April 26, 2002

The Honorable Tommy G. Thompson
Secretary, U.S. Department of Health and Human Services
Office for Civil Rights
Attention: Privacy 2
Hubert H. Humphrey Building, Room 425A
200 Independence Avenue, SW
Washington, DC 20201

Dear Secretary Thompson:

The Coalition for Health Services Research (Coalition) is pleased to have the opportunity to comment upon the impact of the Department of Health and Human Services (DHHS) proposed modifications to the "Standards for Privacy of Individually Identifiable Health Information" (45 CFR parts 160-164), that appeared in the Federal Register, Volume 67, No. 59, Wednesday, March 27, 2002.

As the advocacy arm of AcademyHealth, the Coalition represents more than 3,400 individual researchers, scientists and policy experts as well as 115 organizations that produce and use health services research information including universities, providers, employers, and health plans.

In order to properly undertake research, health services researchers are frequently dependent upon using large numbers of records containing protected health information, data that would be protected by these regulations.

General Comments
The Coalition is committed to a balanced approach in developing policy regarding the confidentiality of health care information and providing researchers with access to needed data. Health services researchers are prepared to work within the confines of the regulation by utilizing the Institutional Review Board/Privacy Board (IRB/PB) process.

Health services researchers need to be able to access meaningful, non-facially identifiable data (i.e. stripped of direct identifiers) such as that described within the preamble of the proposed modifications to the regulation without having to go through the full IRB/PB review process.

The Coalition is pleased that the Secretary is willing to make the regulation more workable for health services researchers. We support the proposed modifications listed below because it appeared that health services researchers were going to have difficulties in gaining access to data, in part, because of:

• the minimum necessary requirement;
  
• perceived covered entity potential for regulatory sanction even if release of information has been approved by an IRB/PB;
  
• what information needs to be removed in order for information to be considered de-identified;
  
• the cost involved in removing identifiers to meet both the minimum necessary requirement and to de-identify the information; and
  
• how IRBs/PBs are going to handle approval of health services research projects.

I. Minimum Necessary Requirement.
The Coalition's concern with the final regulation has been that since some covered entities believe they could be held responsible by the regulator for releasing more information than may later be considered to be beyond the minimum necessary to complete a project, even when the project has been approved and is under the auspices of an IRB/PB, the covered entities would not release data. We have learned that several large health plans covering hundred of thousands of lives have reported their unwillingness to release data because of this concern. Therefore, the Coalition is very pleased that the revised preamble of the proposed modifications now provides an explicit statement making it clear that the covered entity will not be held liable to the minimum necessary standard if the release of information was based upon the approval of an IRB/PB.

The Privacy Rule permits a covered entity to reasonably rely on a researcher's documentation of approval of these waiver criteria, and a description of the data needed for the research as approved by an IRB or Privacy Board, to satisfy its obligation with respect to limiting the disclosure to the minimum necessary.

It is plainly the intent of this statement to clarify that covered entities will not be sanctioned for releasing data per an IRB/PB waiver. However, the ability of health services researchers to convince a covered entity that the release of protected health information does not subject the covered entity to potential liability requires that legal counsel for the covered entity accept that they are released from liability. DHHS could resolve this continuing problem by deeming that the release of information based upon an IRB/PB waiver of authorization meets the minimum necessary standard under the regulation. This is in keeping with the intent of the original regulation and with the explicit statement above. The Coalition proposes the following language that would amend §164.514(d)(3)(D) to that affect:

§164.514 Other Requirements relating to uses and disclosures of protected health information. …
(d)(3) Implementation specification: minimum necessary disclosures of protected health information. …
(D) Documentation or representations that comply with the applicable requirements of §164.512(i) have been provided by a person requesting the information for research purposes. A covered entity shall be deemed to be in compliance with the minimum necessary standard when the disclosure is in response to a request for the information for research purposes based upon the waiver of authorization from an Institutional Review Board/Privacy Board meeting the applicable requirements of §164.512(i).

The Coalition supports the change to §164.514(d)(1), deleting the term "reasonably ensure" to make the minimum necessary standard more consistent with the idea that the minimum necessary standard is flexible and reasonable.

The Coalition supports the judgement in the preamble that further clarification of the minimum necessary standard may be needed if the modifications do not resolve the issue of covered entities' unwillingness to release information to health services researchers based upon their understanding of the minimum necessary standard. We look forward to working with the Department to ensure the standard does not act as an inhibitor to being able to conduct research using protected health information.

II. De-identification of Protected Health Information.
As has been noted above, another area of concern of health services researchers is that of the de-identification of protected health information. Two specific concerns were raised by our researchers. First, the statistical method of de-identification as described in the final regulation was ambiguous. Because of this, it is unlikely to be used by covered entities to de-identify information. Second, removing all 18 items listed in the regulation for information to be considered as de-identified renders the information not useful for most health services research projects. For these reasons, the Coalition appreciates the acknowledgment of DHHS that "the Privacy Rule's de-identification safe harbor was not designed to be used for research purposes."

The Coalition also strongly supports the proposal by DHHS that an alternative approach be developed that would provide researchers with more readily available limited data sets and urge the Department to move forward with this proposal. The Coalition believes that the creation of such limited data sets for research would render moot our concerns about de-identifying information.

The Coalition believes that the list of items that can remain on a limited data set of de-identified information for researchers should include the information listed in the preamble including:

• Admission, discharge, and service dates;
  
• Date of death;
  
• Age (including age 90 or over);
  
• Five-digit zip code.
  In addition to the five-digit zip code, in some cases health services researchers believe that having access to other geographic units smaller than states, such as city, county, precinct, neighborhood or other such information will help with population and other small area studies.

With regards to birth dates, we do not believe that birth dates need to be included in the limited data sets. If needed, researchers can obtain this information through the IRB/PB process.

To gain access to this limited data set, health services researchers should not have to go through the full IRB/PB review process. Since that is how researchers will gain access to fully protected health information, it does not make sense to have researchers use this process to obtain this partially de-identified information. Rather, researchers should be allowed to choose between two methods of obtaining the data. The limited data set should be released to researchers:

1. after going through the expedited IRB/PB review process described in §164.512(i)(2)(iv)(C); or
2. upon establishment of a data use agreement between the covered entity and researcher stating that the information will only be used for research purposes and will not be further disclosed except as required by law, and the researcher agrees not to attempt to re-identify or contact individuals who are the subject of the information.

While the Coalition is concerned about the costs of de-identifying information and how those costs will be covered, we recognize that this issue lies beyond the scope of this regulation. We will note, however, that the federally funded research support will need to increase to cover such costs in order to assure that the intended research is able to be accomplished.

III. Criteria for Waiver of Patient Authorization by an Institutional Review Board or Privacy Board.
The Coalition has been concerned that the criteria required under the regulation for an IRB/PB to grant a waiver authorization were in conflict. We believe the revisions made to §164.512(i)(2)(ii) eliminate the conflict and brings the criteria more in line with that required by the Common Rule. The Coalition supports the modification.

Again, the Coalition appreciates the proposed modifications to the regulation to make data more accessible to health services researchers. Should you wish to discuss any of the issues raised in our letter, please contact Jon Lawniczak, Director, Government Relations, at 202.292.6743 or Jon.Lawniczak@academyhealth.org.

Sincerely,

W. David Helms
President and CEO