: HIPAA is often described as a privacy rule. It is not. In fact, HIPAA is a disclosure regulation, and it has effectively dismantled the longstanding moral and legal tradition of patient confidentiality. By permitting broad and easy dissemination of patients’ medical information, with no audit trails for most disclosures, it has undermined both medical ethics and the effectiveness of medical care.

The HIPAA Rules continue to support and bolster the importance of protecting the privacy and security of patients' protected health information. The HIPAA training requirements are at the cornerstone of meaningful implementation and provide a ripe opportunity for critical education.

On January 25, 2013, the Federal Register published the Department of Health and Human Services omnibus amendments to the Health Insurance Portability and Accountability Act Privacy, Security, Enforcement, and Breach Notification Rules. These modifications also include the final versions of the HIPAA regulation amendments mandated by the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act. Although the amended rules were effective on March 26, 2013, covered entities and their business associates have a (...) compliance date of September 23, 2013.It has been 10 years since the April 14, 2003 compliance date for the original HIPAA Privacy Rule. Despite HHS’ clarification of some issues by posting answers to frequently asked questions, there have been no significant amendments to the Privacy Rule since 2003. (shrink)

On January 25, 2013, theFederal Registerpublished the Department of Health and Human Services omnibus amendments to the Health Insurance Portability and Accountability Act Privacy, Security, Enforcement, and Breach Notification Rules. These modifications also include the final versions of the HIPAA regulation amendments mandated by the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act. Although the amended rules were effective on March 26, 2013, covered entities and their business associates have a compliance date (...) of September 23, 2013.It has been 10 years since the April 14, 2003 compliance date for the original HIPAA Privacy Rule. Despite HHS’ clarification of some issues by posting answers to frequently asked questions, there have been no significant amendments to the Privacy Rule since 2003. (shrink)

Current economic conditions have coincided with the implementation of the Health Insurance Portability and Accountability Act and forced public health officials to consider how to ethically incorporate compliance into their already strained budgets, while maintaining the integrity and intent of the legislation.As of April 14, 2003, the HIPAA Privacy Rule provides a new federal floor of protections for personal health information. The Privacy Rule establishes standards for the protection of health information held by many physicians’ offices, health plans, and (...) health care clearinghouses. The Rule protects personal health information by establishing conditions regulating the use and disclosure of individually identifiable health information by these entities, also referred to as covered entities. The Rule does not prevent the daily operations of health care establishments. (shrink)

The HIPAA Privacy Rule is notoriously weak because of its incomplete coverage, numerous exclusions and exemptions, and limited rights for individuals. The three areas in which it provides the most protection are fundraising, marketing, and research. Provisions of the 21st Century Cures Act, pending in Congress, and the Notice of Proposed Rulemaking to amend the federal research regulations, awaiting final regulatory action, would weaken the privacy protections for research. If these measures are adopted, the HIPAA Privacy Rule would (...) have so little value that it might not be worth the aggravation and burden. (shrink)

Protecting the privacy of individually-identifiable health data and promoting the public’s health often seem at odds. Privacy advocates consistently seek to limit the acquisition, use, and disclosure of identifiable health information in governmental and private sector settings. Their concerns relate to misuses or wrongful disclosures of sensitive health data that can lead to discrimination and stigmatization against individuals. Public health practitioners, on the other hand, seek regular, ongoing access to and use of identifiable health information to accomplish important public health (...) objectives. The collection and use of identifiable health data by federal, tribal, state, and local health authorities support nearly all public health functions and goals.Identifiable health data are the lifeblood of public health practice. When aggregated, these data help authorities monitor the incidence, patterns, and trends of injury and disease in populations. Health data are acquired by public health authorities through testing, screening, and treatment programs. (shrink)

Developers and vendors of large language models (“LLMs”) — such as ChatGPT, Google Bard, and Microsoft’s Bing at the forefront—can be subject to Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) when they process protected health information (“PHI”) on behalf of the HIPAA covered entities. In doing so, they become business associates or subcontractors of a business associate under HIPAA.

The use of medical records in research can yield information that is difficult to obtain by other means. When such records are released to investigators in identifiable form, however, substantial privacy and confidentiality risks may be created. These risks become more common and more serious as medical records move to an electronic format. In 1996, the state of Minnesota enacted legislation with respect to consent requirements for the use of medical records in research. This legislation has been widely criticized because—it (...) is claimed—it creates an unnecessary impediment to research. In this article, we show that these arguments rest upon misinterpretation and/or misrepresentation of the 1996 legislation. A consent requirement had actually been present in Minnesota since 1976 (though codified in a patient rights statute rather than a privacy statute). The 1996 law does not require specific consent, as often claimed, but rather only a general authorization. The campaign against the Minnesota legislation appears to have been motivated by concern with respect to the then impending federal privacy rule. The HIPAA rule, as enacted, is in fact less stringent with respect to consent than the Minnesota consent law. On the other hand, the Minnesota consent law has not been effectively applied or enforced. As we change the way we manage sensitive medical information, new efforts are needed to provide protection against the confidentiality risks in research. Patient consent is an important tool in this regard. New instrumentalities are needed to solicit and document consent. (shrink)

For nearly twenty-five years, federal regulation of privacy issues in research involving human subjects was the primary province of the federal rule for Protection of Human Subjects. As of April 14, 2003, the compliance date for the Privacy Rule of the Health Insurance Portability and Accountability Act, however, the Common Rule and the Privacy Rule jointly regulate research privacy. Although, in theory, the Privacy Rule is intended to complement the Common Rule, there are several areas in which the rules diverge. (...) In some instances the inconsistencies result in gaps in privacy protection; in other instances the inconsistencies result in added burdens on researchers without additional privacy protections. In all instances, the lack of harmonization of these rules has created confusion, frustration, and misunderstanding by researchers, research subjects, and institutional review boards. In this article, I review the major provisions of the Privacy Rule for research, explain the areas in which the Privacy Rule and Common Rule differ, and conclude that the two rules should be revised to promote consistency and maximize privacy protections while minimizing the burdens on research. (shrink)

Increasingly, medical records are being stored in computer databases that allow for efficiencies in providing treatment and in the processing of clinical and financial services. Computerization of medical records has also diminished patient privacy and, in particular, has increased the potential for misuse, especially in the form of nonconsensual secondary use of personally identifiable records. Organizations that store and use medical records have had to establish security measures, prompted partially by an inconsistent patchwork of legal standards that vary from state (...) to state. There is widespread appreciation among policy makers regarding the need for legal reform. The Health Information and Portability Accountability Act of 1996 mandated that the Administration develop regulations regarding the control of medical records. The Administration has offered regulations from the Department of Health and Human Services. Survey data reveal what healthcare professionals who have access to sensitive medical records believe are the greatest threats to patients' privacy. The overlap between Administration proposals and the responses of healthcare professionals is striking. (shrink)

The American Journal of Bioethics, Volume 12, Issue 10, Page 16-17, October 2012.

When Congress passed HIPAA, it did not intend to constrain public health's data sharing in the same way as clinical or payers. In fact, HIPAA recognizes data sharing with public health as a matter of national priority and shields this function from its reach. However, a health department may offer services that bring it within HIPAA's purview, such as running a Children's Health Insurance Program or a laboratory that bills electronically. When this is the case, HIPAA (...) requires all information and departments be subject to HIPAA unless the public health authority chooses to hybridize. Health departments might re-assess their coverage and elect to become a hybrid entity, thereby restricting HIPAA to only where required and removing barriers to information sharing with communities. (shrink)

IntroductionThe idea of video recording in the operating room with panoramic cameras and microphones is a new concept that is changing the approach to medical activities in the OR. However, VR in the OR has brought up many concerns regarding patient privacy and has highlighted legal and ethical issues that were never previously exposed.AimTo review the literature concerning these aspects and provide a better ethical and legal understanding of the new challenges concerning VR in the OR.ConclusionsThere is a disparity between (...) the two main legal models concerning VR in the OR, namely the European legal system ) and the American legal framework ). This difference mainly deals with two distinct bioethical paradigms: GDPR places a strong emphasis on protecting patients’ privacy to improve the public health system, whereas HIPAA indicates the need to generate protocols to safeguard the risks connected to medical activity and patient privacy. Following from this point, we may argue that, at the ethical and bioethical level, GDPR and HIPAA depend mainly on two different ethical models: a perspective based on moral acquaintances and weak proceduralism, respectively. It is worth noting the importance of developing additional guidelines concerning different world regions to avoid the ethical problems that may emerge when simply applying a foreign paradigm to a very different culture. (shrink)

Privacy is protected in biobank-based research in the US primarily by the Health Insurance Portability and Accountability Act Privacy Rule and the Federal Policy for Protection of Human Subjects. Neither rule, however, was created to function in the unique context of biobank research, and therefore neither applies to all biobank-based research. Not only is it challenging to determine when the HIPAA Privacy Rule or the Common Rule apply, but these laws apply different standards to protect privacy. In addition, many (...) other federal and state laws may be applicable to a particular biobank, researcher, or project. US law also does not directly address international sharing of data or specimens outside of the EU–US Safe Harbor Agreement, which only applies to receipt of data by certain US entities from EU countries, and is in the process of revision. Although new rules would help clarify privacy protections in biobanking, any implemented changes should be studied to determine the sufficiency of the protections as well as its ability to facilitate or hinder international collaborations. (shrink)

In 2011, the Department of Health and Human Services proposed changes to the regulations that govern human subjects protection in federally funded research. The proposed changes involve modifying inclusion standards for minimal-risk research and removing the necessity of review from certain categories of noninvasive research. All studies would instead be required to comply with privacy protections as initiated by the Health Information Portability and Accountability Act . We argue that relying on HIPAA to protect participants from participation-related risks in (...) noninvasive research is insufficient to protect the autonomy and psychological health of potential research participants. Instead, we suggest a streamlined review format for these categories of research. (shrink)

The individual right of access to one’s own data is a crucial privacy protection long recognized in U.S. federal privacy laws. Mobile health devices and research software used in citizen science often fall outside the HIPAA Privacy Rule, leaving participants without HIPAA’s right of access to one’s own data. Absent state laws requiring access, the law of contract, as reflected in end-user agreements and terms of service, governs individuals’ ability to find out how much data is being stored (...) and how it might be shared with third parties. Efforts to address this problem by establishing norms of individual access to data from mobile health research unfortunately can run afoul of the FDA’s investigational device exemption requirements. (shrink)

The health care industry will be a large customer of big data while predictive analytics already underlie important health care and public health initiatives. Yet big data are not benign. For example, data brokers, the businesses that buy, process, and sell “big data” are performing an end-run around health data protection by creating data “proxies” outside of HIPAA-protected space. From 2012-14 various branches of the federal government published five major reports on privacy. All five were in favor of increased (...) regulation of data brokers. However, their recommendations for legislative or regulatory intervention were quite diverse. This essay describes the various proposals and offers a critical synthesis. (shrink)

Learn how to think beyond the theoretical in any environment. "Ethics & Issues in Contemporary Nursing, 1st Edition" examines the latest trends, principles, theories, and models in patient care to help you learn how to make ethically sound decisions in complex and often controversial situations. Written from a global perspective, examples throughout the text reflect current national and international issues inviting you to explore cases considering socio-cultural influences, personal values, and professional ethics. Historical examples demonstrate how to think critically while (...) upholding moral and professional standards, as well as the law. Key topics throughout explore advocacy and rights, diversity, nurse burnout, mass casualty events, social media, violence in the workplace, medication error prevention, opioid and other substance use, HIPAA, and healthcare reform. In addition, this new title contains supplemental case studies and review questions to further challenge and prepare you to make morally sound decisions in any healthcare setting. -- From product description. (shrink)

In lieu of an abstract, here is a brief excerpt of the content:Kennedy Institute of Ethics Journal 12.3 (2002) 299-303 [Access article in PDF] Bioethics Inside the Beltway What Should IRBs Consider When Applying the Privacy Rule to Research? Julie Waltz Gerlach In 1996, Congress mandated the establishment of standards for the privacy of individually identifiable health information through the Health Insurance and Portability and Accountability Act of 1996 (HIPAA). Until the establishment of HIPAA, personal health information could (...) be distributed without notice or consent for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. Patient information held by a health plan could be passed on to a lender who then might deny the patient's application for a home mortgage or a credit card or to an employer who might use it for personnel decisions. Congress failed to meet its 21 August 1996 deadline established by HIPAA to pass privacy legislation; the Act passed the responsibility to Department of Health and Human Services (DHHS). On 28 December 2000, the Secretary of Health and Human Services released final privacy regulations relating to the protection of patients' individually identifiable health information. The "Standards for Privacy of Individually Identifiable Health Information" (Privacy Rule/current) took effect 14 April 2001. As required by HIPAA, the Privacy Rule established conditions for the collection, use, and disclosure of protected health information by covered entities for research purposes. Covered entities, defined as health plans, health care clearinghouses, and health care providers that engage electronically in a wide range of financial and administrative transactions related to payment and reimbursement, must comply by 14 April 2003 (DHHS 2000, p. 82462). To ensure that the provisions of the final rule provide strong privacy protection without hindering access to health care, the Department of Health and Human Services (DHHS 2002, p. 14776) has proposed modifications to the Privacy Rule.The final Privacy Rule (DHHS 2001) grants substantial rights to individuals/research participants to be informed of how their protected health information is maintained and how that information may be used or disclosed. It also defines individual's/research participants' rights with regard to gaining access to information about themselves, when such information is held by covered entities. [End Page 299]The Privacy Rule requires researchers either to receive authorization from individuals/research participants to collect, use, and disclose protected health information, or to obtain a waiver of authorization that is approved by an institutional review board (IRB) or Privacy Board, or to use de-identified data. Section 164.508 of the Privacy Rule, entitled "Use and Disclosures for Which an Authorization Is Required," describes how IRBs will be directly affected. The rule focuses not just on research but on the overall privacy of all identifiable health information. Institutions have the option of adding these required duties to IRBs or establishing "privacy boards." Privacy boards, as defined by the Privacy Rule, are to be composed of members with varying backgrounds and professional competency to review the effect of the research protocol on the individual/research participant's privacy rights. The board must include at least one member who is not affiliated with the covered entity, or any entity conducting or sponsoring the research, and not related to any person who is affiliated with such entities. Board members cannot participate in the review of any research project in which the member has a conflict of interest.The basic concepts and tenets of privacy and confidentiality are well known to IRBs in the United States, which operate under the Common Rule (45 CFR 46) and/or the Food and Drug Administration's (FDA) human subject protection regulations. Both sets of regulations require IRBs to ensure that risks (including privacy risks) are minimized. Under these regulations, IRBs must consider the confidentiality of research data and whether researchers should have access to confidential medical information. IRBs also must review the consent form as a process of communication that will inform research subjects about the research study.One noteworthy aspect of the Privacy Rule is its application to all research regardless of funding source. Currently, research funded by... (shrink)

One of the early, non-financial uses of blockchain technologies around which several startups have developed was to help manage, monetize, and make the sharing of genomic data more private. Because deidentified genomic data are excluded from HIPAA and many other regulatory contexts worldwide—and is already a widely traded commodity for science valued in the hundreds of millions over the past decade—genomic blockchains proved a promising entry point for using the benefits of blockchains for dissemination and remuneration of data. Several (...) models have been tried, and most have touted their abilities to make users the “owners” of the genomic data in ways in which current models fail. This paper will explore the various existing and potential models for genomic blockchains, review some shortcomings and unmet needs, and explain why no technical solution alone will fulfill the promise of genomic data ownership without regulation. (shrink)

Re-assent of adolescent females enrolled in clinical research through the onset of puberty is necessary to respect their rights to access sexual and reproductive health information, their rights under HIPAA as well as assuring compliance with the Common Rule.

The genetic testing industry is in a period of potentially major structural change driven by several factors. These include weaker patent protections after Association for Molecular Pathology v. Myriad Genetics and Mayo Collaborative Services v. Prometheus Laboratories, Inc.; a continuing shift from single-gene tests to genome-scale sequencing; and a set of February 2014 amendments to the Clinical Laboratory Improvement Amendments of 1988 regulations and the Health Insurance Portability and Accountability Act Privacy Rule. This article explores the nature of these changes (...) and why they strain existing regulatory frameworks for protecting patients, research subjects, and other consumers who receive genetic testing.Oversight of genetic testing has, at least to date, had two major thrusts: privacy and ethical protections and traditional consumer health and safety regulations. Examples of the first are the Genetic Information Nondiscrimination Act and the HIPAA Privacy Rule, which after 2013 amendments expressly protects genetic privacy as well as other medical privacy. (shrink)

Heath services come with the promise of confidentiality.1 The ethical mandate to safeguard the confidentiality of personal health information aligns with legal mandates to do the same. Numerous state and federal laws demand one form of health data confidentiality or another, best illustrated by the Health Insurance Portability and Accountability Act.2 In early 2011, the Department of Health and Human Services decided to take a tougher stand against HIPAA violators, utilizing powers created by the Health Information Technology for Economic (...) and Clinical Health Act.3 Ushering in a new era, the U.S. Department of Health and Human Services imposed an unprecedented civil penalty of $4.3 million on Cignet Health of .. (shrink)

Given narrow operating margins, health care organizations are increasingly relying on philanthropy to fund operations. Since individuals provide the majority of philanthropic support, many organizations have expanded their “grateful patient fundraising” programs to include current inpatients, both established donors as well as persons of wealth. While this is legally permissible under HIPAA, it raises substantial ethical concerns for potential coercion of vulnerable patients, as well as unequal care stemming from preferential treatment and provided “amenities.” While some have drawn the (...) analogy to the additional comforts provided to first-class airline passengers, this analogy is flawed because of the potential clinical impact of the opportunities and services provided, especially to merely potential donors. From an ethical perspective, such programs should only provide non-clinical amenities to established donors, and at the same time strive for maximal transparency whereby all patients are assured of equal care and are fully informed of the specific benefits associated with any potential donation. (shrink)

This guide accompanies the following article(s): ‘Full Disclosure of the “Raw Data” of Research on Humans: Citizens’ Rights, Product Manufacturer’s Obligations and the Quality of the Scientific Database.’Philosophy Compass 6/2 (2011): 90–99. doi: 10.1111/j.1747‐9991.2010.00376.x Author’s Introduction Securing consent (and informed consent) from patients and research study participants is a key concern in patient care and research on humans. Yet, the legal doctrines of consent and informed consent differ in their applications. In patient care, the judicial doctrines of consent and informed (...) consent are disclosure doctrines based on the obligation of physicians to inform their patients of the following types of information: the nature of the procedure the physician is recommending in the patent’s care (P), the alternatives to the physician‐recommendation (A), and the risks of procedure and its alternatives (R). In addition, the physician must provide truthful answers to the patient’s questions (Q) to the best of the physician’s abilities. In research on humans, the onus of disclosure by study sponsors and principal investigators is much greater than in patient care precisely because the purpose of research is not patient care. The purpose of research is the identification and development of new generalizable knowledge. Thus, participation in a research study or trial may not benefit the study volunteer at all. In addition, the participant may carry a heavy risk burden in relationship to any testing of a newly designed drug or device as part of their experiences in the research study. Presently, despite the risks borne by the research study participant, the raw data collected from volunteers in research trials are treated by courts as if they were the private property of the study sponsor rather than generally owed to the public as would be expected by an effort like research participation aimed at contributing to the development of generalizable knowledge. This paper reviews the obligations that study sponsors owe to their study participants based on the very definition of research as a systematic activity whose purpose is to develop generalizable knowledge to help all humans. Author Recommends Court cases Canterbury v. Spence, United States Court of Appeals, District of Columbia Circuit 464 F.2d 772 (1972). (Federal appellate decision heard in the District of Columbia, USA) Reibl v. Hughes, 2 S.C.R. 880 (1980). (Supreme Court of Canada) Rogers v. Whitaker, 175 C.L. R. 479 (1992). (High Court of Australia) Sidaway v. Board of Governors of the Bethlem Royal Hospital and the Maudsley Hospital and Others. 1 A.C. 871 (1985) (House of Lords) Canterbury v. Spence is the landmark Federal informed consent case in the United States heard in the District of Columbia. In this case, Judge Spottswood Robinson articulated the reasonable person standard of informed consent. This standard was subsequently adopted by the Supreme Court of Canada (Reibl v. Hughes, 2 S.C.R. 880 (1980)) and the High Court of Australia (Rogers v. Whitaker, 175 C.L. R. 479 (1992)). The House of Lords rejected the reasonable person standard in England in Sidaway v. Board of Governors of the Bethlem Royal Hospital and the Maudsley Hospital and Others. 1 A.C. 871 (1985). Book Mazur, Dennis J. The Science and Ethics of Research on Humans. Baltimore, MD: Johns Hopkins University Press, 2007. This book is a detailed guide for the review of scientific and ethical aspects of research on humans contained in the research study protocols and research informed consent forms which need to be submitted by study sponsors and principal investigators to institutional review boards (IRBs) for IRB review before a research study can receive approval to be conducted within a human study population in those institutions over which the IRB has authority. It also presents basic definitions in the area of research on humans and basic approaches to help conduct a deep review of the underlying scientific and ethical issues that are present within a research study protocol and its accompanying research informed consent form. Report National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. The Belmont Report: Ethical Guidelines for the Protection of Human Subjects of Research. Washington, DC: DHEW Publications, 1978 (78‐0012). This U.S. National Commission in the Belmont Report argued for the necessity of a reasonable volunteer standard in research on humans in the United States. Arguing that the professional standard and the reasonable person standard of consent and informed consent were insufficient to base a disclosure standard in research on humans, this National Commission developed the reasonable volunteer standard where a study participant is to be approached in research informed consent with that information that a reasonable volunteer would want to know. Online Materials Belmont Report: Syllabus Topics for Lecture and Discussion Week I: Introduction and Overview Readings: Rogers v. Whitaker, 175 C.L.R. 479 (1992). (High Court of Australia) Sidaway v. Board of Governors of the Bethlem Royal Hospital and the Maudsley Hospital and Others. 1 A.C. 871 (1985) (House of Lords) Week II: The Different Standards of Consent and Informed Consent Readings: Canterbury v. Spence, 464 F.2d 772 (1972). (Federal appellate opinion heard in the District of Columbia) Sidaway v. Board of Governors of the Bethlem Royal Hospital and the Maudsley Hospital and Others. 1 A.C. 871 (1985) (House of Lords) Week III: Definition of Research Reading: Mazur, Dennis J. The Science and Ethics of Research on Humans. Baltimore, MD: Johns Hopkins University Press, 2007. (Especially Chapters 2 and 3) Week IV: How to Review a Research Study Protocol and Research Informed Consent Form Reading: Mazur, Dennis J. The Science and Ethics of Research on Humans. Baltimore, MD: Johns Hopkins University Press, 2007. (Especially Chapters 4–6, 10, and 12–14) Week V: Obligations in Research of Humans Versus Patient Care Reading: National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. The Belmont Report: Ethical Guidelines for the Protection of Human Subjects of Research. Washington, DC: DHEW Publications, 1978 (78‐0012). Focus Questions • How do the judicial doctrines of consent in England and Australia compare to the judicial doctrines of informed consent in the United States and Canada? • How does a professional standard of disclosure differ from a reasonable person standard of disclosure? • What is the definition of research? • How is a research study (study proposal and research informed consent form) reviewed from scientific and ethical bases for considerations of approval by an IRB? • How do the obligations of a study sponsor, a principal investigator, and a research team conducting a research trial on human study participants differ from the obligations of a physician caring for a patient? • Should all raw data of research derived from humans be made available to the public for use in developing generalizable knowledge to help others, or should raw data be considered the private property of the study sponsors (for example, prescription drug manufacturers), who fund the research trials? Seminar/project Idea Draw a timeline of the development of the basic concepts of consent and informed consent in patient care and in patient research. On this timeline, first place the dates of the key court cases in England, the United States, Canada, and Australia on consent and informed consent. Then place the date of the development of the Belmont Report. Why do differences exist between these four countries in terms of the legal requirements of informedness of a patient (in medical care) and a study participant (in medical research)? What roles if any do the concepts of self‐determination and self‐decision have in consent and informed consent in patient care and in informed consent in research on humans among the four countries of interest? What are the realities of research on human participants that require a new standard of informed consent, the reasonable volunteer standard, to be developed beyond the two standards in patient care, the professional standard, and the reasonable person standard? Counterpoint Arguments The following are counterpoint arguments that need to be appreciated to more fully understand the concepts that impact the thesis that ‘raw data’ should be open to the public to allow the opportunity of checking of the results of its associated scientific paper and for further analysis. De‐Identified (Anonymized) Raw Data A current approach to identifying (anonymizinig) raw data is based on the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L.104‐191). HIPAA was enacted by the U.S. Congress in 1996 to keep a person’s medical information private. In a research study, a person’s private medical information can become research data. HIPAA’s Privacy Rule allows a covered entity to de‐identify data by removing all 18 elements that could be used to identify the individual or the individual’s relatives, employers, or household members; these elements are enumerated in the Privacy Rule. The covered entity must also have no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information. Under this method, the identifiers that must be removed are the following: 1 Names. 2 All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census: 2a. The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people. 2b. The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000. 3 All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older. 4 Telephone numbers. 5 Facsimile numbers. 6 Electronic mail addresses. 7 Social security numbers. 8 Medical record numbers. 9 Health plan beneficiary numbers. 10 Account numbers. 11 Certificate/license numbers. 12 Vehicle identifiers and serial numbers, including license plate numbers. 13 Device identifiers and serial numbers. 14 Web universal resource locators (URLs). 15 Internet protocol (IP) address numbers. 16 Biometric identifiers, including fingerprints and voiceprints. 17 Full‐face photographic images and any comparable images. 18 Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re‐identification. Even though ‘raw data’ can be de‐identified (anonymized) so that there is no way to trace back the data to the study participant from which it was drawn, there are still questions whether the ‘de‐identified raw data’ can be given to other researchers or made public without the original study participant’s approval. It may be the case that this approval could be done at the start of any research study where the individual considering study participation would be counseled on what the process of de‐identification consists of and would be asked whether the participant would allow use of the data by other researchers or made available to the public in a de‐identified state. However, there may be questions of the study participants as to whether the data are truly de‐identified and untraceable back to the study participant since the participant would not be able to see the process actually being carried out in detail in all relevant circumstances. Using Raw Data in Context Simply being in possession of raw data is never enough to build on that data from a research perspective. Researchers need to understand the context of the scientific research study in which the data were collected. This research context includes (but is not limited to): (i) the scientific hypothesis of the research study, (ii) the inclusion and exclusion criteria selected by the research designers of the study to determine which study participants were included and which were excluded from the study, (iii) the methods used to collect the data and possibilities of errors in the data collection processes, and (iv) answers to questions regarding whether any data were excluded from the study data and why these data were excluded. Ownership Rights Over Data There are ownership rights over data. Ownership rights include court decision making related to the question which parties are to be considered as the owners of the data. Possible owners here include (but are not limited to) (i) the study sponsor whose only role was to fund that study, (ii) the principal investigator(s) who developed the scientific hypothesis, and (iii) individual study participants through special contracts made by individual participants who negotiate such contracts with study sponsors and principal investigators to share in the ownership of data. Examples of such data are participant sources of unique gene lines or unique cell lines to be used in future research. Objections to Data Sharing Finally, individual researchers may simply object to sharing data. A researcher’s arguments here may be simply stating that he or she has a right to fully analyze the data since the collection of the data was the researchers’ idea in the first place. These researchers may argue that they have the right to mine the data as fully as they can before deciding to make the data open to the public for others to analyze. Works Cited 1 Kaiser, J. ‘Making Clinical Data Widely Available.’Science 322.5899 (10 Oct. 2008): 217–8. 2 de Lusignan, S., J.F. Metsemakers, P. Houwink, V. Gunnarsdottir, and J. van der Lei. ‘Routinely Collected General Practice Data: Goldmines for Research? A Report of the European Federation for Medical Informatics Primary Care Informatics Working Group (EFMI PCIWG) from MIE2006, Maastricht, The Netherlands.’Informatics in Primary Care 14.3 (2006): 203–9. 3 Sim, I. ‘Human Studies Database Project’, CTSA Data Repositories Symposium (17 Oct. 2008). 23 Nov. 2010. 4 Sim, I., C.G. Chute, H. Lehmann, R. Nagarajan, M. Nahm, and R.H. Scheuermann. ‘Keeping Raw Data in Context.’Science 323.5915 (6 Feb. 2009): 713. 5 U.S. Department of Health and Human Services, National Institutes of Health, HIPAA Privacy Rule, Information for Researchers. 13 Nov. 2010. 6 Wilczynski, N.L., R.B. Haynes, and Hedges Team. ‘EMBASE Search Strategies for Identifying Methodologically Sound Diagnostic Studies for Use by Clinicians and Researchers.’BMC Medicine 29.3 (March 2005): 7. (shrink)

This guide accompanies the following article(s): ‘Full Disclosure of the “Raw Data” of Research on Humans: Citizens’ Rights, Product Manufacturer’s Obligations and the Quality of the Scientific Database.’Philosophy Compass 6/2 (2011): 90–99. doi: 10.1111/j.1747‐9991.2010.00376.x Author’s Introduction Securing consent (and informed consent) from patients and research study participants is a key concern in patient care and research on humans. Yet, the legal doctrines of consent and informed consent differ in their applications. In patient care, the judicial doctrines of consent and informed (...) consent are disclosure doctrines based on the obligation of physicians to inform their patients of the following types of information: the nature of the procedure the physician is recommending in the patent’s care (P), the alternatives to the physician‐recommendation (A), and the risks of procedure and its alternatives (R). In addition, the physician must provide truthful answers to the patient’s questions (Q) to the best of the physician’s abilities. In research on humans, the onus of disclosure by study sponsors and principal investigators is much greater than in patient care precisely because the purpose of research is not patient care. The purpose of research is the identification and development of new generalizable knowledge. Thus, participation in a research study or trial may not benefit the study volunteer at all. In addition, the participant may carry a heavy risk burden in relationship to any testing of a newly designed drug or device as part of their experiences in the research study. Presently, despite the risks borne by the research study participant, the raw data collected from volunteers in research trials are treated by courts as if they were the private property of the study sponsor rather than generally owed to the public as would be expected by an effort like research participation aimed at contributing to the development of generalizable knowledge. This paper reviews the obligations that study sponsors owe to their study participants based on the very definition of research as a systematic activity whose purpose is to develop generalizable knowledge to help all humans. Author Recommends Court cases Canterbury v. Spence, United States Court of Appeals, District of Columbia Circuit 464 F.2d 772 (1972). (Federal appellate decision heard in the District of Columbia, USA) Reibl v. Hughes, 2 S.C.R. 880 (1980). (Supreme Court of Canada) Rogers v. Whitaker, 175 C.L. R. 479 (1992). (High Court of Australia) Sidaway v. Board of Governors of the Bethlem Royal Hospital and the Maudsley Hospital and Others. 1 A.C. 871 (1985) (House of Lords) Canterbury v. Spence is the landmark Federal informed consent case in the United States heard in the District of Columbia. In this case, Judge Spottswood Robinson articulated the reasonable person standard of informed consent. This standard was subsequently adopted by the Supreme Court of Canada (Reibl v. Hughes, 2 S.C.R. 880 (1980)) and the High Court of Australia (Rogers v. Whitaker, 175 C.L. R. 479 (1992)). The House of Lords rejected the reasonable person standard in England in Sidaway v. Board of Governors of the Bethlem Royal Hospital and the Maudsley Hospital and Others. 1 A.C. 871 (1985). Book Mazur, Dennis J. The Science and Ethics of Research on Humans. Baltimore, MD: Johns Hopkins University Press, 2007. This book is a detailed guide for the review of scientific and ethical aspects of research on humans contained in the research study protocols and research informed consent forms which need to be submitted by study sponsors and principal investigators to institutional review boards (IRBs) for IRB review before a research study can receive approval to be conducted within a human study population in those institutions over which the IRB has authority. It also presents basic definitions in the area of research on humans and basic approaches to help conduct a deep review of the underlying scientific and ethical issues that are present within a research study protocol and its accompanying research informed consent form. Report National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. The Belmont Report: Ethical Guidelines for the Protection of Human Subjects of Research. Washington, DC: DHEW Publications, 1978 (78‐0012). This U.S. National Commission in the Belmont Report argued for the necessity of a reasonable volunteer standard in research on humans in the United States. Arguing that the professional standard and the reasonable person standard of consent and informed consent were insufficient to base a disclosure standard in research on humans, this National Commission developed the reasonable volunteer standard where a study participant is to be approached in research informed consent with that information that a reasonable volunteer would want to know. Online Materials Belmont Report: Syllabus Topics for Lecture and Discussion Week I: Introduction and Overview Readings: Rogers v. Whitaker, 175 C.L.R. 479 (1992). (High Court of Australia) Sidaway v. Board of Governors of the Bethlem Royal Hospital and the Maudsley Hospital and Others. 1 A.C. 871 (1985) (House of Lords) Week II: The Different Standards of Consent and Informed Consent Readings: Canterbury v. Spence, 464 F.2d 772 (1972). (Federal appellate opinion heard in the District of Columbia) Sidaway v. Board of Governors of the Bethlem Royal Hospital and the Maudsley Hospital and Others. 1 A.C. 871 (1985) (House of Lords) Week III: Definition of Research Reading: Mazur, Dennis J. The Science and Ethics of Research on Humans. Baltimore, MD: Johns Hopkins University Press, 2007. (Especially Chapters 2 and 3) Week IV: How to Review a Research Study Protocol and Research Informed Consent Form Reading: Mazur, Dennis J. The Science and Ethics of Research on Humans. Baltimore, MD: Johns Hopkins University Press, 2007. (Especially Chapters 4–6, 10, and 12–14) Week V: Obligations in Research of Humans Versus Patient Care Reading: National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. The Belmont Report: Ethical Guidelines for the Protection of Human Subjects of Research. Washington, DC: DHEW Publications, 1978 (78‐0012). Focus Questions • How do the judicial doctrines of consent in England and Australia compare to the judicial doctrines of informed consent in the United States and Canada? • How does a professional standard of disclosure differ from a reasonable person standard of disclosure? • What is the definition of research? • How is a research study (study proposal and research informed consent form) reviewed from scientific and ethical bases for considerations of approval by an IRB? • How do the obligations of a study sponsor, a principal investigator, and a research team conducting a research trial on human study participants differ from the obligations of a physician caring for a patient? • Should all raw data of research derived from humans be made available to the public for use in developing generalizable knowledge to help others, or should raw data be considered the private property of the study sponsors (for example, prescription drug manufacturers), who fund the research trials? Seminar/project Idea Draw a timeline of the development of the basic concepts of consent and informed consent in patient care and in patient research. On this timeline, first place the dates of the key court cases in England, the United States, Canada, and Australia on consent and informed consent. Then place the date of the development of the Belmont Report. Why do differences exist between these four countries in terms of the legal requirements of informedness of a patient (in medical care) and a study participant (in medical research)? What roles if any do the concepts of self‐determination and self‐decision have in consent and informed consent in patient care and in informed consent in research on humans among the four countries of interest? What are the realities of research on human participants that require a new standard of informed consent, the reasonable volunteer standard, to be developed beyond the two standards in patient care, the professional standard, and the reasonable person standard? Counterpoint Arguments The following are counterpoint arguments that need to be appreciated to more fully understand the concepts that impact the thesis that ‘raw data’ should be open to the public to allow the opportunity of checking of the results of its associated scientific paper and for further analysis. De‐Identified (Anonymized) Raw Data A current approach to identifying (anonymizinig) raw data is based on the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L.104‐191). HIPAA was enacted by the U.S. Congress in 1996 to keep a person’s medical information private. In a research study, a person’s private medical information can become research data. HIPAA’s Privacy Rule allows a covered entity to de‐identify data by removing all 18 elements that could be used to identify the individual or the individual’s relatives, employers, or household members; these elements are enumerated in the Privacy Rule. The covered entity must also have no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information. Under this method, the identifiers that must be removed are the following: 1 Names. 2 All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census: 2a. The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people. 2b. The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000. 3 All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older. 4 Telephone numbers. 5 Facsimile numbers. 6 Electronic mail addresses. 7 Social security numbers. 8 Medical record numbers. 9 Health plan beneficiary numbers. 10 Account numbers. 11 Certificate/license numbers. 12 Vehicle identifiers and serial numbers, including license plate numbers. 13 Device identifiers and serial numbers. 14 Web universal resource locators (URLs). 15 Internet protocol (IP) address numbers. 16 Biometric identifiers, including fingerprints and voiceprints. 17 Full‐face photographic images and any comparable images. 18 Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re‐identification. Even though ‘raw data’ can be de‐identified (anonymized) so that there is no way to trace back the data to the study participant from which it was drawn, there are still questions whether the ‘de‐identified raw data’ can be given to other researchers or made public without the original study participant’s approval. It may be the case that this approval could be done at the start of any research study where the individual considering study participation would be counseled on what the process of de‐identification consists of and would be asked whether the participant would allow use of the data by other researchers or made available to the public in a de‐identified state. However, there may be questions of the study participants as to whether the data are truly de‐identified and untraceable back to the study participant since the participant would not be able to see the process actually being carried out in detail in all relevant circumstances. Using Raw Data in Context Simply being in possession of raw data is never enough to build on that data from a research perspective. Researchers need to understand the context of the scientific research study in which the data were collected. This research context includes (but is not limited to): (i) the scientific hypothesis of the research study, (ii) the inclusion and exclusion criteria selected by the research designers of the study to determine which study participants were included and which were excluded from the study, (iii) the methods used to collect the data and possibilities of errors in the data collection processes, and (iv) answers to questions regarding whether any data were excluded from the study data and why these data were excluded. Ownership Rights Over Data There are ownership rights over data. Ownership rights include court decision making related to the question which parties are to be considered as the owners of the data. Possible owners here include (but are not limited to) (i) the study sponsor whose only role was to fund that study, (ii) the principal investigator(s) who developed the scientific hypothesis, and (iii) individual study participants through special contracts made by individual participants who negotiate such contracts with study sponsors and principal investigators to share in the ownership of data. Examples of such data are participant sources of unique gene lines or unique cell lines to be used in future research. Objections to Data Sharing Finally, individual researchers may simply object to sharing data. A researcher’s arguments here may be simply stating that he or she has a right to fully analyze the data since the collection of the data was the researchers’ idea in the first place. These researchers may argue that they have the right to mine the data as fully as they can before deciding to make the data open to the public for others to analyze. Works Cited 1 Kaiser, J. ‘Making Clinical Data Widely Available.’Science 322.5899 (10 Oct. 2008): 217–8. 2 de Lusignan, S., J.F. Metsemakers, P. Houwink, V. Gunnarsdottir, and J. van der Lei. ‘Routinely Collected General Practice Data: Goldmines for Research? A Report of the European Federation for Medical Informatics Primary Care Informatics Working Group (EFMI PCIWG) from MIE2006, Maastricht, The Netherlands.’Informatics in Primary Care 14.3 (2006): 203–9. 3 Sim, I. ‘Human Studies Database Project’, CTSA Data Repositories Symposium (17 Oct. 2008). 23 Nov. 2010. 4 Sim, I., C.G. Chute, H. Lehmann, R. Nagarajan, M. Nahm, and R.H. Scheuermann. ‘Keeping Raw Data in Context.’Science 323.5915 (6 Feb. 2009): 713. 5 U.S. Department of Health and Human Services, National Institutes of Health, HIPAA Privacy Rule, Information for Researchers. 13 Nov. 2010. 6 Wilczynski, N.L., R.B. Haynes, and Hedges Team. ‘EMBASE Search Strategies for Identifying Methodologically Sound Diagnostic Studies for Use by Clinicians and Researchers.’BMC Medicine 29.3 (March 2005): 7. (shrink)

The increased use of health information technology is a common element of nearly every health reform proposal because it has the potential to decrease costs, improve health outcomes, coordinate care, and improve public health. However, it raises concerns about security and privacy of medical information. This paper examines some of the “gaps” in privacy protections that arise out of the current federal health privacy standard, the Health Insurance Portability and Accountability Privacy Rule, which is the main federal law that governs (...) the use and disclosure of health information. Additionally, it puts forth a range of possible solutions, accompanied by arguments for and against each, to strengthen the current legal framework of privacy protections in order to build public trust in health IT and facilitate its use for health reform. The American Recovery and Reinvestment Act , enacted in February 2009, includes a number of changes to HIPAA and its regulations, and those changes are clearly noted among the list of solutions. (shrink)

This paper provides an overview of the societal impact of a rising dementia population and examines the legal and ethical implications posed by voluntary registries as a community-oriented solution to improve interactions between law enforcement and individuals with dementia. It provides a survey of active voluntary registries across the United States, with a focus on Arizona, which has the highest projected growth for individuals living with dementia in the country.

Surveillance capitalism companies, such as Google and Facebook, have substantially increased the amount of information collected, analyzed, and monetized, including health information increasingly used in precision medicine research, thereby presenting great challenges for health privacy.