Healthcare Information Security

Patient Privacy News

Will Common Rule Changes Impact Health Data Security?

AMIA continues to support the proposed delay to the Common Rule, a move that could affect certain aspects of health data security.


By Elizabeth Snell

The American Medical Informatics Association (AMIA) reiterated its support for changes under consideration to the Federal Policy for the Protection of Human Subjects, or the Common Rule. Adjustments to the Common Rule could also have an impact on certain health data security provisions.

HHS recently proposed a year-long delay to the Common Rule, a move that AMIA claimed is necessary.

“In the last several years, a paradigm shift has occurred in the nature, scope and frequency of research involving human subjects, their biospecimens, and their data,” AMIA said in a statement on its website. “Combined with rapid adoption of electronic health records (EHRs) by care providers and dramatic improvements in computing technology, we believe the final revisions to the Common Rule are necessary to improve discovery of new health insights and advance healthcare transformation.”

A revised Common Rule will also help translate healthcare discoveries into better patient care, the group added.

“We have been advocating on behalf of members both publicly and through contacts with the administration since the transition early this year to gain clarity on the Common Rule revisions’ status,” AMIA wrote. “AMIA looks forward to working further with HHS and the Office of Human Research Protections to ensure this rule is implemented effectively.”


HHS first proposed a change in January 2017, explaining that the Common Rule was created before the use of digital data and when the majority of research projects were performed at universities and medical institutions.

“The new rule strengthens protections for people who volunteer to participate in research, while ensuring that the oversight system does not add inappropriate administrative burdens, particularly to low-risk research,” HHS said in a statement. “It also allows more flexibility in keeping with today’s dynamic research environment.”

That proposal also included an exemption for secondary research involving identifiable private information if the research is HIPAA regulated and participants are protected under HIPAA.

Researchers would still not be required to obtain consent for studies on non-identified stored data or biospecimens, but would have the option “of relying on broad consent obtained for future research as an alternative to seeking IRB approval to waive the consent requirement.”

In June 2017, AMIA wrote a letter to HHS that called for more information to be added to the Common Rule.


AMIA maintained that the updated rule’s effective date of January 19, 2018 must stand. The rule’s compliance date should also remain June 19, 2018, “to give regulated industry time to harmonize old and new provisions.”

“The final revisions to the Common Rule reflect the kind of transparent, deliberate, and constructive process we all seek in government regulation,” the letter explained. “This process, which began more than five years ago and is meant to advance clinical research in the United States for years to come, must be carried through to completion.”

Furthermore, allowing for more secondary research of EHR data by exempting certain low-risk studies conducted by HIPAA covered entities is an important aspect of the proposed rule.

In terms of health data security, though, organizations should ensure they understand how certain areas of research (i.e. genetic research) could be impacted by the updated Common Rule.

Exempt categories of research, dependent on the level of risk they pose to participants, were part of the proposed changes. An exemption for secondary research involving identifiable private information was added, which includes when the research is HIPAA regulated and participants are protected under HIPAA.


“The new rule strengthens protections for people who volunteer to participate in research, while ensuring that the oversight system does not add inappropriate administrative burdens, particularly to low-risk research,” HHS said in a statement when the rule was finalized. “It also allows more flexibility in keeping with today’s dynamic research environment.”

Reducing health data sharing barriers is becoming an increasingly popular issue in healthcare, with some stakeholders maintaining that such a move will help improve patient care, along with aiding research.

Certain HIPAA regulations restrict patient data sharing for “health care operations,” which can include quality assessment and improvement activities, such as outcomes evaluation, AHA said in an August 2017 letter to Congress.

“The challenge that strict regulatory prohibition poses in the integrated care setting is that patients frequently do not have a relationship with all of the providers among whom information should be coordinated,” AHA stated. “A clinically integrated setting and each of its participating providers must focus on and be accountable for all patients.”

Participating providers should be able to share and conduct population-based data analyses to achieve meaningful quality and efficiency improvements, the letter continued.

“Congress should require that the HIPAA medical privacy regulation enforced by the Office for Civil Rights permit a patient’s medical information to be used by and disclosed to all participant providers in an integrated care setting without requiring that individual patients have a direct relationship with all of the organizations and providers that technically ‘use’ and have access to the data.”
