To former U.S. Sen. Tom Coburn's credit, in his op-ed in the Wall Street Journal on Thursday, he didn't reflexively take a partisan whack at President Barack Obama's call this week for a federal blitz to end cancer.
Nor did Coburn, a three-time cancer survivor, swing at the fat pitch of Obama appointing former senator and now Vice President Joe Biden, a popular guy amongst Republicans and Democrats, to head up what Biden described as the administration's “moonshot” cancer initiative.
The often iconoclastic Republican conservative physician from Oklahoma instead hopefully called the Obama utterance “a bold goal—but one within our grasp.”
What Coburn instead attacked, haphazardly, according to a privacy legal expert, and egregiously, according to a leading privacy advocate, were federal health information privacy laws, mentioning specifically the key federal law, HIPAA.
“(We're) handicapping ourselves in the war on cancer, in part because of a web of privacy regulations like the Health Insurance Portability and Accountability Act,” Coburn wrote.
“HIPAA makes it difficult for researchers to tap into large caches of clinical and genomic data shared across multiple institutions or firms, and then share their findings more broadly,” he said.
“The law,” Coburn added, “allows some research uses, but only if the uses (and informed patient consent) are specified in advance. As one analyst put it, 'because obtaining (consent) from huge numbers of people or (institutional review board) waivers ranges from the impracticable to the impossible, important research has gone undone and important findings unshared.'
“Giving patients rather than regulators power to control their own data, deciding whom to share it with, and when, would help break down the barriers that prevent data sharing,” he said.
Coburn offered no specific legal revisions to HIPAA or any other privacy law, saying only broadly that Congress should unleash big data in America's moonshot on cancer, giving patients and physicians the tools they need to gain the most precious commodity of all—more time.
He did favorably reference the 21st Century Cures Act, which passed the House last year. It calls for adding “data research” to a long list of HIPAA exemptions commonly known as “other healthcare operations.” Activities on the HIPAA exemptions list, which also include treatment and payment, don't require a provider or another HIPAA-covered entity, such as an insurance company or claims clearinghouse, to obtain a patient's consent prior to their disclosing or sharing of patient information.
Healthcare privacy lawyer Kirk Nahra, a partner at Wiley Rein in Washington, D.C., said Coburn is confusing research governed under the Common Rule, which pre-dates HIPAA, and privacy protections under HIPAA itself.
“The Common Rule was designed so American health research didn't follow Nazi Germany,” Nahra said, adding that it focuses on drugs or procedures that affect the body. “We could legitimately debate whether the Common Rule should have anything to do with data, because it's not touching the body."
On the other hand, if a large healthcare organization, such as Sloan-Kettering, wanted to analyze data from all the patients in its database, under HIPAA, “they're allowed to do that,” Nahra said. The organization could use those findings internally to improve patient care, but they may not be allowed to publish the results. “That's stupid,” he said, so “there are some tweaks (to HIPAA) you can do that would not hurt privacy.”
“If what he's saying is the regulations are too complicated, I'm generally agreeing with that,” Nahra said. But Coburn "seems to be espousing a position here where he says we're going to abandon individual privacy rights because the government can do research that helps people. That's a bit of a surprising position,” given Coburn's conservative philosophy, he said. “But there are ways of doing that that don't abandon individual privacy rights.”
“There's only one thing he got correct, and that is patients need their data and haven't been able to get it,” said Dr. Deborah Peel, founder and CEO of Patient Privacy Rights, Austin, Texas, a patient advocacy group. Coburn references an analyst's opinion that obtaining consent from institutional review board range from the impractical to the impossible, but, “That's not true. It's a complete lie.”
“IRBs have always given away data because they don't view it as a threat,” Peel said. “The main purpose of IRBs is to look for harms, if something is done to your body, but they don't understand at all the issues of trust and the hidden uses of data.”
Peel also took issue with the assertion that big data is difficult to obtain for insurance companies and drug marketers.
“The problem is they do have big data, and they've had big data for two decades and there is no impediment for insurance companies in the use of big data,” Peel said. “They use it, they share it, they sell it, but nobody knew." But they use it to price products and services,” not for clinical research.