “authorizations” from each study participant in addition to consents complying with the Common Rule and FDA Regulations; • IRB or “Privacy Board” waivers of some or all of the authorization requirements; or • “De-identification” of patient data via one of two methods: – Removing each of 18 prescribed data elements; or – Statistical Analysis and opinion. 23 Waivers and Alterations (HIPAA vs. CR) HIPAA 45 CFR 164.512(i)(2)(ii) A. Use or disclosure involves no more than minimal risk to the privacy of individuals, as indicated by F-H below; B. Alteration or waiver will not adversely affect privacy rights and welfare of individuals; C. Research could not practicably be conducted without the alteration or waiver; D. Research could not practicably be conducted without access to and use of PHI; E. Privacy risks to individuals are reasonable in relation to the anticipated benefits if any, to the individuals, and the importance of the knowledge that may be reasonably expected to result from the research; F. Adequate plan to protect identifiers from improper use and disclosure; G. Adequate plan to destroy identifiers at the earliest opportunity, unless there is a health or research justification or legal requirement to retain them; and H. Adequate written assurances that PHI will not be reused or disclosed for other purposes. Merck Privacy Office Common Rule 45 CFR 46.116(d) A. Research involves no more than minimal risk to subjects; B. Waiver or alteration will not adversely affect the rights and welfare of subjects; C. Research could not practicably be carried out without the waiver or alteration; and D. Whenever appropriate, subjects will be provided with additional pertinent information after participation 24 Merck Privacy Office De-identification (Two Methods) HIPAA Safe Harbor 45 CFR 164.514(b)(2)(i) • • • • • • • • • • • • • • • • • • • • • Names Geographic subdivisions smaller than a state Zip codes Dates (birth, admission, discharge, death) Age, if over 89 Telephone numbers Fax numbers E-mail addresses Social security numbers Medical record numbers Health plan beneficiary numbers Account numbers Certificate and license numbers Vehicle identification and serial numbers License plate numbers Device identifiers and serial numbers URLs Internet Protocol address numbers Biometric identifiers (finger and voice prints) Full face photos and comparable images Any other unique identifiers Statistical 45 CRF 164.514(b)(1) • • • A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable; Determines that the risk of re-identification of the data, alone or in combination with other reasonably available data, is very small; and Documents the methods and results. 25 HIPAA Research Exceptions Merck Privacy Office • Limited Data Sets • Research on Decedents • Work Preparatory to Research 26 Limited Data Sets Allowed • • • • • Admission Dates Discharge Dates Service Dates Death Dates Age (in hours, months or days) • Age (for those over 90) • Five Digit Zip Codes • Demographic Data Merck Privacy Office Direct Identifiers Not Allowed • Names • Street Addresses • Telephone and Fax Numbers • e-Mail Addresses • Social Security Numbers • Certificate or License Numbers • Vehicle ID and Serial Numbers • URLs and IP Addresses • Full Face Photos and Comparable Images 27 Limited Data Sets Merck Privacy Office • Data Use Agreement Required: – Data will be used only for research; – Researcher will not re-identify subjects; and – Researcher will not contact subjects. • Minimum Necessary Rule Applies • Must account for disclosures 28 Research Regarding Decedents Merck Privacy Office • PHI regarding decedents may be used for research. • Researcher must provide to the institution: – Verification that PHI will be used and disclosed solely for research on decedents; – Representation that the PHI is necessary for the research; and – Documentation of death. • Minimum Necessary Rule applies • Must account for disclosures 29 Work Preparatory to Research Merck Privacy Office • PHI may be used without an authorization or waiver for reviews preparatory to research. • Covered entity must obtain from the researcher representations that: – Use or disclosure of PHI is sought solely to prepare a research protocol “or for similar purposes preparatory to research.” – No PHI will be removed from the covered entity by the researcher; and – The PHI is necessary for the identified research purposes. 30 Work Preparatory to Research Merck Privacy Office • HHS has said in commentary on HIPAA that work preparatory to research includes activities such as: – Protocol development – Patient pre-screening – Subject recruitment • Minimum Necessary Rule applies • Must account for disclosures 31 Summary and Conclusions Merck Privacy Office • The governments of many countries with privacy and data protection laws have made special accommodations for records-based biomedical research. • HIPAA provides new rules, but reasonably practical mechanisms for records-based biomedical research. • It is important to consider state laws in the U.S., particularly in California. • Remember that all privacy legal, regulatory and ethical regimes are based on the same principles. 32 Thank You! Oliver Johnson oliver_johnson@merck.com 908-423-7321 33