WPF advises FDA and HHS on informed consent guidance for medical research

Download Comments (PDF) April 2024

The World Privacy Forum filed detailed comments regarding draft guidance on privacy and medical research to the U.S. Department of Health and Human Services and the U.S. Food and Drug Administration. The proposed guidance, Facilitating Understanding in Informed Consent, is related to consent for human subject research (medical research) and is particularly important. The final version of the guidance will provide formal guidance to the majority of clinical researchers and human subject researchers in the United States regarding how to handle participant / patient consent for medical research.

Currently, models of consent are in the process of going digital, which has created a number of challenging problems to solve. In the comments, WPF had several recommendations to improve consent and privacy. One key recommendation is that patients who are being asked to consent to medical research should be clearly informed when their health information is protected by HIPAA, and when it is not protected. Many research participants are unaware that HIPAA privacy protections do not necessarily apply to research or clinical trial data in the U.S., depending on the use case. Clarification of legal protections available for patients in each research project is necessary and important.

Additional areas of discussion in the comments included a discussion of the necessity of taking stock of the broader consent ecosystem, and providing normative privacy rules for the researchers themselves to abide by. Most professions have some form of normative privacy law or guidance today; in countries that have GDPR or GDPR-similar legislation, research is covered under the law. The U.S. has a significant regulatory gap in this area, because the U.S. sectoral regulation on health privacy, HIPAA, applies to health care providers, health insurers, and clearinghouses. For this reason, not all human subject medical research actually falls under the purview of HIPAA, because it may take place at an entity other than a provider, insurer, or clearinghouse as defined by the law.

Additional recommendations in the draft focused on digitalization issues, scale issues, impacts on consent from Artificial Intelligence, and the need to take into account vulnerable and other impacted populations.

Related Documents: