New data privacy and security requirements proposed for human subjects research

The U.S. Department of Health and Human Services (HHS) published new proposed requirements for human subjects research under the Common Rule that, if adopted, would impose significant new data privacy and security obligations on research entities. HHS is considering the creation of mandatory data security and information protection standards for all studies involving identifiable or potentially identifiable data. This could include adopting the HIPAA Privacy Rule standards for when data is deemed de-identified, as well as categorizing biospecimen research as identifiable information. HHS also proposes to re-evaluate the HIPAA de-identification standard to ensure it reflects emerging technology and evolving informational risks. HHS requests comment on these proposals.

HHS also proposes data security requirements for research information. This could include a requirement that research involving the collection and use of identifiable data adhere to the HIPAA Security Rule standards as well as breach notification standards modeled on the HIPAA requirements. For research using limited data sets or de-identified information, re-identification of individuals would be strictly prohibited. HHS would provide for additional enforcement as well as periodic random audits of research institutions. HHS poses a number of specific questions regarding implementation of data privacy and security requirements for research entities. This HHS issuance is in the form of an Advance Notice of Proposed Rulemaking (ANPRM), Human Subjects Research Protections: Enhancing Protections for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators. Comments will be accepted for 60 days following publication of the ANPRM in the Federal Register. The ANPRM and related information can be accessed at http://www.hhs.gov/ohrp/humansubjects/anprm2011page.html.