The Global Privacy Environment and Its

advertisement
The Global Privacy Environment and Its
Impact on Records-Based Human Subject
Biomedical Research
Presentation To:
The National Science Foundation
Center for Discrete Mathematics & Theoretical Computer
Science (DIMACS)
Rutgers University DIMACS Center
Piscataway, NJ
December 10, 2003
Oliver M. Johnson , II
Chief Privacy Officer
Merck & Co., Inc.
Overview
Merck Privacy
Office
• The Global Privacy and Data Protection
Environment
• Impact on Records-Based Biomedical Research
• Conclusions
2
The Global Privacy and Data
Protection Environment
3
Definitions
Merck Privacy
Office
• Privacy: the “right to be let alone.”
Samuel
D. Warren & Louis D. Brandeis, The Right to
Privacy, 4 HARV. L. REV. 193, 205 (1890)
• Data Protection: the administrative,
technical and physical controls one uses to
protect the confidentiality and ensure the
proper use of personal information.
4
Privacy as a Social Issue
Merck Privacy
Office
• The Business Perspective
–
–
–
–
Globalization
Personalization
Data Consolidation
Personal Information a Valuable Corporate Asset
• The Public Perspective
– Growing Public Awareness
– Strong Public Sentiment
– Personal Information a Fundamental Personal Asset
• We are increasingly dependent on the ability to
establish understanding and trust with large numbers
of people from various cultures and perspectives.
5
Privacy as a Cultural Issue
Merck Privacy
Office
• Europe
– Personal privacy is a fundamental human right. Article 8 of
the European Convention for the Protection of Human Rights and
Fundamental Freedoms
– Long history and culture of protecting individuals from
government and private intrusions into personal affairs.
– Most EU countries have had privacy laws for decades.
– Omnibus legislative approach.
• U.S.
– Freedom from unreasonable government intrusion into
personal affairs is a fundamental Constitutional right. 4th
Amendment to the United States Constitution
– Relatively recent legislative focus on protecting
individuals from private intrusions into personal affairs.
– Sectoral legislative approach.
6
Privacy as an Ethical Issue
Merck Privacy
Office
Whatever, in connection with my professional
practice, or not in connection with it, I see or hear,
in the life of men, which ought not to be spoken of
abroad, I will not divulge, as reckoning that all
such should be kept secret.
Hippocrates (c. 400 B.C.)
•
•
•
•
•
•
•
World Medical Association Declaration of Helsinki (1964)
U.S. Common Rule (Established 1979 / Codified 1991)
U.S. Food and Drug Administration Regulations (1980)
OECD Privacy and Transborder Flow Guidelines (1980)
CIOMS International Biomedical Research Guidelines (1983, 1992, 2002)
CIOMS International Epidemiological Study Guidelines (1991)
ICH Good Clinical Practice Guideline (1996)
7
Privacy as a Legal Issue - Europe
Merck Privacy
Office
• EU Data Protection Directive of 1995
–
–
–
–
Covers all personally identifiable information
Covers all types of entities (e.g., Research, Business, Government)
Also adopted by Iceland, Norway and Liechtenstein (EEA)
Prohibits transfers to non-EEA countries lacking “adequate” data
protection
– Adequacy Determinations: Canada, Hungary, Switzerland, Argentina,
Guernsey, U.S. Safe Harbor, Model Contracts
• National EU Data Protection Laws
– Prohibit transfers to non-EU countries lacking “adequate” data protection
– Member States must abide by EU Commission adequacy determinations
• EU / U.S. Safe Harbor Agreement
– Enables individual U.S. companies to receive EEA personal information
– Applies only to transfers from EEA countries
– Applies only to transfers to certified U.S. companies
8
Privacy as a Legal Issue - U.S.
Merck Privacy
Office
• Health Insurance Portability and Accountability Act of 1996
(HIPAA) Privacy Regulations
– Covered Entities: Health Care Plans, Health Care Clearinghouses, Health
Care Providers
– Business Associates of Covered Entities
– Personally Identifiable Health Information
• State Privacy Legislation
– Health and Medical Information
– Data Security
– Genetic Research
•
•
•
•
Electronic Communications Privacy Act of 1986 (ECPA)
FTC Code of Fair Information Practices (1999)
Children’s Online Privacy Protection Act of 1998 (COPPA)
New Federal Telemarketing, Spam and Fax Laws (2003)
9
Legal Summary – Rest of World
Merck Privacy
Office
Privacy laws pending or enacted in:
• Non-EEA Europe
Albania, Bosnia, Bulgaria, Cyprus, Czech Republic, Estonia, Hungary,
Latvia, Lithuania, Poland, Romania, Russia, Slovakia, Slovenia, Switzerland
• Asia Pacific
Australia, Hong Kong, India (pending), Japan, New Zealand, Taiwan,
Thailand
• Middle East / Africa
Israel, South Africa
• Latin America
Argentina, Brazil, Chile, Mexico (pending), Paraguay, Peru
• North America
Canada
Many of these laws are based on the European model.
10
Privacy as a Business Issue
Merck Privacy
Office
Laws apply common principles but
create significantly different
administrative requirements
11
Privacy Principles
Merck Privacy
Office
• Respect: Understand and respect the privacy perspectives of
the individual.
• Necessity: Collect personal information only for identified
business purposes. To the extent possible, use nonidentifiable information, and limit the personal information
that is used and disclosed to that which is necessary for the
identified purposes.
• Notice: Provide notice to individuals regarding the
information that will be collected, how it will be used, and
who will have access to it.
• Choice: Allow individuals to determine whether personal
information about them will be collected, used and
disseminated.
12
Data Protection Principles
Merck Privacy
Office
• Data Integrity: Use personal information in accordance with
the notice given and the choices exercised. Keep personal
information accurate, complete and current in regard to the
purpose for which is was collected.
• Access and Correction: Allow individuals reasonable access,
on request, to personal information about them, and correct
information that is incorrect or incomplete.
• Transfers to Agents: Obtain written assurances from agents
that they will collect, use, and secure personal information
pursuant to Merck’s instructions.
• Security: Secure personal information from loss, misuse,
unauthorized access, disclosure and alteration.
• Enforcement: Provide communications, training, monitoring
and enforcement with respect to Merck privacy policies and
procedures.
13
Impact on Records-Based
Biomedical Research
14
European Style Laws
Merck Privacy
Office
• Personal Information: information which
identifies, or is used alone or in combination
with other information to identify an
individual.
• Sensitive Persona Information: Personal
Information relating to race, ethnicity, political
opinions, religious or philosophical beliefs,
trade-union membership, health or sex life.
15
Research Requirements (EU Directive, Article 8)
Merck Privacy
Office
Sensitive Personal Information may not be used
unless:
• Each data subject gives “explicit” consent;
• The data are necessary to protect the “vital interests”
of the data subject or another person and the data
subject is physically or legally not able to give
consent;
• The data are “manifestly made public” by the data
subject; or
• The data are required for preventive medicine, medical
diagnosis, provision of care or treatment, or
management of healthcare services, provided the user
is operating under rules of professional secrecy.
16
International Transfers (EU Directive, Articles 25, 26)
Merck Privacy
Office
No transfers of Personal Information from the
European Economic Area (EEA) to non-EEA
countries unless:
• Each data subject consents to the transfer;
• The transfer is necessary or legally required on
important public interest grounds;
• The transfer is necessary to protect the data subject’s
“vital interests;”
• The transfer is made under a “model contract” between
the EEA sender and the non-EEA receiver;
• The transfer is to a U.S. Safe Harbor company; or
• The transfer is to Argentina, Canada, Guernsey,
Hungary, or Switzerland.
17
Exceptions
Merck Privacy
Office
• European Union Member States may, for reasons
of “substantial public interest,” create exceptions
to the general rule. (EU Directive, Article 8, 4)
• Some European countries, such as Italy, have
laws expressly allowing epidemiologic research
without data subject consent.
18
Practical Application
Merck Privacy
Office
• In most European countries medicine is socialized,
and governments maintain comprehensive medical
databases.
• Most governments extract data from these databases
and make them available to researchers.
• Data provided typically include ages, dates, gender,
race, geographic information, medical information.
• Governments generally consider these data nonidentifiable.
19
What is HIPAA?
Merck Privacy
Office
• The Health Insurance Portability and
Accountability Act of 1996; and
• Three sets of regulations issued by the Clinton
Department of Health and Human Services in
2000:
– Privacy Regulations - April 14, 2003 Compliance
Deadline
– Transaction Standards - October 16,2002 Compliance
Deadline
– Security Regulations – 2005 Compliance Deadline
20
Merck Privacy
Office
Who is covered?
• HIPAA “Covered Entities”
– Health Care Providers that transmit health data
electronically in connection with 1 or more of 8 “HIPAA
Transactions”
Physicians
Group Practices
Hospitals
Pharmacies
Clinics
– Health Care Plans
HMOs
PBMs
Health Insurers
Group Health Plans
Medicare
Medicaid
– Health Care Clearinghouses
Entities that transmit data into a HIPAA “standard” format from a
non-standard format or vice versa
• “Business Associates” of HIPAA Covered Entities
Entities that use protected health information (PHI) for or on behalf of
covered entities
21
What is covered?
Merck Privacy
Office
• Protected Health Information: individually
identifiable health information in the possession of a
HIPAA covered entity that relates to an identifiable
individual’s past, present, or future health, healthcare,
or to payment for an individual’s healthcare.
22
Research Requirements
Merck Privacy
Office
Uses or disclosures of PHI require:
• Signed, HIPAA “authorizations” from each study
participant in addition to consents complying
with the Common Rule and FDA Regulations;
• IRB or “Privacy Board” waivers of some or all
of the authorization requirements; or
• “De-identification” of patient data via one of two
methods:
– Removing each of 18 prescribed data elements; or
– Statistical Analysis and opinion.
23
Waivers and Alterations (HIPAA vs. CR)
HIPAA 45 CFR 164.512(i)(2)(ii)
A. Use or disclosure involves no more than minimal risk
to the privacy of individuals, as indicated by F-H
below;
B. Alteration or waiver will not adversely affect privacy
rights and welfare of individuals;
C. Research could not practicably be conducted without
the alteration or waiver;
D. Research could not practicably be conducted without
access to and use of PHI;
E. Privacy risks to individuals are reasonable in relation
to the anticipated benefits if any, to the individuals,
and the importance of the knowledge that may be
reasonably expected to result from the research;
F. Adequate plan to protect identifiers from improper
use and disclosure;
G. Adequate plan to destroy identifiers at the earliest
opportunity, unless there is a health or research
justification or legal requirement to retain them; and
H. Adequate written assurances that PHI will not be
reused or disclosed for other purposes.
Merck Privacy
Office
Common Rule
45 CFR
46.116(d)
A. Research involves no
more than minimal risk
to subjects;
B. Waiver or alteration
will not adversely affect
the rights and welfare
of subjects;
C. Research could not
practicably be carried
out without the waiver
or alteration; and
D. Whenever appropriate,
subjects will be
provided with
additional pertinent
information after
participation
24
Merck Privacy
Office
De-identification (Two Methods)
HIPAA Safe Harbor 45 CFR 164.514(b)(2)(i)
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Names
Geographic subdivisions smaller than a state
Zip codes
Dates (birth, admission, discharge, death)
Age, if over 89
Telephone numbers
Fax numbers
E-mail addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate and license numbers
Vehicle identification and serial numbers
License plate numbers
Device identifiers and serial numbers
URLs
Internet Protocol address numbers
Biometric identifiers (finger and voice prints)
Full face photos and comparable images
Any other unique identifiers
Statistical 45 CRF 164.514(b)(1)
•
•
•
A person with appropriate
knowledge of and
experience with generally
accepted statistical and
scientific principles and
methods for rendering
information not individually
identifiable;
Determines that the risk of
re-identification of the data,
alone or in combination with
other reasonably available
data, is very small; and
Documents the methods and
results.
25
HIPAA Research Exceptions
Merck Privacy
Office
• Limited Data Sets
• Research on Decedents
• Work Preparatory to Research
26
Limited Data Sets
Allowed
•
•
•
•
•
Admission Dates
Discharge Dates
Service Dates
Death Dates
Age (in hours,
months or days)
• Age (for those over
90)
• Five Digit Zip
Codes
• Demographic Data
Merck Privacy
Office
Direct Identifiers Not Allowed
• Names
• Street Addresses
• Telephone and Fax Numbers
• e-Mail Addresses
• Social Security Numbers
• Certificate or License
Numbers
• Vehicle ID and Serial
Numbers
• URLs and IP Addresses
• Full Face Photos and
Comparable Images
27
Limited Data Sets
Merck Privacy
Office
• Data Use Agreement Required:
– Data will be used only for research;
– Researcher will not re-identify subjects; and
– Researcher will not contact subjects.
• Minimum Necessary Rule Applies
• Must account for disclosures
28
Research Regarding Decedents
Merck Privacy
Office
• PHI regarding decedents may be used for
research.
• Researcher must provide to the institution:
– Verification that PHI will be used and disclosed
solely for research on decedents;
– Representation that the PHI is necessary for the
research; and
– Documentation of death.
• Minimum Necessary Rule applies
• Must account for disclosures
29
Work Preparatory to Research
Merck Privacy
Office
• PHI may be used without an authorization or
waiver for reviews preparatory to research.
• Covered entity must obtain from the researcher
representations that:
– Use or disclosure of PHI is sought solely to
prepare a research protocol “or for similar
purposes preparatory to research.”
– No PHI will be removed from the covered entity
by the researcher; and
– The PHI is necessary for the identified research
purposes.
30
Work Preparatory to Research
Merck Privacy
Office
• HHS has said in commentary on HIPAA that
work preparatory to research includes
activities such as:
– Protocol development
– Patient pre-screening
– Subject recruitment
• Minimum Necessary Rule applies
• Must account for disclosures
31
Summary and Conclusions
Merck Privacy
Office
• The governments of many countries with privacy and
data protection laws have made special
accommodations for records-based biomedical
research.
• HIPAA provides new rules, but reasonably practical
mechanisms for records-based biomedical research.
• It is important to consider state laws in the U.S.,
particularly in California.
• Remember that all privacy legal, regulatory and
ethical regimes are based on the same principles.
32
Thank You!
Oliver Johnson
oliver_johnson@merck.com
908-423-7321
33
Download