Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
The	
  Tension	
  between	
  Societal	
  
Lapses	
  in	
  Protecting	
  the	
  Privacy	
  of	
  
Individuals	
  and	
  the...
Disclaimer
• This	
  presentation	
  does	
  not	
  constitute	
  legal	
  
advice.	
  	
  The	
  views	
  expressed	
  ar...
Big	
  data	
  health	
  research	
  and	
  privacy
• Health	
  data	
  is	
  presumptively	
  sensitive
• The	
  research...
What	
  risk	
  does	
  big	
  data	
  health	
  research	
  
pose	
  to	
  subjects?
• Informational	
  risk
– Unauthoriz...
IRB	
  review	
  of	
  big	
  data	
  health	
  research
• Anecdotal	
  evidence	
  suggests	
  IRBs	
  find	
  it	
  diff...
Common	
  Rule	
  definition	
  of	
  minimal	
  risk
• The	
  Common	
  Rule	
  defines	
  minimal	
  risk	
  as	
  the:
...
IRB	
  assessment	
  of	
  minimal	
  risk
• The	
  variability	
  in	
  IRB	
  assessment	
  of	
  minimal	
  
risk	
  is...
Key	
  Questions
• How	
  should	
  the	
  Common	
  Rule	
  minimal	
  risk	
  
standard	
  apply	
  to	
  big	
  data	
 ...
Assessing	
  minimal	
  risk	
  involves	
  
comparison
• “Probability”	
  (likelihood)	
  and	
  “magnitude”	
  (level	
 ...
The	
  minimal	
  risk	
  threshold
• Daily	
  life	
  activities	
  pose	
  different	
  levels	
  of	
  
risk	
  – there...
Which	
  comparator	
  risks	
  of	
  daily	
  life	
  
activities	
  should	
  be	
  included	
  in	
  the	
  range?
• Ri...
Conceptions	
  of	
  daily	
  life	
  risk	
  standard:	
  	
  
What	
  comparator	
  risks?	
  	
  Whose	
  life?
• Unifo...
Content modifiedfrom DavidStrauss
SACHRP presentation(2006)
Minimal	
  risk	
  thresholds	
  compared
Healthy  
Subjects
C...
The	
  uniform	
  standard,	
  considering	
  risks	
  
of	
  big	
  data	
  research	
  as	
  additional	
  to	
  
daily	...
“Background	
  risks”	
  vs.	
  uniform	
  daily	
  
life	
  risks
• Under	
  a	
  uniform	
  standard,	
  elevated	
  con...
Uniform	
  standard,	
  considering	
  risks	
  presented	
  
by	
  big	
  data	
  research	
  to	
  be	
  risks	
  of	
  ...
Constraints
• General	
  acceptance	
  of	
  an	
  ethical	
  framework	
  for	
  
assessing	
  what	
  may	
  be	
  consi...
Conclusions
• An	
  IRB	
  may	
  reasonably	
  determine	
  that	
  big	
  data	
  
health	
  research	
  presents	
  no	...
Upcoming SlideShare
Loading in …5
×

Laura Odwazny, 'Regulations Are Not the Barrier to Use of Big Data in Health Research: Tensions Between Privacy Lapses and “Minimal Risk”'

260 views

Published on

Part of the "2016 Annual Conference: Big Data, Health Law, and Bioethics" held at Harvard Law School on May 6, 2016.

This conference aimed to: (1) identify the various ways in which law and ethics intersect with the use of big data in health care and health research, particularly in the United States; (2) understand the way U.S. law (and potentially other legal systems) currently promotes or stands as an obstacle to these potential uses; (3) determine what might be learned from the legal and ethical treatment of uses of big data in other sectors and countries; and (4) examine potential solutions (industry best practices, common law, legislative, executive, domestic and international) for better use of big data in health care and health research in the U.S.

The Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School 2016 annual conference was organized in collaboration with the Berkman Center for Internet & Society at Harvard University and the Health Ethics and Policy Lab, University of Zurich.

Learn more at http://petrieflom.law.harvard.edu/events/details/2016-annual-conference.

Published in: Healthcare
  • Be the first to comment

  • Be the first to like this

Laura Odwazny, 'Regulations Are Not the Barrier to Use of Big Data in Health Research: Tensions Between Privacy Lapses and “Minimal Risk”'

  1. 1. The  Tension  between  Societal   Lapses  in  Protecting  the  Privacy  of   Individuals  and  the  Regulatory   Definition  of  “Minimal  Risk” Laura  Odwazny Office  of  the  General  Counsel,  HHS
  2. 2. Disclaimer • This  presentation  does  not  constitute  legal   advice.    The  views  expressed  are  the   presenter’s  own,  and  do  not  bind  the  U.S.   Department  of  Health  and  Human  Services  or   its  components. • OHRP  may  or  may  not  agree  with  some  of  my   ideas.
  3. 3. Big  data  health  research  and  privacy • Health  data  is  presumptively  sensitive • The  research  use  of  sensitive  information  can   impact  privacy  interests  of  individuals • The  Federal  Common  Rule  applies  to  secondary   use  research  of  individually  identifiable  private   information  (secondary  use  =  use  of  information   already  obtained  from  the  individual  for  another   purpose) • Big  data  health  research  does  not  involve  human   subjects  if  researchers  do  not  collect  subject  data   through  intervention  or  interaction  with  subjects,   or  obtain  individually  identifiable  private   information
  4. 4. What  risk  does  big  data  health  research   pose  to  subjects? • Informational  risk – Unauthorized  or  inappropriate  use/disclosure  of  information,  in   ways  harmful  to  research  subjects  (e.g.,  disclosure  of  illegal   activities,  contagious  disease,  substance  abuse,  or  chronic  illness   might  jeopardize  employment,  injure  reputation,  cause   emotional  harm) – Correlated  with  nature  of  the  information  and  degree  of   identifiability  of  the  information • Risk  of  dignitary  harm – Disclosure  harmful  per  se  as  injury  to  “social  personality” • [Others?]
  5. 5. IRB  review  of  big  data  health  research • Anecdotal  evidence  suggests  IRBs  find  it  difficult  to   apply  Common  Rule  standards  to  big  data  health   research,  including  risk  assessment • IRBs  may  be  uncomfortable  deeming  big  data  health   research  to  involve  minimal  risk  to  subjects – Ability  to  protect  subjects’  privacy  via  deidentification   challenged  by  well-­‐publicized  “proof  of  concept”   reidentification  projects – No  comprehensive  extra-­‐regulatory  scheme  for  protecting   privacy  interests  of  individuals  whose  health  information   may  be  used  in  big  data  research – IRB  assessment  of  risk  varies  and  may  not  be  evidence-­‐ based:    reliance  on  intuition,  familiarity,  control    (Wendler,   Hirshon,  Shah)
  6. 6. Common  Rule  definition  of  minimal  risk • The  Common  Rule  defines  minimal  risk  as  the: “probability  and  magnitude  of  harm  or   discomfort  anticipated  in  the  research  are  not   greater  in  and  of  themselves  than  those   ordinarily  encountered  in  daily  life  or  during   the  performance  of  routine  physical  or   psychological  examinations  or  tests”   45  CFR  46.102(i) • “Minimal  risk”  =  threshold  determination  for   certain  Common  Rule  flexibilities,  including   waiver  of  informed  consent
  7. 7. IRB  assessment  of  minimal  risk • The  variability  in  IRB  assessment  of  minimal   risk  is  well-­‐documented.  (See  Hirshon  (2002),   Shah  (2004)) • OHRP  has  no  published  guidance  on  the   appropriate  application  of  the  definition  of   minimal  risk. • SACHRP  has  provided  recommendations  to   the  Secretary  of  HHS  on  how  minimal  risk   should  be  assessed  – but  these  are  not  agency   guidance.
  8. 8. Key  Questions • How  should  the  Common  Rule  minimal  risk   standard  apply  to  big  data  health  research? – Comparison  to  “daily  life  risks” – [Comparison  to  routine  physical  or  psychological   examinations/tests] • How  do  the  informational  risks  and  risks  of   dignitary  harm  presented  by  daily  life   activities  inform  consideration  of  risks  of  big   data  health  research?  
  9. 9. Assessing  minimal  risk  involves   comparison • “Probability”  (likelihood)  and  “magnitude”  (level  of   severity)  of  harm  anticipated  in  research  compared  to   likelihood  of  risk  of  the  same  magnitude  posed  by  daily   life  activities • May,  but  need  not,  be  a  1:1  comparison  of  types  of   activities – Risks  of  research  survey  may  be  compared  with  risks  of   questionnaire  given  in  schools – Non-­‐sedation  MRI  may  not  be  a  daily  life  activity,  but   risks  still  may  fall  below  the  upper  boundary  of   probability  and  magnitude  of  risks  of  daily  life  activities  
  10. 10. The  minimal  risk  threshold • Daily  life  activities  pose  different  levels  of   risk  – there  is  a  range  of  daily  life  risks • SACHRP  recommends  minimal  risk   threshold  is  fixed  at  upper  boundary  of   harms  and  discomforts  ordinarily   encountered,  reflecting  familiar  and   routine  background  risks  for  average   person  in  the  general  population
  11. 11. Which  comparator  risks  of  daily  life   activities  should  be  included  in  the  range? • Risks  ordinarily  encountered  by  healthy  people   engaging  in  most  risky  daily  life  activities? – E.g.,  free  climbing,  riding  a  motorcycle • Socially  acceptable  risks  healthy  individuals   encounter? – E.g.,  tackle  football   • Risks  healthy  individuals  living  in  safe   environments  generally  have  in  common? – E.g.,  crossing  a  busy  street,  telephone  surveys,   driving  to  work
  12. 12. Conceptions  of  daily  life  risk  standard:     What  comparator  risks?    Whose  life? • Uniform  standard – Daily  life  risks  of  average  healthy  individuals  living  in  safe   environments • Relative  standard – Daily  life  risks  of  subject  population • Modified  objective  standard  (Wendler  2004) – Relevance,  scientific  necessity,  sufficient  benefit,   nonmaleficence  informs  whether  any  added  risks  of  the   research;  any  added  risks  evaluated  under  uniform   standard • [Charitable  participation  standard  (Wendler  2005,   2015) – Risks  acceptable  in  the  context  of  activities  designed  to   benefit  others]
  13. 13. Content modifiedfrom DavidStrauss SACHRP presentation(2006) Minimal  risk  thresholds  compared Healthy   Subjects Cocaine   Abusers Cocaine   abusers with additional confidentiality protections Probability and magnitude of harm and discomfort from the research, for the study population Uniform, and modified objective assessment of added research risks Relative standard
  14. 14. The  uniform  standard,  considering  risks   of  big  data  research  as  additional  to   daily  life  risks Healthy   subjects   Subjects           with  sensitive   health   condition Subjects  with   sensitive   health   condition Content modifiedfrom DavidStrauss SACHRP presentation(2006) with additional confidentiality protections Probability and magnitude of harm and discomfort from big data health research, for the study population Estimate of probability and magnitude of the harm and discomfort of daily life of average healthy individuals living in safe environments= the minimal risk uniform threshold
  15. 15. “Background  risks”  vs.  uniform  daily   life  risks • Under  a  uniform  standard,  elevated  contextual   background  risks  for  subjects  (e.g.,  civil  war)   should  not  affect  minimal  risk  threshold • Question:    how  do  daily  life  risks  move  from  the   “contextual  background”  to  the  common? • Have  informational  risks  and  risks  of  dignitary   harm  become  so  prevalent  that  they  have   transcended  the  experiences  of  the  subject   population  of  big  data  research,  and  are  best   considered  risks  of  daily  life  common  among   healthy  individuals  living  in  safe  environments?    
  16. 16. Uniform  standard,  considering  risks  presented   by  big  data  research  to  be  risks  of  daily  life  (in   nature,  probability,  and  magnitude) Healthy   Subjects Subjects           with  sensitive   health   condition Subjects  with   sensitive   health   condition Content modifiedfrom DavidStrauss SACHRP presentation(2006) with additional confidentiality protections Probability and magnitude of harm and discomfort from big data health research, for the study population Estimate of the probability and magnitude of the harm and discomfort of daily life of average healthy individuals living in safe environments= the minimal risk threshold
  17. 17. Constraints • General  acceptance  of  an  ethical  framework  for   assessing  what  may  be  considered  common  daily   life  risks  of  healthy  individuals  living  in  safe   environments  would  help  ensure  consistency  in   minimal  risk  determinations • Data  on  reports  of  injury  resulting  from  daily  life   informational  risks  or  risks  of  dignitary  harm     would  be  useful – Literature  search – Survey  of  human  subjects  research  experts  and   ethicists – Survey  of  investigators  and  research  subjects
  18. 18. Conclusions • An  IRB  may  reasonably  determine  that  big  data   health  research  presents  no  more  than  minimal   risk  to  subjects  under  several  conceptions  of  the   daily  life  risks  minimal  risk  standard • Guidance  from  Federal  agencies  could  be  helpful • Interesting  questions  beyond  the  scope  of  this   analysis: – When  informed  consent  for  minimal  risk  research   ought  to  be  obtained  for  ethical  considerations – Is  there  something  particular  to  big  health  data  that   warrants  added  protections  for  its  research  use  (such   as  informed  consent)

×