Regulatory status of human genetics research Mason W. Freeman, MD MGH-PGA, Parabiosys April 11, 2001

Partner’s Web Site for Educational Material Relating to Clinical Research

Governing Regulations The “Common Rule” The “Common Rule” –Title 45 Code of Federal Regulations, Part 46 –These are the rules governing clinical research at all federally funded organizations –They mandate IRB approval and empower local authorities to make key judgements about clinical research protocols Health Insurance Portability and Accountability Act (HIPAA-1996) Health Insurance Portability and Accountability Act (HIPAA-1996) –When Congress did not pass comprehensive legislature by 1999 the task then fell to DHHS to draft regulations, which it did. –Clinton admin. announced their publication in Dec 2000, but new DHHS Secty (Thompson) announced that they would be re-examined and opened for comment –Comment period ended 3/30/01, regulations scheduled to take effect April 14, 2001 –Political opposition has been very active and there is a 2 yr implementation period –“Privacy Rule”- HIPAA’s regulations governing the privacy of patient information encompasses research using that information

Brief history of Human Research protections governance July 12, the National Research Act was signed into law July 12, the National Research Act was signed into law –It created the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research –The Commission was charged with identifying the basic ethical principles that should underlie the conduct of human research February, the Commission convenes a four day conference in the Belmont Conference Center at the Smithsonian Institution February, the Commission convenes a four day conference in the Belmont Conference Center at the Smithsonian Institution –The final report of the Commission is therefore called the Belmont Report –The Dept of HEW, now the DHHS, adopts the Belmont report as a statement of its policy governing human research in IRB’s are mandated –The Belmont report is a statement of ethical principles, while the Code of Federal Regulations Title 45 part 46 is the actual policy governing the way federally sponsored research must be conducted (it was revised in 1991) June, the Office for Human Research Protections established in the Sect’y of DHHS office- it creates the National Human Research Protections Advisory Committee to advise the OHRP June, the Office for Human Research Protections established in the Sect’y of DHHS office- it creates the National Human Research Protections Advisory Committee to advise the OHRP

What constitutes human subjects research ? Human subject is identified as “ a living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information this means that a study involving tissues that come from a patient whose medical record has been used to obtain data used in the research constitutes human subjects research. Human subject is identified as “ a living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information this means that a study involving tissues that come from a patient whose medical record has been used to obtain data used in the research constitutes human subjects research. If the research involves no patient identification information, it may be exempted from IRB review, but most institutions require that the IRB Chair or his/her designate grant the exemption after reviewing the proposed research plan, ie the investigator is not permitted to conclude that his/her own research is exempt. If the research involves no patient identification information, it may be exempted from IRB review, but most institutions require that the IRB Chair or his/her designate grant the exemption after reviewing the proposed research plan, ie the investigator is not permitted to conclude that his/her own research is exempt.

Privacy Rule as defined by HIPAA These regulations cover information, not tissue samples, except to the extent that any identified medical information is attached to a tissue sample These regulations cover information, not tissue samples, except to the extent that any identified medical information is attached to a tissue sample Genetic information is not provided a higher standard of privacy protection in the HIPAA regulations Genetic information is not provided a higher standard of privacy protection in the HIPAA regulations The regulations only cover individually identifiable information and they provide a very strict definition of what it means to de-identify information (18 criteria). The complete regulations are ~ 375 pages in length. The regulations only cover individually identifiable information and they provide a very strict definition of what it means to de-identify information (18 criteria). The complete regulations are ~ 375 pages in length. The Common Rule and the Privacy Rule appear not to agree on the issue of coding of information- the Common Rule says if there is an encryption process that still permits an investigator to identify a patient, the information is identifiable. The Privacy Rule seems to accept encoding of 18 identifiers as a method of de-identifying someone. The Common Rule and the Privacy Rule appear not to agree on the issue of coding of information- the Common Rule says if there is an encryption process that still permits an investigator to identify a patient, the information is identifiable. The Privacy Rule seems to accept encoding of 18 identifiers as a method of de-identifying someone. All information that is generated in a research protocol in which some health care is given falls under the rubric of private health information (PHI), e.g. if you give a bronchodilator to patients to test an asthma susceptibility gene, all data is PHI All information that is generated in a research protocol in which some health care is given falls under the rubric of private health information (PHI), e.g. if you give a bronchodilator to patients to test an asthma susceptibility gene, all data is PHI

Implications of HIPAA for PGA research The HIPAA regulations could substantially increase the work of clinical research groups who want to access patient medical records in order to correlate genetic or microarray data with clinical phenotypes. This is because the privacy regs state that only “ the minimum necessary information” can be disclosed from a patient’s private healthcare record. Investigators may have to define in detail the information they are seeking to get from a record and then limit their inquiries to those things they have defined. Each institutional IRB may cope with how to interpret this stipulation The HIPAA regulations could substantially increase the work of clinical research groups who want to access patient medical records in order to correlate genetic or microarray data with clinical phenotypes. This is because the privacy regs state that only “ the minimum necessary information” can be disclosed from a patient’s private healthcare record. Investigators may have to define in detail the information they are seeking to get from a record and then limit their inquiries to those things they have defined. Each institutional IRB may cope with how to interpret this stipulation Waivers of the requirement to obtain informed consent will now have to meet the 4 criteria established by the Common Rule and the 8 criteria established by the Privacy Rule. Waivers of the requirement to obtain informed consent will now have to meet the 4 criteria established by the Common Rule and the 8 criteria established by the Privacy Rule.

Prepared by Pearl O’Rourke of the Partner’s administrative staff

Summary If you strip all identifiers from your work, you can avoid the requirements for consent and for the handling of private healthcare information- an IRB waiver would still be required to do this, but it should be a routine request. If you strip all identifiers from your work, you can avoid the requirements for consent and for the handling of private healthcare information- an IRB waiver would still be required to do this, but it should be a routine request. IRB’s are tip-toeing through genetics research without definitive guidelines- this means there will be institutional variability. National guidelines for genetics research could make consortium arrangements much easier, but it is not clear if a consensus on those guidelines will be easily reached. Many IRBs do view genetic data as being different and in need of greater protection. Your own local IRB will likely have a plan for dealing with genetic research, but state and federal regulations on this issue are in flux and the rules may change IRB’s are tip-toeing through genetics research without definitive guidelines- this means there will be institutional variability. National guidelines for genetics research could make consortium arrangements much easier, but it is not clear if a consensus on those guidelines will be easily reached. Many IRBs do view genetic data as being different and in need of greater protection. Your own local IRB will likely have a plan for dealing with genetic research, but state and federal regulations on this issue are in flux and the rules may change You must meet the new NIH clinical research educational requirements if you wish to renew a grant (competing or non-competing) or obtain new funding on a project that involves human subject research. Most institutions have a certification quiz that allows you to meet this requirement. You must meet the new NIH clinical research educational requirements if you wish to renew a grant (competing or non-competing) or obtain new funding on a project that involves human subject research. Most institutions have a certification quiz that allows you to meet this requirement.

HIPAA de-identification process Names Names All geographic subdivisions smaller than a state- the first 3 digits of zip code can be used if more than 20k people live in that geocode All geographic subdivisions smaller than a state- the first 3 digits of zip code can be used if more than 20k people live in that geocode All elements of dates except year (eg, birth date, admission date, discharge date). If > 90 yrs old, birth year can’t be used. All elements of dates except year (eg, birth date, admission date, discharge date). If > 90 yrs old, birth year can’t be used. Telephone numbers Telephone numbers FAX numbers FAX numbers Electronic mail addresses Electronic mail addresses SSN SSN Medical record numbers Medical record numbers Health plan beneficiary numbers Health plan beneficiary numbers Account numbers Certificate/license numbers Vehicle identifiers/serial numbers Device identifiers and serial numbers Web URLs IP addresses Biometric identifiers, including finger or voice prints Full face photos or comparable images Any unique identifying number, characteristic, or code and There is no actual knowledge that the information presented could be used alone or in combination with other information to identify the individual

Waiver requirements to eliminate informed consent Common rule (CFR45p46) Common rule (CFR45p46) –The research involves no more than minimal risk to subjects –The waiver or alteration will not adversely affect the rights and welfare of the subjects –The research could not practicably be carried out without the waiver –When appropriate, the subjects will be provided with additional pertinent information after participation Privacy Rule (HIPAA) –Use disclosure involves no more than minimal risk to individuals –Waiver will not adversely affect individual’s privacy rights and welfare –Research could not be practicably done without the waiver –Research could not be practicably done without the private healthcare information (PHI) –Privacy risks are reasonable in relation to the anticipated benefits of the research –Adequate plan is in place to protect identifiers from improper use and disclosure –Adequate plan in place to destroy identifiers ASAP consistent with intent of research, unless there is a health or legal reason not to –Adequate written assurances the PHI will not be reused or disclosed except as required by law

Botkin, JR. Protecting the Privacy of Family Members in Survey and Pedigree Research. JAMA;285: ;2001 Useful reference