榴莲视频

Research using data from large numbers of people aggregated from numerous institutions is essential to understand and address the causes of health disparities affecting pregnant and LGBTQ+ individuals. Yet some people in politically vulnerable groups like these worry that data about them used for research can subject them to prosecution. Pregnant women have long been both excluded from research and prosecuted for their behavior during pregnancy, the latter risk now magnified for those living in abortion-restrictive states. Laws limiting and even criminalizing the actions of LGBTQ+ individuals and their access to health care may increase personal risk from use of data about them in research.

Thus, it is important to examine how well existing federal regulations protect research data, whether collected prospectively or derived from preexisting clinical and other data. This examination requires attention to consent requirements, definitions of identifiability, and provisions regarding law enforcement access. We start with the Common Rule for the Protection of Human Research Participants (Common Rule) and the Health Insurance Portability and Accountability Act (HIPAA), before turning to Certificates of Confidentiality (CoCs) under the 21st Century Cures Act. There has been more legislation and litigation regarding reproductive health, but many of the same issues apply to data from LGBTQ+ individuals.

Informed consent for broad sharing of data from prospective research does not protect research participants, despite claims to the contrary. When used optimally, disclosure communicates to potential contributors the risks of participation, but their only choice typically is whether to take part. If broad consent was obtained or waived in accordance with the Common Rule, institutional review boards (IRBs) can approve changes in the original research purpose without further consent if 鈥渢here are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data,鈥�¹ topics on which IRBs are not always well versed.

Moreover, many data are used for research without consent, authorization, or even notification. The Common Rule exempts research using clinically acquired data that 鈥渋s recorded by the investigator in such a manner that the identity of the human subjects cannot readily be ascertained directly or through identifiers linked to the subjects, the investigator does not contact the subjects, and the investigator will not re-identify subjects,鈥�² a relatively permissive standard that eliminates consent and IRB oversight from a huge amount of data. The HIPAA Privacy Rule, which governs health care institutions and their business associates, by contrast, does not apply if stricter, but still not absolute, standards of deidentification are met.

Recent efforts following the decision in Dobbs v Jackson Women鈥檚 Health to expand HIPAA to limit access by law enforcement to reproductive health information, sadly, fall short for pregnant individuals and their clinicians in abortion-restrictive states. Four days after Dobbs was announced, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance reminding HIPAA-covered entities that the Privacy Rule permits, but does not require, disclosure of protected health information pursuant to legal process and that it otherwise forbids disclosure of abortion unless that state鈥檚 law specifically requires reporting. Unfortunately, such guidance is not legally binding and could be overturned by a new administration, states鈥� enacting reporting requirements, or judicial decision, as occurred when a court rejected OCR鈥檚 2022 guidance for protecting gender-affirming care,³ increasing the jeopardy of LGBTQ+ people.

Thus, HHS has proposed to amend the Privacy Rule⁴ to prohibit the use or disclosure of protected health information for any legal proceeding 鈥渨here such health care is lawful under the circumstances in which it is provided鈥� or to identify the individual to be investigated. But even if finalized, these provisions would provide little protection to pregnant people and their clinicians, since the lawfulness of abortions in abortion-restrictive states is typically at issue, particularly when the life or health of the pregnant individual is at stake. This is particularly concerning since some of these people will receive care in their home state, thereby increasing the risk of research to understand the impact of these restrictions, like those faced by people receiving gender-affirming care in states where that is banned.

The most expansive statute protecting research data is the 21st Century Cures Act defining CoCs,⁵ which attach to all National Institutes of Health鈥揻unded research and are available to other researchers on request; these can provide more protection to research participants than HIPAA provides to patients. The statute defines 鈥渋dentifiable, sensitive information鈥� as information about an individual 鈥済athered or used during the course of research鈥� if the person is identified or if 鈥渢here is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.鈥� In other words, because Congress recognized the potential risk of reidentification in rich datasets, this definition applies to almost all data used in research, no matter whether collected retrospectively or prospectively, and covers more data than do HIPAA and especially the Common Rule.

This statute states that disclosure can occur if 鈥渞equired by Federal, State, or local laws鈥� but only with the consent of the person to whom the data pertains, a provision that is particularly valuable for politically vulnerable groups, such as pregnant individuals and LGBTQ+ people. To avoid subverting these provisions, research consent forms, when used, should state specifically that participants do not consent to disclosure of any data gathered or used for research in any legal proceeding.

A challenge for all these laws is enforcement. None allow persons harmed by data misuse to sue individually for damages. HHS can withdraw the federal assurance or withhold funding from an institution or stop an investigator鈥檚 research that fails to comply with the Common Rule. HIPAA violations can lead to large fines. The 21st Century Cures Act imposes the duty to protect covered information on the individuals who collect the data and the institutions where they work, but meeting these obligations could require substantial burdens in tracking and legal expense, especially when data move outside their walls, as is often needed to create large research datasets.

Fortunately, various technological solutions have been proposed to reduce individual-level data sharing, thus avoiding some of the enforcement gaps.⁶ For instance, data can be placed in virtual enclaves where investigators can compute in鈥攂ut cannot download鈥攖he data. Alternatively, secure multiparty computation techniques enable researchers to compute over encrypted datasets. And, federated learning is increasingly recognized as a framework for learning from the aggregate statistics from disparate data resources. In more conventional data sharing, institutions and data repositories increasingly recognize the importance of data protection and so require entities and investigators with whom they share information to execute data use agreements.

Research participants should be reassured that federal law, especially regarding CoCs, provides significant protection to data about them when used for research. These statutes are complemented by evolving privacy technologies, which hold great promise for data protection, and growing recognition by the research enterprise of the need to protect data to promote trust. Investigators and institutions should take advantage of these tools to ensure that research protects research participants, reduces health disparities, and advances health equity among targeted groups.

Corresponding Author: Ellen Wright Clayton, MD, JD, Center for Biomedical Ethics and Society, Vanderbilt University Medical Center and Vanderbilt University, 2525 West End Ave, Ste 400, Nashville, TN 37203 (ellen.clayton@vumc.org).

Published Online: April 15, 2024. doi:10.1001/jama.2024.4837

Conflict of Interest Disclosures: Dr Clayton reported receiving grants from the National Institutes of Health during the conduct of the study and serving on the National Academies of Sciences, Engineering, and Medicine Standing Committee on Reproductive Health, Equity, and Society. Dr Mittendorf鈥檚 spouse is owner/operator of Lavender Spectrum Health in Vancouver, Washington, which provides primary care services geared toward transgender individuals; Lavender Spectrum Health also provides abortion care. No other disclosures were reported.