2.2.1. The Common Rule

International and domestic concerns about the protection, respect, and privacy of human subjects resulted in a uniform set of regulations from the Federal agencies that fund such research known as the “Common Rule.”^{18, 19} The legal requirements of the Common Rule apply to research involving human subjects conducted or supported by the 17 Federal departments and agencies that adopted the Rule. Some of these agencies may require additional legal protections for human subjects. The HHS regulations will be used for all following references to the Common Rule.

Among these requirements is a formal written agreement, from each institution engaged in such research, to comply with the Common Rule. For human subjects research conducted or supported by most of the Federal entities that apply the Common Rule, the required agreement is called a Federalwide Assurance (FWA).²⁰ Research institutions may opt in their FWA to apply Common Rule requirements to all human subjects research activities conducted within their facilities or by their employees and agents, regardless of the source of funding. The application of Common Rule requirements to a particular registry depends on the institutional context of the registry developer, relevant institutional policies, and whether the health information contributed to the registry maintains patient identifiers.

The Office for Human Research Protections (OHRP) administers the Common Rule as it applies to human subjects research conducted or supported by HHS. Guidance published by OHRP discusses research use of identifiable private health information. This guidance makes clear that OHRP considers the creation of health information registries—containing individually identifiable, private information—for research purposes to be human subjects research for the institutions subject to its jurisdiction.²¹ The applicability of the Common Rule to research registries is discussed in more detail in Section 4.

OHRP regulations for human subjects protection require prospective review and approval of the research by an institutional review board (IRB) and the informed consent (usually written) of each of the human subjects involved in the research, unless an IRB expressly grants a waiver of informed consent requirements.²² A research project must satisfy certain regulatory conditions to obtain IRB approval of a waiver of the informed consent requirements. (See Section 3.3.5 for discussion of waivers of informed consent requirements.) A registry plan is the research “protocol” reviewed by the IRB. At a minimum, the protocol should identify (1) the research purpose of a health information registry, (2) detailed arrangements for obtaining informed consent, or detailed justifications for not obtaining informed consent, to collect health information, and (3) appropriate safeguards for protecting the confidentiality of registry data, in addition to any other information required by the IRB on the risks and benefits of the research.²³

As noted previously, for human subjects research conducted or supported by most Federal departments and agencies that have adopted the Common Rule, an FWA satisfies the requirement for an approved assurance of compliance. Some research organizations extend the application of their FWA to all research, regardless of the funding source. Under these circumstances, any patient information registry created and maintained within the organization may be subject to the Common Rule. In addition, some research organizations have explicit institutional policies and procedures that require IRB review and approval of all human subjects research.

2.2.2. The Privacy Rule

In the United States, HIPAA and its implementing regulations⁴ (here collectively called the Privacy Rule) created legal protections for the privacy of individually identifiable health information created and maintained by “covered entities” and their “business associates.” “Individually identifiable health information” is information, including demographic data, created or received by a health care provider, health plan, employer, or health care clearinghouse, that identifies an individual or could be used to identify an individual, and relates to (1) an individual's past, present, or future physical or mental health condition; (2) the provision of health care to an individual; or (3) the past, present, or future payment for health care to an individual. With certain exceptions, “individually identifiable health information” is “protected health information” (PHI) under the Privacy Rule when it is transmitted or maintained by a covered entity or a business associate on behalf of a covered entity.²⁴ Because registries may exist over long periods of time, it is important to note one exception that provides that the individually identifiable information of persons who have been deceased for more than 50 years is not considered PHI.

Covered entities are health care providers that engage in certain standard financial or administrative health care transactions electronically, health plans, and health care clearinghouses.²⁵ Business associates generally are persons or organizations, other than a member of a covered entity's workforce, that perform certain functions or services (e.g., claims processing, data analysis, data aggregation, patient safety activities) on the covered entity's behalf that involve access to protected health information.²⁶ For the purposes of this chapter, the relevant entities are covered health care providers, which may include individual health care providers (e.g., a physician, pharmacist, or physical therapist), health care insurance plans, and their business associates. The discussion in this chapter assumes that the data sources for registries are HIPAA-covered entities or their business associates, which are subject to provisions of the Privacy Rule. In the event that a registry developer intends to collect and use data from sources that are not covered entities or their business associates under the Privacy Rule, such as personal health record vendors not working on behalf of a covered entity or business associate, these sources still may be subject to other laws, such as State laws, that may govern the protection of patient information.

Although data sources are assumed to be subject to the Privacy Rule, registry developers and the associated institutions where the registry will reside may not be. Notably, the Privacy Rule does not apply to registries that reside outside of a covered entity or business associate. Within academic medical centers, for example, registry developers may be associated with units that are outside of the institutional health care component to which the Privacy Rule applies, such as a biostatistics or economics department. But because many, if not virtually all, data sources for registries are covered entities or their business associates, registry developers are likely to find themselves deeply enmeshed in the Privacy Rule. In addition, the formal agreements required by the Privacy Rule in certain circumstances in order to access, process, manage, and use certain forms of patient information impose legally enforceable continuing conditions upon data recipients under contract law. Such conditions of use also may result in direct liability under HIPAA if the registry is considered a business associate of a data source that is a covered entity (see the discussion in Section 3.4.3 below of the HITECH Act, which extended direct liability for compliance with certain requirements of the HIPAA Rules to business associates of covered entities, where before business associates were required and liable to protect the information to which they had access only through their business associate contracts with covered entities). Therefore, registry developers should be cognizant of the patient privacy considerations confronting their likely data sources—as well as themselves, if they are performing functions or services on behalf of their data sources as business associates—and should consider following certain Privacy Rule procedures, required or not, depending on their arrangements with those data sources.

In general, the Privacy Rule defines the circumstances under which covered entities (e.g., health plans and most health care providers) and their business associates may use and disclose patient information for a variety of purposes, including research. The Privacy Rule establishes a Federal baseline of protections, which do not pre-empt more stringent (more protective) State laws.²⁷ For example, the Privacy Rule requires covered entities to include certain information in patient authorizations for the use or disclosure of individually identifiable information, including an expiration date or event that can be many years in the future. The laws of the State of Maryland, however, specifically require that, absent certain exceptions, a patient's authorization may only be valid for a maximum period of 1 year.²⁸ In this case, a covered entity located in Maryland can and should satisfy both the Privacy Rule and State law requirements by complying with the State's one-year maximum expiration deadline on its patient authorization forms.

The Privacy Rule regulates the use of identifiable patient information within health care providers' organizations and health insurance plans (and within their business associates), and the disclosure of patient information to others outside of the entity.²⁹ As a result, the initial collection of registry data from covered entities or business associates is subject to Privacy Rule requirements, which may apply in different ways depending on the registry's purpose, whether the registry resides within a covered entity or outside of a covered entity, whether the registry is considered a business associate of the covered entity, and the extent to which the patient information identifies individuals. Health care providers or insurance plans, as well as their business associates, that create, use, and disclose patient information for clinical use or business purposes are subject to civil—and in some cases criminal—liability for violations of the Privacy Rule.

Registry developers should be sufficiently knowledgeable about the Privacy Rule to facilitate the necessary processes for their data sources. In developing a registry, they should expect to interact with clinicians, the privacy officer, the IRB or privacy board staff, health information system representatives, legal counsel, compliance officials, and contracting personnel. Registry developers should also maintain awareness of regulatory modifications or amendments to, or new guidance on how to comply with, the Privacy Rule, which can be expected as the use of electronic health information becomes more prevalent. For example, on January 25, 2013, HHS issued significant modifications to the Privacy Rule, many of which implemented HITECH Act requirements.³⁰ One of the most relevant modifications for registry developers, as mentioned above and discussed more fully below in Section 3.4.3, is the extension of certain Privacy Rule requirements and liability directly to business associates.³¹

Subsequent use and sharing of registry data may be affected by the regulatory conditions that apply to initial collection, as well as by other ethical concerns and legal issues. The Privacy Rule created multiple pathways by which registries can compile and use patient information. For instance, a registry within a covered entity may obtain a HIPAA authorization from each patient contributing identifiable information to a registry for a particular research project, such as the relationship between hypertension and Alzheimer's disease. If the registry subsequently seeks to use the data for another research purpose, it may do so if it obtains new authorizations or satisfies the conditions of another permission in the Privacy Rule—for example, by de-identifying the data to Privacy Rule standards. Alternatively, the registry can obtain authorizations for use and disclosure of individuals' health information for future research purposes at the same time that it obtains authorization to place the information in the registry, as long as the authorization for future research use or disclosure adequately describes the purposes of the future research such that it would be reasonable for the individual to expect that his or her information could be used or disclosed for the future research.

The authors recommend that registry developers establish a detailed tracking system, based on the extent to which registry data remain identifiable for individual patients, for the collection, uses, and disclosures of registry data. The tracking system should produce comprehensive documentation of compliance with both Privacy Rule requirements and legally binding contractual obligations to data sources.

With regard to registries developed for research purposes, the Privacy Rule defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”³² Commentary by HHS on the Privacy Rule explicitly includes within this definition of research the development (building and maintenance) of a repository or database for future research purposes.³³ The definition of research in the Privacy Rule partially restates the definition of research in the preexisting Common Rule for the protection of human subjects, adopted by HHS and certain other Federal agencies.³⁴ Some implications of this partial restatement of the definition of research are discussed later in this chapter.

The National Institutes of Health (NIH) has published guidance, in collaboration with the Office for Civil Rights and other HHS offices and agencies, on the impact of the Privacy Rule on health services research and research databases and repositories. The NIH guidance identifies the options available to investigators under the Privacy Rule to gain access to health information held by health care providers and insurance plans.³⁵ For example, in addition to provisions for the use or disclosure of identifiable patient information for research, the Privacy Rule permits health care providers and insurance plans (and business associates on their behalf) to use or disclose patient information for certain defined public health activities.³⁶ The Privacy Rule defines a public health authority as “an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency… that is responsible for public health matters as part of its official mandate.”³² The Centers for Disease Control and Prevention and HHS have jointly published specific guidance on the Privacy Rule for public health activities.³⁷ Other Privacy Rule provisions permit the use or disclosure of patient health information as required by other laws.³⁸

The protections for patient information created by the Privacy Rule that are generally relevant to registries developed for research purposes include explicit individual patient authorization for the use or disclosure of identifiable information,³⁹ legally binding data use agreements for the release of “limited data sets” between health information sources and users,⁴⁰ the removal of specified identifiers or statistical certification to achieve de-identification of health information,⁴¹ an accounting of disclosures to be made available to patients at their request,⁴² and notification in the event of a breach of unsecured protected health information to affected individuals who may be affected by the breach. In addition, if certain criteria required by the Privacy Rule are satisfied, an IRB or privacy board may grant a waiver of individual patient authorization for the use or disclosure of health information in research.⁴³

2.2.3. FDA Regulations

U.S. Food and Drug Administration (FDA) regulatory requirements for research supporting an application for FDA approval of a product also include protections for human subjects, including specific criteria for protection of privacy and maintaining the confidentiality of research data.⁴⁴

2.2.4. Applicability of Regulations to Research; Multiple-Purpose Registries

At many institutions, the IRB or the office that provides administrative support for the IRB is the final arbiter of the activities that constitute human subjects research, and thus may itself determine what activities require IRB review. A registry developer is strongly encouraged to consult his or her organization's IRB or a central IRB, as applicable, early in the registry planning process to avoid delays and lessen the need for multiple revisions of documentation submitted to the IRB. Distinctions between research and other activities that apply scientific methodologies are frequently unclear. Such other activities include both public health practice⁴⁵ and quality-related investigations.⁴⁶ Both the ostensible primary and secondary purposes of an activity are factors considered in the determination of whether registry activities constitute research subject to the Common Rule. As interpreted by OHRP, if any secondary purpose of an activity is research, then the activity should be considered research.⁴⁷ This OHRP interpretation of research purpose differs from that of the Privacy Rule with respect to quality-related studies performed by health care providers and insurance plans. Under the Privacy Rule, only if the primary purpose of a quality-related activity is to obtain generalizable knowledge do the research provisions of the Privacy Rule apply; otherwise, the Privacy Rule defines the activity as a “health care operation.”⁴⁸

Registry developers should rely on their privacy officer's and IRB's experience and resources in defining research and other activities for their institutions and determining which activities require IRB review as research. In meeting accreditation standards, inpatient facilities typically maintain standing departmental (e.g., pediatrics) or service (e.g., pharmacy or nursing) committees to direct, review, and analyze quality-related activities. Some physician groups also establish and maintain quality-related programs, because good clinical practice includes ongoing evaluation of any substantive changes to the standard of care. These institutional quality committees can provide guidance on the activities that usually fall within their purview. Similarly, public health agencies typically maintain systematic review processes for identifying the activities that fit within their legal authority.

As mentioned previously, use of registry data for multiple research purposes may entail obtaining additional permissions from patients or satisfying different regulatory requirements for each research purpose. Standard confidentiality protections for registry data include requirements for physical, technical, and administrative safeguards to be incorporated into plans for a registry. In some instances, an IRB may not consider legally required protections for the research use of patient information sufficient to address relevant confidentiality concerns, including the Privacy Rule protections that may be applicable to registries created by or maintained within covered entities, such as health care providers and insurance plans, or business associates. For example, information about certain conditions (such as alcoholism or HIV-positive status) and certain populations (such as children) may be associated with a greater potential for harm from social stigma and discrimination. Under these circumstances, the IRB can make approval of a registry plan contingent on implementation of additional safeguards that it determines are necessary to minimize the risks to the individuals contributing health information to the registry.

3.3.1. De-Identified Patient Information

The Privacy Rule describes two methods for de-identifying health information.⁶⁸ One method requires the removal of certain data elements. The other method requires that a qualified expert certify that the potential for identifying an individual from the data elements is very small.

A qualified expert should have “appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable” in order to make this determination.⁶⁹ De-identified information may include a code permitting re-identification of the original record by the data source (covered entity), provided certain conditions are met.⁷⁰ The code may not be derived from information about an individual, including hash codes,⁷¹ and should resist translation. In addition, the decoding key must remain solely with the health care provider or plan that is the source of the patient information, and the covered entity cannot use or disclose the code for any other purpose.⁷⁰

Research using existing data in which individual patients cannot be identified directly or indirectly through linked identifiers does not involve human subjects as defined by the Common Rule, and thus is not subject to the requirements of the Rule.⁶³ Refer to the discussion later in this chapter.

As a prudent business practice, each health care provider or insurance plan or their business associate that is a source of de-identified information is likely to require an enforceable legal agreement with the registry developer. It should be signed by an appropriate institutional official on behalf of the registry developer. At a minimum, this agreement will likely contain the following terms, some of which may be negotiable: the identification of the content of the data and the medium for the data; a requirement that the data recipient, and perhaps the health care provider or insurance plan or their business associate providing the data, make no attempt to identify individual patients; the setting of fees for data processing and data use; limitations on disclosure or further use of the data, if any; and an allocation of the risks of legal liability for any improper use of the data.

3.3.2. Limited Data Sets of Health Information

De-identified health information may not suffice to carry out the purposes of a registry, especially if the registry is designed to receive followup information as a result of monitoring patients over time or information from multiple sources in order to compile information on a health event (e.g., cancer incidence). Dates of service and geographic location may be crucial to achieving the purposes of the registry or to the integrity and use of the data. Health information provided to the registry that is not fully de-identified but excludes direct identifiers may constitute a limited data set as defined by the Privacy Rule.⁶⁷ A health care provider or insurance plan (or business associate on behalf of a provider or plan if permitted by the terms of the business associate agreement) may disclose a limited data set of health information for research, public health, or health care operations purposes, provided it enters into a data use agreement (DUA) with the recipient. The terms of the DUA must satisfy specific Privacy Rule requirements.⁷² Institutional officials for both the data source and the registry developer should sign the DUA so that a legal contract results. The DUA establishes the permitted uses of the limited data set by the registry developer (i.e., the creation of the registry and subsequent use of registry data for specified research purposes). The DUA may not authorize the registry developer to use or disclose the information in a way that would result in a violation of the Privacy Rule if done by the data source.⁷³ Furthermore, the DUA for a limited data set of health information must provide that the data recipient will appropriately safeguard the information and not attempt to identify individual patients or to contact those patients.⁷⁴ Certain other requirements also apply.

An investigator who works for a health care provider or insurance plan to which the Privacy Rule applies and that is the source of the health information for a registry may use a limited data set to develop a registry for its own research purpose. In these circumstances, the Privacy Rule still requires a DUA that satisfies the requirements of the Privacy Rule between the health care provider or insurance plan and the investigator. This agreement may be in the form of a written confidentiality agreement.⁷⁵

A registry developer may assist a health care provider or insurance plan or their business associate by creating the limited data set.⁶⁷ In some situations, this assistance may be crucial to ensuring that data are accessible and available to the registry. In order for the registry developer to create a limited data set on behalf of a data source, the Privacy Rule requires that the data source (the covered entity or their business associate) and the registry developer (in this instance acting as a business associate) enter into a business associate agreement that satisfies certain regulatory criteria.⁷⁶ The business associate agreement is a binding legal arrangement that should be signed by appropriate institutional officials on behalf of the data source and registry developer. This agreement contains terms for managing health information as required by the Privacy Rule.⁷⁶ Most health care providers have developed a standard business associate agreement in response to the Privacy Rule and will likely insist on using it, although some modifications may need to be negotiated in order to produce registry data. A registry developer hired to create a limited data set must return or destroy the direct identifiers once the business associate relationship formed for purposes of creating the limited data set terminates and the registry developer now wants to use the limited data set (subject to the required data use agreement) for the registry purposes.

The registry populated with a limited data set may include a coded link that connects the data back to patient records, provided the link does not replicate part of a direct identifier.⁶⁷ The key to the code (e.g., encryption key) may allow health information obtained from patients over time to supplement existing registry data or allow the combination of information from multiple sources.

If the registry data obtained by investigators constitute a limited data set, then the research does not involve human subjects, as defined by HHS regulations at 45 Code of Federal Regulations (CFR) 46.102(f), and the Common Rule requirements would not apply to the registry.⁷⁷ An IRB or an institutional official knowledgeable about the Common Rule requirements should make the determination of whether a research registry involves human subjects; frequently, a special form for this purpose is available from the IRB. The IRB (or institutional official) should provide the registry developer with documentation of its decision.

3.3.3. Direct Identifiers: Authorization and Consent

As discussed above, the Privacy Rule permits the use or disclosure of patient information for research with a valid, written authorization from each patient whose information is used or disclosed.⁷⁸ The Privacy Rule specifies the content of this authorization, which gives permission for a specified use or disclosure of the health information.⁷⁹ Health care providers and insurance plans frequently insist on using the specific authorization forms that they have developed in order to avoid additional legal review and minimize any potential liability that they believe might be associated with use of other forms.

One exception to the requirement for an authorization occurs when a health care provider or insurance plan creates a registry to support its “health care operations.”⁸⁰ The Privacy Rule's definition of “health care operations” explicitly includes quality I/A, outcomes evaluation, and the development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities.³² For example, a hospital registry created to track its patient outcomes against a recognized clinical care standard as a quality improvement initiative has a health care operations purpose. The hospital would not be required to obtain authorizations from its patients for use or disclosure of the health information it tracks in this registry.

Research use of health information containing identifiable information constitutes human subjects research as defined by the Common Rule.⁶³ In general, the Common Rule requires documented, legally effective, voluntary, and informed consent of each research subject.⁸¹

Documentation of the consent process required by the Common Rule may be combined with the authorization required by the Privacy Rule for disclosure and use of health information.⁸² However, registry developers should be aware that a health care provider or insurance plan may not immediately accept the combined form as a valid authorization and may insist on legal review of the combined form before disclosing any health information.

Authorizations for the use or disclosure of health information under the Privacy Rule and informed consent to participate in research under the Common Rule must be legally effective (i.e., obtained from a legally competent subject or the subject's legally authorized representative and documented in a manner consistent with the regulations and applicable laws of the jurisdiction). Adults, defined in most States as persons who are at least 18 years old, are generally presumed legally competent in the absence of a judicially approved guardianship. Minors commonly are defined as individuals less than 18 years old and are presumed legally incompetent; therefore, a biological, adoptive, or custodial parent or guardian generally must provide consent and authorization on the minor child's behalf, unless the child has been legally emancipated or another exception applies. Registry developers should consult legal counsel about situations in which these presumptions seem inapplicable, such as when a registry is created to investigate contraceptive drug and device use by adolescents, or other situations in which State or Federal law exceptions may apply.

In addition to being voluntary and legally effective, an individual's consent should be informed about the research, including what activities are involved, as well as the expected risks and potential benefits from participation. The Common Rule requires the consent process to include specific elements of information.⁸¹ Registry developers should provide non–English-speaking patients with appropriate resources to ensure that the communication of these elements during the consent process is comprehensible. All written information for patients should be translated, or else arrangements should be made for qualified translators to assist in the consent process.

IRBs may approve waivers or alterations of both authorization (for use or disclosure of patient information for registry purposes) and consent (to registry participation), provided the research use of health information satisfies certain regulatory conditions. In addition, the Privacy Rule provides for the ability of privacy boards to approve waivers of authorization for the research use of health information where an organization does not have an IRB.⁸³ Waivers are discussed in detail below.

In certain limited circumstances, research subjects can consent to future unspecified research using their identifiable patient information. The Common Rule permits an IRB-approved consent process to be broader than a specific research project⁸¹ and to include information about research that may be done in the future. In its review of such future research, an IRB can subsequently determine that the previously obtained consent (1) satisfies or (2) does not satisfy the regulatory requirements for informed consent. If the previously obtained consent is not satisfactory, an additional consent process may be required; alternatively, the IRB may grant a waiver of consent, provided the regulatory criteria for a waiver are satisfied.

As such, an IRB-approved consent process for the creation of a research registry should include a description of the specific types of research to be conducted using registry data. For any future research that involves private identifiable information maintained by the registry, the IRB may determine that the original consent process (for the creation of the research registry) satisfies the applicable regulatory requirements because the prospect of future research and future research projects were adequately described. The specific details of that future research using registry data may not have been known when data were collected to create the registry, but that research may have been sufficiently anticipated and described to satisfy the regulatory requirements for informed consent. For consent to be informed as demanded by the ethical principle of respect for persons, however, any description of the nature and purposes of the research should be as specific as possible.

If a registry developer anticipates subsequent research use of identifiable private registry data, he or she should request an assessment by the IRB of the description of the research that will be used in the consent process for potential subjects at the time the data are initially collected. Nonetheless, in its review of any subsequent research, an IRB may require an additional consent process for each research subject or may grant a waiver for obtaining further consent.

Historically, HHS rejected broadening the description of purpose in authorizations under the Privacy Rule to allow for future unspecified research.⁸⁴ As a result, an authorization for the use or disclosure of health information to create a research registry could not also authorize the future research uses of the information if the specific details of the future studies were not known when the authorization was obtained.⁸⁵ However, under the modified HIPAA Privacy Rule released on January 25, 2013, HHS modified its prior interpretation and guidance that research authorizations must be research study specific.⁸⁶ While this modification does not make any changes to the authorization requirements at 45 CFR § 164.508, HHS no longer interprets the “purpose” provision for authorizations as permitting only study-specific descriptions. This change now allows future research to be authorized provided the authorization adequately describes the purposes of any future research such that it would be reasonable for the individual to expect that his or her health information could be used or disclosed for such future research.⁸⁷ Where an authorization for the use or disclosure of registry data for the future research does not exist, a health care provider or health insurance plan maintaining the registry may need to obtain an additional authorization for the research from individuals or seek a waiver of authorization from an IRB or privacy board. Alternatively, the use or disclosure of a limited data set or de-identified registry data can occur, provided regulatory criteria are satisfied. Registries maintained by organizations to which the Privacy Rule does not apply (e.g., funding agencies for research that are not health care providers or insurance plans, professional societies, or non-health care components of hybrid entities such as in many universities) are not legally bound by the limited purpose of any original authorization that was obtained to permit data sources to disclose identifiable patient information to the registry. However, data sources or their business associates that are subject to the Privacy Rule are unlikely to be willing to provide patient information without a written agreement with the registry developer that includes legally enforceable protections against redisclosure of identifiable patient information. Regardless of whether such a written agreement is in place, a valid authorization must contain a warning to patients that their health information may not be protected by Privacy Rule protections once disclosed to recipient organizations.⁸⁸

In addition to (or in lieu of) obtaining health information from covered entities or business associates, registry developers can request that patients obtain and share with the registry copies of their own records from their health care providers or insurance plans. This strategy can be useful for collecting data on mobile populations, such as elderly retirees who occupy different residences in winter and summer, and for collecting the health records of school children. A Federal privacy law⁸⁹ protects the health records of children that are held by schools from disclosure without explicit parental consent; thus, parents can often obtain copies of these records more easily than investigators. Alternatively, individuals can simply be asked to volunteer health information in response to an interview or survey. These information collection strategies do not require obtaining a Privacy Rule authorization from each subject; however, IRB review and other requirements of the Common Rule, including careful protections of the confidentiality of registry data still may apply to a registry project with a research purpose. Moreover, a registry developer may encounter Privacy Rule requirements for the use or disclosure of patient information by a health care provider or insurance plan for purposes of recruiting registry participants. For example, a patient authorization or waiver of authorization (discussed below) may be necessary for the disclosure of patient contact information by a health care provider or insurance plan (or their business associate) to a registry developer.

3.3.4. Certificates of Confidentiality and Other Privacy Protections

Certificates of confidentiality granted by the NIH permanently protect identifiable information about research subjects from legally compelled disclosure. For the purposes of certificates of confidentiality, identifiable information is broadly defined to include any item, or combination of items, in research data that could directly or indirectly lead to the identification of a research participant.⁹⁰ Federal law authorizes the Secretary of HHS (whose authority is delegated to NIH) to provide this privacy protection to subjects of biomedical, behavioral, clinical, and other research.⁹¹ Federal funding for the research is not a precondition for obtaining a certificate of confidentiality.⁹² An investigator whose research project has been granted a certificate of confidentiality may refuse to disclose identifying information collected for that research even though a valid subpoena demands that information for a civil, criminal, administrative, or legislative proceeding at the Federal, State, or local level. The protection provided by a certificate of confidentiality is intended to prevent the disclosure of personal information that could result in adverse effects on the social, economic, employment, or insurance status of a research subject.⁹³ Detailed information about certificates of confidentiality is available on the NIH Web site.⁹⁴

The grant of a certificate of confidentiality to a research project, however, is not intended to affect State laws requiring health care and other professionals to report certain conditions to State officials; for example, designated communicable diseases, neglect and abuse of children and the elderly, or threats of violent harm. If investigators are mandatory reporters under State law, in general, they continue to have a legal obligation to make these reports.⁹⁵ In addition, other limitations to the privacy protection provided by certificates of confidentiality exist and may be relevant to particular research projects. Information on the NIH Web site describes some of these other legal limitations.⁹⁴

Registry developers should also be aware that Federal law provides specific confidentiality protections for the identifiable information of patients in drug abuse and alcoholism treatment programs that receive Federal funding.⁹⁶ These programs may disclose identifiable information about their patients for research activities only with the documented approval of the program director or authorization of the patient.⁹⁷ The basis for the director's approval is receipt of written assurances about the qualifications of the investigator to conduct the research and the confidentiality safeguards incorporated into the research protocol, and an assurance that there will be no further disclosure of identifying information by the investigator. Moreover, an independent review of the research project should determine and verify in writing that the protocol provides adequate protection of the rights and welfare of the patients and that the benefits of the research outweigh any risks to patients.⁹⁷ Prior to submitting proposed consent documentation to an IRB, registry developers should consult legal counsel about the limitations of these confidentiality protections.

As a condition of approval, IRBs frequently require investigators to obtain a certificate of confidentiality for research involving information about substance abuse or other illegal activities (e.g., underage purchase of tobacco products), sexual attitudes and practices, and genetic information. Registry developers should consult legal counsel to determine if and how the limitations of a certificate of confidentiality may affect privacy protection planning for registry data. In all circumstances, the consent process should ensure that clear notice is given to research subjects about the extent of privacy protections they may expect for their health information when it is incorporated into a registry.

In the absence of a certificate of confidentiality, a valid subpoena or court order for registry data will usually compel disclosure of the data unless State law specifically protects the confidentiality of data. For example, Louisiana's laws specifically protect the collection of information related to tobacco use from subpoena.⁹⁸ On the other hand, a subpoena or court order may supersede State law confidentiality protections. These legal instruments can be challenged in the court having jurisdiction for the underlying legal proceeding. In some circumstances, research institutions may be willing to pursue such a challenge. The remote yet definite possibility of this sort of disclosure should be clearly communicated to research subjects as a limitation on confidentiality protections, both during the consent process and in an authorization for use or disclosure of patient information.

State law may assure the confidentiality of certain quality I/A activities performed by health care providers as peer review activities.⁹⁹ When State law protects the confidentiality of peer review activities, generally, it is implementing public policy that encourages internal activities and initiatives by health care providers to improve health care services by reducing the risks of medical errors and systematic failures. Protection by peer review statutes may limit the use of data generated by quality I/A activities for any other purposes.

3.3.5. Waivers and Alterations of Authorization and Consent

As mentioned above, the Privacy Rule provides for the ability of privacy boards and IRBs to sometimes waive or alter authorizations by individual patients for the disclosure or use of health information for research purposes. (See Case Example 13.) In addition, the Common Rule authorizes IRBs to waive or alter the consent process. It is important for registry developers to keep distinct the terms “consent” and “authorization,” as they are not interchangeable with respect to the Privacy Rule and Common Rule. As described above, authorization is the term used to describe individuals' written agreement to the use or disclosure of their health information under the Privacy Rule, while consent is the term used to describe research subjects' agreement to participate in research, as required by the Common Rule. There are separate requirements for each of these permissions.

The Privacy Rule and the Common Rule each specify the criteria under which waivers or alterations of authorization and the consent process are permitted.¹⁰⁰ There are potential risks to patients participating in the registry resulting from these waivers of permission. A waiver of authorization potentially imposes the risk of a loss of confidentiality and consequent invasion of privacy. A waiver of consent potentially imposes risks of harm from the loss of self-determination, dignity, and privacy expected under the ethical principles of respect for persons and beneficence. Acknowledging these potential risks, regulatory criteria for waiver and alterations require an IRB or privacy board to determine that risks are minimal, in addition to other criteria. This determination is a necessary condition for approval of an investigator's request for a waiver or alteration of these permissions.

The following discussion refers only to waivers; registry developers should note that privacy boards and IRBs may approve alterations to authorizations or the consent process, provided a requested alteration satisfies all of the criteria required for a waiver by the Privacy Rule or Common Rule. Alterations are generally preferable to waivers in an ethical analysis based on the principle of respect for persons, because they acknowledge the importance of self-determination. In requesting alterations to an authorization or to the consent process, registry developers should be prepared to justify each proposed change or elimination of required elements (such as description of alternative procedures, courses of treatment, or benefits). Plausible justifications include a registry to which a specific element does not apply or a registry in which one element contradicts other required information in the authorization or consent documentation. The justifications for alterations should relate as specifically and directly as possible to the regulatory criteria for IRB or privacy board approval of waivers and alterations.

The Privacy Rule permits a covered entity to obtain the approval of an IRB or privacy board for a waiver of authorization if the following criteria are met: (1) the use or disclosure involves no more than minimal risk to the privacy of individuals; (2) the research cannot practicably be conducted without the waiver; and (3) the research cannot be practicably conducted without access to, and use of, the health information. The determination of minimal risk to privacy includes several elements: an adequate plan to protect identifiers from improper use or disclosure; an adequate plan to destroy identifiers at the earliest opportunity, unless a health or research justification exists to retain them; and adequate written assurances that the health information will not be reused or disclosed to others, except as required by law, as necessary for oversight of the research, or as permitted by the Privacy Rule for other research.¹⁰¹ The registry developer should provide detailed documentation of the IRB or privacy board's decision to the health care provider or insurance plan (covered entity) that is the source of the health information for registry data.⁴³ The documentation should clearly communicate that each of the criteria for a waiver required by the Privacy Rule has been satisfied.¹⁰² The privacy board or IRB documentation should also provide a description of the health information it determined to be necessary to the conduct of the research and the procedure it used to approve the waiver.¹⁰³ A health care provider or insurance plan might insist on legal review of this documentation before disclosing any health information.

The criteria for a waiver of consent in the Common Rule are similar to those for a waiver of authorization under the Privacy Rule. An IRB should determine that: (1) the research involves no more than minimal risk to subjects; (2) the waiver will not adversely affect the rights and welfare of subjects; (3) the research cannot practicably be carried out without a waiver; and (4) whenever appropriate, subjects will be provided with additional information after participation.¹⁰⁴ The criterion for additional information can be satisfied at least in part by public disclosure of the purposes, procedures, and operations of a registry, as discussed in Section 4.1.

Some IRBs produce guidance about what constitutes “not practicable” justifications and the circumstances in which justifications are applicable. For population-based research projects, registry developers may also present the scientific justification of avoiding selection bias. A waiver permits the registry to include the health information of all patients who are eligible. An IRB may also agree to consider requests for a limited waiver of consent that applies only to those individuals who decline use of their health information in a registry project. This limited waiver of consent most often permits the collection of de-identified and specified information sufficient to characterize this particular population.

An important difference between the Common Rule and FDA regulations for the protection of human subjects involves consent to research participation. The FDA regulations require consent, except for emergency treatment or research, and do not permit the waiver or alteration of informed consent.¹⁰⁵ If registry data are intended to support the labeling of an FDA-regulated product, a registry developer should plan to obtain the documented, legally effective, voluntary, and informed consent of each individual whose health information is included in the registry.

The Common Rule also permits an IRB to waive documentation of the consent process under two different sets of regulatory criteria. The first set of conditions for approval of this limited waiver requires that the only record linking an individual subject to the research is the consent document, and that the principal risk to subjects is the potential harm from a breach of confidentiality. Each subject individually determines whether his or her consent should be documented.¹⁰⁶ Alternatively, an IRB can waive documentation of consent if the research involves no more than minimal risk of harm to subjects and entails no procedures for which written consent is normally obtained outside of a research context.¹⁰⁷ For either set of regulatory criteria, the IRB may require the investigator to provide subjects with written information about the research activities in which they participate.¹⁰⁸ The written information may be as simple as a statement of research purposes and activities, or it may be more elaborate, such as a Web site for regularly updated information describing the progress of the research project.

The Privacy Rule creates a legal right for patients to receive, upon request, an accounting of certain disclosures of their health information that are made by health care providers, insurance plans, and their business associates.¹⁰⁹ The accounting must include disclosures that occur with a waiver of authorization approved by a privacy board or IRB. The Privacy Rule specifies the information that an accounting should contain¹¹⁰ and requires it to cover a six-year period or any requested shorter period of time.¹¹¹ If multiple disclosures are made to the same recipient for a single purpose, including a research purpose, a summary of these disclosures may be made. In addition, because most waivers of authorization cover records of many individuals, and thus an individualized accounting in such circumstances may be burdensome or impossible, the Privacy Rule provides that if the covered entity has disclosed the records of 50 or more individuals for a particular research purpose, the covered entity may provide to the requestor a more general accounting, which lists the research protocols for which the requestor's information may have been disclosed, among other items.¹¹²

3.3.6. Patient Safety Organizations

The final rule (the “Patient Safety Rule”) implementing the Patient Safety and Quality Improvement Act of 2005 (PSQIA) became effective on January 19, 2009.¹¹³ The PSQIA statute was enacted in response to a 1999 report by the Institute of Medicine that identified medical errors as a leading cause of hospital deaths in the United States, with many such errors being preventable.¹¹⁴ In accordance with the statute, the Patient Safety Rule allows health care providers to voluntarily report patient safety data, known as patient safety work product (PSWP), to independent patient safety organizations (PSOs). In general, PSWP falls into three general categories: (1) information collected or developed by a provider for reporting to a PSO and actually reported; (2) information developed by the PSO itself as part of patient safety activities; and (3) information that identifies or constitutes the deliberations or analysis of, or identifies the fact of reporting to, a patient safety evaluation system.¹¹⁵ The Patient Safety Rule broadly defines PSWP to include any data, reports, records, memoranda, analyses, and statements that can improve patient safety, health care quality, or health care outcomes, provided that all such data must be developed for the purpose of reporting it to a PSO. Certain categories of information are expressly excluded from being PSWP. These include “a patient's medical record, billing and discharge information, or any other original patient or provider information…[and] information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system.”¹¹⁶

Once PSWP is received by a PSO, it may be aggregated and analyzed by the PSO to assist a provider in determining, among other things, certain quality benchmarks and underlying causes of patient risks. Under the PSQIA, PSWP is considered privileged and confidential, and it may not be disclosed unless certain requirements are met. In addition, the Privacy Rule's limitations on uses and disclosures may apply where PSWP includes PHI. Civil money penalties may be imposed for violations.¹¹⁷

The Patient Safety Rule permits PSOs to disclose PSWP—that is, they may release, transfer, provide access to, or otherwise divulge PSWP to another person—in certain circumstances, including where disclosures are authorized by the identified health care providers, limited to nonidentifiable PSWP, or made to FDA, among other specified circumstances.¹¹⁸ With respect to disclosure of PSWP for purposes of research, the regulations provide a narrow exception. The Rule allows for disclosure of identifiable PSWP to entities carrying out “research, evaluation, or demonstration projects authorized, funded, certified, or otherwise sanctioned by rule or other means by the Secretary [of Health and Human Services], for the purpose of conducting research.”¹¹⁹ Notably, the disclosure of PSWP for general research activities is not permitted under the PSQIA statute or the Patient Safety Rule.

An organization desiring to become a PSO must complete and submit a certification form to the Agency for Healthcare Research and Quality to become “listed” as a PSO.¹²⁰ A registry may choose to become listed as a PSO; however, the registry should consider whether the obligations imposed on it in its capacities as a PSO would limit or otherwise restrict its attainment of its original objectives and whether it can fully meet the regulatory requirements that apply to a PSO.¹²¹ In evaluating whether or not to be listed as a PSO, the registry developer should carefully review the registry's organizational structure and data collection processes to help ensure that there is a clear distinction between the collection of registry-related data and PSWP. For example, certain registries may publish certain information and results related to the data collected in the registry. As described above, if that registry is a PSO, then it must ensure that publication of such data does not constitute unauthorized disclosure for purposes of the PSQIA (as well as HIPAA, if applicable).

Finally, it is important for registry developers to know that, instead of becoming a PSO itself, a registry may elect to form a separate division or legal organization that it controls and segregate PSWP into that component. These types of PSOs are referred to as “Component PSOs.” By keeping registry data and PSWP separate, the registry can reduce the possibility of an impermissible disclosure of PSWP.

3.4.1. The Institute of Medicine Report

On February 4, 2009, the Institute of Medicine (IOM) published a report that examined how research was being conducted within the framework of the Privacy Rule. The IOM Report presented findings and recommendations of an IOM Committee tasked with assessing the impact of the HIPAA Privacy Rule on health research. This group had proposed recommendations to ensure that important health research might be conducted while maintaining or strengthening privacy protections for research subjects' health information.¹²² The IOM Report stated that certain Privacy Rule requirements were difficult to reconcile with other regulations governing the conduct of research, including the Common Rule and the FDA regulations, and it noted a number of inconsistencies among applicable regulations related to the de-identification of data and the ability to obtain informed consent for future research studies, among other differences.

Citing more uniform regulations in other countries, the IOM Report affirmed that “a new direction is needed, with a more uniform approach to patient protections, including privacy, in health research.”¹²³ As its primary recommendation, the IOM Committee held that Congress should authorize HHS and other Federal agencies to develop a new approach to protecting privacy that would apply uniformly to all health research and to exempt health research from the Privacy Rule when this new approach was implemented. Until such an overhaul could be accomplished, the IOM Committee called upon HHS to revise the Privacy Rule and associated guidance to address certain issues. HHS addressed some of these issues in the January 25, 2013, modifications to the Privacy Rule, such as by allowing HIPAA authorizations to encompass future research and removing prohibitions on combining certain HIPAA authorizations for multiple research studies, thereby harmonizing these HIPAA Privacy Rule requirements with the Common Rule. Nevertheless, registry operators should be aware that additional clarifications or modifications to the Privacy Rule as it relates to research activities may continue to be made in the future.

3.4.2. The Genetic Information Nondiscrimination Act of 2008

The Genetic Information Nondiscrimination Act of 2008 (GINA) was signed into law on May 21, 2008. In general, GINA prohibits discrimination in health insurance coverage (Title I) and employment (Title II) based on genetic information. GINA defines genetic information as, with respect to any individual, information about the individual's genetic tests, the genetic tests of the individual's family members, and the manifestation of a disease or disorder in the individual's family members (e.g., family health history). Title I of GINA took effect for most health insurance plans on May 22, 2009, and Title II became effective for employers on November 21, 2009. GINA also specifies that the definition of genetic information includes the genetic information of a fetus carried by a pregnant woman and an embryo legally held by an individual or family member utilizing an assisted reproductive technology. Pursuant to GINA, health insurers are prohibited from using the genetic information of individuals for underwriting purposes (e.g., determining health insurance eligibility and coverage, or premium setting), and employers are prohibited from using genetic information in making employment-related decisions.

In addition to its nondiscrimination requirements, GINA also required related amendments to the Privacy Rule to clarify that genetic information is health information for purposes of the Privacy Rule, and to prohibit certain health plans from using or disclosing genetic information for underwriting purposes.¹²⁴

3.4.3. The HITECH Act

The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. Funds appropriated as a result of passage of ARRA are supporting new registries developed to study comparative effectiveness of treatments and protocols. It should be noted that there are no specific exceptions to regulatory or ethical requirements for such comparative effectiveness registries. Title XIII of division A and Title IV of division B of ARRA, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) significantly modified the obligations of HIPAA covered entities and the business associates who perform certain services on behalf of covered entities.

Perhaps most significantly, the HITECH Act extends to business associates direct liability for compliance with many of the key privacy and security obligations contained in the HIPAA Rules, where before business associates were required to protect (and liable for failing to protect) the information to which they had access only through their business associate contracts with covered entities. Specifically, the HITECH Act imposed direct liability on business associates for compliance with the administrative, physical, and technical safeguard requirements for electronic protected health information under the HIPAA Security Rule, as well as for compliance with the use and disclosure provisions of the Privacy Rule and the business associate agreement. While many business associate agreements previously contained general safeguarding requirements (e.g., requiring the business associate to maintain appropriate technical safeguards), these agreements often had not imposed specific security requirements (e.g., a requirement that the business associate implement procedures to terminate an electronic session after a predetermined time of inactivity). The HITECH provisions now subject business associates to civil and criminal penalties once reserved only for covered entities under the HIPAA Rules. The HITECH Act obligations imposed on business associates were finalized through HHS rulemaking on January 25, 2013, with compliance required by September 23, 2013.³¹

The HITECH Act also created new breach notification requirements for covered entities and business associates. Following a breach of unsecured protected health information, covered entities must notify the affected individuals, HHS, and in some cases, the media. Notification must be provided without unreasonable delay but in no case later than 60 calendar days after the breach is discovered (except in cases of reports to HHS of breaches affecting less than 500 individuals, in which case, notification to HHS is required not later than 60 days after the end of the calendar year in which the breach was discovered). Depending on the circumstances, individual notification may include both direct, written notification to affected individuals via first-class mail or email, as well as substitute notice via conspicuous posting on the entity's Web site or in major print or broadcast media.

If a business associate experiences a breach of any unsecured protected health information it maintains, the business associate must provide notification to the applicable covered entity without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered, so that the covered entity can provide the notifications described above with respect to the breach or delegate that responsibility to the business associate. Any notification by a business associate must include the identification of any individual(s) whose information was accessed, acquired, or disclosed during the breach. The Department issued an interim final rule to implement the breach notification requirements on August 24, 2009, which became effective on September 23, 2009. On January 25, 2013, the Department published modifications to and made permanent these breach notification requirements.¹²⁵

3.4.4. Summary of Regulatory Requirements

The use and disclosure of health information by health care providers and insurance plans for research purposes, including for registries, are assumed by the authors of this chapter to be subject to regulation under the Privacy Rule and may be subject to the Common Rule.

In general, the Privacy Rule permits a covered entity (or business associate on its behalf) to use or disclose patient information for registry purposes, subject to specific conditions, where the use or disclosure is: (1) for a registry supporting certain public health activities, including registries developed in connection with FDA-regulated products; (2) for a registry supporting the health care operations of a health care provider or insurance plan (covered entities), such as for quality I/A; (3) for a registry created by health oversight authorities for health system oversight activities authorized by law; (4) limited to de-identified health information; (5) limited to a “limited data set” of patient information that lacks specified direct identifiers, and a data use agreement is in place with the recipient; (6) pursuant to patient authorizations; or (7) consistent with a waiver or alteration of authorization by an IRB or privacy board.

The Common Rule will apply to the creation and use of registry data if (1) the registry is funded by HHS or the organization responsible for the registry has an FWA that encompasses the registry project, regardless of funding, and (2) the creation of the registry and subsequent research use of the registry data constitute nonexempt human subject research as defined by the Common Rule. As interpreted by OHRP, human subject research includes registry activities which have a research purpose, which may be in addition to the main purpose of the registry. Registry developers are strongly encouraged to consult the IRB, not only about the applicability of the Common Rule, but also about the selection of data elements, the content of the consent process or the regulatory criteria for waiver, and any anticipated future research involving identifiable registry data.

State laws regulate public health activities and may also apply in various ways to the research use of health information. NIH can issue certificates of confidentiality to particular research projects for the protection of identifiable personal information from most legally compelled disclosures. Federal law provides specific privacy protections to the health information of patients in substance abuse programs that receive Federal funding. The institutional policies of health care providers and insurance plans may also affect the use and disclosure of the health information of their patient or insured populations.

Legal requirements applying to use or disclosure of health information for research are evolving and can significantly influence the planning decisions of registry developers and investigators. It is prudent to obtain early and frequent consultation, as necessary, with institutional privacy officers, privacy board or IRB staff and members, information system representatives of health care providers and insurance plans, plus technology transfer representatives and legal counsel.

4.3.1. Health Information Ownership in General

The Privacy Rule was not intended to affect existing laws governing the ownership of health records.¹²⁸ However, multiple entities are often in a position to assert ownership claims to health information in various forms. For example, certain States have enacted laws that assign ownership of health records. At the current time, such claims of ownership are plausible, but none are known to be legally tested or recognized, with the exception of copyright claims. Entities that could claim ownership include health care providers and insurance plans, funding agencies for registry projects, research institutions, and government agencies. Notably, State law requires health care providers to maintain documentation of the services they provide. This documentation is the medical-legal record compiled on each patient who receives health care services from an individual or institutional provider. Individuals, including patients (who may have a potential liberty interest in maintaining control of its use), registry developers, and investigators, may also assert ownership claims to health information. The basis for these claims is control of the tangible expression of and access to the health information.

There is no legal basis for assertions of ownership of facts or ideas; in fact, established public policy supports the free exchange of ideas and wide dissemination of facts as fundamental to innovation and social progress.¹²⁹ However, as a tangible expression of health information moves from its creation to various derived forms under the control of successive entities, rights of ownership may be transferred (assigned), shared, or maintained, with use of the information under a license (i.e., a limited transfer of rights for use under specific terms and conditions). Currently, in each of these transactions, the rights of ownership are negotiated on a case-by-case basis and formalized in written private agreements. The funding agency for a registry may also assert claims to ownership as a matter of contract law in their sponsorship agreements with research organizations.

Many health care providers are installing systems for electronic health records at great expense. Many also are contemplating an assertion of ownership in their health records, which may include ownership of copyright. The claim to ownership by health care providers may be an overture to commercialization of their health care information in aggregate form.¹³⁰ Public knowledge of and response to such assertions of ownership are uncertain at this time. A licensing program for the use of health information may enable health care providers to recoup some of their investment costs of electronic health records including the expenses associated with the technicians engaged to maintain them. In the near future, research use of health information for a registry may require licensing, in addition to the terms and conditions in data use agreements and, if necessary, in business associate agreements required by the Privacy Rule . Subsequent research use of the registry data will likely be based on the terms of the original license.

Among the changes ARRA has made in the regulation of health care information is a prohibition on its sale, subject to certain exceptions, including a limited one for the disclosure of health information for research purposes. This exception permits covered entities to recover a reasonable cost-based fee to cover the cost for the preparation and transmittal of the health information for the research purpose.¹³¹

For academic institutions, publication rights are an important component of intellectual property rights in data. Formal institutional policies may address publication rights resulting from faculty educational and research activities. Moreover, the social utility and benefit of any registry is evaluated on the basis of its publicly known findings and any conclusions based on them. The authors strongly encourage registry developers to maximize public communication of registry findings through the customary channels of scientific conferences and peer-reviewed journals. The goal of public communication for scientific findings and conclusions applies equally to registries operated outside of academic institutions (i.e., directly by industry or professional societies). For further discussion of developing data access and publication policies for registries, see Chapter 2.

The concept of ownership does not fit comfortably in the context of health information, because it largely fails to acknowledge individual patient privacy interests in health information. An inescapable personal nexus exists between individuals and information about their health. A recent failure that illustrates this relationship, with regard to patient interests in residual tissue from clinical procedures, resulted in widely publicized litigation to determine who owned the residual tissue and how it could be used for future research.¹³² The legal concept of custody may be a useful alternative to that of ownership. Custodians have legal rights and responsibilities like those that a guardian has for a ward or parents have for their children. Custody also has a protective function, consistent with public expectations of confidentiality practices that preserve the privacy and dignity of individual patients. Custody and its associated legal rights and responsibilities are transferable from one custodian to another. The concept of custody can support health care provider investments in information systems and the licensed use of health information for multiple, socially beneficial purposes without denying patient interests in their health information.

The sharing of registry data subsequent to their collection presents special ethical challenges and legal issues.¹³³ The criteria used to determine the conditions for shared use include applicable Federal or State law as well as the regulatory requirements in place when the health information was originally obtained. These legal and regulatory requirements, as well as processing and licensing fees, claims of property rights, and concerns about legal liability, are likely to result in formal written agreements for each use of registry data. Moreover, to educate patients and establish the scientific independence of the registry, registry developers should make known the criteria under which data is used.

Currently, there are no widely accepted social or legal standards that govern property rights in health information, with the possible exception of copyright, which is discussed below. At the time of this writing, health information sources and other users privately reach agreement to manage access and control. The Privacy Rule regulates the use and disclosure of health information by covered entities (including health plans and most health care providers), plus business associates working on behalf of covered entities, without regard to ownership interests over the data; the Privacy Rule does not affect existing laws, if any, regarding property rights in health information.¹³⁴

4.3.2. Copyright Protection for Health Information Registries

In terms of copyright theory, a health information registry is likely to satisfy the statutory definition of a compilation¹³⁵ and reflect independent creativity by its developer.¹³⁶ Thus, copyright law may provide certain protections for a health information registry existing in any medium, including electronic digital media. The “facts” compiled in a health information registry, however, do not correlate closely to other compilations protected by copyright, such as telephone books or even genetic databases.¹³⁷ Instead, registry data constitute legally protected, confidential information about individual patients to which independent and varied legal protections apply. Copyright protections may marginally enhance, but do not diminish, other legal restrictions on access to and use of health information and registry data. For more information on copyright law, see Appendix B.