To:    McCabe, Mary (NCI)

Cc:    Giusti, Ruthann (NCI); Hoover, Robert (NCI)

Subject:    Comment from Epi Group on Proposed HIPAA NPRM

Mary, it has been a long time since the meeting, and these comments may not be entirely accurate or complete. However, I believe they are accurate in substance. Could you see that they are forwarded to the non-NCI members of Epi Working Group for their review and comments.

Robert A. Hiatt, MD, PhD, Deputy Director
Division of Cancer Control and Population Sciences, NCI, NIH, DHHS
6130 Executive Plaza Blvd. EPN 243, MSC 7339
Bethesda, MD 20892
301 435 7206
301 496 8675 (fax)
Robert.Hiatt@nih.gov

Memorandum from ACE Executive Committee

Comments from Epidemiology Working Group
NCI Conference on Confidentiality, Data Security, and Cancer Research
Bethesda, Maryland, 11/30-12/2/99

1. Definition of 'personally identifiable'. [160.103 Definitions] ‘De-identified’ information is not covered by the proposed regulation. For information to be ‘de-identified’ covered entities (1) must remove, code, or encrypt specified identifiers; and have no reason to believe that the information can be used by recipients to identify any individual; or (2) may retain some of the identifiers if they have appropriate statistical experience and expertise, and determine that the probability of identifying individuals with the retained identifiers is very low.

Epidemiologists are supportive of the recognition that data can be de-identified and still useful for research purposes. The requirement that covered entities have ‘no reason to believe’ that the information could still be used to identify specific individuals, however, may require entities and individuals to be a bit disingenuous. Epidemiologists do not believe the list of identifiers proposed in the NPRM (or any other list) for removal of variables would assure de-identification in all circumstances. It may always be possible for determined scoundrels to identify individuals. Epidemiologists would be more comfortable with language that coupled 'a reasonable attempt to remove identifiers' with clear penalties for persons who attempted to re-identify individuals. The other problem is that in many cases a dataset (e.g., registry data) is only of value if individual level data on age, sex, race/ethnicity, and other variables are included. This works against extreme forms of de-identification. In this case, 'reasonable attempts' and penalties, coupled with a recognition that registries have (or should have) the requisite ‘statistical experience and expertise’ to reduce the probability of re-identification to a minimum, is preferable. It is critical that registry operations, which generally do not include informed consent unless persons are to be contacted in research, not be constrained by having to remove identifiers required by the research. The role of IRBs is, of course, critical in this area in terms of determining 'reasonable' for any given situation.

2. Accounting for Disclosures [164.515]. Under the new regulation covered entities must document the disclosure of information on every record when identified health information is released for research without patients’ authorization. This requirement does not pertain to deceased persons.

This could be very burdensome, without much benefit to the patient’s privacy. Audit trails to record disclosure whenever a record is used may be technically feasible with electronic media, but it is still highly likely to present a record keeping burden that, to insure 'completeness and accuracy', would go far beyond its value in protecting the individual. This is especially of concern where only part of the record is stored electronically, yet all related paper records would still have to document the disclosure manually. Epidemiologic datasets use many linkages and very large numbers of subjects. This provision should be modified to be restricted to only the electronic portion of an individual’s record or be completely removed.

3. A Two-tiered system for public and private research is established by the proposed regulation. Although private research would now be required to follow many of the procedures previously required of only the public sector, IRB review would only be required for private sector research when access to research information is to be denied until the end of the study. Furthermore, private research is required to have only Privacy Board review for research without informed consent and patient authorization only for research with informed consent.

The rationale for a two-tiered system lacks justification. Both should be subject to equivalent IRB reviews and requirements. Private systems should not be able to work under Privacy Board review only.

4. Patient authorization. The proposed regulation introduces a requirement for a Patient Authorization in addition to informed consent in cases where researchers use individually identifiable health information with a patient’s informed consent. A Patient Authorization will need to contain: a description of the information to be disclosed, the name of the covered entity, the name of person/entity to whom the covered entity may make the disclosure, an expiration date, signature and date, and a statement that the individual has a right to revoke the authorization.

Although a patient authorization in addition to the informed consent will make the process of obtaining patient participation more difficult and could lower participation rates, the group agreed that patient authorization could be a benefit in cases where a researcher needed to go back to a record multiple times.

5. Providing patients with research information that has uncertain meaning. The proposed regulation requires that information in a person’s health record be disclosed to the person even if this information has no validity or utility.

The Epidemiology group had concerns about this requirement because it could lead to anxiety on the part of the participant and difficulties on the part of the researcher to explain the limitations of the data. The group realizes that this may remain a requirement, but would favor adding that research data of uncertain meaning could be released to participants 'if asked'.

6. Disclosure of unvalidated results (see #5)

7. IRB issues: A. Additional waiver criteria, B. Expedited review

The new regulation's additional waiver criteria seemed to lack a strong rationale and to be very similar to the waiver criteria that already exist in the Common Rule.

The group favors retention of expedited review by IRB, but requiring that it be done by a small group rather than one person.

IRBs are overworked, and additional requirements on them without additional support and training in privacy will be a problem. We strongly support such support and training.

8. Release of information about deceased persons. Although the 2-year rule for deceased persons creates asymmetry with the rule for living persons, this requirement does not operationally impact epidemiology substantially.

9. Notice of change in privacy practices - no comment

10. Burden of costs increased with little or no additional privacy for individuals. We strongly agree with this point.



Last updated 2/21/2000 by Victor Schoenbach