ebook img

Legal and Ethical Architecture for PCOR Data PDF

233 Pages·2017·12.11 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Legal and Ethical Architecture for PCOR Data

Legal and Ethical Architecture for PCOR Data Jane Hyatt Thorpe, JD Lara Cartwright-Smith, JD, MPH Elizabeth Gray, JD, MHA Marie Mongeon, MPH(c) The George Washington University Milken Institute School of Public Health Department of Health Policy and Management September 28, 2017 TABLE OF CONTENTS Chapter 1: Overview of Legal and Ethical Architecture for PCOR Data Chapter 2: Legal and Ethical Significance of Data for PCOR Chapter 3: Linking Legal and Ethical Requirements to PCOR Data Chapter 4: Framework for Navigating Legal and Ethical Requirements for PCOR Chapter 5: Mapping Research Data Flows to Legal Requirements Appendix A: Statutes and Regulations Relevant To PCOR Appendix B: Assessing Potential Barriers and Ambiguity in the Legal Landscape Appendix C: Selected Federal Initiatives Appendix D: Selected Federal Resources Appendix E: Glossary Legal and Ethical Architecture for PCOR Data CHAPTER 1: OVERVIEW OF LEGAL AND ETHICAL ARCHITECTURE FOR PCOR DATA Submitted by: The George Washington University Milken Institute School of Public Health Department of Health Policy and Management TABLE OF CONTENTS INTRODUCTION ........................................................................................................... 1 BACKGROUND ............................................................................................................. 2 Key Laws for PCOR Research ............................................................................................................ 4 Content-Specific Statutes and Regulations ........................................................................................... 4 Research-Specific Statutes and Regulations ......................................................................................... 5 Setting-Specific Statutes and Regulations ............................................................................................ 5 Ethical Considerations ...................................................................................................................... 7 Prior and Related Federal Efforts ...................................................................................................... 7 Development of the Architecture ................................................................................. 8 Audience .......................................................................................................................................... 8 Process............................................................................................................................................. 8 How to navigate and use the Architecture ................................................................. 10 Architecture Structure .................................................................................................................... 11 REFERENCES .............................................................................................................. 15 Chapter 1 Overview of Legal and Ethical Architecture for PCOR Data INTRODUCTION The American healthcare system is experiencing an information revolution, rapidly approaching an age in which all patient records and related information will be maintained and accessed electronically. Volumes of data on a scale only recently imaginable are passing between individuals and institutions and are used in ways we could not predict. This “data revolution” is occurring as the U.S. healthcare delivery system undergoes a major transformation to become a more robust, evidence-based endeavor that is highly reliant on healthcare data for purposes ranging from real-time care delivery and coordination to research. At the same time, access to, use of, and release of health information, particularly individually identifiable health information, is highly regulated at both the federal and state levels. Now more than ever, the law places real as well as perceived barriers and burdens on the collection and use of health information. Important privacy and security issues arise in relation to the use of health information for research, new payment and care delivery structures, and new expectations for patient safety, high- quality care, and patient engagement in their own healthcare. These issues are particularly relevant to the expanding field of health-related research, which provides the evidence base necessary to transform the U.S. healthcare delivery system. In this dynamic environment of expanding data availability and greater technological capacity, patients and providers may access or have presented to them more health information than heretofore imagined. While the potential benefits of such information are significant, with more data come more complex legal and ethical issues. This is particularly true in the field of patient-centered outcomes research (PCOR) that requires patient-level data to improve health outcomes for individual patients as well as to provide evidence that will benefit other patients and providers. The Patient-Centered Outcomes Research Institute (PCORI) is leading efforts to identify research questions, fund patient-centered comparative effectiveness research (CER), and better disseminate findings to patients, providers, and other end users. PCORI’s work is to determine through PCOR, a type of CER, which of the many healthcare options available to patients and those who care for them work best in particular circumstances. Crucial to PCOR-related efforts is an infrastructure that ensures all parties understand the applicable legal requirements and ethical considerations when an individual’s data is accessed or used for PCOR. The incorporation of patient-level data into PCOR requires balancing both the need for sufficient information granularity to allow for meaningful research protocols and conclusions with the heightened need to protect patient privacy. An architecture is necessary to ensure patient privacy is protected and health information is appropriately secured during collection, access, use, and disclosure as required by law, regulation, and/or policy. In addition, the architecture must support a culture of trust that promotes ongoing patient participation in all forms of research-related data collection, including clinical trials, survey data collection, and re-use of routinely collected data. The PCOR Privacy and Security Research Scenario Initiative and Legal Analysis and Ethics Framework Development project, funded by the U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC), supported the development of a legal Legal and Ethical Architecture for PCOR Data September 28, 2017 Chapter 1: Overview of Legal and Ethical Architecture for PCOR Data 1 and ethical architecture to enable robust PCOR while providing sufficient assurance to stakeholders that data used for PCOR and CER will be protected and secured as required by applicable laws and regulations. The final project product, this Legal and Ethical Architecture for PCOR Data (“Architecture”), is a collection of tools and resources designed to: 1. Provide a common structure and model of legal analysis of legal requirements and ethical considerations and responsibilities in research, particularly PCOR; 2. Support PCOR and CER through illustrative pathways for collecting and sharing data for research in compliance with relevant federal laws and regulations and in consideration of state law; and 3. Support a culture of trust between and among stakeholders through the application of meaningful and appropriate privacy and security parameters. The creation of a legal and ethical architecture for PCOR and CER is a multifaceted task that must occur in a dynamic and evolving environment. Historically, health information was collected primarily during a patient/physician encounter and stored in a paper medical record at the physician’s office. Administrative claims data were received and stored by relevant payers (e.g., health plans). Now, however, information is collected in a vast array of environments well beyond clinical and payment settings, including patient-generated health data captured in wearable technologies and personal health records. Furthermore, registries and health information exchanges also capture vast amounts of health information, whether required by law or through voluntary consumer participation. Finally, technology has advanced, enabling health information from different sources to be collected and aggregated virtually instantly and combined with other types of data as well. The legal framework has changed as well, largely in an attempt to better align the various legal requirements that apply to the use of patient data for research (discussed in further detail throughout the Architecture as well as in Appendix A: Summary of Statutes and Regulations Relevant to PCOR). For example, during the development of this Architecture, material changes were made to the Common Rule (governing human subjects research) and 42 C.F.R. Part 2 (confidentiality requirements governing federally supported substance use disorder programs). Researchers and other stakeholders should always monitor proposed and final changes in the legal framework as well as related guidance. The Architecture reflects the state of the legal framework as of September 2017. The focus of this Architecture is enabling researchers to obtain data for PCOR while protecting the privacy of the individuals whose data are used. This Architecture and component parts are technology- neutral and do not address or recommend any particular technical standards for a health information technology (IT) system. Nor does the Architecture provide legal advice or a single path that can be followed to comply with all requirements. Rather, the Architecture gives an overview of the legal requirements that relate to data use, sharing, and disclosure for PCOR and provides tools to help researchers and others identify issues and navigate requirements. Each research project and specific data use is different and will require individualized analysis, of course, and the Architecture can guide and support that analysis. The goal of this project is to help researchers identify and overcome real and perceived barriers to obtaining data, combining data, and using data in a meaningful way that will yield better understanding of patient outcomes to support future policy decisions. BACKGROUND Concerns regarding health care quality, patient safety, and escalating healthcare costs have led to increasing demands to understand what works in healthcare and ensure that the right patient receives Legal and Ethical Architecture for PCOR Data September 28, 2017 Chapter 1: Overview of Legal and Ethical Architecture for PCOR Data 2 the right care every time. There is thus a great need for PCOR to support better decision-making by patients and providers, as well as a more effective healthcare delivery system in general. Access to health information, particularly individually identifiable health information, is critical to PCOR and CER so that individuals can be followed over time and across settings to understand outcomes. This type of research is often hampered by real or perceived barriers that impede access to identifiable and other forms of health information. For example, health information needed for PCOR and CER is often held by different stakeholders across multiple sites, requiring researchers to interact with and align multiple sources of data. Researchers also often cite challenges associated with navigating the complex web of federal and state laws and regulations that govern health information. The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules provide a federal floor related to the disclosure and protection of health information by and among specific stakeholders, including providers and payers. Because this is the most widely referenced legal framework related to health information, this project will use the HIPAA definition of “health information” as follows: “Health information” is information (including demographic data) that relates to: • the individual’s past, present, or future physical or mental health or condition; • the provision of health care to the individual; or 1 • the past, present, or future payment for the provision of health care to the individual. However, with the increasing availability and variety of data that relate to an individual’s health and the different types of organizations and applications collecting information, that definition is becoming increasingly muddied. This has led to a challenging dynamic between HIPAA Regulated Entities and non- regulated entities that may create or collect the same types of data even if used for different purposes. Furthermore, HIPAA is not the only legal framework that governs health information. For example, the Common Rule governs federally supported human subject research of all purposes (including health- related research). Health information also may be subject to a myriad of other federal and state laws that often overlap and may appear to be or even are contradictory. Furthermore, some types of health information as well as some types of individuals are subject to additional protections under federal and state law (e.g., substance abuse information, minors). This complex legal environment is challenging for stakeholders, including researchers, providers, consumers, payers, and health information organizations, to be certain of the legal requirements that govern the health information they hold or acquire and their use and/or disclosure of that information. The uncertainty may stifle innovation and/or inhibit perfectly legitimate uses of health information for PCOR. In research, a single process may implicate many different obligations under different federal and state laws. A good example of this is patient consent for the disclosure of information (which is a separate issue from consent for treatment or for participation in research). Below is a table illustrating how the various elements of consent map to the different federal laws that impose requirements, depending on the context. Legal and Ethical Architecture for PCOR Data September 28, 2017 Chapter 1: Overview of Legal and Ethical Architecture for PCOR Data 3 Table 1: Federal Requirements for Consent to Disclose Identifiable Health Information Common Privacy 2 3 4 5 6 HIPAA Rule GINA Part 2 Act (HHS) Required elements: Patient’s name X 7 Specific description of information X X X X X Identify person(s) or entity authorized to make the X X requested disclosure Identify person(s) or entity authorized to receive the X X X X X requested information Describe the intended use(s) of the requested 8 X X X X X information The expiration date or event X X X Date signed X X X Signature (and/or electronic signature where acceptable) of the individual or his/her personal X X X representative Provide the following information: The individual’s right to withdraw authorization (if X X X any) and any applicable exceptions to that right. Whether any benefits may be conditioned on releasing the information and applicable consequences of refusal to consent. This includes X X X stating that refusal will involve no penalty or loss of benefits where relevant. The potential for re-disclosure of the information (if any). This includes stating that information may not X X X be re-disclosed without further authorization where applicable. Other requirements: The authorization must be written in plain language. X X Provide the individual with a copy of the form. X X Key Laws for PCOR Research This Architecture is designed to help stakeholders navigate the legal and ethical landscape for PCOR. At the federal level, statutes and regulations may be organized by their primary focus. For example, some statutes and regulations are specific to the types of health information content they govern; others are specific to certain activities, such as research; and still others are specific to the settings of care where care is delivered. Content-Specific Statutes and Regulations These statutes and regulations govern certain specific types of health information that may be used to support PCOR and CER, assuming the relevant requirements are met. For example, the HIPAA regulations govern protected health information. Part 2 of Title 42 of the Code of Federal Regulations (Part 2) governs substance abuse information held by federally assisted programs and the Genetic Information Nondiscrimination Act of 2008 (GINA) governs genetic information used for various purposes. These Legal and Ethical Architecture for PCOR Data September 28, 2017 Chapter 1: Overview of Legal and Ethical Architecture for PCOR Data 4 statutes and regulations are both permissive and prohibitive in nature, describing to whom and for what purposes these types of information may or may not be disclosed, as well as any other associated requirements. Other content-specific statutes and regulations include: the Patient Safety and Quality Improvement Act (PSQIA— patient safety work product); the Privacy Act of 1974 (individually identifiable information held by a federal agency); and the [federal] Freedom of Information Act (FOIA). Research-Specific Statutes and Regulations These statutes and regulations govern the health-related research enterprise, including PCOR and CER if certain requirements are met. For example, the Common Rule governs federally supported human subjects research. Similar to the Common Rule, FDA regulations govern experiments on human subjects involving products, drugs, or devices subject to FDA review and/or approval. Setting-Specific Statutes and Regulations These statutes and regulations govern health information that is collected, used, and/or disclosed by certain settings of care. For example, Title 38 of the U.S. Code governs health care delivered to veterans, Section 330 of the Public Health Services Act (PHSA) governs health care delivered in community health centers, and the Family and Education Rights and Privacy Act (FERPA) governs health information included in student education records. Table 2: Federal Laws: Primary Focus Content- Research- Setting- Specific Specific Specific Common Rule Subparts A–E X FDA Research Regulations X FERPA: Federal Educational Rights and Privacy Act X GINA: Genetic Information Nondiscrimination Act X HIPAA Administrative Regulations X 42 C.F.R. Part 2 X Public Health Services Act § 330 Grantees (Community Health Centers) X PSQIA: Patient Safety and Quality Information Act X Privacy Act of 1974/Freedom of Information Act (FOIA) X Title X Providers (Family Planning Clinics) X Veteran’s Administration Confidentiality Regulations (Title 38 USC § 7338) X At the state level, statutes and regulations that relate to health information vary greatly. For purposes of this project, the most relevant state statutes and regulations typically govern the privacy of health information for specific populations and specific types of information (e.g., individuals with HIV/AIDs, individuals with mental health conditions, and minors). For these populations, state laws may be more stringent than HIPAA requirements and thus must be followed as they relate to the collection, use, and disclosure of health information for these individuals. Below are brief descriptions of the most relevant laws or areas of law that may apply to PCOR: HIPAA, the Common Rule (Subparts A-D), 42 C.F.R. Part 2, the Genetic Information Nondiscrimination Act of 2008 (GINA), and state law. For more detailed summaries of these and other relevant laws, see Appendix A. Legal and Ethical Architecture for PCOR Data September 28, 2017 Chapter 1: Overview of Legal and Ethical Architecture for PCOR Data 5 HIPAA and its enabling regulations (the HIPAA Rules) establish a national framework for the management, transmission, and disclosure of health information. HHS has issued four sets of regulations implementing HIPAA’s provisions. These regulations (the HIPAA Rules) govern Covered Entities (health plans, healthcare clearinghouses, and most healthcare providers) and their Business Associates (entities providing certain services or functions to or on behalf of the Covered Entity) and protect individually identifiable health information. The Privacy Rule governs the privacy and confidentiality of such information and lists numerous purposes for which information may be shared, including for treatment, payment, research, and certain public health activities. The Security Rule identifies baseline administrative, physical, and technical safeguards to protect electronic health information that Covered Entities and their Business Associates must implement. The Enforcement Rule sets forth the enforcement system for all the HIPAA Rules, and the Breach Notification Rule establishes a notification and reporting protocol in the event of an unauthorized disclosure. The Common Rule sets forth a variety of requirements to ensure that research participants experience minimal risk to their health, safety, and privacy during and as a result of research. These regulations apply to all research protocols conducted, funded, or otherwise subject to regulation by any of 18 federal departments and agencies. There are four relevant sets of regulations governing research. Subpart A establishes general requirements for Institutional Review Board (IRB) structures, functions, and responsibilities and requirements governing the informed consent process. Subparts B–D add to and/or modify Subpart A requirements for certain types of research. Subpart B governs research involving pregnant women, human fetuses, neonates of uncertain viability, or nonviable neonates. Subpart C governs biomedical and behavioral research where the participants include prisoners. Subpart D governs research involving children as participants. Subpart E governs general administrative issues and has only been adopted by HHS. 42 C.F.R. Part 2 (Part 2) protects the confidentiality of substance use disorder patient records to ensure that such patients are not more vulnerable with respect to their privacy than those who do not seek treatment. This regulation applies to most substance use disorder programs receiving federal assistance, which is broadly defined, as well as recipients of Part 2 program patient records. The regulation prohibits disclosure of information that would identify a patient as having a substance use disorder without written patient consent, with limited exceptions for research, medical emergencies, and audits. GINA protects individuals’ and their family members’ genetic information in order to enable individuals to take advantage of genetic testing, technologies, research, and new therapies without fear of discrimination in employment or health insurance. GINA is comprised of two titles. Title I governs most health plans and health insurance issuers and prohibits the use of genetic information to make decisions about covered individuals and, with some exceptions, prohibits requesting or requiring that beneficiaries undergo genetic testing or provide genetic information. Title II governs most private and public employers and prohibits the use of genetic information to discriminate against employees or applicants and from acquiring employee’s or applicant’s genetic information for most purposes. Both titles contain exceptions that enable disclosure of genetic information for research purposes in certain circumstances. State laws may be more protective of patients’ rights than their federal corollary and often govern data, patients, and/or entities not regulated under existing federal laws. Generally, researchers must comply with the state law provisions that are more protective of privacy or more expansive than federal statutes and regulations in addition to meeting relevant federal requirements. Most states provide enhanced or specific protections for sensitive information (e.g., HIV/AIDS status, mental health information) and vulnerable populations (e.g., minors, legally incompetent adults). States also generally have laws governing state-based registries, mandatory health information reporting (e.g., communicable diseases Legal and Ethical Architecture for PCOR Data September 28, 2017 Chapter 1: Overview of Legal and Ethical Architecture for PCOR Data 6

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.