
Margaret Foster Riley, "Big Data, HIPAA, and the Common Rule: Time for Big Change?"



Part of the "2016 Annual Conference: Big Data, Health Law, and Bioethics" held at Harvard Law School on May 6, 2016.

This conference aimed to: (1) identify the various ways in which law and ethics intersect with the use of big data in health care and health research, particularly in the United States; (2) understand the way U.S. law (and potentially other legal systems) currently promotes or stands as an obstacle to these potential uses; (3) determine what might be learned from the legal and ethical treatment of uses of big data in other sectors and countries; and (4) examine potential solutions (industry best practices, common law, legislative, executive, domestic and international) for better use of big data in health care and health research in the U.S.

The Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School 2016 annual conference was organized in collaboration with the Berkman Center for Internet & Society at Harvard University and the Health Ethics and Policy Lab, University of Zurich.

Learn more at

Published in: Healthcare


  1. Big Data, HIPAA and the Common Rule: Time for Big Change?
     Margaret Foster Riley, J.D.
     Big Data, Health Law and Bioethics
     Harvard Law School
     May 6, 2016
  2. THE COMMON RULE AND IRBS: TWENTIETH CENTURY MODEL
     • Academic Centers
     • Phenotypic Disease Model
     • Traditional Clinical Trial Design
     • Time, place, and inclusion
     • Clearer Lines between Clinical Treatment and Research
     • Paper Record
  3. HIPAA: TOO EARLY, OUT OF DATE AND WAY TOO COMPLICATED?
     • Pre-Genomic/Molecular/Network Identifiers
     • True De-Identification, even when HIPAA identifiers are removed, is very difficult
     • But there are (sophisticated) analytics that can be used
     • Most of these are beyond the capabilities of most IRBs (if acting as Privacy Board) and many institutions
     • The more complex (useful!) the data, the more difficult this may be
     • We want sharing between institutions
  4. NETWORKED MEDICINE
     A tremendous amount of this data comes from sources outside the typical health record
  5. DATA SOURCES IN NETWORKED MEDICINE
     • Claims and Cost Data; depending on the entity, subject to HIPAA or not
     • Pharmaceutical/Laboratory R&D; may be subject to HIPAA, but depends on how data is acquired; Trade Secrets may apply
     • Clinical Data Controlled by Providers; generally subject to HIPAA/Digital Ownership Unclear
     • Patient Behavior and Preferences; Depending on Source may be outside HIPAA and Commercially Owned
     • Rapidly increasing Commercial Use
  6. INCREASINGLY DIFFICULT TO DISTINGUISH RESEARCH FROM CLINICAL CARE
     • Adaptive clinical trials
     • “Large Simple Studies” and “Pragmatic Trials”
     • Research networks
  7. THE DARK SIDE OF HIT
     • With health IT, it is now possible for the first time in the history of medicine to:
         • Violate the health privacy of millions of individuals in a matter of seconds
         • Steal health information without having physical access to it; and
         • Violate an individual’s health information privacy in a manner that makes it impossible to restore.
     “The Financial Impact of Breached PHI”, ANSI (March 2012)
  8. BUT DOES RESEARCH ADD RISKS?
     • Most breaches and compromise are part of the clinical process
     • Many of those breaches are bread and butter financial fraud
     • Research (sadly?) is a fairly minor application of Big Data Health Information use
  9. COMMON RULE NEEDS A MAJOR OVERHAUL TO DEAL WITH DATA ISSUES
     • Simply adding new rules does not do the trick; complicates rather than simplifies
     • Fundamental Disagreement is on where notice is sufficient vs. full informed consent
     • Notions of Autonomy
     • Faden/Kass consistent w/ general privacy law (notice is sufficient)
     • Miller—health care is different
  10. FUNDAMENTAL CHARACTERISTICS OF BIG DATA CHALLENGE THE STRUCTURE OF THE COMMON RULE AND HIPAA
     • The analysis of Big Data is often for a different purpose than the purpose for which it was originally collected
     • How does one do meaningful consent?
     • The volume of data used for Big Data purposes means that it comes from many sources
     • Outside the purview of any single (or many) IRBs
  11. A PATCHWORK SYSTEM OF PRIVACY LAW IN THE UNITED STATES
     • The United States does not have comprehensive federal privacy laws
     • Privacy Law in the United States is Sectoral (but Federal Trade Commission/OCR play overarching regulatory roles)
         • Health
         • Finance
         • Education
     • States also have privacy laws—which may or may not be pre-empted
  12. PRIVACY, CONTROL AND OWNERSHIP
     • Context driven privacy interests
     • Unclear rules on ownership
     • But rarely the individual that the data describes
     • Illusory Control
  13. CENTRAL PRINCIPLES FOR PRIVACY COMPLIANCE RELATING TO (ANY) DATA COLLECTION: TRANSPARENCY AND PROTECTION
     • Transparency
         • Notice - how will the data be used and shared
         • Choice - the individual’s desires as to that use and sharing
         • Access - how the individual can implement those desires; this means a meaningful “opt out”
     • Security Protections
  14. BIG DATA REALLY REQUIRES A COMPREHENSIVE (NON-SECTORAL) APPROACH
     • This requires us to fully examine the question: is health care really different?
     • If not, perhaps then we should have a data/informational risk scheme for research that is driven by all needs rather than tacking on HIPAA notions to other areas