New regulations governing the use of personal health information and medical records will impact researchers if passed, according to a proposed federal ruling published last month. Clinical researchers concerned about how the regulations will affect them have until 3 January to comment.

On 3 November, Department of Health and Human Services (HHS) Secretary Donna Shalala proposed new regulations that researchers must follow in order to access and use electronic human subject information--to offer federal protection of medical and health research data generated, stored, or transmitted electronically. Currently, researchers who use human subjects or records must receive external approval from review boards before their research can proceed or before they can receive federal funding. Under the new guidelines, researchers wishing to use medical information without seeking patient consent will have to ensure that certain additional procedures, such as safeguarding the confidentiality of human samples and destroying identifiers that could be used to trace individuals, are followed. Researchers who perform any therapeutic or diagnostic tests in clinical trials will be considered to be providing health care and so will be subject to all the proposed regulations regarding personal health information. There are 24 days remaining in which to comment on Secretary Shalala's "Standards for Privacy of Individually Identifiable Health Information" published in the Federal Register.

The rulings stem from the need to improve access to, as well as the security and confidentiality of, medical information and scientific findings that are maintained electronically. The proposed legislation will regulate access to such information as well as how it is shared, used, and disclosed by scientists who are considered to be health care providers--the proposed regulations only apply to health providers, health plans, and health clearinghouses. Researchers categorized as providers must gain approval from institutional review boards on four additional criteria before they can use electronic records or research data without the consent of the individuals involved. Scientists will have to explain why it would be impracticable to conduct their research without the health information; prove that the importance of their project outweighs the intrusion into the privacy of the individuals concerned; show that they have an adequate plan to protect identifiable information such as names and Social Security numbers; and show that there exist adequate plans to destroy identifiers at the earliest opportunity. Both federally and privately funded researchers would be subject to the regulations.

The health care definition of "treatment" has also been changed to include clinical trial research: Any researcher who provides health care to the subjects of research, such as administering drugs or collecting blood or tissue samples, would be required to comply with all the provisions of the rule. A definition of "coded information" is in conflict with definitions cited in the Common Rule--the law that protects human subjects in research--that researchers must adhere to. Currently, information that can be traced to an individual through a code is considered identifiable, but in the proposed regulations, encrypted data are regarded as unidentifiable and can be disclosed as long as the code or key is not revealed. This is an important distinction, because the proposed regulations only apply to the protection of identifiable health information.

"The new rulings do not cover the samples," clarifies a National Institutes of Health (NIH) official; "they cover the information about the sample and only if the information has been electronically maintained at one point." Any information relating to health care that is entered into a computer is considered electronic--records or research findings that have been and always will be paper are not covered.

Release of the regulations by the current Administration comes after Congress failed to propose its own legislation before 21 August, even though Secretary Shalala submitted her original recommendations to them for consideration in 1997. Through the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Secretary Shalala was authorized to draw up her own set of regulations governing access to electronic medical records if the August deadline was missed by Congress. "Until today, Americans had no federal privacy protections of their medical records," Secretary Shalala said upon the release of the standards, which have the full backing of the current Administration. President Clinton acknowledged that recent surveys show that "two-thirds of adults say that they don't trust that their medical records will be kept safe." The regulations are meant to provide federal protection and to reassure the public that their health and research information are safe, but at the same time the proposal also calls for the exchange of data without patient consent for "national priority activities"--which include research.

Becoming compliant with the proposed ruling could, according to one HHS official, drive up the cost of doing large-scale trials or surveys because of the extra work involved in ensuring that projects meet the standards required. This could mean extra paperwork for grant applicants who require review board approval as well as additional administrative burdens on individual researchers fulfilling their new role as health care providers.

Of the criteria that involve destroying information that can be linked to a person, Robert Levine, chair of Yale University's institutional review board, believes that destruction of identifiers could have "very serious implications for the possibilities of future research," because investigators often return to stored samples and data many years after their original studies to accommodate new findings or to use the samples for new research. Making samples and data completely anonymous would also make it impossible to verify information or contact participants who might qualify for future treatment. Many researchers already build into their protocols measures to "anonymize" samples and patient information, but some scientists question how their interaction with collaborators will be affected if they wish to share medical records or research findings with one another under the proposed regulations.

The people who evaluate human subject research are also concerned about the practicalities of the proposed rulings. Gary Ellis, director of the Office for Protection from Research Risks at NIH, warns review boards that "if it wasn't documented, it wasn't done," meaning that reviewers should provide detailed documentation to show precisely how and by whom a research proposal was handled and discussed. Even though Ellis believes this is not "an inappropriately bureaucratic emphasis on mountains of paperwork," Levine remarks that "people on IRBs are not upset about requirements to do things that contribute to the protection of research subjects; they are much more concerned with the burgeoning paperwork requirements." In a recent paper in the Journal of the American Medical Association, Beverly Woodward, an associate professor of bioethics at Brandeis University in Waltham, Massachusetts, agrees that review boards have some "inherent weaknesses" and are already "overwhelmed by the quantity of protocols that are presented for review."

As a deterrent to foreseeable abuses of someone's medical records or clinical trial research results, Secretary Shalala's proposed legislation is backed up with hefty criminal and civil penalties for violations and improper disclosure of patient records and research information: up to a $100,000 fine and up to 5 years in prison for obtaining protected health information under "false pretenses," and up to a $250,000 fine and up to a 10-year prison sentence for selling or using that information for commercial or personal gain.

Michelle Russell-Einhorn, director of regulatory affairs in the Office for Protection from Research Risks, whose offices dealt with some research aspects of the regulations, believes the next few weeks are a crucial time for researchers. "It is very important to pay attention to this rule and see how it affects you," she urges. "Researchers should read the HIPAA regulations very carefully and provide their department with conscientious and critical comments on how it should be changed or implemented." There is some urgency, she says, because there is not much time left to thoroughly read and comment on the regulations, which will be accepted by the HHS until 3 January 2000. Secretary Shalala then has until February 2000 to finalize the regulations and implement the legislation nationwide over a 2-year period.

Read Secretary Shalala's proposed regulations at HHS's Administrative Simplification Web site. Comments can be submitted through that site also.

The deadline for comments has been extended: Comments will be accepted until February 17th, 2000.