B

Institutional Review Boards and Health Services Research Data Privacy: A Workshop Summary

Executive Summary

The Institute of Medicine (IOM) and the Committee on the Role of Institutional Review Boards in Health Services Research Data Privacy Protection hosted a workshop on March 13–14, 2000, to gather and to exchange information on the protection of human subjects in health services research (HSR). HSR examines the impact of the organization, financing, and management of health care services on the access to, delivery, cost, outcomes and quantity of those services. The benefits of such studies include increased understanding of the effects of changing parts of the health care system, such as whether a change in the reimbursement policy for a particular class of drug has any effect on the health or quality of life of the participants. The major risk in such research is not physical harm, but risk resulting from improper disclosure of personal information, that is, a breach of confidentiality. Confidentiality can be protected by limiting access to data and strengthening protections of data handling. However, HSR can be conducted only if researchers have access to data. Thus, data privacy and data access are objectives that have to be balanced.

POLICY CONTEXT

In recent years, public interest in and concern about the privacy of personally identifiable health information has increased. Currently, there is no comprehensive federal law that affords protection for the privacy of all health-related information. There are some federal laws, and state statutes varying by locale,

This Appendix was released as a separate workshop summary in June 2000.






Protecting Data Privacy in Health Services Research

that protect certain types of personally identifiable health information under certain circumstances (Gostin et al., 1996; O'Brian and Yasnoff, 1999; Goldman and Hudson, 1999). In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA), which directed the Secretary of Health and Human Services to publish regulations by February 2000, unless the Congress had taken legislative action at least six months earlier. The Secretary published a Notice of Proposed Rulemaking in November 1999 (Department of Health and Human Services, 1999), with the comment period closing on February 17, 2000. As this workshop was being held and summarized, the Department was analyzing and responding to the many (approximately 52,000) comments that the proposed rule elicited.

Historically, the focus of institutional review boards (IRBs) has been on protecting human subjects from harm associated with invasive clinical procedures or administration of new drugs. In HSR there are few physical risks. Much HSR involves the analysis of previously collected, personally identifiable, health information recorded in the course of clinical care, billing, or payment for services. Thus, in HSR the primary risks are due to breaches of confidentiality, with ensuing loss of privacy and possible stigma and discrimination. Little is known about IRB practices in the area of HSR projects. Furthermore, much HSR using large databases falls outside the scope of federal regulations that require oversight by IRBs because it is undertaken with private funding by organizations that do not hold federal multiproject assurances that require all research at the institution to fall under IRB review.

SCOPE OF PROJECT

In order to facilitate the national discussion of the topic of IRB oversight of HSR, the sponsors commissioned the IOM to call together a panel of national experts on various aspects of the problem.
The purpose of this project was to provide information and advice on the current and best practices of IRBs in protecting privacy in health services research. The project was sponsored by the Agency for Healthcare Research and Quality and the Office of the Assistant Secretary for Planning and Evaluation, both in the Department of Health and Human Services. The charge to the committee was as follows:

To gather information on the current practices and principles followed by institutional review boards to safeguard the confidentiality of personally identifiable health information used for health services research purposes, in particular, to identify those IRB practices that are superior in protecting the privacy, confidentiality, and security of personally identifiable health information.

To gather information on the current practices and principles employed in privately funded health services research studies (that are generally not subject to IRB approval) to safeguard the confidentiality of personally identifiable health information, and to consider whether and how IRB best practices in this regard might be applied to such privately sponsored studies.

If appropriate, to recommend a set of best practices for safeguarding the confidentiality of personally identifiable health information that might be voluntarily applied to health services research projects by IRBs and private sponsors.

This summary describes the presentations and discussions that took place at the IOM Workshop on the role of Institutional Review Boards and Health Services Research Data Privacy. This summary reflects what transpired at the workshop and does not include committee deliberations, findings, or conclusions. The committee's deliberative report is being published separately (IOM, 2000).

WORKSHOP

The workshop itself was one of the major information-gathering activities of the committee. The committee invited speakers including IRB administrators and chairs from universities, research foundations, the U.S. Army and private businesses, as well as representatives from health care services and pharmaceutical companies. The committee also welcomed all interested parties to attend and to participate in discussion periods following the presentations.

The invited speakers and members of the audience were asked to provide information on what their organizations actually do to protect confidentiality in health services research, whether or not the research they do falls under the purview of the common rule. The committee also asked the participants to share any observations they had made regarding which practices are best and which might be applicable to other institutions.

The Office for Protection from Research Risks (OPRR) is the agency that administers the federal regulations on human and animal subjects.
The director of OPRR's Division on Human Subject Protections presented an overview of federal regulations on human subjects, particularly regulations pertaining to the determination of whether a records review study involves human subjects, when data are considered identifiable, whether a study might be exempted from IRB review, and whether informed consent from subjects might be waived. The committee heard presentations by several speakers who administer or chair IRBs in universities, private foundations, corporations, or military settings. Highlights mentioned included how IRBs have wrestled with determining whether data would be identifiable and how to ensure that potential risks to all affected parties are considered. For instance, the set of subjects may include not only the patients who received a service, but also the health care providers who delivered the service. In most HSR studies, the subjects themselves are not likely to receive any direct benefit, so the tolerance of some IRBs for risk to the subjects is correspondingly low, although IRBs consider risk to subjects in balance with the benefits to society of the research in the case of HSR as with any protocol. Other highlights follow.

An IRB chair from the UCSF medical school reported on an internal study leading to a recommendation that research grants should include 1.0 to 1.5 percent of the budget as an above-the-line item directed to the support of the institution's human subjects protection program.

A former IRB chair, recently relocated to University of Florida, identified the differentiation of health services research and health services operations as critical, but also noted that the evaluation of risks to privacy is not new for IRBs and that current federal regulations allow appropriate flexibility.

An IRB chair from RAND described its on-line system for initiating research projects, designed to help investigators determine whether the project might be addressed as research and, if so, to explore the possibilities of exemption from full IRB review, eligibility for expedited review, or requirement for full review. This IRB has access to a three-person privacy team, including an information resource specialist, a data librarian, and a networks specialist, to help design and implement data safeguarding plans commensurate with the level of risk for various protocols.

An IRB chair from the Research Triangle Institute observed that it is very important that health services researchers have the freedom to work with their IRBs to modify standard consent and confidentiality language as appropriate for the particular study in question. He concluded that although many issues are often not well understood by IRB members or by researchers because they represent new or rare situations, the IRB system is workable and working, and has never in his experience been an onerous burden to researchers.
An officer from Intermountain Health Care described the comprehensive technical protections and enforceable policies the organization has implemented in the protection of personally identifiable health information, whether in the context of research or in day to day operations of providing health services. He noted that all known violations of privacy have occurred in operations, but none have been found in the research branch.

A representative of AXENT, an information security firm, spoke on recent market trends in security such as the widespread adoption of Web access security products and virtual private networks, the slower adoption of products for authenticating users (i.e., public key infrastructure products), public key infrastructure products, and the general tendency of organizations to contract for information technologists rather than develop in-house expertise.

The chair of the IRB of the Indian Health Service spoke about ethical issues regarding research with minority groups, including both the privacy of individuals within small and isolated groups and the privacy of the group itself. In either case, he observed, consultation with individuals familiar with the particulars of the group is important to avoid unintentional privacy violations and to build trust between the researchers and the participants.

The committee had commissioned two background papers, in accord with the contract between the IOM and the sponsors, which were presented in draft at the workshop. One paper analyzed issues regarding HSR with children. The author identified three issues of particular concern in considering health services research involving minors, including the heterogeneity of the population in question, complications arising from proxy consent, and the changing interests and risks affecting the subjects as they grow older. The second commissioned paper analyzed international standards regarding the use of personally identifiable health information for HSR. The author studied international conventions and guidelines and the domestic law of several nation states. This analysis pointed out different approaches to requiring oversight of the use of personally identifiable health information in HSR by IRB-like bodies and the uses of such information without individual consent. Both papers are appended to the committee's report, as is this workshop summary.

1 Introduction

The Institute of Medicine and the Committee on the Role of Institutional Review Boards in Health Services Research Data Privacy Protection hosted a workshop on March 13–14, 2000, to gather and to exchange information on human subjects protection in health services research. Health services research uses quantitative or qualitative methodology to examine the impact of the organization, financing, and management of health care services on the access to and the delivery, cost, outcomes, and quality of services. Another IOM committee (IOM, 1995) recently developed the following definition:

Health services research is a multidisciplinary field of inquiry, both basic and applied, that examines the use, costs, quality, accessibility, delivery, organization, financing, and outcomes of health care services to increase knowledge and understanding of the structure, processes, and effects of health services for individuals and populations.

As these definitions show, HSR includes a broad range of questions and of research methodologies. This IOM project concentrates on HSR conducted through analyses of previously existing databases of health information. Further, among such studies, this project considers just the role of institutional review boards in ensuring that the study design will maintain confidentiality in the use of the subjects' data.

The benefits of HSR studies include increased understanding of the results of policy changes and other systemic effects in health care. The major risk in this branch of research, where the actual object of study is not the human body, but data about human beings, is likewise not to life and limb, but rather the risk resulting from improper disclosure of personal information. Any potential for harm would come about through possible breaches of confidentiality. The methodology, and in many respects the type of questions, of HSR are often very similar to the questions and methods directed toward assessing and improving the quality of operations within an organization. As a result, a boundary between research and operations is often difficult to locate.

It is important to distinguish privacy and confidentiality. The following explanation is provided by the Office of Protection from Research Risks in guidance to institutional review boards.

Privacy can be defined in terms of having control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others. Confidentiality pertains to the treatment of information that an individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others in ways that are inconsistent with the understanding of the original disclosure without permission. (OPRR Guidebook, Chapter Three, Section D, 1993)

The protection of privacy is an important matter, and many individuals regard the protection of their privacy (and likewise the confidential treatment of private information they choose to disclose) as an important ethical value. The responsible conduct of high-quality research is also an important value, and many individuals appreciate the benefits of effective health care, efficacy that is based on information that can be obtained only from population data. Privacy and confidentiality can be protected by limiting access to data. Good research can be conducted only if investigators have access to data.
Risks to individuals (from possible breaches of confidentiality) and benefits both to individuals and society (from the results of good research) are thus two concerns that we must balance.

In research, one way to ensure that subjects are protected, and in particular for this report's concerns, that the confidentiality of personally identifiable health information is maintained, is to have the proposed study reviewed by an institutional review board (IRB). IRBs are usually located within the organization doing the research, so that they can be aware of the nuances of the local situation. IRBs must ensure that they follow federal regulations pertaining to the protection of human subjects but they also use their local knowledge in practice along with the general principles in those regulations. This is why it was important in this project to consider the practices that IRBs actually follow as well as the regulations they apply through those practices.

It is also important to understand that IRB review is required only for research activities. So if data were to be collected for some proposed research (i.e., federally funded or otherwise subject to federal regulation), the protocol would be reviewed by an IRB for the protection of confidentiality. But health care provider or product companies often undertake reviews of their internal operations to assess and improve the quality of care and/or products they provide. These quality assessment and quality improvement exercises are not defined as research but may involve similar types of data collection as HSR, as well as raising similar questions about the use of private information and the maintenance of confidentiality. So if similar data were to be collected or used by a health care provider or health product company in the course of day-to-day clinical care or business operations, such collection and use would not be subject to regulations requiring IRB review.

BACKGROUND AND POLICY CONTEXT

In recent years, public interest in and concern about privacy and personally identifiable health information has increased and continues (e.g., Appelbaum, 2000). Some individuals have been disturbed, for instance, at corporate use of health information to create targeted mailings that seem to straddle the line between anticipating health questions and marketing products. For example, a database marketing firm received patient prescription records from two large pharmacies in the Washington, D.C. metro area (Lo and Alpers, 2000). The firm then created mailings for the pharmacies on the pharmacies' letterhead targeted to consumers of certain prescription drug products, informing them of new products with similar indications. The project, which was quickly canceled by the pharmacies in response to customer complaints, had been sponsored by the manufacturers of the new products, although the manufacturers never had access to any patient records themselves. In other cases, these worries have been heightened by still more dramatic reports of privacy violations, such as the release of HIV test results of hundreds of individuals to several Florida newspapers (in Etzioni, 1999). Such incidents are not HSR, but still increase general concern about the reliability of privacy protections.
In 1996, Congress enacted the Health Insurance Portability and Accountability Act directing the Secretary of Health and Human Services to prepare detailed recommendations on standards for privacy and personally identifiable health information. The Secretary's recommendations were delivered to Congress in September 1997 (Shalala, 1997), and several privacy bills have been introduced in Congress since that time. Both the Secretary's recommendations and most of the privacy bills introduced in the 105th Congress would permit personally identifiable health information to be used in research without the person's explicit permission if the research project were approved by an IRB.

The HIPAA further directed the Secretary of Health and Human Services to publish regulations on privacy standards by February 2000, unless the Congress had taken legislative action at least six months earlier. The Secretary published a Notice of Proposed Rulemaking in November 1999, with the comment period closing on February 17, 2000 (Department of Health and Human Services, 1999). The proposed regulations would create new requirements for privacy protection for all health care providers and health plans, and would establish research standards and oversight for all research. In addition, the proposed rule would permit the use and disclosure of personally identifiable health information for research without authorization by the subject, as long as the research protocol had been approved by an IRB or, if it does not fall under regulations requiring IRB review, then by an equivalent body. As this workshop was being held and summarized, the department was analyzing and responding to the many (approximately 52,000) comments that the proposed rule elicited.

Another important context for this report is recent media attention to research on human subjects. For example, news stories on topics such as gene therapy and clinical trials in developing countries have highlighted concerns about human subjects protections.

Policies on many levels, from institutional to international, address the proper and ethical conduct of research with human subjects. In the United States, the use of human beings as research subjects is governed by federal regulations when the research is federally funded. The body of federal regulations about human subjects protection (45 CFR 46 Subpart A) is called the Common Rule, since it has been adopted “in common” by many federal departments and agencies that are involved in research with human subjects as the basis for their regulations. The Food and Drug Administration (FDA) has adopted similar regulations (21 CFR 50 and 56) and will not consider clinical trial results submitted in support of a marketing application unless the trial was approved by an IRB. In addition, many organizations that do human subjects research have entered into agreements to conduct all their research according to the Common Rule, regardless of funding. Such agreements are called multiple project assurances (MPAs, see also footnote 6 below). The provisions of this shared body of regulation, including the Common Rule and MPAs as well as FDA regulations, grew from a variety of sources including the Belmont Report (Belmont, 1979).
The Belmont Report presented the ethical basis of human subjects research as three principles: respect for persons, beneficence, and justice.

The main mechanism in the human subjects protection system for protecting research subjects and for assessing the balance between the risks and benefits of research is the institutional review board. An IRB is a standing committee composed of scientists and/or physicians not directly involved with the proposal being reviewed and including at least one person who is not primarily involved in scientific pursuits and at least one person who is not otherwise connected with the institution. IRBs review proposals for research with human participants to make sure that any risk of harm to the subjects of the research is reasonable in relation to the possible benefits and that they will be respected as persons, not just used as research subjects. In many studies the subjects participate only after giving informed consent. So the IRB must make sure that subjects will be fully informed and then have an opportunity to consent, decline to participate in the research, or withdraw at any time, unless the research is of such low risk that informed consent is not needed. In federal regulations, the IRB of a particular organization is charged with reviewing and approving all research at the institution covered by the regulations. The criteria set out in the regulations for IRBs to use in assessing research proposals are listed in Box 1-1.

BOX 1-1 Criteria for IRB Approval of Research

Sec. 46.111 Criteria for IRB approval of research.

In order to approve research covered by this policy the IRB shall determine that all of the following requirements are satisfied:

Risks to subjects are minimized: (i) By using procedures which are consistent with sound research design and which do not unnecessarily expose subjects to risk, and (ii) whenever appropriate, by using procedures already being performed on the subjects for diagnostic or treatment purposes.

Risks to subjects are reasonable in relation to anticipated benefits, if any, to subjects, and the importance of the knowledge that may reasonably be expected to result. In evaluating risks and benefits, the IRB should consider only those risks and benefits that may result from the research (as distinguished from risks and benefits of therapies subjects would receive even if not participating in the research). The IRB should not consider possible long-range effects of applying knowledge gained in the research (for example, the possible effects of the research on public policy) as among those research risks that fall within the purview of its responsibility.

Selection of subjects is equitable. In making this assessment the IRB should take into account the purposes of the research and the setting in which the research will be conducted and should be particularly cognizant of the special problems of research involving vulnerable populations, such as children, prisoners, pregnant women, mentally disabled persons, or economically or educationally disadvantaged persons.

Informed consent will be sought from each prospective subject or the subject's legally authorized representative, in accordance with, and to the extent required by Sec. 46.116.

Informed consent will be appropriately documented, in accordance with, and to the extent required by Sec. 46.117.

When appropriate, the research plan makes adequate provision for monitoring the data collected to ensure the safety of subjects.

When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.

When some or all of the subjects are likely to be vulnerable to coercion or undue influence, such as children, prisoners, pregnant women, mentally disabled persons, or economically or educationally disadvantaged persons, additional safeguards have been included in the study to protect the rights and welfare of these subjects.

SOURCE: 45 CFR 46, Subpart A 46.111.

Research using databases containing health information on individuals, of which health services research is one example, also falls under the Common Rule, although the Belmont Report and regulations primarily address clinical research and individual direct interventions. HSR involving the analysis of previously collected data is somewhat different from clinical research in that subjects participate indirectly because researchers are sorting data on large sets of individuals but not intervening with the specific individuals themselves. As a result, the application of the principles may also have to be somewhat different in HSR.

PROJECT OBJECTIVES

The sponsors commissioned the IOM to call together a panel of national experts on various aspects of the problem. The purpose of this project was to provide information and advice on the current and best practices of IRBs in protecting confidentiality in health services research. The project was sponsored by the Agency for Healthcare Research and Quality and the Office of the Assistant Secretary for Planning and Evaluation, both in the Department of Health and Human Services. The charge to the committee was as follows:

To gather information on the current practices and principles followed by institutional review boards to safeguard the confidentiality of personally identifiable health information used for health services research purposes, in particular, to identify those IRB practices that are superior in protecting the privacy, confidentiality, and security of personally identifiable health information.

To gather information on the current practices and principles employed in privately funded health services research studies (that are generally not subject to IRB approval) to safeguard the confidentiality of personally identifiable health information, and to consider whether and how IRB best practices in this regard might be applied to such privately sponsored studies.
If appropriate, to recommend a set of best practices for safeguarding the confidentiality of personally identifiable health information that might be voluntarily applied to health services research projects by IRBs and private sponsors.

The charge did not encompass many other possible questions about privacy of medical records or electronic records in general. The committee recognized the strong connections between these related matters and the question of protecting data confidentiality in health services research. However, in keeping with the committee's charge, these issues were not discussed at the workshop. The committee also did not discuss issues of privacy and confidentiality as they pertain to other types of research, for example, clinical research that deals with sensitive topics such as HIV infection, mental illness, or substance abuse.

The committee focused its attention on HSR involving the secondary analysis of existing data because this type of research raises the most dilemmas about how IRBs can protect the confidentiality of the patients' data. To be sure, HSR that involves, for example, questionnaires to patients about satisfaction or clinical outcomes also raises concerns about privacy and confidentiality. However, patients must be contacted and must cooperate for data to be gathered. Because

ent(s). The question of uncoerced and informed consent to participate in research brings with it problems when subjects are adults, and proxy consent brings further complications. In some cases, the adult proxy may have interests that differ from, or even conflict with, those of the child. A further complication arises when the child does reach the age of majority: if an adult has given proxy consent for data on the child to be examined in research, is this consent still valid when the child reaches adulthood, or must consent be sought anew?

The maturation of children not only means that the category “children” is heterogeneous, as described above, but also that as a particular individual matures, the interests of this individual change and the changes themselves are complex. The law—and most people—readily recognize that research on children involves special risks, which must be taken into account and do not apply to adult subjects. The risks, concerns and areas of vulnerability of children do not, however, necessarily diminish inversely with an increase in age and body mass; indeed, some risks increase. Risks that may increase as the child matures include vulnerability to embarrassment, fear of exposure, and concern for violations of privacy—just the risks most likely to be associated with health services research.

In the discussion after the presentation, participants raised several additional points. In consideration of protecting privacy, some features of children as subjects increase the difficulty of de-identifying data. For example, hospitalization is rare for children, so even within a large sample of children, data on hospitalization or very high medical bills may effectively identify one or a small number of individuals. Another special problem is that the effect of the identification of individual children might have additional impact on other family members, since the mother may then be identified as well. Participant Gerald S. Schatz pointed out that the difficulties associated with proxy consent are further intensified in the case of children who are wards of the state, and proxies who are government agencies and liable to be overburdened or to prefer not to see problems.

INTERNATIONAL COMPARISONS OF DATA PRIVACY STANDARDS [4]

Questions and issues of protecting privacy and personally identifiable health information have arisen in nation states around the world and in regard to the transfer of data across international borders. The contract describing the IOM's project included an agreement that the committee would compare the privacy protections contained in international conventions for personally identifiable health information used in research with the principles and best practices developed in this study. For background on these matters, the committee commissioned a paper comparing international approaches to protecting the privacy of data from health services research. The paper was presented in draft form at the workshop and appears in full as appendix D of the (IOM, 2000) report.

[4] This section is based on a presentation by Ms. Bartha Maria Knoppers, professor of international law.

The Organization for Economic Cooperation and Development (OECD) published Guidelines on the Protection of Privacy and Transborder Flows of Information in 1989, which included eight basic principles on the collection, use, and holding of personal data; these are further distilled here into four core principles pertaining to data protection, including the creation of statutory protections, transparency of data processing, additional protections for sensitive data, and the rights of individuals to claim enforcement of rules on data protection.

The concept of privacy and the principle that individuals ought to be secure from improper interference in privacy are also mentioned in other international agreements including the United Nations Universal Declaration (1948) and International Covenant on Civil and Political Rights (1966); the European Convention on Human Rights (1955); the Council of Europe's Convention for the Protection of Individuals, with Regard to Automatic Processing of Data (1981), Convention on Human Rights and Biomedicine (1997), and subsequent recommendations; the World Health Organization's Declaration on the Promotion of Patient's Rights in Europe (1994) and Directive on the Protection of Individuals (1995); the World Medical Association's Revised Declaration of Lisbon on the Rights of the Patient (1995); and the European Group on Ethics in Science and New Technologies' Ethical Issues of Health Care in the Information Society (1999).

Turning to the internal or domestic arrangements in selected nation states, the United Kingdom and other Common Law countries such as Australia and New Zealand recognize the protection of privacy under Common Law, although the law can be modified or clarified by statute. Privacy under the Common Law is an aspect of the liberty of a citizen, and if this liberty is infringed upon so as to cause harm, the citizen can pursue legal action. As an exception to the general protection of privacy, however, a medical practitioner may be required to disclose certain information in court if called for by the public interest. Australia also follows Common Law with some statutory exceptions, one of which provides that medical records are considered the property of the private medical practitioner, but not of the public health facility.

By contrast, the legal systems of continental nation states did not develop under Common Law, but follow the Napoleonic Code and variations. Rather than being an aspect of liberty that might be harmed, privacy in this system is viewed as a right in and of itself, which means that a citizen need not show that an infringement of privacy caused harm—an infringement of privacy is sufficient for legal action regardless of whether harm followed. In France, the confidentiality of medical records is further protected by being treated as an obligation of result, which means that not only what is heard or seen is protected by law, but also what is understood, and the body of law that protects the information from disclosure is the penal code.

In the domestic legal systems of individual nation states, the Common Law versus civil code contrast is again the basic distinction. The United Kingdom's British Medical Association has recently affirmed that any disclosure should be anonymous and minimized to the degree possible and that patients should be informed of how data about them may be used. Australian law includes several sets of principles and guidelines that call for the entity in possession of a record containing personal information to use the information only for the purpose for which it had been collected unless either the subject consents or another use is mandated by other law. France has recently undergone two important developments pertaining to the protection of the privacy of health information in its legal system. The first was a statute regulating the use of data for research, which provided significant new oversight mechanisms, and the second was a decree regarding the use of data in the process of reimbursement.

At the conclusion of the presentations, the committee again thanked all the participants for their effort to provide information and insight, and encouraged anyone wishing to comment further or submit written materials to feel free to do so through the study director.

References

Amdur, Robert, Speers, Marjorie A., and Bankert, Elizabeth. IRB Triage of Projects that Involve Medical Record Review. In press.

Applebaum, Paul S. Threats to the Confidentiality of Medical Records—No Place to Hide. JAMA. 2000 Feb 9; 283(6):795–796.

Association of American Medical Colleges. AAMC Comments on The Recommendations of the Secretary of Health and Human Services on the “Confidentiality of Individually Identifiable Health Information.” AAMC Testimony Presented to the Senate Labor and Human Resources Committee. 1997 Nov 10.

Belmont 1979. The Belmont Report. Office of the Secretary. Ethical Principles and Guidelines for the Protection of Human Subjects of Research. The National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. 1979 April.

Bradburn, Norman M. Population-Based Survey Research. Presentation Done at National Bioethics Advisory Commission. 2000 Apr 6.

Brands, Stefan. Rethinking public key infrastructures and digital certificates—building in privacy. Thesis of Stefan Brands. 1999 Sep 4: 304 pages.

Buckovich, Suzy A., Rippen, Helga E., and Rozen, Michael J. Driving Toward Guiding Principles: A Goal for Privacy, Confidentiality, and Security of Health Information. Journal of American Medical Informatics Association. 1999 Mar–1999 Apr 30; 6(2):123–133.

Department of Health and Human Services, and Office of the Secretary. Standards for Privacy of Individually Identifiable Health Information; Proposed Rule. Federal Register. 1999 Nov 3; 64(212):59918.

Dietz, Lawrence. Information Warfare Poses New Threats: Are You Ready? Internet Security Advisor. 2000 Mar–2000 Apr. 30:8–10.

Etzioni, Amitai. Medical Records. Enhancing Privacy, Preserving the Common Good. Hastings Center Report. 1999 Mar–1999 Apr 30:14–23.

GHPP (Health Privacy Working Group). Best Principles for Health Privacy. Health Privacy Project; Institute for Health Care Research and Policy, Georgetown University. 1999. Available [online] http://www.healthprivacy.org/latest/Best_Principles_Report.pdf.

Goldman, Janlori, and Hudson, Zoe. A Health Privacy Primer for Consumers EXPOSED. Health Privacy Project. Institute for Health Care Research and Policy. Georgetown University. Washington, DC. 1999 Dec. Available [online] http://www.healthprivacy.org/resources/exposed.pdf.

Gostin, Lawrence O., Lazzarini, Zita, Neslund, Verla, and Osterholm, Michael T. The Public Health Information Infrastructure A National Review of the Law on Health Information Privacy. JAMA. 1996 Jun 26; 275(24):1921–1927.

IOM (Institute of Medicine). Committee on Regional Health Data Networks and Molla Donaldson, and Kathleen N. Lohr, editors. Health Data in the Information Age: Use, Disclosure, and Privacy. 1994. Washington, DC: National Academy Press.

IOM (Institute of Medicine). Committee on Health Services Research: Training and Work Force Issues and Marilyn J. Field, Robert E. Tranquada and Jill C. Feasley, editors. Health Services Research: Work. Washington, DC: National Academy Press. 1995.

IOM (Institute of Medicine) Committee on the Role of Institutional Review Boards in Health Services Research Data Privacy Protection. Protecting Data Privacy in Health Services Research. Forthcoming. Washington, DC: National Academy Press.

ISPE (International Society for Pharmacoepidemiology). Data privacy, medical record confidentiality, and research in the interest of public health. [Web Page]. 1997 Sep 1. Available at: http://www.pharmacoepi.org/policy/privacy.htm.

JHITA (Joint Healthcare Information Technology Alliance). Advocacy Paper: Medical Records Confidentiality Legislation [Web Page]. Available at: http://www.jhita.org/medical.htm.

Lo, Bernard, and Alpers, Ann. Uses and Abuses of Prescription Drug Information in Pharmacy Benefits Management Programs. JAMA. 2000 Feb 9; 283(6):801–806.

Lowrance, William W. Privacy and Health Research: A Report to the U.S. Secretary of Health and Human Services. 1997 May.

Nelson, Andrew F., Quiter, Elaine S., and Solberg, Leif I. The State of Research Within Managed Care Plans: 1997 Survey. Health Affairs. 1998 Jan–1998 Feb; 17(1):128–138.

NRC (National Research Council). Committee on Maintaining Privacy and Security in Health Care Applications of the National Infrastructure, Computer Science and Telecommunications Board, Commission on Physical Sciences, Mathematics and Applications, and National Research Council. For the Record. Protecting Electronic Health Information. Washington, DC: National Academy Press. 1997.

NRC (National Research Council) Panel of Confidentiality and Data Access, George T. Duncan, Thomas B. Jabine, and Virginia A. de Wolf, editors. Private Lives and Public Policies Confidentiality and Accessibility of Government Statistics. 1993.

O'Brien, Dale G., and Yasnoff, William A. Privacy, Confidentiality, and Security in Information Systems of State Health Agencies. American Journal of Preventive Medicine. 1999; 16(4):351–358.

OPRR, National Institute of Health. Institutional Review Board (IRB) Guidebook, 1993 [Web Page]. 1993. Available at: http://grants.nih.gov/grants/oprr/irb/irb_guidebook.htm.

PhRMA. PhRMA Policy Papers: Twin Goals: Privacy and Progress [Web Page]. Available at: http://www.phrma.org/issues/goals.html.

Shalala, Donna. Confidentiality of Individually Identifiable Health Information, Recommendations of the Secretary of Health and Human Services, pursuant to section 264 of the Health Insurance Portability and Accountability Act of 1996. 1997 Sep 11.

Wiederhold, Gio. Traveling the Electronic Highway: Glossary Maps, Encounters, Directions. Terms relevant to Internet Computing. 1998 Jan.

Wolf, Leslie E. and Lo, Bernard. Practicing Safer Research Using the Law to Protect the Confidentiality of Sensitive Research Data.


ADDENDUM A

Workshop Speakers

Robert Amdur, M.D.
Associate Professor and Associate Chairman for Clinical Affairs
Department of Radiation Oncology
University of Florida Health Sciences Center

Arthur Anderson, M.D.
Fort Detrick, U.S. Army
Chief, Department of Clinical Pathology and Office of Human Use and Ethics
U.S. Army Medical Research Institute of Infectious Disease

Tora Bikson, Ph.D.
Senior Behavioral Scientist
Chair, IRB
RAND

Angela Bowen, M.D.
President
Western Institutional Review Board

Lawrence Dietz, Esq.
Market Intelligence Director
AXENT Technologies, Inc.

William Freeman, M.D., M.P.H.
Director, I.H.S. Research Program
Chair, Headquarters I.H.S. IRB
Rockville, MD

Steven A. Garfinkel, Ph.D.
Associate Director
Health Services and Policy Research Program
Research Triangle Institute

Harry Guess, Ph.D.
Chief, Epidemiology
Merck

Brent James, M.D.
Vice President for Medical Research and Continuing Medical Education
Intermountain Health Care

James Kahn, M.D.
Institute for Health Policy Studies
Department of Medicine, University of California, San Francisco

S. Angela Khan
Institutional Coordinator, Research Review
Institutional Review Board
University of Texas Health Science Center at San Antonio

Bartha-Maria Knoppers, J.D.
Professor, Faculty of Law
Senior Researcher, C.R.D.P.
Legal Counsel, McMaster Gervais
University of Montreal

Morris Linton, JD
Senior Counsel
Intermountain Health Care

Jennifer Low, Esq.
Associate General Counsel
Express Scripts, Inc.

Andrew Nelson
Executive Director, HealthPartners
President, HMO Research Network
Minneapolis, MN

Thomas Puglisi, Ph.D.
Director, Division of Human Subjects Protections
Office for Protection from Research Risks
U.S. Department of Health and Human Services

Fred Teitelbaum, Ph.D.
Vice President
Outcomes Research and Cost Management
Express Scripts, Health Management Services

Ross A. Thompson, Ph.D.
Professor
Department of Psychology
University of Nebraska

ADDENDUM B

Workshop Participants

Olga Boikess
NIMH

Brian Brown
National Naval Medical Center Institutional Review Board

Ruth Bulger
USUHS

Donna T. Chen
Southeastern Rural Mental Health Research Center, University of Virginia

Angela Choy
Institute for Health Care Research and Policy
Georgetown University

Sarah Comley

Carrie Crawford
National Naval Medical Center Institutional Review Board

Trenita Davis
National Institutes of Health (NIH)
National Institute of Dental and Craniofacial Research

Nancy Donovan
U.S. General Accounting Office (GAO)

Gary B. Ellis
Office for Protection from Research Risks
National Institutes of Health

John P. Fanning
Office of the Assistant Secretary for Planning and Evaluation

Michael Fitzmaurice
Agency for Healthcare Research and Quality

Ellen Gadbois
National Bioethics Advisory Commission

Olga Garcia
Office of Management and Budget

Felix Gyi
Chesapeake Research Review, Inc.

Stephen Heinig
Association of American Medical Colleges

Tom Hogan
The Blue Sheet

Julie Kaneshiro
National Institutes of Health

Richard A. Knazek
National Institutes of Health

Eric Larson
General Accounting Office

Richard Levine
USUHS

Joanne Lynn
RAND

Margaret Matula
National Institutes of Health

Laurie Michel
Merck

Mary Otto
Knight Ridder

Shannon Penberthy
Association for Health Services Research

Douglas Peddicord
Washington Health Advocates

Joan Porter
ORCA

Maryann Redford
National Institutes of Health

Patricia M. Scannell
Washington University School of Medicine

Gerald S. Schatz
National Institutes of Health

Amy Schwarzhoff
Chesapeake Research Review, Inc.

Ann Skinner
Johns Hopkins School of Public Health

Stuart F. Spicker
Massachusetts College of Pharmacy, Boston

Miron Straff
National Research Council

Bernard Talbat
National Institutes of Health

Ron Warren