Privacy and Security Tiger Team Plans to Address Secondary Use of Data

Bloomberg BNA's Health IT Law & Industry Report brings you concise, comprehensive, and timely news and analysis of the regulatory, legal, and compliance issues surrounding our nation’s...

The Office of the National Coordinator for Health Information Technology's privacy and security “tiger team” Aug. 5 discussed plans to make recommendations on secondary use of electronic health data for research purposes, in light of a recently released proposed rule from the Food and Drug Administration.

FDA published an advance notice of proposed rulemaking in the July 26 Federal Register (76 Fed. Reg. 44512) requesting comments on how current regulations for protecting human subjects who participate in research might be modernized and revised to be more effective. Comments on the ruONe are due Sept. 26.

The FDA notice included changes to the Federal Policy for the Protection of Human Subjects, or the “Common Rule,” which are meant to align the research rules with Health Insurance Portability and Accountability Act privacy policies.

ONC has requested that the tiger team address provisions with a direct impact on ONC programs, specifically the rules surrounding the research uses of health information initially collected by electronic health records for another purpose, such as information initially collected by providers for treatment purposes, Paul Egerman, co-chair of the tiger team and health IT consultant, said.

The tiger team has previously made recommendations on secondary use of data for research purposes. The recommendations stated that all entities involved in health information exchange should follow fair information practices when handling personally identifiable health information. Specifically, those policies should be open and transparent, limit collection use and disclosure of personal information, and have “reasonable security safeguards,” Egerman said.

In regard to consent recommendations, the tiger team proposed that patient consent not be required in direct exchange, but when the decision to disclose or exchange information is not in control of the provider (or the provider's organized health care arrangement). Furthermore, when giving consent to disclose pieces of health information, patients should be completely informed of the risk, the tiger team recommended.

Issues Team Should Address

The tiger team plans to address the Common Rule and the advance proposed rulemaking's definitions of what constitutes “research,” develop patient consent policies, and identify potential security measures similar to what is in the HIPAA Security Rule.

Additionally, the tiger team plans to make recommendations on provisions regarding the transparency of research policies to the public. Currently, research using existing data does not require any independent approval, Egerman said. The advance notice of proposed rulemaking, however, would require both auditing and monitoring of such research to ensure that patient information remains private and secure.

The tiger team plans to discuss whether this policy change provides sufficient transparency to inform the public about research using existing data, and if ONC should require researchers to submit more detailed information on their privacy and security protections, as well as the scope of research and perceived risks and benefits.

Presentations and other meeting materials from the tiger team are available at by clicking on the August 5 privacy and security tiger team meeting entry on the ONC federal advisory committee calendar and clicking on the meetings link.