Congress' new infrastructural model of medical privacy.

• Author: Evans, Barbara J.

INTRODUCTION I. FDAAA SECTION 905 As AN INFRASTRUCTURE REGULATORY MANDATE A. The Section 905 Public Health Benefit Standard B. The Section 905 Patient Protection Standard II. COMPETING REGULATORY OBJECTIVES IN SECTION 905 III. THE SCOPE OF ALLOWED DATA DISCLOSURES UNDER SECTION 905 A. Keeping Data Uses Within the Scope of Section 905 B. Keeping Data Uses Within the Scope of Public Health Activities 1. Criteria for Distinguishing Public Health Uses from Research 2. Release of Identifiable Data Under HIPAA's Public Health Exception C. Ensuring Ethical Research Use of Sentinel System Data 1. HIPAA Provisions for Waiver of Privacy Authorization 2. FDA Policy on Research Use of Identified, User- Identifiable, Coded, and Anonymized Data 3. Human-Subject Protections in Research with Sentinel System Data IV. THE COERCIVE NATURE OF DECISIONS ALLOWING ACCESS TO SENTINEL SYSTEM DATA V. LESSONS FROM OTHER INFRASTRUCTURE REGULATORY CONTEXTS A. Industry Structure B. Contracts vs. Rules to Set Regulatory Standards C. Degree of Centralization of Discretionary Decisions D. Ensuring Independence and Legitimacy of Regulatory Decisionmaking and Adequate Resources for Credible Regulatory Oversight E. Appropriate Risk Sharing to Support System Financing and Privacy CONCLUSION INTRODUCTION

Efforts have been underway for several years in the private sector and in the United States Department of Health and Human Services (HHS) to conceptualize how a Nationwide Health Information Network (NHIN) would work. (1) Until recently, Congress had not authorized large-scale implementation of any concrete pieces of such infrastructure. That changed with passage of the Food and Drug Administration Amendments Act (FDAAA) in September 2007. (2) FDAAA's section 905 (3) authorizes the Food and Drug Administration (FDA) to oversee development of a nationwide data network, the Sentinel System, (4) aimed at including data for 25 million patients by July 2010 and 100 million by July 2012. (5) Speculative concerns about health database privacy suddenly are enlivened with a riveting immediacy. This is here, now. One in three Americans is slated to be inducted into this data network within four years. (6)

Section 905 responds to shortcomings in FDA's traditional approach to drug safety, which relied heavily on pre-approval clinical trials. Clinical trials, which typically test a drug on several hundred to a few thousand people (7) for fewer than twenty-four months, may fail to detect rare risks, risks that emerge only in long-term use, and risks of off-label uses not tested in the original clinical trials. (8) The 2004 scandal involving rofecoxib, which was widely marketed under the brand name Vioxx, was one in a series of instances where serious risks escaped detection in clinical trials. (9) Designed in the mid-twentieth century, FDA's drug safety regulatory framework was failing to harness modern information technology to glean additional drug safety information in the postmarket period after drugs are in wide clinical use. (10) In 2005, the HHS Secretary directed FDA to explore the potential for using information technology to improve drug safety monitoring. (11) In 2006, FDA decided to harness the power of bioinformatics as one of its top six priorities under the agency's Critical Path Initiative. (12) That same year, reports by the Institute of Medicine (13) and Government Accountability Office (14) called on Congress to grant FDA additional authority and resources to modernize its drug safety information systems. Section 905 implements recommendations in those reports. (15)

Sentinel System data will include patients' Medicare, military, and private insurance claims data, health records, pharmaceutical purchase data, and "other data as the Secretary [of HHS] deems necessary." (16) In theory, this last clause would let FDA requisition people's entire medical records or their stored tissue or tumor specimens (17) for testing to see whether patients were genetically predisposed to drug-related injuries that they suffered, although FDA has not indicated it intends to take such steps. The 25-million-person milestone initially will be met with Medicare claims data, (18) and a new regulation already has been issued to enable FDA's access to Medicare data. (19) The agency already has signed a memorandum of understanding with the Veterans' Health Administration for sharing of information. (20) The 100-million-person milestone can be met by obtaining claims data from about ten large private health insurers. (21) Including data for 200 million people, while not one of section 905's stated milestones, is regarded as technically feasible (22) and desirable. (23)

Congress intends for these data to be used in postmarket surveillance and advanced analysis of drug safety. Studying insurance claims can reveal, for example, that an individual began purchasing Cox-2 painkillers--the class of drugs that includes Vioxx--in 2003 and suffered a heart attack in 2004. On average, only two in ten such coincidences turn out, after further study, to be a drug safety issue. (24) Thus there will need to be occasional access to patients' whole medical records to pin down causes of specific suggestive coincidences, although there are no current plans for routine canvassing of people's entire medical histories. (25) As yet, FDA has not indicated any plans to obtain data from previously stored specimens, although the value of genetic studies of specimens in drug safety research is recognized. (26)

Congress authorized FDA to engage private-sector companies to help develop and operate the system infrastructure. (27) The agency also is authorized to allow access to Sentinel System data for specified uses, including certain types of studies and research, (28) by academic, private sector, and public entities. (29) Thus, FDA has the power to approve access to sensitive health data by two types of outside entity: infrastructure operators and outside data users. An unanswered question is how patients' privacy will be protected.

If transparency is conducive to public trust, then FDA arguably missed its first opportunity to cultivate public trust in the Sentinel System. The day section 905 became law, HHS issued a press release that tersely described FDA's sweeping new data-gathering powers as "activities related to medical product safety" (30)--a thing to which few Americans could object given our status as the world's most assiduous pill eaters. (31) The announcement did not elaborate that these activities involve gathering personal health data on 100 million Americans for sharing, at FDA's discretion, with outside academic and commercial entities. As read by committed privacy advocates, this press release was as transparent as stating that FDA intends to bake apple pie, not mentioning that the congressionally approved recipe calls for blood of their first-born child. The Sentinel System is intended to serve important public health objectives. Achieving these objectives entails doing things that may make many members of the public uncomfortable. Squarely recognizing what Congress has approved and openly airing the issues it presents are essential in cultivating public trust and in bringing this system--and its hoped--for benefits--to fruition.

Part I describes the Sentinel System and explores why section 905 of FDAAA amounts to an infrastructure regulatory mandate. Part II notes the inherent conflict between privacy protection and other, competing objectives Congress set out in section 905. Part III examines the breadth of FDA's power to share Sentinel System data with outside parties, assuming FDA were to go to the full limit of what section 905 allows. Decisions allowing access to Sentinel System data are coercive in their effect on persons whose data are included in the network. Part IV notes how little history FDA has had in making decisions with coercive effect on the public; the agency's existing framework of institutional protections is not suited to its new regulatory mission. Part V draws on experience of other infrastructure regulators to explore ways to promote legitimacy and public acceptability of decisions to release Sentinel System data.

1. FDAAA SECTION 905 As AN INFRASTRUCTURE REGULATORY MANDATE

   Section 905 profoundly alters the nature of FDA's regulatory mandate. While continuing its traditional product regulatory and consumer protection duties, FDA also will be an infrastructure regulator charged with overseeing construction and operation of the vast data network just described. This thrusts FDA into the ranks of infrastructure regulators like the old Interstate Commerce Commission (ICC), which regulated railroads; the Federal Energy Regulatory Commission (FERC), which regulates interstate transmission of electricity, oil, and natural gas; and the Federal Communications Commission (FCC), which regulates telecommunications. This does not mean that FDA will fulfill all the same tasks, such as regulation of pricing and industry rates of return, traditionally associated with these other regulators. Nonetheless, section 905 is an infrastructure regulatory mandate.

   Prof. Gomez-Ibanez defines infrastructure as "networks that distribute products or services over geographical space." (32) Americans traditionally have referred to their infrastructure industries as public utilities (such as electricity networks, natural gas transmission and distribution networks, and water systems) (33) and common carriers (such as telecommunications networks, railroads, airlines, trucking, and oil pipelines). (34) Infrastructure is a broader term that includes those industries, but others as well. Modern manifestations include the Internet, high-speed data transmission networks, and distributed computing networks. (35) Not all infrastructure industries exhibit natural monopoly characteristics, (36) which traditionally supplied the rationale for regulating pricing and rates of return...