On April 3, 2019, the Association of German Supervisory Authorities (“Datenschutzkonferenz” or “DSK”) issued a paper (available here in German) on the interpretation of “broad consent” for scientific research in Recital 33 of the GDPR and the interplay with the definition of consent  and the principle of purpose limitation.

According to the DSK, broad consent

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25.  Previous posts are available here.  The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule contains major changes to the HIPAA requirements for research authorizations.  Specifically, as described below, HHS has loosened the current restrictions on “compound authorizations” for research purposes, and is now interpreting the HIPAA Privacy Rule to allow authorizations for future research.  These changes could have a tremendous impact on the manner in which  informed consent for clinical trials is documented in the United States and on the availability of clinical trial data for future research.

Compound Authorizations.  The HIPAA Privacy Rule generally prohibits “compound authorizations,” which are authorizations that are combined with any other legal permission.  An exception allows the combining of an authorization for a research study with written permission for the same study, usually found in an informed consent form.  But under the current rules, this exception is not available if one authorization conditions treatment, payment, enrollment in a health plan, or eligibility for benefits on the individual providing an authorization (conditioned authorization) and the other authorization does not contain such conditions (unconditioned authorization).  This prevents a covered entity from, for example, using a single authorization for a research study that covers both treatment as part of a clinical study and tissue banking of specimens for future research.  Many groups have informed HHS that this lack of integration is inconsistent with the Common Rule (45 C.F.R. Part 46) and creates unnecessary documentation burdens.Continue Reading HITECH Update #4: HHS Relaxes HIPAA Requirements for Research Authorizations

Jonathan Mayer of Stanford’s Center for Internet and Society unveiled the Center’s latest research report, “Tracking the Trackers: Where Everybody Knows Your Username,” at the National Press Club Tuesday morning. The event also featured remarks from Federal Trade Commission Chairman Jon Leibowitz and Senior Counsel to the U.S. Senate Committee on Commerce, Science and Transportation Christian Fjeld and a panel discussion on potential harms facing users from data collection.

In the study, Mayer and his fellow researchers looked at whether data collected and shared by major websites remained anonymous. The team specifically looked for evidence of “leakage,” that is, the sharing of identifying information that can connect browsing activity with a user account or discrete individual. Where such a connection can be made, Mayer says, the information collected is no longer anonymous, or solely indicative of browsing activity in a particular moment in time. It is instead “pseudonymous,” because it is connected in a “clickstream” to past and future browsing activity.

The team opened user accounts with 185 websites to analyze the data provided by those websites to third parties (for example, advertising and data collection partners). The team found that 113 websites, or 61%, shared a username or user ID when sharing browsing data. Mayer noted that this sharing may be in conflict with some of the websites’ privacy policies, which disclaim the sharing of user information linked to “personally identifiable information.”

Mayer emphasized that there was no indication any of the sharing uncovered was intentional; in fact, he said it was “reasonable to infer that in the majority of cases it wasn’t intentional.” The study’s take away, Mayer said, is that “the web is suffused with identity,” and industry and consumers should recognize that this sort of sharing occurs.Continue Reading Stanford Researcher Unveils Latest Internet Privacy Study

This is the fourth in our series on provisions of the Department of Health and Human Services (HHS) proposed rule implementing the HITECH Act that, if included in the final rule, are likely to have the greatest impact on the business operations of pharmaceutical and other life sciences companies.  We previously covered HHS’s proposed treatment of communications about currently prescribed drugs, remunerated treatment communications, and authorizations for future research.

Today we will address how HHS may relax the current restrictions on “compound authorizations” for research purposes.

Compound Authorizations

HHS is proposing to amend the compound authorization requirements under the HIPAA Privacy Rule, which currently prohibit combining an authorization that conditions treatment, payment, enrollment in a health plan, or eligibility for benefits with an authorization for another purpose for which treatment, payment, enrollment, or eligibility may not be condition.  HHS recognized that the excess paperwork that results from this restriction has been found to be burdensome and potentially confusing to patients, as well as administratively burdensome for clinical researchers.Continue Reading HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 4 of 5)

In this third post on the forthcoming HIPAA/HITECH regulations, we will discuss potential modifications to the rules regarding authorization for future research.  In earlier posts, we covered the Department of Health and Human Service’s (HHS) proposed treatment of communications about currently prescribed drugs and remunerated treatment communications

Future Research

In the proposed rule issued last July, HHS stated that it is “considering whether to modify its interpretation that an authorization for the use or disclosure of protected health information for research be research-study specific.”  The agency was prompted to revisit this issue after hearing concerns from covered entities and researchers about how the current interpretation encumbers secondary research, results in individuals being re-contacted to sign multiple authorization forms at different points in the future, and is inconsistent with the Common Rule.Continue Reading HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 3 of 5)