In the US, research with data only qualifies as human subjects research and triggers protections, such as ethics board review and informed consent, when those data are identifiable, defined as “information for which the identity of the subject is or may readily be ascertained by the investigator or associated with the information” (45 CFR 46.102(e)(5)). The process of deidentification of data involves removing explicit identifiers such that the data cannot be readily linked to an individual; deidentified data is no longer considered protected health information subject to the protections of the Privacy Rule, implemented in response to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Deidentified data, therefore, can be used without consent, without review by an IRB or ethics committee, and without oversight by a Privacy Board.
In the approximately 30 years since the passage of HIPAA and even in the 5 years since the issuance of the Common Rule, technology has advanced. The concept of deidentification may no longer be relevant. Numerous studies have demonstrated that it is relatively easy to re-identify individuals from seemingly deidentified data sets, particularly when these data are triangulated with publicly available data sources. The increasing use and sophistication of Artificial Intelligence (AI) further exacerbates this situation, raising questions about whether any types of data are beyond re-identification or fail to meet the regulatory definition of “identifiable.” Other countries (e.g., EU/EEA, China, India, and others) and even US States (e.g., California) have adopted this position and, unlike the US, have substantiated data protections and personal rights to privacy through the law.
Eliminating the concept of deidentification[1] (a concept that the HHS Office of Human Research Protections promises to review periodically) would have profound effects on clinical research, including impact on IT infrastructure, data repositories, secondary use of data, consent paradigms, and scientific discovery. But given the current ease of reidentification, might it be time to retire the concept of deidentification in the service of privacy, autonomy, and respect for persons?
[1] The HHS Office of Human Research Protections promises to review the concept of identifiability periodically, although that has not yet occurred in the five years since the effective date of the 2019 Final Common Rule. If OHRP changes its definition, FDA is likely to reconsider its interpretation of identifiability.
This meeting is open to sponsors of the Bioethics Collaborative. For more information about the Bioethics Collaborative and how to become a sponsor, click here.