1 / 33

Oliver M. Johnson , II Chief Privacy Officer Merck & Co., Inc.

The Global Privacy Environment and Its Impact on Records-Based Human Subject Biomedical Research Presentation To: The National Science Foundation Center for Discrete Mathematics & Theoretical Computer Science (DIMACS) Rutgers University DIMACS Center Piscataway, NJ December 10, 2003.

gcaitlin
Download Presentation

Oliver M. Johnson , II Chief Privacy Officer Merck & Co., Inc.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Global Privacy Environment and Its Impact on Records-Based Human Subject Biomedical ResearchPresentation To:The National Science FoundationCenter for Discrete Mathematics & Theoretical Computer Science (DIMACS)Rutgers University DIMACS CenterPiscataway, NJDecember 10, 2003 Oliver M. Johnson , II Chief Privacy Officer Merck & Co., Inc.

  2. Merck Privacy Office Overview • The Global Privacy and Data Protection Environment • Impact on Records-Based Biomedical Research • Conclusions

  3. The Global Privacy and Data Protection Environment

  4. Merck Privacy Office Definitions • Privacy: the “right to be let alone.” Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193, 205 (1890) • Data Protection:the administrative, technical and physical controls one uses to protect the confidentiality and ensure the proper use of personal information.

  5. Merck Privacy Office Privacy as a Social Issue • The Business Perspective • Globalization • Personalization • Data Consolidation • Personal Information a Valuable Corporate Asset • The Public Perspective • Growing Public Awareness • Strong Public Sentiment • Personal Information a Fundamental Personal Asset • We are increasingly dependent on the ability to establish understanding and trust with large numbers of people from various cultures and perspectives.

  6. Merck Privacy Office Privacy as a Cultural Issue • Europe • Personal privacy is a fundamental human right. Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms • Long history and culture of protecting individuals from government and private intrusions into personal affairs. • Most EU countries have had privacy laws for decades. • Omnibus legislative approach. • U.S. • Freedom from unreasonable government intrusion into personal affairs is a fundamental Constitutional right. 4th Amendment to the United States Constitution • Relatively recent legislative focus on protecting individuals from private intrusions into personal affairs. • Sectoral legislative approach.

  7. Merck Privacy Office Privacy as an Ethical Issue Whatever, in connection with my professional practice, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret. Hippocrates (c. 400 B.C.) • World Medical Association Declaration of Helsinki (1964) • U.S. Common Rule (Established 1979 / Codified 1991) • U.S. Food and Drug Administration Regulations (1980) • OECD Privacy and Transborder Flow Guidelines (1980) • CIOMS International Biomedical Research Guidelines (1983, 1992, 2002) • CIOMS International Epidemiological Study Guidelines (1991) • ICH Good Clinical Practice Guideline (1996)

  8. Merck Privacy Office Privacy as a Legal Issue - Europe • EU Data Protection Directive of 1995 • Covers all personally identifiable information • Covers all types of entities (e.g., Research, Business, Government) • Also adopted by Iceland, Norway and Liechtenstein (EEA) • Prohibits transfers to non-EEA countries lacking “adequate” data protection • Adequacy Determinations: Canada, Hungary, Switzerland, Argentina, Guernsey, U.S. Safe Harbor, Model Contracts • National EU Data Protection Laws • Prohibit transfers to non-EU countries lacking “adequate” data protection • Member States must abide by EU Commission adequacy determinations • EU / U.S. Safe Harbor Agreement • Enables individual U.S. companies to receive EEA personal information • Applies only to transfers from EEA countries • Applies only to transfers to certified U.S. companies

  9. Merck Privacy Office Privacy as a Legal Issue - U.S. • Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Regulations • Covered Entities: Health Care Plans, Health Care Clearinghouses, Health Care Providers • Business Associates of Covered Entities • Personally Identifiable Health Information • State Privacy Legislation • Health and Medical Information • Data Security • Genetic Research • Electronic Communications Privacy Act of 1986 (ECPA) • FTC Code of Fair Information Practices (1999) • Children’s Online Privacy Protection Act of 1998 (COPPA) • New Federal Telemarketing, Spam and Fax Laws (2003)

  10. Merck Privacy Office Legal Summary – Rest of World Privacy laws pending or enacted in: • Non-EEA Europe Albania, Bosnia, Bulgaria,Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Poland, Romania, Russia, Slovakia, Slovenia, Switzerland • Asia Pacific Australia, Hong Kong, India (pending), Japan, New Zealand, Taiwan, Thailand • Middle East / Africa Israel, South Africa • Latin America Argentina, Brazil, Chile, Mexico (pending), Paraguay, Peru • North America Canada Many of these laws are based on the European model.

  11. Merck Privacy Office Privacy as a Business Issue Laws apply common principles but create significantly different administrative requirements

  12. Merck Privacy Office Privacy Principles • Respect: Understand and respect the privacy perspectives of the individual. • Necessity: Collect personal information only for identified business purposes. To the extent possible, use non-identifiable information, and limit the personal information that is used and disclosed to that which is necessary for the identified purposes. • Notice: Provide notice to individuals regarding the information that will be collected, how it will be used, and who will have access to it. • Choice: Allow individuals to determine whether personal information about them will be collected, used and disseminated.

  13. Merck Privacy Office Data Protection Principles • Data Integrity: Use personal information in accordance with the notice given and the choices exercised. Keep personal information accurate, complete and current in regard to the purpose for which is was collected. • Access and Correction: Allow individuals reasonable access, on request, to personal information about them, and correct information that is incorrect or incomplete. • Transfers to Agents: Obtain written assurances from agents that they will collect, use, and secure personal information pursuant to Merck’s instructions. • Security: Secure personal information from loss, misuse, unauthorized access, disclosure and alteration. • Enforcement: Provide communications, training, monitoring and enforcement with respect to Merck privacy policies and procedures.

  14. Impact on Records-Based Biomedical Research

  15. Merck Privacy Office European Style Laws • Personal Information: information which identifies, or is used alone or in combination with other information to identify an individual. • Sensitive Persona Information: Personal Information relating to race, ethnicity, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life.

  16. Merck Privacy Office Research Requirements (EU Directive, Article 8) Sensitive Personal Information may not be used unless: • Each data subject gives “explicit” consent; • The data are necessary to protect the “vital interests” of the data subject or another person and the data subject is physically or legally not able to give consent; • The data are “manifestly made public” by the data subject; or • The data are required for preventive medicine, medical diagnosis, provision of care or treatment, or management of healthcare services, provided the user is operating under rules of professional secrecy.

  17. Merck Privacy Office International Transfers(EU Directive, Articles 25, 26) No transfers of Personal Information from the European Economic Area (EEA) to non-EEA countries unless: • Each data subject consents to the transfer; • The transfer is necessary or legally required on important public interest grounds; • The transfer is necessary to protect the data subject’s “vital interests;” • The transfer is made under a “model contract” between the EEA sender and the non-EEA receiver; • The transfer is to a U.S. Safe Harbor company; or • The transfer is to Argentina, Canada, Guernsey, Hungary, or Switzerland.

  18. Merck Privacy Office Exceptions • European Union Member States may, for reasons of “substantial public interest,” create exceptions to the general rule. (EU Directive, Article 8, 4) • Some European countries, such as Italy, have laws expressly allowing epidemiologic research without data subject consent.

  19. Merck Privacy Office Practical Application • In most European countries medicine is socialized, and governments maintain comprehensive medical databases. • Most governments extract data from these databases and make them available to researchers. • Data provided typically include ages, dates, gender, race, geographic information, medical information. • Governments generally consider these data non-identifiable.

  20. Merck Privacy Office What is HIPAA? • The Health Insurance Portability and Accountability Act of 1996; and • Three sets of regulations issued by the Clinton Department of Health and Human Services in 2000: • Privacy Regulations - April 14, 2003 Compliance Deadline • Transaction Standards - October 16,2002 Compliance Deadline • Security Regulations – 2005 Compliance Deadline

  21. Merck Privacy Office Who is covered? • HIPAA “Covered Entities” • Health Care Providers that transmit health data electronically in connection with 1 or more of 8 “HIPAA Transactions” Physicians Hospitals Clinics Group Practices Pharmacies • Health Care Plans HMOs Health Insurers Medicare PBMs Group Health Plans Medicaid • Health Care Clearinghouses Entities that transmit data into a HIPAA “standard” format from a non-standard format or vice versa • “Business Associates” of HIPAA Covered Entities Entities that use protected health information (PHI) for or on behalf of covered entities

  22. Merck Privacy Office What is covered? • Protected Health Information: individually identifiable health information in the possession of a HIPAA covered entity that relates to an identifiable individual’s past, present, or future health, healthcare, or to payment for an individual’s healthcare.

  23. Merck Privacy Office Research Requirements Uses or disclosures of PHI require: • Signed, HIPAA “authorizations” from each study participant in addition to consents complying with the Common Rule and FDA Regulations; • IRB or “Privacy Board” waivers of some or all of the authorization requirements; or • “De-identification” of patient data via one of two methods: • Removing each of 18 prescribed data elements; or • Statistical Analysis and opinion.

  24. Merck Privacy Office Waivers and Alterations(HIPAA vs. CR) HIPAA45 CFR 164.512(i)(2)(ii) A. Use or disclosure involves no more than minimal risk to the privacy of individuals, as indicated by F-H below; B. Alteration or waiver will not adversely affect privacy rights and welfare of individuals; C. Research could not practicably be conducted without the alteration or waiver; D. Research could not practicably be conducted without access to and use of PHI; E. Privacy risks to individuals are reasonable in relation to the anticipated benefits if any, to the individuals, and the importance of the knowledge that may be reasonably expected to result from the research; F. Adequate plan to protect identifiers from improper use and disclosure; G. Adequate plan to destroy identifiers at the earliest opportunity, unless there is a health or research justification or legal requirement to retain them; and H. Adequate written assurances that PHI will not be reused or disclosed for other purposes. Common Rule45 CFR 46.116(d) A.Research involves no more than minimal risk to subjects; B. Waiver or alteration will not adversely affect the rights and welfare of subjects; C. Research could not practicably be carried out without the waiver or alteration; and D. Whenever appropriate, subjects will be provided with additional pertinent information after participation

  25. Merck Privacy Office De-identification(Two Methods) HIPAA Safe Harbor45 CFR 164.514(b)(2)(i) • Names • Geographic subdivisions smaller than a state • Zip codes • Dates (birth, admission, discharge, death) • Age, if over 89 • Telephone numbers • Fax numbers • E-mail addresses • Social security numbers • Medical record numbers • Health plan beneficiary numbers • Account numbers • Certificate and license numbers • Vehicle identification and serial numbers • License plate numbers • Device identifiers and serial numbers • URLs • Internet Protocol address numbers • Biometric identifiers (finger and voice prints) • Full face photos and comparable images • Any other unique identifiers Statistical 45 CRF 164.514(b)(1) • A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable; • Determines that the risk of re-identification of the data, alone or in combination with other reasonably available data, is very small; and • Documents the methods and results.

  26. Merck Privacy Office HIPAA Research Exceptions • Limited Data Sets • Research on Decedents • Work Preparatory to Research

  27. Merck Privacy Office Limited Data Sets Allowed • Admission Dates • Discharge Dates • Service Dates • Death Dates • Age (in hours, months or days) • Age (for those over 90) • Five Digit Zip Codes • Demographic Data Direct Identifiers Not Allowed • Names • Street Addresses • Telephone and Fax Numbers • e-Mail Addresses • Social Security Numbers • Certificate or License Numbers • Vehicle ID and Serial Numbers • URLs and IP Addresses • Full Face Photos and Comparable Images

  28. Merck Privacy Office Limited Data Sets • Data Use Agreement Required: • Data will be used only for research; • Researcher will not re-identify subjects; and • Researcher will not contact subjects. • Minimum Necessary Rule Applies • Must account for disclosures

  29. Merck Privacy Office Research Regarding Decedents • PHI regarding decedents may be used for research. • Researcher must provide to the institution: • Verification that PHI will be used and disclosed solely for research on decedents; • Representation that the PHI is necessary for the research; and • Documentation of death. • Minimum Necessary Rule applies • Must account for disclosures

  30. Merck Privacy Office Work Preparatory to Research • PHI may be used without an authorization or waiver for reviews preparatory to research. • Covered entity must obtain from the researcher representations that: • Use or disclosure of PHI is sought solely to prepare a research protocol “or for similar purposes preparatory to research.” • No PHI will be removed from the covered entity by the researcher; and • The PHI is necessary for the identified research purposes.

  31. Merck Privacy Office Work Preparatory to Research • HHS has said in commentary on HIPAA that work preparatory to research includes activities such as: • Protocol development • Patient pre-screening • Subject recruitment • Minimum Necessary Rule applies • Must account for disclosures

  32. Merck Privacy Office Summary and Conclusions • The governments of many countries with privacy and data protection laws have made special accommodations for records-based biomedical research. • HIPAA provides new rules, but reasonably practical mechanisms for records-based biomedical research. • It is important to consider state laws in the U.S., particularly in California. • Remember that all privacy legal, regulatory and ethical regimes are based on the same principles.

  33. Thank You!Oliver Johnsonoliver_johnson@merck.com908-423-7321

More Related