THE COMMON RULE AND RESEARCH WITH DATA,BIG AND SMALLLIZA DAWSON

PETRIE–FLOM CENTER FOR HEALTH LAW POLICY,

BIOTECHNOLOGY AND BIOETHICS

CAMBRIDGE, MASS.

MAY 6TH, 2016

DISCLAIMER

• The views presented are those of the author and do not represent any position, policy or viewpoint of the National Institutes of Health, the Department of Health and Human Services or any of its components.

INTRO

Common Rule regulation of human subjects research is a poor fit for research involving only secondary use of data, invoking serious philosophical and public health concerns

Big data research further exposes the problem of poor fit and weak ethical rationale

A deeper look at the fundamental ethical issues is warranted;

THE COMMON RULE REACHES THE BREAKING POINT

THE OLD WORLD: REGULAR DATA

• In practice, a lot research done with de-identified data

• Simplifies human subjects issues

• Avoids extensive permission, reviews, delays

• “end run” around Common Rule

THE NEW WORLD: BIG DATA

• Anonymization cannot be guaranteed

• Unclear boundaries of public and private information (e.g. GPS data, Facebook, shopping records)

• No way to obtain consent in many cases; or consent would create extensive burdens on individuals

TAKING A CLOSER LOOK

• Brief historical foray: why does the Common Rule apply to research with data?

• Common Rule’s approach to regulating data research is a poor fit;

• Big data research exemplifies problems with the Rule and exposes conceptual gaps

• An alternative approach to oversight is needed

NATIONAL COMMISSION FOR PROTECTION OF HUMAN SUBJECTS OF BIOMEDICAL AND BEHAVIORAL RESEARCH

• Commission established in 1974 as part of the Public Health Service Act (PL 93-348);

• Mandate included• Considering the boundaries between biomedical or behavioral research and

“accepted and routine practice of medicine”

• Risk-benefit criteria in human subjects research

• Selection of human subjects, informed consent, IRBs

BOUNDARY OF MEDICAL CARE AND RESEARCH

• Morally significant: physician may depart from considering only best interests of patients if seeking generalizable knowledge.

• Research may be seen as morally suspect, in relation to clinical care• Note: this is now being challenged in multiple settings (precision medicine, comparative

effectiveness, learning healthcare)—but the premise was main focus in 1970’2

• Therefore, setting the scope of Common Rule also includes definition of research:

“Systematic investigation….designed to develop or contribute to generalizable knowledge.”

BOUNDARY OF COMMON RULE RELATED TO DATA

• Common Rule regulates research with data that are private and identifiable, through the definition of human subject:

46.102 (f) Human subject means a living individual about whom an investigator…conducting research obtains

(1) data through intervention or interaction with the individual, or

(2) Identifiable private information

WHY DID THE NATIONAL COMMISSION INCLUDE RESEARCH WITH DATA IN THE SCOPE OF RECOMMENDED REGULATIONS?

CONCERNS ABOUT PRIVACY

• Concurrent with broader privacy standards in government, concerns about intrusion into lives of citizens

• Privacy Act of 1974 addressed government uses of private data

DECIDED TO LIMIT SCOPE OF REGULATED DATA ACTIVITIES TO RESEARCH

• Staying within mandate of Commission

• Concerns about research violating trust and individual rights

CONCEPTUAL PROBLEMS IN INCLUSION OF DATA RESEARCH IN THE COMMON RULE

• In research involving medical interventions on a human subject, quest for generalizable knowledge may compromise patient care; therefore research requires special regulation

• In research involving only secondary uses of data, the use of data in systematic investigation aimed at generalizable results does not inherently pose more privacy risks to human subjects than other uses of data;

• In other words, there is no clear ethical rationale for regulation of research with data differently from non-research activities with data

CLINICAL RESEARCH RAISES RISK/BENEFIT CONCERNS RELATIVE TO CLINICAL CARE:

WITH DATA, RESEARCH AND NON-RESEARCH ACTIVITIES ALIKE RAISE PRIVACY CONCERNS:

CLINICAL CARE VERSUS CLINICAL RESEARCH

RESEARCH WITH DATA VERSUS OTHER USES OF DATA

CONCEPTUAL PROBLEM 1: NO CLEAR PRIVACY-RELATED CRITERION FOR BOUNDARY BETWEEN REGULATED AND NON-REGULATED ACTIVITY

NON RESEARCH ACTIVITIES WITH PRIVATE IDENTIFIABLE DATA

• Quality improvement

• Lab QI/QC

• Program evaluation

• US census

• Public health surveillance

• Insurance claims

• Federal and state benefits and service programs

• Other private data: Passports; motor vehicle departments; tax records;

RESEARCH ACTIVITIES WITH PRIVATE IDENTIFIABLE DATA

• Epidemiology

• Health services research

• Environmental health research

• Public health research

WHAT ABOUT NON-PRIVACY CONCERNS IN DATA RESEARCH?

DO INDIVIDUALS HAVE AN INTEREST IN CONTROLLING HOW THEIR DATA ARE USED, INDEPENDENTLY OF PRIVACY ISSUES?

• Analogous to current debates about research with biological specimens: some claim that individuals have an interest in control over future research, whether or not the specimens are identifiable, that should be protected in regs;

• Either way, the existing Common Rule appears to prioritize privacy concerns (does not regulate research with de-identified data or specimens

CONCEPTUAL PROBLEM #2: UNCLEAR ETHICAL RATIONALE FOR SUBJECTS’ CLAIMS OF RIGHT TO CONTROL

Ethical underpinnings of these claims need for control are not elaborated

• E.g. Wendler—specimen research: Subjects have an interest in deciding whether they will contribute to specific projects

• In what sense does use of information derived from a person constitute “contribution”?

• Even given an interest (on the part of subjects), at what level of decision making should choices be made—e.g. policy level? Individual level? Institutional level?

• Again, why should subjects have control over use of their data for research but not in, for example, quality improvement or program evaluation?

CONCEPTUAL PROBLEM #3: NEGLECT OF OTHER IMPORTANT ETHICAL ASPECTS OF DATA RESEARCH

• A subject’s interest in privacy and/or control must be considered in light of her other interests;• Individuals’ interests are served by the benefits of research in multiple contexts; cannot

evaluate quantitatively how benefits square off against privacy concerns or desire to limit or control research

• Group interests (benefits, risks, harms) are important but are not addressed in the Rule; nor are they adequately represented with individual informed consent

DIFFERENT SYSTEMS OF REGULATION

COMMON RULE—CURRENT VERSION

• Determine if this is research or not (not always obvious)

• Determine if data are identifiable and private

• Determine if study is exempt

• If non-exempt, then IRB review and informed consent are required

PRIVACY REGS FOR NON RESEARCH ACTIVITIES—CURRENT SYSTEM

• Diverse set of privacy standards, depending on source of data;

• Some uses of data are authorized by law • Privacy protections mandated• Unauthorized disclosure of data prohibited• No informed consent

• Some activities currently unregulated

CONCEPTUAL PROBLEM #4: IN DATA RESEARCH, INFORMED CONSENT DOES LITTLE TO PROTECT SUBJECTS’ INTERESTS OR ENHANCE TRUST

• Does not guarantee appropriate data security and privacy protections

• No way to address group interests/group harms (e.g. stigmatization)

• Time consuming and burdensome for individuals to learn about and evaluate each and every use of their data

• Does not inform the general public about research

• May create bias in research using certain kinds of datasets• Do people need nudges to consent to

research they actually support?

• Potential inhibition of valuable health research is also a potential harm to subjects’ interests

IS THERE A DIFFERENT WAY TO REGULATE?

Authorized, legitimate uses of data for health research (or other socially valuable research) allowed without consent

• All data research subject to same standard (whether data are identifiable or private, or not)

• Researchers must address potential implications of research (e.g. group harms or stigma) if applicable

Other requirements:• Specify purpose of the research• Investigators must have appropriate

qualifications • Data security measures mandated• Data cannot be released to third parties• Plan for communication about research

and findings

• Enforcement: licensing of investigators; violators lose privileges for accessing data

CONCLUSION

• No clear ethical rationale for regulating research with data differently from non-research activities with regard to privacy, as current regulatory structure does;

• Increasing complexity of big data approaches make current regulations unworkable;

• Informed consent not best mechanism to protect subjects’ privacy interests

• Claims of subjects’ rights or interests in controlling research not based on convincing argument

• Privacy concerns should be evaluated in context of other interests of subjects;

• Group interests deserve consideration but are not addressed in current regulatory structure

• New regulatory regime is needed for research with data