Institutional Review Boards and Health Services Research Data Privacy: A Workshop Summary (2000)

The Institute of Medicine (IOM) and the Committee on the Role of Institutional Review Boards in Health Services Research Data Privacy Protection hosted a workshop on March 13–14, 2000, to gather and to exchange information on the protection of human subjects in health services research (HSR). HSR examines the impact of the organization, financing and management, of health care services, on the access to, delivery, cost, outcomes and quantity of those services. The benefits of such studies include increased understanding of the effects of changing parts of the health care system, such as whether a change in the reimbursement policy for a particular class of drug has any effect on the health or quality of life of the participants. The major risk in such research is not physical harm, but risk resulting from improper disclosure of personal information, that is, a breach of confidentiality. Confidentiality can be protected by limiting access to data and strengthening protections of data handling. However, HSR can be conducted only if researchers have access to data. Thus, data privacy and data access are objectives that have to be balanced.

In recent years, public interest in and concern about the privacy of personally identifiable health information has increased. Currently, there is no comprehensive federal law that affords protection for the privacy of all health-related information. There are some federal laws, and state statutes varying by locale, that protect certain types of personally identifiable health information under certain circumstances (Gostin et al., 1996; O'Brian and Yasnoff, 1999; Goldman and Hudson, 1999).

In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA), which directed the Secretary of Health and Human Services to publish regulations by February 2000, unless the Congress had taken legislative action at least six months earlier. The Secretary published a Notice of Proposed Rulemaking in November 1999 (Department of Health and Human Services, 1999), with the comment period closing on February 17, 2000. As this workshop was being held and summarized, the Department was analyzing and responding to the many (approximately 52,000) comments that the proposed rule elicited.

Historically, the focus of institutional review boards (IRBs) has been on protecting human subjects from harm associated with invasive clinical procedures or administration of new drugs.

In HSR there are few physical risks. Much HSR involves the analysis of previously collected, personally identifiable, health information recorded in the course of clinical care, billing, or payment for services. Thus, in HSR the primary risks are due to breaches of confidentiality, with ensuing loss of privacy and possible stigma and discrimination. Little is known about IRB practices in the area of HSR projects. Furthermore, much HSR using large databases falls outside the scope of federal regulations that require oversight by IRBs because it is undertaken with private funding by organizations that do not hold federal multiproject assurances that require all research at the institution to fall under IRB review.

In order to facilitate the national discussion of the topic of IRB oversight of HSR, the sponsors commissioned the IOM to call together a panel of national experts on various aspects of the problem. The purpose of this project was to provide information and advice on the current and best practices of IRBs in protecting privacy in health services research. The project was sponsored by the Agency for Healthcare Research and Quality and the Office of the Assistant Secretary for Planning and Evaluation, both in the Department of Health and Human Services. The charge to the committee was as follows:

1. To gather information on the current practices and principles followed by institutional review boards to safeguard the confidentiality of personally identifiable health information used for health services research purposes, in particular, to identify those IRB practices that are superior in protecting the privacy, confidentiality, and security of personally identifiable health information.

2. To gather information on the current practices and principles employed in privately funded health services research studies (that are generally not subject to IRB approval) to safeguard the confidentiality of personally identifiable health information, and to consider whether and how IRB best practices in this regard might be applied to such privately sponsored studies.

3. If appropriate, to recommend a set of best practices for safeguarding the confidentiality of personally identifiable health information that might be voluntarily applied to health services research projects by IRBs and private sponsors.

This summary describes the presentations and discussions that took place at the IOM Workshop on the role of Institutional Review Boards and Health Services Research Data Privacy. This summary reflects what transpired at the workshop and does not include committee deliberations, findings, or conclusions. The committee's deliberative report is being published separately (IOM, 2000).

The workshop itself was one of the major information-gathering activities of the committee. The committee invited speakers including IRB administrators and chairs from universities, research foundations, the U.S. Army and private businesses, as well as representatives from health care services and pharmaceutical companies. The committee also welcomed all interested parties to attend and to participate in discussion periods following the presentations. The invited speakers and members of the audience were asked to provide information on what their organizations actually do to protect confidentiality in health services research, whether or not the research they

do falls under the purview of the common rule. The committee also asked the participants to share any observations they had made regarding which practices are best and which might be applicable to other institutions.

The Office for Protection from Research Risks (OPRR) is the agency that administers the federal regulations on human and animal subjects. The director of OPRR's Division on Human Subject Protections presented an overview of federal regulations on human subjects, particularly regulations pertaining to the determination of whether a records review study involves human subjects, when data are considered identifiable, whether a study might be exempted from IRB review, and whether informed consent from subjects might be waived.

The committee heard presentations by several speakers who administer or chair IRBs in universities, private foundations, corporations, or military settings. Highlights mentioned included how IRBs have wrestled with determining whether data would be identifiable and how to ensure that potential risks to all affected parties are considered. For instance, the set of subjects may include not only the patients who received a service, but also the health care providers who delivered the service. In most HSR studies, the subjects themselves are not likely to receive any direct benefit, so the tolerance of some IRBs for risk to the subjects is correspondingly low, although IRBs consider risk to subjects in balance with the benefits to society of the research in the case of HSR as with any protocol. Other highlights include the following:

• An IRB chair from the UCSF medical school reported on an internal study leading to a recommendation that research grants should include 1.0 to 1.5 percent of the budget as an above-the-line item directed to the support of the institution's human subjects protection program.

• A former IRB chair, recently relocated to University of Florida, identified the differentiation of health services research and health services operations as critical, but also noted that the evaluation of risks to privacy is not new for IRBs and that current federal regulations allow appropriate flexibility.

• An IRB chair from RAND described its on-line system for initiating research projects, designed to help investigators determine whether the project might be addressed as research and, if so, to explore the possibilities of exemption from full IRB review, eligibility for expedited review, or requirement for full review. This IRB has access to a three-person privacy team, including an information resource specialist, a data librarian, and a networks specialist, to help design and implement data safeguarding plans commensurate with the level of risk for various protocols.

• An IRB chair from the Research Triangle Institute observed that it is very important that health services researchers have the freedom to work with their IRBs to modify standard consent and confidentiality language as appropriate for the particular study in question. He concluded that although many issues are often not well understood by IRB members or by researchers because they represent new or rare situations, the IRB system is workable and working, and has never in his experience been an onerous burden to researchers.

• An officer from Intermountain Health Care described the comprehensive technical protections and enforceable policies the organization has implemented in the protection of personally identifiable health information, whether in the context of research or in day to day operations of providing health services. He noted that all known violations of privacy have occurred in operations, but none have been found in the research branch.

• A representative of AXENT, an information security firm, spoke on recent market trends in security such as the widespread adoption of Web access security products and virtual private

networks, the slower adoption of products for authenticating users (i.e., public key infrastructure products), public key infrastructure products, and the general tendency of organizations to contract for information technologists rather than develop in-house expertise.

• The chair of the IRB of the Indian Health Service spoke about ethical issues regarding research with minority groups, including both the privacy of individuals within small and isolated groups and the privacy of the group itself. In either case, he observed, consultation with individuals familiar with the particulars of the group is important to avoid unintentional privacy violations and to build trust between the researchers and the participants.

The committee had commissioned two background papers, in accord with the contract between the IOM and the sponsors, which were presented in draft at the workshop. One paper analyzed issues regarding HSR with children. The author identified three issues of particular concern in considering health services research involving minors, including the heterogeneity of the population in question, complications arising from proxy consent, and the changing interests and risks affecting the subjects as they grow older. The second commissioned paper analyzed international standards regarding the use of personally identifiable health information for HSR. The author studied international conventions and guidelines and the domestic law of several nation states. This analysis pointed out different approaches to requiring oversight of the use of personally identifiable health information in HSR by IRB-like bodies and the uses of such information without individual consent. Both papers are appended to the committee's report, as is this workshop summary.