Post on 23-Aug-2020
LEGAL/REGULATORY ISSUES AFFECTING CLINICAL DATA REGISTRIES’ ROLE IN ACTIVE SURVEILLANCE EFFORTS
Robert M. Portman, JD, MPP
rob.portman@ppsv.com
Powers Pyles Sutter & Verville, PC

Disclaimer
This presentation is for informational purposes only and does not provide legal services or advice. Use of this information does not create an attorney-client relationship. You should not act, or refrain from acting, on the basis of information contained herein without seeking additional legal counsel regarding your own situation.
The firm does not necessarily endorse, and is not responsible for, any third-party content that may be accessed through links or otherwise.
If we can assist you or answer any questions you might have, please call us in Washington, DC at 202.466.6550, or send us an email at rob.portman@ppsv.com.
© Copyright 2016, Powers Pyles Sutter & Verville PC, Washington, DC, USA
1501 M Street NW Seventh Floor Washington, DC 20002 202-466-6550

Road Map
General Legal and Regulatory Challenges/Hurdles
Legal/Regulatory Hurdles to Participation in Active Surveillance Efforts
Physician Clinical Registry Coalition Advocacy Issues

Why Create a Medical Data Registry?
Data is everything
Quality improvement through benchmarking, tracking outcomes
Patient safety
Medical research
Scope of practice/cost effectiveness
Reimbursement
  Condition of payment
  PQRS—through Qualified Registry or QCDR

Key Legal/Regulatory Issues
Key Agreements
Ownership of Data
Privacy/Security
Discoverability
Liability Risk

Key Agreements
Participation Agreement
Business Associate/Data Use Agreement
Agreements with outside database vendor/hosting entity
Data sharing agreements
  Industry/govt.
  Researchers
  Other registries
Other vendors/consultants

Ownership of Data
Who owns the data?
Entities that may claim ownership interest include:
  Health care providers/database participants
  Database creator/owner
  Patients
  Insurers
  Agencies or companies funding registry projects
HIPAA regulates use and disclosure, but does not affect property rights
Must allocate/clarify rights via contract

Ownership of Data
Database participation agreement defines the applicable terms of participation
Database participation and vendor agreements should clarify ownership of data
Distinguish between raw data and the database
Typically sites will retain ownership of data they submit
Database owner will own:
  The database (including the aggregate data and subsets of data)
  Any reports/analysis based on the data
  Information derived from the data
  All trademarks, trade secrets, and intellectual property arising from or reflected in the database
Patients have interest in data but generally not ownership
Registry funders?
Check state law: http://www.healthinfolaw.org/comparative-analysis/who-owns-medical-records-50-state-comparison

Privacy/Security
HIPAA
Common Rule

Privacy/Security
Rules that apply will depend on what kind of data is collected
  PHI
  Limited Data Sets
  De-Identified
And how data will be used
  Health care operations
  Research
  Public health

Privacy/Security–HIPAA
HIPAA
Governs use and disclosure of PHI by covered entities (health care provider, health plans, health care clearinghouses)
Participants contributing data to the database will likely be covered entities
If disclosing PHI to database, participant must ensure that it obtains necessary patient authorizations and provides required notice
  UNLESS data is shared for purposes of treatment, payment, or health care operations
  Or some other exception applies
Minimum necessary standard applies regardless

Privacy/Security–HIPAA
Common Data Registry Exceptions
De-identified data
  No limit on disclosure
Limited Data Set
  Partially de-identified PHI
  Can only be used or disclosed by a covered entity for the purposes of research, public health, or health care operations
  Covered entity must enter into a data use agreement with the limited data set recipient; very similar to BA agreement

Privacy/Security–HIPAA
Common Data Registry Exceptions
Business Associate Relationship
Database owner/developer will likely be business associate of database participants/covered entities—perform data aggregation services for participants in support of participants’ quality improvement efforts
HIPAA privacy regulations permit business associates to collect PHI and provide data aggregation services on behalf of covered entities that include data analyses relating to the health care operations of those entities. 45 CFR § 164.504(e)(2)(i)(B)
“Health care operations” include “conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities.” 45 CFR § 164.501

Privacy/Security–HIPAA
Business Associate Relationship (cont.)
Data registry as BA performs data aggregation services using data collected from participants
Prepares reports for participants that are used for health care operation purposes (e.g., quality improvement, utilization review, etc.)
Primary purpose is quality improvement; not research
No sharing of PHI across participants unless agreed to by participants
Hub and spokes approach
Note that HITECH Act and rules apply HIPAA requirements to BAs and sub-BAs, including breach notification rules

Privacy/Security–HIPAA
A business associate, data use agreement, or combination BA/DU agreement must be in place between CE and BA and between BA and all of its subcontractors/agents that handle PHI or LDS info
BA/DU agreement must:
  address uses and disclosures of both PHI and limited data sets (e.g., allow BA to use de-identified data for research, public health, and other purposes)
  set forth obligations of each party re protecting the information; permitted uses of the information; and liability for breach of obligations
  address breach notification obligations

Privacy/Security–HIPAA
IRB Approval/Waiver of Authorization for Research
BA may use de-identified data for research if CE permits
LDS recipient may use LDS for research with DUA
But, IRB approval/waiver necessary where using/disclosing full PHI for research instead of health care operations
  Definition of research: “a systematic investigation, including research development, testing, and evaluation designed to develop or contribute to generalizable knowledge”
  Compare to definition of health care operations: “obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities”
  OHRP considers developing benchmark standards to be research—big problem; but see NPRM

Privacy/Security–HIPAA
Possible Data Registry Exceptions
IRB Approval/Waiver (cont.)
IRB waiver is clearly-established pathway under the HIPAA rules for collecting and analyzing fully-identified PHI for research purposes without individual patient authorization when impractical to obtain patient authorization and sufficient safeguards in place
HIPAA rules do not require each participant in a data registry to obtain separate IRB approval for the submission of data to that registry; central IRB waiver/approval provided to registry is sufficient
  See OCR view at http://privacyruleandresearch.nih.gov/healthservicesprivacy.asp

Privacy/Security–HIPAA
Possible Data Registry Exceptions
IRB Approval/Waiver (cont.)
But, some or most sites may seek approval from their own institution’s IRB to be safe or to comply with local rules

Privacy/Security–HIPAA
Possible Data Registry Exceptions
Public Health Exception
Broad exception for disclosures to a public health authority (PHA), including FDA, authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions
Allows disclosures to persons subject to FDA jurisdiction for various FDA-regulated activities including MDR and post-market surveillance

Privacy/Security–HIPAA
Possible Data Registry Exceptions
Public Health Exception
Significantly, HIPAA rules do not create same privacy and security obligations for PHAs as for covered entities and BAs or limited data set recipients

Privacy/Security–Common Rule
Applies to research involving human subjects “conducted, supported or otherwise subject to regulation by any federal department or agency.” 45 C.F.R. § 46.101
  “Subject to regulation” means “research activities for which a federal department or agency has specific responsibility for regulating as a research activity, (for example, Investigational New Drug requirements administered by the Food and Drug Administration).” 45 C.F.R. § 102(e)
  Called the “Common Rule” because it has been adopted by 17 federal departments and agencies
  FDA follows Common Rule through 21 CFR §§ 50, 56, 312, and 812.
Research involving human subjects includes collection of patient identifying information, even if no interaction with patients
Does not apply if no federal funding or regulation involved, unless Federal Wide Assurance signed

Privacy/Security–Common Rule
Definition of research similar to HIPAA definition
Requires written assurance that the research institution will comply with the Common Rule requirements
IRB approval required
  In order to receive IRB approval for research must demonstrate that “there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.” 45 C.F.R. § 46.111
Must obtain informed consent from patients unless IRB waiver obtained

Privacy/Security–Common Rule
OHRP has clarified that sites submitting clinical encounter data to researchers, including registries conducting research, but that are not engaged in research themselves, are not subject to the Common Rule
  May not work for PRO projects
OHRP also supports centralized IRB review and waiver of consent
  But, again, sites may still want to obtain local IRB review and waiver of consent (but see NPRM on this issue)

Discoverability of Data
Federal Law
No general federal statutory privilege against discovery
Balancing test under federal rules of evidence—likely to prevent disclosure to third parties of patient and possibly provider identities; but aggregate data will be available if compelling litigation need shown

Discoverability of Data
HIPAA
HIPAA has a liberal exception for disclosure in judicial and administrative proceedings
Basically permits disclosure in response to court order or subpoena that meets certain conditions, including proof of notice to the person whose PHI is at issue or of receipt of a qualified protective order

Discoverability
Patient Safety Organizations Act/Rules
PSO Act does provide privilege against legal discovery of patient safety work product (PSWP) held by PSOs; applies to subpoenas or discovery in federal or state cases
But:
  Must qualify as PSO and comply with all PSO requirements
  Registry data may not meet definition of PSWP
  Limits sites’ ability to use data or talk about reports from PSO
  Privilege is not self-enforcing and does not apply to non-identifiable patient data; so outcome unlikely to be different than under current federal evidence rules
  Subject to government compliance inspections/audits
  Must forfeit data if PSO status terminated
  But, can set up component PSO

Discoverability
AHRQ-sponsored research and confidentiality provisions under 42 U.S.C. § 299c-3(c)
NIH Certificates of Confidentiality

Discoverability
State Law varies
Illinois Medical Studies Act
  All information “used in the course of internal quality control or of medical study for the purpose of reducing morbidity or mortality, or for improving patient care or increasing organ and tissue donation, shall be privileged, strictly confidential and shall be used only for medical research, increasing organ and tissue donation, [or] the evaluation and improvement of quality care...” 735 ILCS 5/8-2101
  “Such information, records, reports, statements, notes, memoranda, or other data, shall not be admissible as evidence, nor discoverable in any action of any kind in any court or before any tribunal, board, agency or person. The disclosure of any such information or data, whether proper, or improper, shall not waive or have any effect upon its confidentiality, nondiscoverability, or nonadmissibility.” 735 ILCS 5/8-2102
See also DC and California statutes; but not all states provide this level of protection

Liability Risk
Risk of liability for wrongful disclosure of data
Sanctions under HIPAA for wrongful disclosure of PHI
  Civil fines of up to $25,000 imposed by the Office of Civil Rights
  Criminal sanctions imposed by the DOJ: imprisonment and fines

Liability Risk
Breach Notification – Requires notification of breaches of unsecured PHI to affected individuals, the Secretary, and, in certain circumstances, to the media
State Law – see peer review statutory penalties for confidentiality breaches
Common law – claims for violation of privacy may also be available

Liability Risk
Also possible risk of liability to third parties from wrongful use or disclosure of data/data analyses by registry or participants—e.g., patients, device/drug makers
Partially limit liability through database participation agreement
  Limitation of liability provision (absent gross negligence or willful misconduct)
  Indemnification provision (absent gross negligence or willful misconduct)
    Participant to indemnify database owner as well as its independent data warehouse service provider (if applicable) from and against any and all claims, actions, liabilities, etc. arising or resulting in any way from participant’s use of data obtained through the database

Active Surveillance Issues
FDA seeking to work with clinical data registries in providing data to enhance agency’s pre- and post-market surveillance efforts (including MDR reporting?)
Registries provide a rich and continuous source of data
  Already collecting data on drugs and devices for large percentage of total procedures using such products
  Able to spot trends and problems quickly
  Large cost savings for government and industry
Industry already working with registries to provide data for pre-market approval and post-market surveillance efforts

Active Surveillance Issues
Privacy Issues
FDA surveillance efforts fall under HIPAA public health exception and FDA human subjects regulation (but only if activity classified as a study)
But registries must have authority to submit data to FDA
  Registries are business associates of their members and can only use or disclose PHI for purposes specified in their BAAs with participants
  No problem if data is de-identified
  Registries may have general permission from participants to share Limited Data Sets for public health and research purposes
  Registries cannot share full PHI with third parties without permission from participants—would need specific authorization or amend participation agreements

Active Surveillance Issues
Protection of Data
Data may be subject to FOIA
  PHI most likely falls under Exemption 6 for personnel and medical files
  Industry data likely protected by Exemption 4 for trade secrets and commercial or financial information that is privileged and confidential
  But no guarantee that hospital and physician-specific data will be protected from FOIA disclosure
Most registries are not PSOs

Active Surveillance Issues
Protection of Data (cont.)
Data may be accessed by federal law enforcement authorities
  HHS OIG already looking to registries as source of data for fraud and abuse investigations
Registries may be concerned about security of data in FDA’s hands
  HIPAA security rules do not apply to public health authorities

Active Surveillance Issues
Ownership/Control of Data
  Registries need to ensure that transfer of data does not create data rights in government other than those specified in data use agreement
  Registries have significant IP, financial, and strategic interests that need to be protected
Scope of Use of Data
  FDA wants to use data for broad purposes; registries want to limit use of data to purposes specified in the DUA
  FDA must abide by HIPAA minimum necessary standard

Active Surveillance Issues
FDA Disclosures of Data/Results
  Registries concerned about FDA disclosure of data or analyses based on data without registry input
Cost Issues
  Who will pay for cost of data transfer?
    FDA, industry generally, specific companies?
  Most registries operate on very limited budgets; data transfers like this can be expensive and require significant infrastructure
  Registries are expensive to create and operate and need to recover costs

Registry Coalition
Physician Clinical Registry Coalition established in Feb. 2013
22 registry members
All medical society sponsored or physician led or physician centric clinical data outcomes registries
Purpose is to advocate for public policies that will encourage/facilitate registry development

Registry Coalition
Top Issues:
  Qualified Clinical Data Registries
  MACRA SGR Reform Legislation—Registry Provisions
  OCR/OHRP HIPAA-Common Rule Issues
  Senate HELP Health IT Bill
  Access to SSDMF Data
  Data Protection—OIG data requests
May be ways we can work together
QUESTIONS?
Robert M. Portman
Principal
Powers Pyles Sutter & Verville PC
1501 M Street NW
Seventh Floor
Washington, DC 20005
202-466-6550 Main
202-872-6756 Direct
Rob.Portman@ppsv.com
Robert M. Portman is a principal in the law firm of Powers Pyles Sutter and Verville PC in Washington, DC. Mr. Portman concentrates his practice in health and association law, focusing on legislation and regulation in the health care field, patient privacy, governance, transactions, certification law, administrative law, antitrust, and election and lobbying law. He represents a wide range of non-profit health care organizations including a large number of national professional societies, trade associations, other health care associations, voluntary health organizations and certification bodies, as well as numerous clinical data registries and the Physician Clinical Data Registry Coalition. Mr. Portman also represents individual physicians, physician practice groups and other health care providers. Mr. Portman graduated magna cum laude from Harvard Law School and holds a masters in public policy from the Harvard Kennedy School of Government. He graduated summa cum laude from Northwestern University with a BA in Economics.