The National Institutes of Health and the Centers for Medicare and Medicaid Services are working together to build what they're calling a "real-world data platform" that can be used to research claims information, electronic medical records and consumer wearable data – all with the goal, according to the U.S. Department of Health and Human Services, to "advance understanding of autism."
The data use agreement announced Wednesday was touted for its security by HHS, but many observers, including public health researchers and privacy attorneys, have raised questions about what it means for the privacy and security of autism patients' data.
Autism platform moving forward
The HHS announcement on Wednesday follows an initial public outcry in response to HHS Secretary Robert F. Kennedy, Jr.'s statements this spring about collecting autism data in a centralized database. HHS later pushed back on those reports, with a spokesperson promising that it is "not creating an autism registry."
But the agency does plan to move forward with a quest to understand autism diagnosis trends over time, such as health outcomes from specific medical interventions, care disparities and related economic burdens.
HHS said that the CMS and NIH partnership will focus initially on enabling research around the root causes of autism spectrum disorder and, long term, will link real-world data for research on chronic conditions.
"We’re using this partnership to uncover the root causes of autism and other chronic diseases," said Kennedy in a statement this week. "We’re pulling back the curtain – with full transparency and accountability – to deliver the honest answers families have waited far too long to hear."
The department added that use of the data would follow applicable privacy laws to protect Americans’ sensitive health information.
Data usage limitations TBD
Though there are similar databases on the state level, according to Newsweek, concerns about the department's intentions are running high. (And some state politicians, including Illinois Gov. JB Pritzer, have promised to resist HHS' efforts on this front.)
"The biggest concern with the CMS and NIH registry is how they are going to use this data," said Nicole Clark, CEO and cofounder of the Adult and Pediatric Institute.
Given that HHS has not specified whether CMS will first de-identify the data, or whether protected personally identifiable information (PII) will be contained in the proposed secure platform, Clark says she and others are concerned about whether there will be a consent process for patients involved.
"When they announced this registry, they did not announce any information as to how this data would be used, or whether or not personally identifiable information would be removed," she told Healthcare IT News by email on Thursday.
"Registries can be very useful and valuable when it comes to research," Clark acknowledged. "However, healthcare research is strictly governed by internal review boards and other laws to ensure that individuals participating in the research have given their consent and that their private health information and any [PII] are removed to protect their privacy."
That could be all spelled out in the data use agreement under CMS’ Research Data Disclosure Program focused on Medicare and Medicaid enrollees with a diagnosis of ASD.
"Using ASD as the pilot research program, teams at CMS and NIH will establish a secure tech-enabled mechanism to enhance this data sharing with timely, privacy and security compliant data exchange," the agency said.
Wide-ranging studies to examine public health challenges are not new, says Shannon Hartsfield, health lawyer at the firm Holland & Knight.
"NIH has been funding studies related to autism for many years," she said, noting that CMS has made data available to researchers since 2015 and is required to comply with HIPAA rules, which set privacy guardrails for research.
But it's still unclear what kind of data use agreement will be made between the agencies.
While HIPAA "allows subsets of protected health information, called limited data sets, to be used and disclosed for research purposes," Hartsfield said, "these data use agreements impose restrictions on how the research information will be protected."
Purpose and data security
HHS said in its announcement this week that the pilot research program would use the data to "inform continued development of a landmark NIH platform to ultimately be used by researchers in understanding healthcare utilization, chronic disease etiology and treatment, and the economic burden of chronic conditions."
"While I don’t know whether [a limited data use agreement] is what will be signed in connection with the NIH initiative, this document requires the recipient to represent that the information will be used only for the purposes set forth in the Data Use Agreement Request," Hartsfield said.
"The information cannot be used or disclosed except as specified in the request, as authorized by CMS, or as otherwise required by law," she said.
Under such an agreement, NIH would also have to "indicate that the information requested is the minimum necessary to achieve the purposes covered by the agreement."
CMS also requires that recipients establish appropriate security measures to maintain confidentiality and prevent unauthorized use or access.
"Security measures have to be at least as stringent as certain federal standards," including those established by the National Institute of Standards and Technology, she added.
Currently in process is a major update to the HIPAA Security Rule, which requires covered entities to obtain written documentation to verify that a business associate has technical safeguards in place to protect sensitive health data.
Not all research entities are covered by the HIPAA Security Rule, Hartsfield explained.
"I doubt NIH would be a business associate of CMS here. Instead, the DUA would likely govern the relationship between the parties."
Autism funding and resources
Clark said the autism community is also concerned about the impact the data will have on funding future programs and resources related to assisting individuals with autism and their families and caregivers.
Others have also cast doubt on the HHS secretary's intentions.
"From my many discussions 8 years ago with Mr. Kennedy, it was clear that he had no interest in autism/helping families like mine," Dr. Peter Hotez, a public health professor and vaccine researcher at Texas Medical Center, wrote in a social media post on X on Monday. "Maybe he’s changed, but I’m concerned about his zeal to pursue a registry."
Healthcare IT News has reached out to HHS to ask whether CMS intends to first de-identify the data, if protected PII will be contained in the proposed platform and to clarify if there will be a consent process for autism patients.
We've also requested a statement about complying with pending HIPAA security rule updates and will update this story if information is provided.
"I think that the autism community and the providers who work with this community need to hear more details about this registry and what they intend to do with this information to calm the anxiety that we are seeing within the communities," Clark said.
HHS said that, with autism spectrum disorder prevalence affecting 1 in 31 children in the United States and more than 25% of those individuals experiencing profound or severe autism, the need for multi-source, real-world data insights is urgent.
Previous research has led to the development of advanced digital ASD screening tools.
Two years ago, Duke University released an autism screening tool to be used by toddlers aged 17 months to 3 years old during well-child visits. HHS researchers previously found that parent questionnaires generally used in primary care may not be as accurate, while an NIH study found that Duke's SenseToKnow app could help healthcare providers connect children who they diagnose with ASD and their families to resources.
"This partnership is an important step in our commitment to unlocking the power of real-world data to inform public health decisions and improve lives," NIH Director Dr. Jay Bhattacharya said in announcing the data platform this week.
"Linking CMS claims data with a secure real-world NIH data platform, fully compliant with privacy and security laws, will unlock landmark research into the complex factors that drive autism and chronic disease – ultimately delivering superior health outcomes to the Americans we serve."
Added CMS Administrator Dr. Mehmet Oz: "This joint effort aligns with our shared goal of fostering innovation to improve Americans’ lives while safeguarding patient privacy."
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.
