Patient Registries and Their Governance: A Pilot Study and Recommendations*

Leslie P Francis; Michael Squires

doi:10.18060/3911.0054

. Author manuscript; available in PMC: 2026 Mar 13.

Published in final edited form as: Indiana Health Law Rev. 2019 Mar 13;16(1):43–66. doi: 10.18060/3911.0054

Patient Registries and Their Governance: A Pilot Study and Recommendations^*

Leslie P Francis ^**, Michael Squires ^***

PMCID: PMC12981721 NIHMSID: NIHMS2094483 PMID: 41835951

I. Introduction

Patient registries collect information in a systematic way about individuals who share a particular feature of medical interest. As such, they may provide critical resources for medical research, for improving health care, for public health, or for other purposes.

Registries vary in many important ways. Registries may be devoted to specific conditions such as cystic fibrosis (“CF”) or Pompe disease. They may gather information about patients who have received particular medical devices such as pacemakers or joint replacements. Some registries such as tumor registries or vaccination registries are maintained by state public health departments. Others are maintained by non-profits, professional organizations, or academic medical centers. Still others are maintained by pharmaceutical companies or medical device manufacturers. Some registries are established specifically for research purposes and approved according to the federal regulations governing research with human subjects, while others serve primarily to network patients and their families. Some glean data from patient records and may continue to be covered by the federal privacy and security rules for protecting health information. Others may gather information from patients themselves or from other sources beyond the scope of these protections.

Registries also differ in how they use and protect the information they contain. That is, they engage in quite different practices of governance and data stewardship. This article presents data from a pilot study of a selected group of patient registries about their practices of governance and date stewardship. Although some of the registries surveyed have implemented robust practices of data stewardship, others have not. The article concludes with preliminary recommendations for improvements based on these findings.

II. Patient Registries

This section provides an overview of what a registry is and the myriad variations of registries that exist today.

A. What Are Registries?

Patient registries are difficult to define precisely because they appear in so many different forms. The Agency for Healthcare Research and Quality (“AHRQ”) offers this formal definition of a patient registry: “an organized system that uses observational study methods to collect uniform data (clinical and other) to evaluate specified outcomes for a population defined by a particular disease, condition, or exposure, and that serves one or more predetermined scientific, clinical, or policy purposes.”¹ This definition would encompass only a limited subset of the entities described as patient registries today and performing at least some of the functions of registries. Many of the registries in the clinical research and disease communities meet the characteristics of this definition, but others do not in at least some respects. To grasp a fuller picture of the registry world and how data is used within it, it is critical to extend the universe more widely to include the range of efforts to collect a variety of information in a systematic way about patients who share a feature of medical interest.

The registry’s purpose drives choices about its participant pool, data collection, data standards, funding sources, and even stakeholders involved in making decisions about the registry. Registry stakeholders play critical roles in determining a registry’s purposes and activities. A “stakeholder’s input directly influences whether development of a registry can proceed, and it can have a strong influence on how a registry is conducted.”² Stakeholders are either primary or secondary. Primary stakeholders are those responsible for the data collection and management of the registry. Secondary stakeholders are distinguished by the fact that they benefit from the data that is collected as part of the registry. These secondary stakeholders might include other researchers, patients, patient organizations, or commercial entities such as pharmaceutical companies. In some instances, a secondary stakeholder could have a greater impact on the purpose and activities of a registry than a primary stakeholder. This situation is especially likely if stakeholders provide funding for the registry.

Registries have in common that they possess data, sometimes the data is very rich. They may collect information from across the globe about conditions that are very rare or events that are of low frequency. Their information may be standardized and collected over long periods of time. Registries thus have the potential to be critical sources of information for assessing disease risks, following the natural history of little-known conditions, comparing care quality at different institutions, developing novel treatments, or even hoped-for cures. If commercial enterprises in health care assert trade secrets protection over predictive algorithms they have developed from patient data, information they have about the significance of novel genetic variants, or other analytic methods developed from patient information, registries may also be an independent source of information for medical research or studies of care quality. Nonetheless, ongoing upkeep of registries poses considerable administrative and financial challenges.

B. The Differing Characteristics of Registries

This section describes the wide variety of registry purposes, of entities that maintain registries, of information acquisition by registries, and of registry funding. The size and scope of registries varies enormously, from lists of several hundred patients with rare genetic syndromes to information about nearly a million and a half patients with hip or knee replacements. Registries are proliferating and taking many different forms. Registries that are expensive to maintain also may diminish their activity levels or become effectively defunct, leaving questions about what is to happen with the data they leave behind.

The vast proliferation of registries gives rise to concerns about reduplication, wasted efforts, gaps, and missed opportunities for cooperation. Efforts have been made to gather information about what registries are in operation but by no means are complete. The National Institutes of Health maintains a list of registries functioning at the national level that is explicitly not intended to be comprehensive.³ AHRQ maintains a Registry of Patient Registries that allows registry owners to provide information about their registries, including registry collaborators and the status of any clinical trials being conducted.⁴ Other entities such as the National Association of Rare Diseases (“NORD”) or Sanford Research also maintain a significant number of registries and provide resources for small patient groups that may be unable to develop registries on their own. The description that follows draws on these and other sources but it is important to recognize that efforts to provide a systematic description of a widespread and changing phenomenon will inevitably be incomplete. Although some registries of registries or registry consortiums also exist—that collect information about registries⁵ or that seek to further collaboration among registries⁶—the focus of what follows will be registries collecting information about individual patients.

1. Registry Purposes

The wide variety of registry purposes includes collecting contact information about individuals with particular conditions, assessing the incidence and prevalence of conditions, studying the natural history of conditions, assessing treatment safety and efficacy, comparing treatment outcomes for patients, engaging in clinical research, and providing support for patients and their families. Individual registries may, of course, serve many of these different functions.

Estimates are that over 7,000 rare diseases have been identified, many of which are genetic in origin and manifested in childhood. While a disease is classified as “rare” in the U.S. if it affects fewer than 200,000 patients,⁷ some very rare syndromes have been diagnosed in as few as a handful of individuals worldwide.⁸ Information about patients with these conditions may be difficult to assemble because they occur so infrequently, yet valid studies require adequate sample sizes. Registries have been developed to address this challenge. In their simplest form, these rare disease registries collect contact information about patients with an identified condition who may be interested in entering research studies devoted to their disease and who otherwise might be very difficult to contact in a coordinated way. For example, the Rare Diseases Clinical Research Network of the National Center for Advancing Translational Science maintains a contact registry for patients to sign up, describe their conditions, and be open to contact for participation in clinical studies.⁹ The Coordination of Rare Diseases registry at Sanford Research aims to work with patient advocacy groups to create registries of people with diseases such as Bohring-Opitz Syndrome, a rare mutation in the ASKL1 gene.¹⁰ Registries devoted to lysosomal storage diseases in children are another good example of registries aimed to assemble sufficient numbers of individuals with unusual conditions to enable sound research studies.¹¹

Rare disease registries may also aim to study the natural history of these conditions. Because they are diagnosed so infrequently, little may be known about whether the course they take is highly variable in different patients or indeed whether there are patients with milder forms of the condition who have not been recognized. NORD now has a project to establish registries to study the natural history of 20 rare diseases, such as galactosemia.¹² These registries ask patients (or their family members on their behalf) to update information regularly so that better understanding can be developed of how the disease progresses in different patients.¹³ The NORD project also partners with the Food and Drug Administration to identify patients who may be interested in participating in clinical trials aimed to develop potential treatments for these conditions.¹⁴

Registries may also be devoted to improving treatment for conditions that occur more frequently. One of the longest-operating registries is the Cystic Fibrosis Foundation Patient Registry which contains nearly 30,000 patients being treated in 282 different programs offering care for CF.¹⁵ In addition to serving as a resource for participation in clinical trials and research, this registry provides a resource for assessing approved therapies, for comparing treatment options, and for improving care quality.¹⁶

Registry development also serves implementation of learning health care systems. The idea of a learning healthcare system is to continuously capture and present the best available evidence tailored to patient care.¹⁷ Registries of patients with the condition at issue can provide continuing updated feedback about outcomes of similar patients, and thus assist in evidence-based treatment recommendations for particular patients. For example, there is now a Collaborative Health Outcomes Information Registry that integrates patient data into an open source platform to enable physicians to tailor care to their patients needing pain management.¹⁸ A parallel registry has been established for pediatric patients.¹⁹

Clinical research is another area for registry development. There are national and international requirements for certain clinical trials to be listed in public registries so that the public can acquire summary information about the trial, such as its sponsor, recruitment locations, inclusion criteria, and outcomes.²⁰ Particular clinical trials may also create patient registries that are maintained during the period of the trial. For example, patients with intracranial arterial stenosis and a high risk of stroke were entered into a registry designed to evaluate the technical success of stenting with a particular stent device.²¹ This registry followed patients for a year after insertion of the stent.²²

Other registries collect ongoing data about particular treatments or medical devices. For example, the American Academy of Orthopedic Surgeons maintains a registry of patients who have received hip or knee replacements which included over 1,414,000 procedures by 2018,²³ and the American College of Cardiology maintains a suite of ten registries aimed to improve the evidence base for cardiac care.²⁴ A registry of all genetic tests maintained by the National Institutes of Health collects information submitted by test providers about what the test measures, where it can be administered, and any evidence of its analytical and clinical validity and clinical utility but does not acquire information about individual patient test results.²⁵

Still other registries are designed for public health purposes to assess the incidence and prevalence of selected conditions. For example, forty-six states and the District of Columbia receive funding from the U.S. Centers for Disease Control and Prevention (“CDC”) to maintain state cancer registries that collect incidence and mortality data.²⁶ These registries may be used to identify high-risk groups of patients or to investigate the possibility that there are cancer clusters with environmental causes.²⁷ To take another example, forty-three states have birth defect tracking systems that collect information about the incidence of defects and use the data for prevention, referral, and early intervention treatment for patients.²⁸

2. Entities Maintaining Registries

The entities maintaining registries are as diverse as the registries themselves. Some registries are maintained by federal or state public health authorities. To illustrate with one state, Utah maintains a Cancer Registry,²⁹ a Trauma Registry,³⁰ an immunization information system,³¹ and a birth defect network.³² In addition, Utah established a Stroke and Cardiac Registry by statute in 2018.³³

Other registries are maintained by non-profit organizations devoted to particular diseases. The patient registry maintained by the Cystic Fibrosis Foundation³⁴ is an example, as is the newer world bleeding disorders registry created by the World Federation of Hemophilia.³⁵ Other registries are maintained by academic medical centers or other not-for-profit entities conducting clinical research, such as Sanford Research.³⁶

Still other registries are maintained by professional organizations. The cardiac and orthopedic registries described above are examples. The registries of the American College of Cardiology provide a number of the functions of professional organizations, including networking, quality improvement, and certification. The joint replacement procedure registry of the American Academy of Orthopaedic Surgeons is explicitly aimed to improve care quality and reduce rates of surgical revision.³⁷

Finally, some registries are maintained by provider organizations, health care payers, or pharmaceutical and medical device companies. Some of these organizations are non-profits but many others are for-profit corporations interested in using registry data to further their corporate goals. These registries are especially useful for optimizing care, reducing care costs, furthering understanding about the value of treatments, and developing new treatments.³⁸ Controversies may arise, however, if patients providing data believe they are contributing to the advancement of knowledge about their disease while the ultimate outcome of the use of the registry information is a commercially marketed product protected by intellectual property rights, such as a genetic test or a novel pharmaceutical.³⁹

3. Sources and Types of Registry Information

Much of the value of registries lies in the utility of the data they collect. The utility of the registry is found in the integrity of its data and whether the data can be shared and utilized by a registry’s stakeholders and potential partners. Registry data is most useful if it is standardized. Registries are urged to include similar core components and to structure the data in ways that further interoperability. Standard core components include a description of the disease that will be followed, a determination of effective standards for data collection, and measurement of data results.⁴⁰ As registries increasingly collect data from multiple sources and share data cooperatively, interoperability poses significant challenges, however.⁴¹

Registries acquire information from varied sources. Some contain information drawn directly from medical records. For example, the registry devoted to Pompe Disease, a glycogen storage disorder, tracks the clinical outcomes for patients with this condition as they are recorded in the medical records of the patients’ treating physicians.⁴² Some registries such as cancer registries contain data reported by health care providers. Other registries contain information entered by patients themselves or their family members. Some registries draw data from multiple sources, including medical records directly from providers, medical records uploaded by participants, and additional information provided by patients themselves.⁴³ Registries may also have data that allows research on the impact of exposure to traumatic events or environmental disasters. For example, there is a registry of rescue workers and people who were in the immediate area of the World Trade Center disaster,⁴⁴ and a registry has recently been established for people who were in Houston during Hurricane Harvey.⁴⁵

Registries also vary on whether the information in them is collected with the consent of the participants. When registries are constructed as part of clinical research and contain identifiable patient information, patients (or their responsible persons on their behalf) consent to participation. Consent may permit data collection over extended periods of time, however, and patients may lose track of their participation in the registry. Moreover, many registries are devoted to conditions that are manifested in infancy or early childhood; in such cases, parents may enter their children into the registry without the child’s knowledge or consent. In some cases, longitudinal registries may require re-consent for the continued participation of children in the registry after they reach adulthood.⁴⁶ Registries that function to identify patients who may be interested in participating in clinical research will typically require consent to participation on a study-by-study basis. When registries are assembled from data submitted by patients themselves, patients will presumably be aware of their involvement in the registry and the information they have submitted.

Other registries may acquire data without either the consent or the knowledge of the individuals from which registry data is drawn. As described below, data that has been de-identified are not considered individual data for regulatory purposes. Inclusion of identifiable data in registries maintained by public health, moreover, may occur without either the consent or even the knowledge of the patient or his or her decision-maker.

While the scope and geographic reach of some registries may remain confined to a region of the country, an increasing number of registries not only include data about patients treated in the United States, but also data from patients scattered across the globe. When diseases are quite rare—as many genetic disorders may be—larger national or international inclusion criteria may be necessary to acquire sufficient clinical data to be informative about the prevalence and natural history of the disease or to facilitate translational research.⁴⁷

The source of registry data is particularly important to how the data are protected legally in the U.S. As discussed below, registry data obtained from patient medical records and maintained in entities covered by the U.S. privacy and security rules protecting health information receives quite comprehensive protection against misuse. Once information leaves the entities covered by these rules, however, it receives far less protection. Information downloaded from protected systems may lose the protections to which it was initially subject, and information in registries collected from patients or other sources will never have had that protection. Information entered by patients themselves or drawn from non-health care sources is largely unprotected by federal law. International data protection standards, and especially the European Union Data Protection Regulation,⁴⁸ come into play when data crosses national borders. The European Regulation is far more protective that U.S. privacy law, and it remains to be seen whether it will pose difficulties for registries transferring information between jurisdictions.

Registries also vary widely in the sensitivity of the information they contain. Those registries that serve primarily as a means for identifying and connecting people with particular disease conditions may contain little sensitive information, although even contact information may be troubling if it enables people to be traced and harmed.⁴⁹ Some registries collect contact information only and require further communication and consent before participants are contacted about sharing information for research or other purposes. For example, a registry may be contacted by researchers interested in studying their participants, and the registry may then contact their participants to ask whether they are interested in participating in the proposed study. Registries that function in this way raise far more limited confidentiality and other data use concerns than registries that share contact information directly with third parties or that collect far greater amounts of information about participants.

Other registries attempt to mitigate concerns about confidentiality and scope by limiting their information to de-identified data. There are significant controversies about the success of de-identification strategies,⁵⁰ however. Primary problems with de-identification occur when data sets are combined. Risks of re-identification depend on what other information may be available for combination with a particular set of de-identified data. That the availability of other data may not be easily predicted in advance raises particularly difficult challenges for de-identification strategies. Such difficulties in prediction are especially noteworthy for registries that collect data longitudinally over comparatively long periods of time. Even when data are deidentified, however, other concerns beyond confidentiality may remain. One particular concern is that inferences may be drawn about group members based on a conjunction of characteristics that may apply even to individuals not included in the registry.⁵¹

4. Registry Funding

In most instances, the size, scope, and activities of a registry will be determined by the funding that is available. Collecting, curating, and protecting data are expensive activities. Even if they have been originally established on a sound financial basis, registries may be challenged to remain in operation if they lack reliable ongoing funding sources. For this reason, entities supporting rare diseases, such as NORD, provide funding for registries and their operation.

Diverse groups of stakeholders have contributed to a wide variety of registry funding models. Some registries are 501(c)(3) non-profit organizations, or maintained by these organizations, and funded largely by donations and fundraising efforts. Some receive funding from the institutions hosting them such as academic medical centers; some of this support may take the form of in-kind financial assistance. Many of these registries receive and are dependent on federal grant support, especially from NIH; the lifespan of grant-supported registries may, however, be the lifetime of the grant.

Registries that are supported by professional organizations may function on a membership model, with individuals or their institutions paying dues or membership fees. On these models, registry data and services are available to fee-paying members only.

Other registries are funded by commercial entities such as pharmaceutical companies. An example of a commercially-funded registry is the registry devoted to Gaucher disease, an autosomal recessive storage disorder in which patients cannot metabolize a particular lipid.⁵² The registry has been in operation since 1991.⁵³ It is supported by Genzyme.⁵⁴ It currently houses records of over 6000 patients from sixty-two countries.⁵⁵

One common theme in the registry landscape with regard to registry funding is that registry stakeholders play a major role in the source of a registry’s funding.⁵⁶

III. Legal protections for information in registries

Like registries themselves, the legal protections that apply to them vary in many ways. This section describes the two U.S. federal regulatory structures that apply to protect information in some registries: the Common Rule, governing research with human subjects, and the Health Insurance Portability and Accountability Act (HIPAA), governing privacy and security rules. Other regulatory structures may also apply to registries but are beyond the scope of this description. At the U.S. federal level in the background is the Federal Trade Act prohibition on unfair or deceptive trade practices that requires registries to abide by any data protection assurances they make explicitly and not to collect information in ways people might not expect and that could be harmful to them in ways they are ill-equipped to prevent.⁵⁷ In the U.S., several states are engaging in their own efforts to protect data privacy. There are also many trans-national regulations, the most notable of which is the European Union Data Protection Regulation, and other data protection regulations in jurisdictions outside of the U.S.⁵⁸

A. The Common Rule and Patient Registries

Many patient registries are constructed in settings that require conformity with the federal regulations governing research subjects. Strictly construed, these regulations apply to research receiving federal funding or to research that will be submitted to the FDA for approval of drugs or devices. However, many institutions apply the federal regulations governing research to all research they conduct; thus, registries maintained by academic medical institutions will typically be governed by the federal regulations. The FDA regulations and the Common Rule differ somewhat but in ways that are not relevant to this discussion; what follows is a summary of Common Rule requirements as they apply to registries.

The Common Rule defines “research” as “a systematic investigation … designed to develop or contribute to generalizable knowledge.”⁵⁹ Public health surveillance activities are excluded from this definition.⁶⁰ Collection of information is not “human subjects research” if the information is not collected through intervention or interaction with the individual or does not involve identifiable private information or biospecimen.⁶¹ Registries containing neither individually identifiable information nor assembled by contact with the people about whom they contain information are thus not covered by the Common Rule.⁶² If information is collected from the medical records of identifiable individuals but recorded in the registry in a manner that does not allow the identity of the individuals to be readily ascertained, the individuals are not contacted for the research, and the researcher does not make efforts to reidentify the individuals, research using that information is exempt from further Common Rule requirements.⁶³ Use of identifiable information in registries is also exempt from the Common Rule if it is for health care operations or for public health activities; in these cases, the research is covered by the HIPAA privacy and security rule, described below.

Under the Common Rule, when registries engage in research with identifiable human subjects, consent is required unless the research meets the requirements for waiver of consent.⁶⁴ These requirements are that the research poses no more than minimal risk, could not be practicably carried out without the waiver or without the use of the information in identifiable form, and will not adversely affect the rights or welfare of the subject.⁶⁵ In addition, any pertinent information should be provided to subjects after the research has been conducted, if providing this information is appropriate.⁶⁶

Consent must include the risks and benefits of the research, including risks of loss of confidentiality; the extent to which the confidentiality of records will be maintained must be stated clearly as well.⁶⁷ For the information to be stripped of identifiers and then reused in additional research without additional informed consent, this option must be clearly stated in the consent form.⁶⁸ The Common Rule now also permits a form of “broad consent” to research involving the reuse of identifiable private information; such broad consent must include a general description of the types of research that may be conducted, a description of the identifiable information that might be used, a description of the time frame in which it is anticipated that the information will be maintained and used (a frame that explicitly may be indefinite), a description of any plans to share information about research and its results, and an explanation about how to contact researchers.⁶⁹ The privacy of subjects and the confidentiality of data must also be appropriately maintained.⁷⁰

To summarize, the Common Rule thus presents a complex set of consent requirements for registries conducting research with human subjects. Registries not conducting research, or not containing information or drawn from information about identifiable human subjects, are not covered by the Common Rule. Registries may also be beyond the Common Rule’s coverage when they are created by institutions that do not receive federal funding and are not intended to be used in the development of products requiring FDA approval for marketing. Informed consent may otherwise be required for research involving information in registries—but this consent may be broad or waived. The consent mechanisms of the Common Rule are thus limited at best in protecting the information in registries.

B. The HIPAA Rules and Patient Registries

The HIPAA security and privacy rules apply to identifiable health information possessed by HIPAA-covered entities. These entities are health care providers who transmit any information in electronic form; entities also include health plans and health care clearinghouses.⁷¹ HIPAA also covers the “business associates” of covered entities—that is, entities receiving identifiable health information from covered entities in order to provide functions such as cost analytics, quality of care analytics, legal advice, accounting services or a host of other business functions required by health care organizations.⁷² Entities not included in these definitions are not covered by the HIPAA rules. When information is transferred out of the HIPAA domain—for example by a patient request for records to be transferred—the transferred information no longer has the protections accorded by HIPAA, although the original copy possessed by the covered entity would continue to be protected.

Under the HIPAA security rule, covered entities must perform an assessment about security risks and implement reasonable security plans.⁷³ Security has three aspects. The first is administrative security: proper training of staff so that they do not risk security breaches, for example, sharing passwords, using very weak passwords, or letting people into files who have not been properly authenticated.⁷⁴ A second is physical security: the data from destruction or loss, such as when the data are stored on a portable device, and the portable device is taken where it can be lost or stolen.⁷⁵ The third is technical security which is achieved by methods such as encryption and automatic logoff.⁷⁶

The HIPAA privacy rule also provides significant protections for health information that it covers. Most importantly for this discussion, patients have rights to receive copies of most of their records⁷⁷ and to request amendments if they identify errors.⁷⁸ Authorization from patients is required if information is to be used in research; thus registry research conducted by covered entities would require authorization.⁷⁹ Authorization may combine inclusion in the registry with participation in a given research study.⁸⁰ On the other side, patient authorization is not required for covered entities to share information with public health as required by law.⁸¹ Thus, providers need not seek patient authorization to report information to public health registries in a manner that is legally required. Authorization is also not required for treatment, payment, or health care operations;⁸² thus registries maintained internally for purposes such as analysis of cost effectiveness do not require authorization. Finally, information de-identified to HIPAA standards is no longer considered health information protected by HIPAA;⁸³ thus, information that has been de-identified before being transferred to registries is no longer considered to be under the strictures of HIPAA. Information may also be transferred and used without authorization if it has been partially de-identified in the form of what HIPAA terms a “limited data set.”⁸⁴ Use of limited data sets requires a data use agreement to protect from re-identification.

HIPAA thus provides some fairly extensive protections for the health information it covers. To be sure, some of the exceptions to authorization, such as the exception for public health, have come under significant criticism from privacy advocates. However, the far greater concern is the amount of health information that is outside of the domain of HIPAA. Information in registries may never have been HIPAA-protected because it was submitted by patients themselves or other entities that are not within the HIPAA definition of a covered entity or business associate. Information that was once HIPAA-protected may also lose that protection if it is transferred to a registry that is not within the HIPAA orbit.

IV. Fair Information Practices and Data Stewardship

Fair information practices (“FIPs”) were initially proposed over forty years ago with the advent of electronic data and have been honed over the ensuing years.⁸⁵ This summary of FIPs is distilled from the initial report of the then-Department of Health, Education, and Welfare (“DHEW”), the Organization for Economic Co-Operation and Development (“OECD”) guidelines for privacy protection, and recommendations of the U.S. Office of the National Coordinator for Health Information Technology (“ONC”) and the National Committee on Vital and Health Statistics (“NCVHS”).

FIPs were initially proposed in a report from DHEW in 1973: “Records, Computers, and the Rights of Citizens.”⁸⁶ The report, spawned by the growing recognition of the power of electronic data, rested on five key principles:

there must be no record-keeping systems whose very existence is private;
there must be a way for an individual to find out information about his own record and how it is being used; (3) there must be a way for the individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent; (4) there must be a way for an individual to correct or amend a record of identifiable information about him; and (5) any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.⁸⁷

In 1980, the OECD proposed a similar list of recommendations that subdivided several of the HEW recommendations and also specified collection limitation, security protections, and accountability.⁸⁸ The OECD principles included: (1) collection limitation; (2) data quality; (3) purpose specification; (4) use limitation; (5) security safeguards; (6) openness; (7) individual participation; and (8) accountability.⁸⁹ These initial efforts to delineate FIPs placed robust emphasis on transparency, individual involvement, data integrity, and protections against data misuse.

As health information has become managed in electronic forms that facilitate uses beyond the treatment of individual patients, the U.S. Department of Health and Human Services (“HHS”) has both encouraged electronic medical records and developed a variety of materials for promoting the privacy and security of the information these records contain. The ONC within HHS is the primary federal entity responsible for health IT and has published a range of “how to” materials for consumers and providers about health information privacy and security. ONC has also attempted to provide guidance for the wide range of uses of health information now burgeoning across the electronic data landscape. For purposes of this article, one of the most important of these is the model privacy notice (“MPN”), originally issued in 2011 and updated in 2016 and 2018.⁹⁰

The MPN is designed to be a standard form for health technology developers to use in disclosing their practices with respect to the collection of health information.⁹¹ If registries collect information through internet sites, as many now do, they will need to inform participants of their privacy policies. For registries that are outside of the scope of either HIPAA or the Common Rule, from the perspective of federal law these policies need only comply with the FTC Act’s prohibition of unfair or deceptive trade practices, as outlined in the previous section. The MPN is designed with these legal requirements in the background and begins with a disclosure of whether the entity collecting the information is HIPAA-covered.⁹² The MPN then prompts disclosure of how data are used internally, including whether the data will be used for scientific research or for the development of products.⁹³ It also prompts disclosure of any external sharing of data, including whether it will be used for research, marketing, or development of products.⁹⁴ Importantly, it requires indicating to participants whether their data will be used or shared in identifiable form or only after it has been deidentified.⁹⁵ It also requires informing participants of what other data may be combined with the information they submit, what participants may do with the data, what will happen in the case of a data breach, what will happen if participants decide to end their participation, and what will happen if the entity itself ceases operations.⁹⁶

The federal advisory committee to HHS for vital and health statistics, the NCVHS, has also put forth a series of documents on data governance and stewardship. The NCVHS documents, built on FIPs, emphasize transparency and accountability in data governance.⁹⁷ They present a number of concrete recommendations for parties responsible for data stewardship, including application of minimum necessary principles in data sharing and use and care in assuring that any data transfers are carefully monitored to assure that they occur as planned.⁹⁸ They also recommend clear accountability and the development of mechanisms to both identify any failures, attach consequences to responsible parties, remediate any harms, and pursue needed corrective action.⁹⁹

V. Registry Practices

To ascertain the extent to which registries are guided by fair information practices and methods of data stewardship, the authors conducted telephone interviews with a selected group of registries. This section describes research methods and study results. The study was approved by the University of Utah Institutional Review Board and funded by the Utah Center for Excellence in ELSI Research (“UCEER”). The study was a pilot and represents at best a snapshot of practices of the registries contacted. Nonetheless, it is clear that registry practices vary substantially and that at least some registries desire more specific guidelines about practices to use in managing the data they contain.

A. Study Methods

To select registries for interview, the authors began with the registries and registry groups listed on the NIH registry webpage.¹⁰⁰ Contact attempts were made for all registries listing contact information and collecting data longitudinally rather than at a single point in time, a total of fifty-nine registries. Contact was initiated first with an email providing a brief background of the S.J. Quinney College of Law’s Center for Law and Biomedical Sciences and explaining the study objectives. Contact was successfully made with thirty registries and interviews were ultimately conducted with twenty who agreed to discuss their registry’s practices; seventeen of these registries provided sufficient information to be used in the analysis that follows. Population sizes vary across the registries contacted, from approximately 200 to over three-quarters of a million participants. Disease types varied as well. Registries were promised confidentiality and the discussion that follows reports only aggregate information or information in which no registries are identified.

Interviews were conducted by telephone by Michael Squires; they were not recorded but detailed notes were kept.¹⁰¹ The interviews followed a scripted questionnaire. The questionnaire was based on the authors’ review of the FIPs and registry governance materials outlined in the prior section. Each section of the questionnaire was aimed at quickly identifying essential registry information. There were four main sections: (1) registry governance; (2) registry funding; (3) registry population and consent; and (4) data protection and privacy of registry participants. In all, the interviews provide a skeleton understanding of the registry landscape. Some registries were reluctant to answer some of the questions due to liability concerns. Some registries were also unable to answer the questions during the interview because the person contacted at the registry simply did not know the answer. Some registries asked for findings to be shared with them to enable them to improve their practices. Of particular note going forward, no registry was willing to agree to participate in a study that would involve registry participants and that might involve questions about participants’ knowledge about their participation in the registry, registry uses and protection of information, or other registry matters such as governance or financing.

B. Study Findings

This section reports study findings with respect to the four targeted questionnaire areas: governance, funding, registry populations, and privacy.

1. Registry Governance

Registry governance involves whether the registry has stated rules for its operations, how its decision-making is structured, and whether oversight mechanisms are in place. With respect to registry governance, the most consistent finding was the great variety that exists. Of the seventeen registries interviewed, fourteen had official statements of the registry mission. Six had explicit bylaws, five had formal statements of the makeup of governance committees, and six had formal statements of their decision-making structures. Fifteen of the seventeen had a formal management board; nine had advisory boards.

Statements of the duties of these governance structures varied widely as well. One registry specifically assigned fiscal responsibility to the management board, two used the board to advise on its strategic direction, and two used the board to review scientific reports and publications from the registry. For two registries, the board developed and monitored data practices, for another two the board created strategies for communication of registry activities, and for six the explicit role of the board was to consider the needs of all registry stakeholders.

Very few of the registries interviewed had formal or independent oversight mechanisms. Only two of the seventeen had an independent oversight mechanism. Six had internal oversight mechanisms, primarily composed of physicians. One identified an ethicist as a member of its oversight mechanism and two identified statisticians.

Although these data are perforce limited to the registries interviewed, the extent to which registries lack formal governance and accountability structures clearly warrants further study. Registries may find that their success in enrolling patients and in generating patient trust is enhanced by more robust and transparent governance structures.

2. Registry Funding

Of the registries that agreed to be interviewed for this study, the predominant funding source was NIH. Several received ongoing support from academic medical centers after the expiration of the initial grant. One registry functioned largely on the basis of a grant from a single private donor. Several received at least some funding or support from industry. Several engaged in significant fundraising efforts to support their activities. The interviews did not yield sufficient information for analysis about the extent to which funding structures drove decisions about data acquisition, uses, and protections, although this is an area that clearly warrants more systematic investigation.

3. Registry Populations: Enrollment, Information, and Consent to Participate

Interviewees cited many factors as affecting registry size. The type of the disease and the frequency with which it occurs in the target population clearly constrains a registry’s potential population size. The method of acquiring registry participants also has an impact on the number of participants. Most registries in this study used similar methods of identifying potential participants, including: (1) Participating private clinics and physicians; (2) Partnerships with universities with medical centers; and (3) Website marketing by the registry itself.

Most registries identify potential registry participants through participating clinics and clinicians themselves. These are sometimes connected to private clinics, but a partnership with university medical centers is very common. Registries also invest in their own advertising to reach individuals themselves, often by hosting a website and advertising directly to potential registry participants. Less common still are registries that advertise directly to potential registry participants by way of publication or brochure placed at a doctor’s office.

All interviewed registries required some form of consent to initiate participation in the registry. For a majority of registry participants who are referred to a registry by a participating clinician or clinic, the process of enrollment and consent typically occurs within the treatment context. The likely process is that these potential participants will be approached by their clinician after a diagnosis of a condition of interest to the registry. For these patients, the consent process will take place with their physician and may also involve creating an online profile for contact and further consent to inclusion in future studies. The identity of registry participants is assured through their clinicians’ participation in the enrollment process.

Registries that recruit through direct advertising typically request the registry participant to provide the registry with personal health information. Creating an online account and uploading medical reports and other information to the registry is the most usual method. Typically included in that process are online registration consent forms. This process of enrollment may take place without the same kind of opportunity to ask questions that might occur for patients enrolled through the provider from whom they are obtaining treatment. It is also unlikely to involve a reliable method for assuring the identity of the registry participant. Registries that permitted individuals to enroll and submit information themselves had very limited identity management structures in place; only one registry had a specific process for identity proofing and no registry required any kind of in person identity verification before participants could sign up for the registry.

The longitudinal nature of many registries poses additional complications for participants’ consent to participation. Many registries are devoted to conditions that become manifest by very early childhood; in such cases, participants are enrolled by their parents and may never become aware of their inclusion in the registry. Even when participants were aware of their inclusion at the outset, they may lose touch with their participation in the registry and ultimately forget that their clinicians may nonetheless continue to update information about them in the registry. Consent to registry participation, that is, may take place at a single point in time whereas registry participation is ongoing. Some registries are structured to require new consent for participation in research sponsored by the registry, but others do not require renewed consent for research uses of the data contained in the registry.

4. Data Protection and Privacy

Data protection and privacy are core to FIPs. Questions in this portion of the questionnaire were the most numerous and likely the most difficult for registries to answer. Indeed, many registries deferred answering a significant portion of the questions relating to the registry’s data protection policies from explicit liability concerns. Registries also expressed concern that answering questions that touched on their registry privacy protocol would provide with too much information. Many registries simply stated that they were unable to answer these questions about data protection and use.

Questions included the extent to which the registry made clear to participants the purposes for which information would be used and whether subsequent uses would be limited to the initial specified purposes. Interviews also asked whether there was clarity about who would have access to the data, including whether participants would have access to data about themselves. When participants submit data themselves, they presumably are aware they are making the submission, at least at the time it occurs. When clinicians supply data to the registry, however, patients may not have the opportunity to know what data has been submitted and to request correction of any errors.

Findings from the interviews were that twelve registries specify the purpose for which data are being collected. None indicated explicit policies about letting participants obtain a copy of information about them in the registry or suggest corrections for this information in the registry. Six had explicit use limitation requirements. Seven limited access to registry data to specific registry personnel. Five registries allowed data to be shared with external organizations—but none of these had a data use agreement they were willing to share.

Security practices were also an area of concern raised in the interviews. Four registries had explicit data security practices and set a minimum standard of care for data security protection. No registries had adopted breach notification processes and no registries reported awareness of any data breaches.

VI. Recommendations and Conclusion

As this snapshot may indicate, registries vary widely with respect to the extent to which they have explicit policies that reflect the core values of FIPs and data stewardship. The interview data are limited, however, and must be viewed with the caution that they may reflect an unwillingness to share information about policies rather than the lack of policies. It is also fair to say that some of the larger and more established registries were among the ones with more extensive data management and protection policies, but this generalization did not always hold.

Nonetheless, the interview findings give significant reason for concern. Registries may be more enthusiastic collectors of information than they are protectors of it. If so, at least some registries would appear to be at significant risk of experiencing problems with their use and protection of information—problems that could undermine trust and participation in the registry enterprise. Registries should be encouraged, at a minimum, to develop governance and oversight plans.¹⁰² They should develop explicit policies for specifying the purposes of data collection and limitations on data use. Data use agreements should be developed and enforced whenever registry data are made available to entities outside of the registry. Security risk assessments are also imperative for many registries. Transparency about registry policies and data uses are also essential. Transparency should also include allowing registry participants to know what information the registry holds about them and to suggest any needed corrections. Regular communication with registry participants—for example, in the form of an electronically available annual report—could greatly enhance awareness of registry activities for participants. These measures have the potential to enhance trust among registry participants and encourage engagement with the registry.

Registries are a growing part of the health information landscape and an important source of information, particularly about rare conditions. Further research on registry practices and on the attitudes and experiences of registry participants is needed both to reduce risks for participants and to further registry development.

Acknowledgments

* Research reported in this publication was supported by Utah Center for Excellence in ELSI Research (“UCEER”). UCEER is supported by the National Human Genome Research Institute of the National Institutes of Health under Award Number RM1HG009037. The content is solely the responsibility of the authors and does not necessarily represent the official views of the National Institutes of Health.

References

1.Agency for Healthcare Research & Quality, Patent Registries, in Registries for Evaluating Patient Outcomes: A User’s Guide (Gliklich Richard E. et al. eds., 3rd ed. 2014), https://www.ncbi.nlm.nih.gov/books/NBK208643/ [https://perma.cc/93YQ-A24Y]. [Google Scholar]
2.Agency for Healthcare Research & Quality, Planning a Registry, in Registries for Evaluating Patient Outcomes: A User’s Guide (Gliklich Richard E. et al. eds., 3rd ed. 2014), https://www.ncbi.nlm.nih.gov/books/NBK208631/#ch2.s19 [https://perma.cc/W5DJ-FZWQ]. [Google Scholar]
3.List of Registries, Nat’l Inst. Health, https://www.nih.gov/health-information/nih-clinical-research-trials-you/list-registries [https://perma.cc/525G-YTD6] (last reviewed Aug. 8, 2018). [Google Scholar]
4.About the Registry of Patient Registries (RoPR), Agency for Healthcare Res. & Quality, https://patientregistry.ahrq.gov/about/ [https://perma.cc/5U3D-UUDL]. [Google Scholar]
5.See Listing of Clinical Trial Registries, U.S. Dep’t of Health & Human Servs. (May 28, 2015), https://www.hhs.gov/ohrp/international/clinical-trial-registries/index.html#_edn2 [https://perma.cc/P6AN-PK3P]; Rubinstein Wendy S. et al. , The NIH Genetic Testing Registry: A New, Centralized Database of Genetic Tests to Enable Access to Comprehensive Information and Improve Transparency, 41 Nucleic Acids Res. D925 (2013), 10.1093/nar/gks1173 [https://perma.cc/M664-X2L3] (discussing registry of genetic tests). [DOI] [Google Scholar]
6.For example, the U.S. FDA is now facilitating a public-private partnership to facilitate collaboration among the over 30 orthopedic registries now in existence. Int’l Consortium Orthopaedic Registries, http://www.icor-initiative.org [https://perma.cc/7J77-2U5G]. [Google Scholar]
7.FAQs About Rare Diseases, Nat’l Ctr. for Advancing Translational Sciences, Genetic & Rare Disease Info. Ctr., https://rarediseases.info.nih.gov/diseases/pages/31/faqs-about-rare-diseases [https://perma.cc/BS65-7X6E] (last updated Nov. 30, 2017). The U.S. classification of a disease as “rare” comes from the Orphan Drug Act of 1983. Id. The European Union classifies a disease as rare if it occurs in fewer than one out of 2,000 patients. Id. [Google Scholar]
8.Examples of extremely rare conditions include Hutchinson-Gilford progeria, a premature aging syndrome diagnosed in 130 patients since it was first identified in 1886, Hutchinson-Gilford Progeria Syndrome, Genetics Home Ref. (Oct. 16, 2018), https://ghr.nlm.nih.gov/condition/hutchinson-gilford-progeria-syndrome#statistics [https://perma.cc/2AL8-DH8A], and Fields Condition, a progressive neuromuscular condition diagnosed only in the two twins who have it, What Is It Like to Live with a Rare Disease?, NRS Healthcare (Feb. 27, 2018), https://www.nrshealthcare.co.uk/articles/news/what-is-it-like-to-live-with-a-rare-disease [https://perma.cc/MU4C-E5HR]. [Google Scholar]
9.RDCRN Contact Registry, Rare Diseases Clinical Res. Network, https://www.rarediseasesnetwork.org/registry [https://perma.cc/J88E-5WEZ]. [Google Scholar]
10.Research with CoRDR, Sanford Res. www.sanfordresearch.org/specialprograms/cords/researchers/ [https://perma.cc/38RV-FJ9E]; What Is BOS?, Bohring-Opitz Found., http://bos-foundation.org/whatisbos [https://perma.cc/ZKL6-X4VU]. [Google Scholar]
11.See e.g., Simon Jones et al. , Disease Registries and Outcomes Research in Children: Focus on Lysosomal Storage Disorders, 13 Pediatric Drugs 33 (2011). [Google Scholar]
12.NORD-FDA Natural History Study Frequently Asked Questions, Nat’l Org. for Rare Disorders, https://rarediseases.org/for-patient-organizations/ways-partner/patient-registries/nord-fda-natural-history-study-faq/ [https://perma.cc/CJG7-E93W]; Press Release, National Organization for Rare Disorders, NORD Announces 20 Rare Disease Patient Groups Selected to Develop Natural History Studies as Part of FDA Cooperative Agreement (Apr. 19, 2016), https://rarediseases.org/nord-announces-20-rare-disease-patient-groups-selected-to-develop-natural-history-studies-as-part-of-fda-cooperative-agreement/ [https://perma.cc/BL3E-B8ZG]. [Google Scholar]
13.Gavin Pamela, The Importance of Natural Histories for Rare Diseases, 3 Expert Opinion on Orphan Drugs 855 (2015). [Google Scholar]
14.Information on Clinical Trials and Research Studies Nat’l Org. for Rare Disorders, https://rarediseases.org/for-patients-and-families/information-resources/info-clinical-trials-and-research-studies/ [https://perma.cc/V3CE-QV88]; Anne R. Pariser, Importance of Natural History Studies in Rare Diseases, https://events-support.com/Documents/Pariser.pdf [https://perma.cc/LWC2-389E]. [Google Scholar]
15.Cystic Fibrosis Foundation Patient Registry Highlights, Cystic Fibrosis Found. (2017), https://www.cff.org/Research/Researcher-Resources/Patient-Registry/2017-Cystic-Fibrosis-Foundation-Patient-Registry-Highlights.pdf [https://perma.cc/WLH2-CTGP]. [Google Scholar]
16.Id. [Google Scholar]
17.Best Care at Lower Cost: The Path to Continuously Learning Health Care in America 136 (Smith Mark et al. eds. 2013), https://www.nap.edu/read/13444/chapter/1#xvii [https://perma.cc/J4JS-RMY6]. [Google Scholar]
18.Clinical, Collaborative Health Outcomes Info. Registry, https://choir.stanford.edu/clinical-practice/ [https://perma.cc/2QJD-854K]. [Google Scholar]
19.Bhandari Rashmi P. et al. , Pediatric-Collaborative Health Outcomes Information Registry (Peds-CHOIR): A Learning Health System to Guide Pediatric Pain Research and Treatment, (Sept. 1, 2017) (unpublished manuscript) https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4988911/ [https://perma.cc/C6SB-XSNF]. [Google Scholar]
20.Listing of Clinical Trial Registries, supra note 5. [Google Scholar]
21.Zaidat OO et al. , The NIH registry on use of the Wingspan stent for symptomatic 70–99% intracranial arterial stenosis (Nov. 26, 2012) (author manuscript), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3506389/ [https://perma.cc/8MTB-S63D]. [Google Scholar]
22.Fiorella David J. et al. , US Wingspan Registry 12-Month Follow-Up Results, 42 Stroke 1976 (2011). [Google Scholar]
23.A Growing Network, Am. Acad.Orthopedic Surgeons, Am. Joint Replacement Registry, http://www.ajrr.net/ [https://perma.cc/UQ8Y-CK46]. [Google Scholar]
24.Registries, AM. College of Cardiology, https://cvquality.acc.org/NCDR-Home/registries [https://perma.cc/CLR7-QC8X]. [Google Scholar]
25.Rubinstein et al. , supra note 5. Although this is called a registry, it is not one in the more standard sense that it collects data about individual patient. [Google Scholar]
26.National Program of Cancer Registries, Ctrs. Disease Control, https://www.cdc.gov/cancer/npcr/index.htm [https://perm.cc/NVM9-4JTH] (last updated Oct. 25, 2018). [Google Scholar]
27.National Program of Cancer Registries (NCPR), Centers For Disease Control & Prevention (Mar. 27, 2018), https://www.cdc.gov/cancer/npcr/index.htm [https://perma.cc/2ABM-V8M6]. [Google Scholar]
28.State-Based Tracking Systems, Centers for Disease Control & Prevention (Nov. 30, 2017), https://www.cdc.gov/ncbddd/birthdefects/states/index.html [https://perma.cc/D3WB-3TUT]. [Google Scholar]
29.Utah Cancer Registry, Huntsman Cancer Inst. U. Utah https://uofuhealth.utah.edu/utah-cancer-registry/ [https://perma.cc/GXH2-KJ3J]. [Google Scholar]
30.Welcome to the Utah Trauma Registry!, Utah Trauma Registry, https://www.utahtrauma.org/ [https://perma.cc/V4BS-MPFY]. [Google Scholar]
31.Utah Statewide Immunization Information System, Utah Dep’t Health, http://www.usiis.org/index.shtml [https://perma.cc/U5Q9-KMMB]. [Google Scholar]
32.Utah Birth Defect Network, Utah Dep’t Health, https://health.utah.gov/cshcn/programs/ubdn.html [https://perma.cc/XD9W-M8DE] (last updated Oct. 4, 2018). [Google Scholar]
33.Utah Code Ann. § 26–8d-101—105 (LexisNexis 2018). [Google Scholar]
34.Patient Registry, Cystic Fibrosis Found ., https://www.cff.org/Research/Researcher-Resources/Patient-Registry/ [https://perma.cc/5NJ2-BEST]. [Google Scholar]
35.WFH World Bleeding Disorders Registry, World Fed’n Hemophilia, https://www.wfh.org/en/wbdr [https://perma.cc/Y85V-ZRKY] (last updated Jan. 2018). [Google Scholar]
36.Research with CoRDS, Sanford Res., www.sanfordresearch.org/specialprograms/cords/researchers/ [https://perma.cc/5VVA-GV5Y]. [Google Scholar]
37.American Joint Replacement Registry, Am. Acad. Orthopedic Surgeons, http://www.ajrr.net [https://perma.cc/DXS7-9N2T]. [Google Scholar]
38.Kelly Brian, Registries and the Future of Medicine, PharmExec (May 16, 2016), http://www.pharmexec.com/registries-and-future-medicine [https://perma.cc/6QXH-LSXN]. [Google Scholar]
39.Such was the controversy when patients with Canavan disease contributed data and biological samples to researchers who then developed a test to identify the gene and patented the test. Greenberg v. Miami Children’s Hosp. Research Inst. Inc., 264 F. Supp. 2d 1064 (S.D. Fla. 2003). [Google Scholar]
40.Agency for Healthcare Research & Quality, supra note 1. [Google Scholar]
41.da Silva Kátia Regina et al. , Correction: Glocal Clinical Registries: Pacemaker Registry Design and Implementation for Global and Local Integration – Methodology and Case Study, PLOS ONE (July 25, 2013), https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0071090 [https://perma.cc/5LCA-H3AP]. [Google Scholar]
42.Pompe Disease Registry, U.S. Nat’ Libr. Med. (Oct. 4, 2005), https://clinicaltrials.gov/ct2/show/NCT00231400 [https://perma.cc/3FQH-BP9S]. [Google Scholar]
43.See Accelerate Preeclampsia Research, Preeclampsia Registry https://preeclampsiaregistry.org/ [https://perma.cc/Y68W-GPGR] (Registry participants have the option of uploading themselves actual information into their online profile that they can edit and use, but that is also used by the registry). [Google Scholar]
44.World Trade Center Health Registry, NYC 9/11 Health, https://www1.nyc.gov/site/911health/about/wtc-health-registry.page [https://perma.cc/9XUP-NSPC]. [Google Scholar]
45.Houston Partners Announce Launch of Post-Harvey Health Registry, Envtl. Defense Fund (Apr. 25, 2018), https://www.edf.org/media/houston-partners-announce-launch-post-harvey-health-registry [https://perma.cc/9YEE-9KR4]. [Google Scholar]
46.Francis Leslie P., Patient Registries: Patient Consent When Children Become Adults, 7 Saint Louis U. J. of Health L. & Pol’y 389–404 (2014) (Adult consent to continued Participation in patient registries). [Google Scholar]
47.E.g., Ng David M. et al. , The Role of Patient Registries for Rare Genetic Lipid Disorders, 29 Current Opinion Lipidology 156, 156–162 (2018). [Google Scholar]
48.Commission Regulation 2016/679, 2016 O.J. (L 119/1) (EU) (Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)). [Google Scholar]
49.Testimony of Sarah Tucker to the National Committee on Vital and Health Statistics, Nat’l Comm. on Vital and Health Stats. (June 15, 2010), https://ncvhs.hhs.gov/wp-content/uploads/2014/05/100615p09.pdf [https://perma.cc/85ED-BCLQ]. [Google Scholar]
50.These concerns apply even to data de-identified the extent stipulated by the Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. § 164.514(a), (b) (2018).) See e.g., Bradley Malin A De-identification Strategy Used for Sharing One Data Provider’s Oncology Trials Data Through the Project Data Sphere^®Repository (2013), https://www.projectdatasphere.org/projectdatasphere/html/resources/PDF/DEIDENTIFICATION [https://perma.cc/5WJ7-2RDA]. [Google Scholar]
51.Francis John G. & Francis Leslie P., Privacy, Confidentiality, and Justice, 45 Utah J. of Soc. Phil. 408, 408–431 (2014). [Google Scholar]
52.Weinreb Neil J. & Kaplan Paige, The History and Accomplishments of the ICGG Gaucher Registry, 90 Am. J. Hematology S2, S2–S5 (2015). [Google Scholar]
53.Id. [Google Scholar]
54.Id. [Google Scholar]
55.Id. [Google Scholar]
56.Id. [Google Scholar]
57.Federal Trade Commission Act § 5, 15 U.S.C. § 45(a)(1) (2018). [Google Scholar]
58.2016 O.J. (L 119) 1. [Google Scholar]
59.45 C.F.R. § 46.102(l) (2018). [Google Scholar]
60.45 C.F.R. § 46.102(l)(2) (2018). [Google Scholar]
61.45 C.F.R. § 46.102(e)(1)(i)-(ii) (2018). [Google Scholar]
62.45 C.F.R. § 46.101(a) (2018). [Google Scholar]
63.45 C.F.R. § 46.104(d)(4)(ii) (2018). [Google Scholar]
64.45 C.F.R. § 46.111(a)(4) (2018). [Google Scholar]
65.45 C.F.R. § 46.116(f)(3)(i)-(iv) (2018). [Google Scholar]
66.45 C.F.R. § 46.116(f)(3)(v) (2018). [Google Scholar]
67.45 C.F.R. § 46.116(b)(2), (5) (2018). [Google Scholar]
68.45 C.F.R. § 46.116(b)(9)(i) (2018). [Google Scholar]
69.45 C.F.R. § 46.116(d)(2)-(7) (2018). [Google Scholar]
70.45 C.F.R. § 46.111(a)(7) (2018). [Google Scholar]
71.45 C.F.R. § 160.103 (2018). [Google Scholar]
72.Id. [Google Scholar]
73.See 45 C.F.R. § 164.306(a)-(b) (2018). [Google Scholar]
74.See 45 C.F.R. § 164.308 (2018). [Google Scholar]
75.See 45 C.F.R. § 164.310 (2018). [Google Scholar]
76.See 45 C.F.R. § 164.312 (2018). [Google Scholar]
77.45 C.F.R. § 164.524(a) (2018). This right extends only to information in the “designated record set” and excludes psychotherapy notes. Id. [Google Scholar]
78.45 C.F.R. § 164.526 (2018). [Google Scholar]
79.45 C.F.R. § 164.508(a) (2018). [Google Scholar]
80.45 C.F.R. § 164.508(b)(3) (2018). However, such compound authorizations must be careful to distinguish situations in which it is permissible to condition treatment on authorization and situations in which it is not. For example, receipt of treatment in a clinical trial may be conditioned on allowing data to be shared with the trial. However, treatment may not be conditioned on participation in a registry unless the registry is part of the trial. Id. [Google Scholar]
81.45 C.F.R. § 164.512(b)(1)(i) (2018). See Office of the Nat’l Coordinator for Health Info. Tech. Permitted Uses and Disclosures: Exchange for Public Health Activities (2016), https://www.healthit.gov/sites/default/files/12072016_hipaa_and_public_health_fact_sheet.pdf [https://perma.cc/62EW-GSQ3]. [Google Scholar]
82.45 C.F.R. § 164.502(a)(1)(ii) (2018). [Google Scholar]
83.45 C.F.R. 164.514(a) (2018). [Google Scholar]
84.45 C.F.R. 164.514(e) (2018). Limited data sets may contain more specific location information and dates of treatment than de-identified information. Id. [Google Scholar]
85.Robert Gellman, Fair Information Practices: A Basic History (2017), https://bobgellman.com/rg-docs/rg-FIPshistory.pdf [https://perma.cc/J4MW-N6KG]. [Google Scholar]
86.Ware Willis H. et al. , Records, Computers and the Rights of Citizens, xx-xi (1973), https://www.justice.gov/opcl/docs/rec-com-rights.pdf [https://perma.cc/29KU-S648]; see also S. Rep. NO. 93–1183, at 8–10 (1974). [Google Scholar]
87.Ware, supra note 86, at xx-xxi. [Google Scholar]
88.OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Org. Econ. Co-operation & Dev. (Sept. 23, 1980), http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm#recommendation [https://perma.cc/W2YV-XCAA]. [Google Scholar]
89.Id. [Google Scholar]
90.Model Privacy Note (MPN), HealthIT.gov, https://www.healthit.gov/topic/privacy-security-and-hipaa/model-privacy-notice-mpn [https://perma.cc/WBZ5-MM8H]. [Google Scholar]
91.Off. of the Nat’l Coordinator for Health Info. Tech., 2018 Model Privacy Notice (2018), https://www.healthit.gov/sites/default/files/2018modelprivacynotice.pdf [https://perma.cc/R9LE-9D9N]. [Google Scholar]
92.Id. at 2. [Google Scholar]
93.Id. [Google Scholar]
94.Id. [Google Scholar]
95.Id. [Google Scholar]
96.Id. at 4. [Google Scholar]
97.Nat’l Comm. on Vital & Health Statistics, Health Data Stewardship: What, Why, Who, How: an NCVHS Primer (2009), https://ncvhs.hhs.gov/wp-content/uploads/2014/05/090930lt.pdf [https://perma.cc/UG2Z-XWGT]. [Google Scholar]
98.Id. [Google Scholar]
99.Id. [Google Scholar]
100.List of Registries, supra note 3. [Google Scholar]
101.Notes are on file with the authors. [Google Scholar]
102.Agency for Healthcare Research & Quality, supra note 1. [Google Scholar]

[R1] 1.Agency for Healthcare Research & Quality, Patent Registries, in Registries for Evaluating Patient Outcomes: A User’s Guide (Gliklich Richard E. et al. eds., 3rd ed. 2014), https://www.ncbi.nlm.nih.gov/books/NBK208643/ [https://perma.cc/93YQ-A24Y]. [Google Scholar]

[R2] 2.Agency for Healthcare Research & Quality, Planning a Registry, in Registries for Evaluating Patient Outcomes: A User’s Guide (Gliklich Richard E. et al. eds., 3rd ed. 2014), https://www.ncbi.nlm.nih.gov/books/NBK208631/#ch2.s19 [https://perma.cc/W5DJ-FZWQ]. [Google Scholar]

[R3] 3.List of Registries, Nat’l Inst. Health, https://www.nih.gov/health-information/nih-clinical-research-trials-you/list-registries [https://perma.cc/525G-YTD6] (last reviewed Aug. 8, 2018). [Google Scholar]

[R4] 4.About the Registry of Patient Registries (RoPR), Agency for Healthcare Res. & Quality, https://patientregistry.ahrq.gov/about/ [https://perma.cc/5U3D-UUDL]. [Google Scholar]

[R5] 5.See Listing of Clinical Trial Registries, U.S. Dep’t of Health & Human Servs. (May 28, 2015), https://www.hhs.gov/ohrp/international/clinical-trial-registries/index.html#_edn2 [https://perma.cc/P6AN-PK3P]; Rubinstein Wendy S. et al. , The NIH Genetic Testing Registry: A New, Centralized Database of Genetic Tests to Enable Access to Comprehensive Information and Improve Transparency, 41 Nucleic Acids Res. D925 (2013), 10.1093/nar/gks1173 [https://perma.cc/M664-X2L3] (discussing registry of genetic tests). [DOI] [Google Scholar]

[R6] 6.For example, the U.S. FDA is now facilitating a public-private partnership to facilitate collaboration among the over 30 orthopedic registries now in existence. Int’l Consortium Orthopaedic Registries, http://www.icor-initiative.org [https://perma.cc/7J77-2U5G]. [Google Scholar]

[R7] 7.FAQs About Rare Diseases, Nat’l Ctr. for Advancing Translational Sciences, Genetic & Rare Disease Info. Ctr., https://rarediseases.info.nih.gov/diseases/pages/31/faqs-about-rare-diseases [https://perma.cc/BS65-7X6E] (last updated Nov. 30, 2017). The U.S. classification of a disease as “rare” comes from the Orphan Drug Act of 1983. Id. The European Union classifies a disease as rare if it occurs in fewer than one out of 2,000 patients. Id. [Google Scholar]

[R8] 8.Examples of extremely rare conditions include Hutchinson-Gilford progeria, a premature aging syndrome diagnosed in 130 patients since it was first identified in 1886, Hutchinson-Gilford Progeria Syndrome, Genetics Home Ref. (Oct. 16, 2018), https://ghr.nlm.nih.gov/condition/hutchinson-gilford-progeria-syndrome#statistics [https://perma.cc/2AL8-DH8A], and Fields Condition, a progressive neuromuscular condition diagnosed only in the two twins who have it, What Is It Like to Live with a Rare Disease?, NRS Healthcare (Feb. 27, 2018), https://www.nrshealthcare.co.uk/articles/news/what-is-it-like-to-live-with-a-rare-disease [https://perma.cc/MU4C-E5HR]. [Google Scholar]

[R9] 9.RDCRN Contact Registry, Rare Diseases Clinical Res. Network, https://www.rarediseasesnetwork.org/registry [https://perma.cc/J88E-5WEZ]. [Google Scholar]

[R10] 10.Research with CoRDR, Sanford Res. www.sanfordresearch.org/specialprograms/cords/researchers/ [https://perma.cc/38RV-FJ9E]; What Is BOS?, Bohring-Opitz Found., http://bos-foundation.org/whatisbos [https://perma.cc/ZKL6-X4VU]. [Google Scholar]

[R11] 11.See e.g., Simon Jones et al. , Disease Registries and Outcomes Research in Children: Focus on Lysosomal Storage Disorders, 13 Pediatric Drugs 33 (2011). [Google Scholar]

[R12] 12.NORD-FDA Natural History Study Frequently Asked Questions, Nat’l Org. for Rare Disorders, https://rarediseases.org/for-patient-organizations/ways-partner/patient-registries/nord-fda-natural-history-study-faq/ [https://perma.cc/CJG7-E93W]; Press Release, National Organization for Rare Disorders, NORD Announces 20 Rare Disease Patient Groups Selected to Develop Natural History Studies as Part of FDA Cooperative Agreement (Apr. 19, 2016), https://rarediseases.org/nord-announces-20-rare-disease-patient-groups-selected-to-develop-natural-history-studies-as-part-of-fda-cooperative-agreement/ [https://perma.cc/BL3E-B8ZG]. [Google Scholar]

[R13] 13.Gavin Pamela, The Importance of Natural Histories for Rare Diseases, 3 Expert Opinion on Orphan Drugs 855 (2015). [Google Scholar]

[R14] 14.Information on Clinical Trials and Research Studies Nat’l Org. for Rare Disorders, https://rarediseases.org/for-patients-and-families/information-resources/info-clinical-trials-and-research-studies/ [https://perma.cc/V3CE-QV88]; Anne R. Pariser, Importance of Natural History Studies in Rare Diseases, https://events-support.com/Documents/Pariser.pdf [https://perma.cc/LWC2-389E]. [Google Scholar]

[R15] 15.Cystic Fibrosis Foundation Patient Registry Highlights, Cystic Fibrosis Found. (2017), https://www.cff.org/Research/Researcher-Resources/Patient-Registry/2017-Cystic-Fibrosis-Foundation-Patient-Registry-Highlights.pdf [https://perma.cc/WLH2-CTGP]. [Google Scholar]

[R16] 16.Id. [Google Scholar]

[R17] 17.Best Care at Lower Cost: The Path to Continuously Learning Health Care in America 136 (Smith Mark et al. eds. 2013), https://www.nap.edu/read/13444/chapter/1#xvii [https://perma.cc/J4JS-RMY6]. [Google Scholar]

[R18] 18.Clinical, Collaborative Health Outcomes Info. Registry, https://choir.stanford.edu/clinical-practice/ [https://perma.cc/2QJD-854K]. [Google Scholar]

[R19] 19.Bhandari Rashmi P. et al. , Pediatric-Collaborative Health Outcomes Information Registry (Peds-CHOIR): A Learning Health System to Guide Pediatric Pain Research and Treatment, (Sept. 1, 2017) (unpublished manuscript) https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4988911/ [https://perma.cc/C6SB-XSNF]. [Google Scholar]

[R20] 20.Listing of Clinical Trial Registries, supra note 5. [Google Scholar]

[R21] 21.Zaidat OO et al. , The NIH registry on use of the Wingspan stent for symptomatic 70–99% intracranial arterial stenosis (Nov. 26, 2012) (author manuscript), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3506389/ [https://perma.cc/8MTB-S63D]. [Google Scholar]

[R22] 22.Fiorella David J. et al. , US Wingspan Registry 12-Month Follow-Up Results, 42 Stroke 1976 (2011). [Google Scholar]

[R23] 23.A Growing Network, Am. Acad.Orthopedic Surgeons, Am. Joint Replacement Registry, http://www.ajrr.net/ [https://perma.cc/UQ8Y-CK46]. [Google Scholar]

[R24] 24.Registries, AM. College of Cardiology, https://cvquality.acc.org/NCDR-Home/registries [https://perma.cc/CLR7-QC8X]. [Google Scholar]

[R25] 25.Rubinstein et al. , supra note 5. Although this is called a registry, it is not one in the more standard sense that it collects data about individual patient. [Google Scholar]

[R26] 26.National Program of Cancer Registries, Ctrs. Disease Control, https://www.cdc.gov/cancer/npcr/index.htm [https://perm.cc/NVM9-4JTH] (last updated Oct. 25, 2018). [Google Scholar]

[R27] 27.National Program of Cancer Registries (NCPR), Centers For Disease Control & Prevention (Mar. 27, 2018), https://www.cdc.gov/cancer/npcr/index.htm [https://perma.cc/2ABM-V8M6]. [Google Scholar]

[R28] 28.State-Based Tracking Systems, Centers for Disease Control & Prevention (Nov. 30, 2017), https://www.cdc.gov/ncbddd/birthdefects/states/index.html [https://perma.cc/D3WB-3TUT]. [Google Scholar]

[R29] 29.Utah Cancer Registry, Huntsman Cancer Inst. U. Utah https://uofuhealth.utah.edu/utah-cancer-registry/ [https://perma.cc/GXH2-KJ3J]. [Google Scholar]

[R30] 30.Welcome to the Utah Trauma Registry!, Utah Trauma Registry, https://www.utahtrauma.org/ [https://perma.cc/V4BS-MPFY]. [Google Scholar]

[R31] 31.Utah Statewide Immunization Information System, Utah Dep’t Health, http://www.usiis.org/index.shtml [https://perma.cc/U5Q9-KMMB]. [Google Scholar]

[R32] 32.Utah Birth Defect Network, Utah Dep’t Health, https://health.utah.gov/cshcn/programs/ubdn.html [https://perma.cc/XD9W-M8DE] (last updated Oct. 4, 2018). [Google Scholar]

[R33] 33.Utah Code Ann. § 26–8d-101—105 (LexisNexis 2018). [Google Scholar]

[R34] 34.Patient Registry, Cystic Fibrosis Found ., https://www.cff.org/Research/Researcher-Resources/Patient-Registry/ [https://perma.cc/5NJ2-BEST]. [Google Scholar]

[R35] 35.WFH World Bleeding Disorders Registry, World Fed’n Hemophilia, https://www.wfh.org/en/wbdr [https://perma.cc/Y85V-ZRKY] (last updated Jan. 2018). [Google Scholar]

[R36] 36.Research with CoRDS, Sanford Res., www.sanfordresearch.org/specialprograms/cords/researchers/ [https://perma.cc/5VVA-GV5Y]. [Google Scholar]

[R37] 37.American Joint Replacement Registry, Am. Acad. Orthopedic Surgeons, http://www.ajrr.net [https://perma.cc/DXS7-9N2T]. [Google Scholar]

[R38] 38.Kelly Brian, Registries and the Future of Medicine, PharmExec (May 16, 2016), http://www.pharmexec.com/registries-and-future-medicine [https://perma.cc/6QXH-LSXN]. [Google Scholar]

[R39] 39.Such was the controversy when patients with Canavan disease contributed data and biological samples to researchers who then developed a test to identify the gene and patented the test. Greenberg v. Miami Children’s Hosp. Research Inst. Inc., 264 F. Supp. 2d 1064 (S.D. Fla. 2003). [Google Scholar]

[R40] 40.Agency for Healthcare Research & Quality, supra note 1. [Google Scholar]

[R41] 41.da Silva Kátia Regina et al. , Correction: Glocal Clinical Registries: Pacemaker Registry Design and Implementation for Global and Local Integration – Methodology and Case Study, PLOS ONE (July 25, 2013), https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0071090 [https://perma.cc/5LCA-H3AP]. [Google Scholar]

[R42] 42.Pompe Disease Registry, U.S. Nat’ Libr. Med. (Oct. 4, 2005), https://clinicaltrials.gov/ct2/show/NCT00231400 [https://perma.cc/3FQH-BP9S]. [Google Scholar]

[R43] 43.See Accelerate Preeclampsia Research, Preeclampsia Registry https://preeclampsiaregistry.org/ [https://perma.cc/Y68W-GPGR] (Registry participants have the option of uploading themselves actual information into their online profile that they can edit and use, but that is also used by the registry). [Google Scholar]

[R44] 44.World Trade Center Health Registry, NYC 9/11 Health, https://www1.nyc.gov/site/911health/about/wtc-health-registry.page [https://perma.cc/9XUP-NSPC]. [Google Scholar]

[R45] 45.Houston Partners Announce Launch of Post-Harvey Health Registry, Envtl. Defense Fund (Apr. 25, 2018), https://www.edf.org/media/houston-partners-announce-launch-post-harvey-health-registry [https://perma.cc/9YEE-9KR4]. [Google Scholar]

[R46] 46.Francis Leslie P., Patient Registries: Patient Consent When Children Become Adults, 7 Saint Louis U. J. of Health L. & Pol’y 389–404 (2014) (Adult consent to continued Participation in patient registries). [Google Scholar]

[R47] 47.E.g., Ng David M. et al. , The Role of Patient Registries for Rare Genetic Lipid Disorders, 29 Current Opinion Lipidology 156, 156–162 (2018). [Google Scholar]

[R48] 48.Commission Regulation 2016/679, 2016 O.J. (L 119/1) (EU) (Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)). [Google Scholar]

[R49] 49.Testimony of Sarah Tucker to the National Committee on Vital and Health Statistics, Nat’l Comm. on Vital and Health Stats. (June 15, 2010), https://ncvhs.hhs.gov/wp-content/uploads/2014/05/100615p09.pdf [https://perma.cc/85ED-BCLQ]. [Google Scholar]

[R50] 50.These concerns apply even to data de-identified the extent stipulated by the Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. § 164.514(a), (b) (2018).) See e.g., Bradley Malin A De-identification Strategy Used for Sharing One Data Provider’s Oncology Trials Data Through the Project Data Sphere^®Repository (2013), https://www.projectdatasphere.org/projectdatasphere/html/resources/PDF/DEIDENTIFICATION [https://perma.cc/5WJ7-2RDA]. [Google Scholar]

[R51] 51.Francis John G. & Francis Leslie P., Privacy, Confidentiality, and Justice, 45 Utah J. of Soc. Phil. 408, 408–431 (2014). [Google Scholar]

[R52] 52.Weinreb Neil J. & Kaplan Paige, The History and Accomplishments of the ICGG Gaucher Registry, 90 Am. J. Hematology S2, S2–S5 (2015). [Google Scholar]

[R53] 53.Id. [Google Scholar]

[R54] 54.Id. [Google Scholar]

[R55] 55.Id. [Google Scholar]

[R56] 56.Id. [Google Scholar]

[R57] 57.Federal Trade Commission Act § 5, 15 U.S.C. § 45(a)(1) (2018). [Google Scholar]

[R58] 58.2016 O.J. (L 119) 1. [Google Scholar]

[R59] 59.45 C.F.R. § 46.102(l) (2018). [Google Scholar]

[R60] 60.45 C.F.R. § 46.102(l)(2) (2018). [Google Scholar]

[R61] 61.45 C.F.R. § 46.102(e)(1)(i)-(ii) (2018). [Google Scholar]

[R62] 62.45 C.F.R. § 46.101(a) (2018). [Google Scholar]

[R63] 63.45 C.F.R. § 46.104(d)(4)(ii) (2018). [Google Scholar]

[R64] 64.45 C.F.R. § 46.111(a)(4) (2018). [Google Scholar]

[R65] 65.45 C.F.R. § 46.116(f)(3)(i)-(iv) (2018). [Google Scholar]

[R66] 66.45 C.F.R. § 46.116(f)(3)(v) (2018). [Google Scholar]

[R67] 67.45 C.F.R. § 46.116(b)(2), (5) (2018). [Google Scholar]

[R68] 68.45 C.F.R. § 46.116(b)(9)(i) (2018). [Google Scholar]

[R69] 69.45 C.F.R. § 46.116(d)(2)-(7) (2018). [Google Scholar]

[R70] 70.45 C.F.R. § 46.111(a)(7) (2018). [Google Scholar]

[R71] 71.45 C.F.R. § 160.103 (2018). [Google Scholar]

[R72] 72.Id. [Google Scholar]

[R73] 73.See 45 C.F.R. § 164.306(a)-(b) (2018). [Google Scholar]

[R74] 74.See 45 C.F.R. § 164.308 (2018). [Google Scholar]

[R75] 75.See 45 C.F.R. § 164.310 (2018). [Google Scholar]

[R76] 76.See 45 C.F.R. § 164.312 (2018). [Google Scholar]

[R77] 77.45 C.F.R. § 164.524(a) (2018). This right extends only to information in the “designated record set” and excludes psychotherapy notes. Id. [Google Scholar]

[R78] 78.45 C.F.R. § 164.526 (2018). [Google Scholar]

[R79] 79.45 C.F.R. § 164.508(a) (2018). [Google Scholar]

[R80] 80.45 C.F.R. § 164.508(b)(3) (2018). However, such compound authorizations must be careful to distinguish situations in which it is permissible to condition treatment on authorization and situations in which it is not. For example, receipt of treatment in a clinical trial may be conditioned on allowing data to be shared with the trial. However, treatment may not be conditioned on participation in a registry unless the registry is part of the trial. Id. [Google Scholar]

[R81] 81.45 C.F.R. § 164.512(b)(1)(i) (2018). See Office of the Nat’l Coordinator for Health Info. Tech. Permitted Uses and Disclosures: Exchange for Public Health Activities (2016), https://www.healthit.gov/sites/default/files/12072016_hipaa_and_public_health_fact_sheet.pdf [https://perma.cc/62EW-GSQ3]. [Google Scholar]

[R82] 82.45 C.F.R. § 164.502(a)(1)(ii) (2018). [Google Scholar]

[R83] 83.45 C.F.R. 164.514(a) (2018). [Google Scholar]

[R84] 84.45 C.F.R. 164.514(e) (2018). Limited data sets may contain more specific location information and dates of treatment than de-identified information. Id. [Google Scholar]

[R85] 85.Robert Gellman, Fair Information Practices: A Basic History (2017), https://bobgellman.com/rg-docs/rg-FIPshistory.pdf [https://perma.cc/J4MW-N6KG]. [Google Scholar]

[R86] 86.Ware Willis H. et al. , Records, Computers and the Rights of Citizens, xx-xi (1973), https://www.justice.gov/opcl/docs/rec-com-rights.pdf [https://perma.cc/29KU-S648]; see also S. Rep. NO. 93–1183, at 8–10 (1974). [Google Scholar]

[R87] 87.Ware, supra note 86, at xx-xxi. [Google Scholar]

[R88] 88.OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Org. Econ. Co-operation & Dev. (Sept. 23, 1980), http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm#recommendation [https://perma.cc/W2YV-XCAA]. [Google Scholar]

[R89] 89.Id. [Google Scholar]

[R90] 90.Model Privacy Note (MPN), HealthIT.gov, https://www.healthit.gov/topic/privacy-security-and-hipaa/model-privacy-notice-mpn [https://perma.cc/WBZ5-MM8H]. [Google Scholar]

[R91] 91.Off. of the Nat’l Coordinator for Health Info. Tech., 2018 Model Privacy Notice (2018), https://www.healthit.gov/sites/default/files/2018modelprivacynotice.pdf [https://perma.cc/R9LE-9D9N]. [Google Scholar]

[R92] 92.Id. at 2. [Google Scholar]

[R93] 93.Id. [Google Scholar]

[R94] 94.Id. [Google Scholar]

[R95] 95.Id. [Google Scholar]

[R96] 96.Id. at 4. [Google Scholar]

[R97] 97.Nat’l Comm. on Vital & Health Statistics, Health Data Stewardship: What, Why, Who, How: an NCVHS Primer (2009), https://ncvhs.hhs.gov/wp-content/uploads/2014/05/090930lt.pdf [https://perma.cc/UG2Z-XWGT]. [Google Scholar]

[R98] 98.Id. [Google Scholar]

[R99] 99.Id. [Google Scholar]

[R100] 100.List of Registries, supra note 3. [Google Scholar]

[R101] 101.Notes are on file with the authors. [Google Scholar]

[R102] 102.Agency for Healthcare Research & Quality, supra note 1. [Google Scholar]

PERMALINK

Patient Registries and Their Governance: A Pilot Study and Recommendations^*

Leslie P Francis

Michael Squires

I. Introduction

II. Patient Registries

A. What Are Registries?

B. The Differing Characteristics of Registries

1. Registry Purposes

2. Entities Maintaining Registries

3. Sources and Types of Registry Information

4. Registry Funding

III. Legal protections for information in registries

A. The Common Rule and Patient Registries

B. The HIPAA Rules and Patient Registries

IV. Fair Information Practices and Data Stewardship

V. Registry Practices

A. Study Methods

B. Study Findings

1. Registry Governance

2. Registry Funding

3. Registry Populations: Enrollment, Information, and Consent to Participate

4. Data Protection and Privacy

VI. Recommendations and Conclusion

Acknowledgments

References

ACTIONS

PERMALINK

RESOURCES

Cite

Add to Collections

PERMALINK

Patient Registries and Their Governance: A Pilot Study and Recommendations*

Leslie P Francis

Michael Squires

I. Introduction

II. Patient Registries

A. What Are Registries?

B. The Differing Characteristics of Registries

1. Registry Purposes

2. Entities Maintaining Registries

3. Sources and Types of Registry Information

4. Registry Funding

III. Legal protections for information in registries

A. The Common Rule and Patient Registries

B. The HIPAA Rules and Patient Registries

IV. Fair Information Practices and Data Stewardship

V. Registry Practices

A. Study Methods

B. Study Findings

1. Registry Governance

2. Registry Funding

3. Registry Populations: Enrollment, Information, and Consent to Participate

4. Data Protection and Privacy

VI. Recommendations and Conclusion

Acknowledgments

References

ACTIONS

PERMALINK

RESOURCES

Similar articles

Cited by other articles

Links to NCBI Databases

Patient Registries and Their Governance: A Pilot Study and Recommendations^*