
Liza Dawson, "The Common Rule and Research with Data, Big and Small"



Part of the "2016 Annual Conference: Big Data, Health Law, and Bioethics" held at Harvard Law School on May 6, 2016.

This conference aimed to: (1) identify the various ways in which law and ethics intersect with the use of big data in health care and health research, particularly in the United States; (2) understand the way U.S. law (and potentially other legal systems) currently promotes or stands as an obstacle to these potential uses; (3) determine what might be learned from the legal and ethical treatment of uses of big data in other sectors and countries; and (4) examine potential solutions (industry best practices, common law, legislative, executive, domestic and international) for better use of big data in health care and health research in the U.S.

The Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School 2016 annual conference was organized in collaboration with the Berkman Center for Internet & Society at Harvard University and the Health Ethics and Policy Lab, University of Zurich.

Learn more at

Published in: Healthcare

  2. DISCLAIMER
     • The views presented are those of the author and do not represent any position, policy or viewpoint of the National Institutes of Health, the Department of Health and Human Services or any of its components.
  3. INTRO
     • Common Rule regulation of human subjects research is a poor fit for research involving only secondary use of data, invoking serious philosophical and public health concerns
     • Big data research further exposes the problem of poor fit and weak ethical rationale
     • A deeper look at the fundamental ethical issues is warranted
  4. THE COMMON RULE REACHES THE BREAKING POINT
     THE OLD WORLD: REGULAR DATA
     • In practice, a lot of research done with de-identified data
     • Simplifies human subjects issues
     • Avoids extensive permission, reviews, delays
     • “End run” around Common Rule
     THE NEW WORLD: BIG DATA
     • Anonymization cannot be guaranteed
     • Unclear boundaries of public and private information (e.g. GPS data, Facebook, shopping records)
     • No way to obtain consent in many cases; or consent would create extensive burdens on individuals
  5. TAKING A CLOSER LOOK
     • Brief historical foray: why does the Common Rule apply to research with data?
     • Common Rule’s approach to regulating data research is a poor fit
     • Big data research exemplifies problems with the Rule and exposes conceptual gaps
     • An alternative approach to oversight is needed
  6. NATIONAL COMMISSION FOR PROTECTION OF HUMAN SUBJECTS OF BIOMEDICAL AND BEHAVIORAL RESEARCH
     • Commission established in 1974 as part of the Public Health Service Act (PL 93-348)
     • Mandate included
         • Considering the boundaries between biomedical or behavioral research and “accepted and routine practice of medicine”
         • Risk-benefit criteria in human subjects research
         • Selection of human subjects, informed consent, IRBs
  7. BOUNDARY OF MEDICAL CARE AND RESEARCH
     • Morally significant: physician may depart from considering only best interests of patients if seeking generalizable knowledge.
     • Research may be seen as morally suspect, in relation to clinical care
     • Note: this is now being challenged in multiple settings (precision medicine, comparative effectiveness, learning healthcare), but the premise was the main focus in the 1970s
     • Therefore, setting the scope of Common Rule also includes definition of research: “Systematic investigation….designed to develop or contribute to generalizable knowledge.”
  8. BOUNDARY OF COMMON RULE RELATED TO DATA
     • Common Rule regulates research with data that are private and identifiable, through the definition of human subject:
       46.102 (f) Human subject means a living individual about whom an investigator…conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information
  9. WHY DID THE NATIONAL COMMISSION INCLUDE RESEARCH WITH DATA IN THE SCOPE OF RECOMMENDED REGULATIONS?
     CONCERNS ABOUT PRIVACY
     • Concurrent with broader privacy standards in government, concerns about intrusion into lives of citizens
     • Privacy Act of 1974 addressed government uses of private data
     DECIDED TO LIMIT SCOPE OF REGULATED DATA ACTIVITIES TO RESEARCH
     • Staying within mandate of Commission
     • Concerns about research violating trust and individual rights
  10. CONCEPTUAL PROBLEMS IN INCLUSION OF DATA RESEARCH IN THE COMMON RULE
     • In research involving medical interventions on a human subject, quest for generalizable knowledge may compromise patient care; therefore research requires special regulation
     • In research involving only secondary uses of data, the use of data in systematic investigation aimed at generalizable results does not inherently pose more privacy risks to human subjects than other uses of data
     • In other words, there is no clear ethical rationale for regulation of research with data differently from non-research activities with data
  12. CONCEPTUAL PROBLEM 1: NO CLEAR PRIVACY-RELATED CRITERION FOR BOUNDARY BETWEEN REGULATED AND NON-REGULATED ACTIVITY
     NON-RESEARCH ACTIVITIES WITH PRIVATE IDENTIFIABLE DATA
     • Quality improvement
     • Lab QI/QC
     • Program evaluation
     • US census
     • Public health surveillance
     • Insurance claims
     • Federal and state benefits and service programs
     • Other private data: passports; motor vehicle departments; tax records
     RESEARCH ACTIVITIES WITH PRIVATE IDENTIFIABLE DATA
     • Epidemiology
     • Health services research
     • Environmental health research
     • Public health research
  14. DO INDIVIDUALS HAVE AN INTEREST IN CONTROLLING HOW THEIR DATA ARE USED, INDEPENDENTLY OF PRIVACY ISSUES?
     • Analogous to current debates about research with biological specimens: some claim that individuals have an interest in control over future research, whether or not the specimens are identifiable, that should be protected in regs
     • Either way, the existing Common Rule appears to prioritize privacy concerns (does not regulate research with de-identified data or specimens)
  15. CONCEPTUAL PROBLEM #2: UNCLEAR ETHICAL RATIONALE FOR SUBJECTS’ CLAIMS OF RIGHT TO CONTROL
     Ethical underpinnings of these claims need for control are not elaborated
     • E.g. Wendler, specimen research: Subjects have an interest in deciding whether they will contribute to specific projects
     • In what sense does use of information derived from a person constitute “contribution”?
     • Even given an interest (on the part of subjects), at what level of decision making should choices be made, e.g. policy level? Individual level? Institutional level?
     • Again, why should subjects have control over use of their data for research but not in, for example, quality improvement or program evaluation?
  16. CONCEPTUAL PROBLEM #3: NEGLECT OF OTHER IMPORTANT ETHICAL ASPECTS OF DATA RESEARCH
     • A subject’s interest in privacy and/or control must be considered in light of her other interests
     • Individuals’ interests are served by the benefits of research in multiple contexts; cannot evaluate quantitatively how benefits square off against privacy concerns or desire to limit or control research
     • Group interests (benefits, risks, harms) are important but are not addressed in the Rule; nor are they adequately represented with individual informed consent
  17. DIFFERENT SYSTEMS OF REGULATION
     COMMON RULE: CURRENT VERSION
     • Determine if this is research or not (not always obvious)
     • Determine if data are identifiable and private
     • Determine if study is exempt
     • If non-exempt, then IRB review and informed consent are required
     PRIVACY REGS FOR NON-RESEARCH ACTIVITIES: CURRENT SYSTEM
     • Diverse set of privacy standards, depending on source of data
     • Some uses of data are authorized by law
     • Privacy protections mandated
     • Unauthorized disclosure of data prohibited
     • No informed consent
     • Some activities currently unregulated
  18. CONCEPTUAL PROBLEM #4: IN DATA RESEARCH, INFORMED CONSENT DOES LITTLE TO PROTECT SUBJECTS’ INTERESTS OR ENHANCE TRUST
     • Does not guarantee appropriate data security and privacy protections
     • No way to address group interests/group harms (e.g. stigmatization)
     • Time consuming and burdensome for individuals to learn about and evaluate each and every use of their data
     • Does not inform the general public about research
     • May create bias in research using certain kinds of datasets
     • Do people need nudges to consent to research they actually support?
     • Potential inhibition of valuable health research is also a potential harm to subjects’ interests
  19. IS THERE A DIFFERENT WAY TO REGULATE?
     Authorized, legitimate uses of data for health research (or other socially valuable research) allowed without consent
     • All data research subject to same standard (whether data are identifiable or private, or not)
     • Researchers must address potential implications of research (e.g. group harms or stigma) if applicable
     Other requirements:
     • Specify purpose of the research
     • Investigators must have appropriate qualifications
     • Data security measures mandated
     • Data cannot be released to third parties
     • Plan for communication about research and findings
     • Enforcement: licensing of investigators; violators lose privileges for accessing data
  20. CONCLUSION
     • No clear ethical rationale for regulating research with data differently from non-research activities with regard to privacy, as current regulatory structure does
     • Increasing complexity of big data approaches make current regulations unworkable
     • Informed consent not best mechanism to protect subjects’ privacy interests
     • Claims of subjects’ rights or interests in controlling research not based on convincing argument
     • Privacy concerns should be evaluated in context of other interests of subjects
     • Group interests deserve consideration but are not addressed in current regulatory structure
     • New regulatory regime is needed for research with data