Part of the "2016 Annual Conference: Big Data, Health Law, and Bioethics" held at Harvard Law School on May 6, 2016. This conference aimed to: (1) identify the various ways in which law and ethics intersect with the use of big data in health care and health research, particularly in the United States; (2) understand the way U.S. law (and potentially other legal systems) currently promotes or stands as an obstacle to these potential uses; (3) determine what might be learned from the legal and ethical treatment of uses of big data in other sectors and countries; and (4) examine potential solutions (industry best practices, common law, legislative, executive, domestic and international) for better use of big data in health care and health research in the U.S. The Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School 2016 annual conference was organized in collaboration with the Berkman Center for Internet & Society at Harvard University and the Health Ethics and Policy Lab, University of Zurich. Learn more at http://petrieflom.law.harvard.edu/events/details/2016-annual-conference.

1. THE COMMON RULE AND
RESEARCH WITH DATA,
BIG AND SMALL
LIZA DAWSON
PETRIE–FLOM CENTER FOR HEALTH LAW POLICY,
BIOTECHNOLOGY AND BIOETHICS
CAMBRIDGE, MASS.
MAY 6TH, 2016

2. DISCLAIMER
• The views presented are those of the author
and do not represent any position, policy or
viewpoint of the National Institutes of Health,
the Department of Health and Human
Services or any of its components.

3. INTRO
Common Rule regulation of human subjects research is a poor fit for research
involving only secondary use of data, invoking serious philosophical and public
health concerns
Big data research further exposes the problem of poor fit and weak ethical
rationale
A deeper look at the fundamental ethical issues is warranted;

4. THE COMMON RULE
REACHES THE
BREAKING POINT
THE OLD WORLD: REGULAR DATA
• In practice, a lot research done with de-
identified data
• Simplifies human subjects issues
• Avoids extensive permission, reviews,
delays
• “end run” around Common Rule
THE NEW WORLD: BIG DATA
• Anonymizationcannot be guaranteed
• Unclear boundaries of public and
private information(e.g. GPS data,
Facebook, shopping records)
• No way to obtain consent in many
cases; or consent would create
extensive burdens on individuals

5. TAKING A CLOSER
LOOK
• Brief historical foray: why does the Common
Rule apply to research with data?
• Common Rule’s approach to regulating data
research is a poor fit;
• Big data research exemplifies problems with
the Rule and exposes conceptual gaps
• An alternative approach to oversight is
needed

6. NATIONAL COMMISSION FOR PROTECTION OF HUMAN
SUBJECTS OF BIOMEDICAL AND BEHAVIORAL RESEARCH
• Commission established in 1974 as part of the Public Health Service Act (PL
93-348);
• Mandate included
• Considering the boundaries between biomedical or behavioral research and
“accepted and routine practice of medicine”
• Risk-benefit criteria in human subjects research
• Selection of human subjects, informed consent, IRBs

7. BOUNDARY OF MEDICAL CARE AND RESEARCH
• Morally significant: physician may depart from considering only best interests of
patients if seeking generalizable knowledge.
• Research may be seen as morally suspect, in relation to clinical care
• Note: this is now being challenged in multiple settings (precision medicine, comparative
effectiveness, learning healthcare)—but the premise was main focus in 1970’2
• Therefore, setting the scope of Common Rule also includes definition of research:
“Systematic investigation….designedto developor contributeto
generalizable knowledge.”

8. BOUNDARY OF COMMON RULE RELATED TO DATA
• Common Rule regulates research with data that are private and identifiable,
through the definition of human subject:
46.102 (f) Human subject means a living individual about whom an
investigator…conducting research obtains
(1) data through intervention or interaction with the individual, or
(2) Identifiable private information

9. WHY DID THE NATIONAL COMMISSION INCLUDE
RESEARCH WITH DATA IN THE SCOPE OF RECOMMENDED
REGULATIONS?
CONCERNS ABOUT PRIVACY
• Concurrent with broader privacy
standards in government, concerns
about intrusion into lives of citizens
• Privacy Act of 1974 addressed
government uses of private data
DECIDED TO LIMIT SCOPE OF
REGULATED DATA ACTIVITIES TO
RESEARCH
• Staying within mandate of
Commission
• Concerns about research violating
trust and individual rights

10. CONCEPTUAL PROBLEMS IN INCLUSION OF DATA
RESEARCH IN THE COMMON RULE
• In research involving medical interventions on a human subject, quest for
generalizable knowledge may compromise patientcare; therefore research requires
special regulation
• In research involving only secondary uses of data, the use of data in systematic
investigation aimed at generalizableresults does not inherently pose more privacy
risks to human subjects than other uses of data;
• In other words, there is no clearethicalrationale forregulation of researchwith
data differentlyfrom non-researchactivities with data

11. CLINICAL RESEARCH RAISES
RISK/BENEFIT CONCERNS
RELATIVE TO CLINICAL CARE:
WITH DATA, RESEARCH AND NON-
RESEARCH ACTIVITIES ALIKE RAISE
PRIVACY CONCERNS:
CLINICAL CARE
VERSUS CLINICAL RESEARCH
RESEARCH WITH DATA
VERSUS OTHER USES OF DATA

12. CONCEPTUAL PROBLEM 1: NO CLEAR PRIVACY-RELATED
CRITERION FOR BOUNDARY BETWEEN REGULATED AND
NON-REGULATED ACTIVITY
NON RESEARCH ACTIVITIES WITH
PRIVATE IDENTIFIABLE DATA
• Quality improvement
• Lab QI/QC
• Program evaluation
• US census
• Public health
surveillance
• Insurance claims
• Federal and state
benefits and service
programs
• Other private data:
Passports; motor vehicle
departments; tax records;
RESEARCH ACTIVITIES WITH
PRIVATE IDENTIFIABLE DATA
• Epidemiology
• Health services
research
• Environmental health
research
• Public health
research

13. WHAT ABOUT NON-PRIVACYCONCERNS IN DATA
RESEARCH?

14. DO INDIVIDUALS HAVE AN INTEREST IN CONTROLLING
HOW THEIR DATA ARE USED, INDEPENDENTLY OF PRIVACY
ISSUES?
• Analogous to current debates about research with biological specimens: some
claim that individuals have an interest in control over future research, whether
or not the specimens are identifiable, that should be protected in regs;
• Either way, the existing Common Rule appears to prioritize privacy
concerns (does not regulate research with de-identified data or specimens

15. CONCEPTUAL PROBLEM #2: UNCLEAR ETHICAL
RATIONALE FOR SUBJECTS’ CLAIMS OF RIGHT TO
CONTROL
Ethicalunderpinningsof theseclaims needfor control are notelaborated
• E.g. Wendler—specimen research: Subjects have an interest in deciding whether they
will contribute to specific projects
• In what sense does use of information derivedfrom a person constitute
“contribution”?
• Even given an interest (on the part of subjects), at what level of decision making
should choices be made—e.g.policy level? Individual level? Institutional level?
• Again, why should subjects have control over use of their data for research but not in,
for example, quality improvement or program evaluation?

16. CONCEPTUAL PROBLEM #3: NEGLECT OF OTHER
IMPORTANT ETHICAL ASPECTS OF DATA RESEARCH
• A subject’s interest in privacy and/or control must be considered in light of her
other interests;
• Individuals’ interests are served by the benefits of research in multiple contexts; cannot
evaluate quantitatively how benefits square off against privacy concerns or desire to limit
or control research
• Group interests (benefits, risks, harms) are important but are not addressed in
the Rule; nor are they adequately represented with individual informed
consent

17. DIFFERENTSYSTEMS OF REGULATION
COMMON RULE—CURRENT
VERSION
• Determine if this is research or not (not
always obvious)
• Determine if data are identifiable and
private
• Determine if study is exempt
• If non-exempt, then IRB review and
informed consent are required
PRIVACY REGS FOR NON RESEARCH
ACTIVITIES—CURRENT SYSTEM
• Diverse set of privacy standards,
depending on source of data;
• Some uses of data are authorized by law
• Privacy protections mandated
• Unauthorized disclosureof data prohibited
• No informed consent
• Some activities currently unregulated

18. CONCEPTUAL PROBLEM #4: IN DATA RESEARCH,
INFORMED CONSENT DOES LITTLE TO PROTECT SUBJECTS’
INTERESTS OR ENHANCE TRUST
• Does not guaranteeappropriate data
security and privacy protections
• No way to address group
interests/group harms (e.g.
stigmatization)
• Time consuming and burdensome for
individuals to learn about and evaluate
each and every use of their data
• Does not inform the general public
about research
• May create bias in research using
certain kinds of datasets
• Do people need nudges to consent to
research they actually support?
• Potential inhibition of valuable health
research is also a potential harm to
subjects’ interests

19. IS THERE A DIFFERENTWAY TO REGULATE?
Authorized, legitimate uses of data for
health research (or other socially valuable
research) allowed without consent
• All data research subject to same
standard (whether data are identifiable
or private, or not)
• Researchers must address potential
implications of research (e.g. group
harms or stigma) if applicable
Other requirements:
• Specify purpose of the research
• Investigators must have appropriate
qualifications
• Data security measures mandated
• Data cannot be released to third parties
• Plan for communication about research
and findings
• Enforcement: licensing of investigators;
violators lose privileges for accessing
data

20. CONCLUSION
• No clear ethical rationale for regulating
research with data differently from non-
research activities with regard to privacy,
as current regulatory structure does;
• Increasing complexity of big data
approaches make current regulations
unworkable;
• Informed consent not best mechanism to
protect subjects’ privacy interests
• Claims of subjects’ rights or interests in
controlling research not based on convincing
argument
• Privacy concerns should be evaluated in
context of other interests of subjects;
• Group interests deserve consideration but
are not addressed in current regulatory
structure
• New regulatory regime is needed for
research with data