The U.S. Department of Health and Human Services (“HHS”) has announced that the federal government is considering establishing mandatory data security and information protection standards for identifiable information collected from human research subjects. HHS made this announcement in a July 26, 2011 Advance Notice of Proposed Rulemaking (“ANPRM”).
The “Common Rule,” 45 C.F.R. 46, is a federal policy regarding the protection of human research subjects that applies to 17 federal agencies and offices. It has been in place since 1991. In the July 26 ANPRM, HHS seeks the public’s input on an array of issues related to the ethics, safety, and oversight of human research. The federal government’s two overarching goals with respect to the Common Rule revisions it is considering are: (1) to enhance the protection of research subjects and (2) to improve the efficiency of the review process. The changes under consideration would also extend federal oversight to some non-federally funded studies.
The agency is considering adopting the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) standards of identifiability in order to harmonize definitions across federal agencies. HHS recognizes that the majority of unauthorized disclosures of identifiable health information held by investigators occur because of inadequate data security. Thus the agency seeks, among other possible regulatory reforms, to establish mandatory data security and information protection standards modeled on the HIPAA Security Rule for all studies involving identifiable or potentially identifiable data. These would include: (a) encryption of data held in electronic form, (b) physical safeguards for data held in paper form, (c) breach notification procedures similar to the HIPAA standards, and (d) a prohibition against the inappropriate re-identification of de-identified information that is collected or generated as part of a study. HHS is also considering requiring periodic random retrospective audits and additional enforcement tools.
HHS foresees that implementation of these new data security and information protection standards would reduce the potential for violations of privacy and confidentiality. However, HHS is considering applying the standards only to collections of data and biospecimens that take place after the changes to the Common Rule are implemented, and not retrospectively to research involving existing data.