Protecting Data Privacy in Health Services Research

4

Best Practices for IRB or Other Review Board Oversight of Health Services Research Not Necessarily Subject to Federal Regulations

This chapter presents the recommendations and findings of the committee regarding the practices of organizations conducting research or quality assessment or quality improvement activities that are not necessarily subject to federal regulations. The committee collected information from health care provider organizations (Intermountain Health Care and HealthPartners), a pharmacy benefit management company (Express Scripts), and the epidemiology section of a pharmaceutical company (Merck). The committee heard testimony at a public workshop and collected materials and statements from these organizations (Appendix A and Appendix B).

As in the previous chapter, the reader should note that the committee was not able to conduct a comprehensive survey of private organizations that utilize health information, much less to collect all their practices for maintaining confidentiality. The recommendations and findings that follow are based on information from various organizations, but neither the committee nor the informants make any claim to be representative of the entire segment of the industry. The committee presents these recommendations and findings in the hope that they may be helpful to some organizations and may inform and stimulate further work in this area. The committee believes that studies involving human subjects should be reviewed similarly whether the study is subject to Common Rule provisions or not. As a result, the committee has recommendations in this chapter that are similar to those in Chapter 3. The committee decided to keep two separate chapters in part because the implications of the recommendations might



be different for different types of organizations, and also because the separate structure seemed to reflect the committee's charge more clearly.

The committee was impressed with the commitment to privacy and confidentiality that the representatives of several private companies presented at the workshop. Companies appear to be at different stages of developing internal privacy or confidentiality policies regarding HSR and should be encouraged to continue to develop these organizational policies and procedures. The committee believes this recommendation to be consistent with the spirit of proposed federal regulations on privacy (DHHS, 1999). It is, however, outside the scope of this project to make a detailed critique of those regulations.

RECOMMENDATIONS

Recommendation 4-1. Researchers should have all HSR reviewed by an IRB or other review board regardless of the source of support or whether the research is subject to pertinent federal regulations.

Recommendation 4-2. IRBs and other boards that review HSR that is not subject to federal regulation should assess their practices in comparison with the best practices of IRBs working under pertinent federal regulations and, when the latter offer improvements, adopt them. Alternatively, when their own practices are superior though not subject to federal regulation, they should share them with IRBs applying the Common Rule.

IRBs, or other suitable review bodies, offer a review of research projects by knowledgeable persons not directly associated with the project. This independent review protects subjects of research because independent reviewers may identify concerns and suggest ways to minimize risks that were not apparent to investigators. The committee heard several examples of protocols that were or could have been substantially improved with respect to confidentiality by relatively simple modifications.

Research subjects, who undergo risks for the benefit of science and society as a whole, should have the protections of such independent review as a matter of ethical best practice, regardless of funding source. There is little ethical justification for making a distinction between the level of protection afforded subjects in federally funded projects and that given subjects in projects funded by private sources if the risks to these subjects are comparable; indeed, proprietary projects could have additional conflict-of-interest pressures and thus might greatly benefit from outside review.

The committee found that some organizations and their IRBs apply the federal regulations to all health services research, regardless of funding source even though they are not legally required to do so.

The committee commends this consistent approach and notes that well-designed review operations, procedures, and practices, some of which are highlighted in the previous chapter, should allow the extension of IRB or other review board oversight without creating significant additional burdens for researchers or review boards. In addition, this would allow both researchers and potential subjects to benefit from a review that is independent of the study staff, for instance, by identifying potential investigator–subject communication problems early on.

The committee believes that the best practices identified in the previous chapter are feasible to implement in electronic data systems, provided that the institution has the resources to do so and that implementing them can substantially increase confidentiality. In general, the techniques mentioned are “practices” precisely because they are already in use at some institution (see also Halamka et al., 1997). These practices include using codes, rather than identifiers such as Social Security numbers or names, to locate a record and a variety of measures to reduce the likelihood that individuals can be identified by inference.

In particular, the committee recommends the following observations from the previous chapter to institutions that do HSR and similar work that is not subject to federal regulations.

As in Recommendation 3-2, IRBs or other review boards should develop lists of principles, policies, and best practices on protecting privacy and confidentiality in HSR for use by investigators. Because the identifiability of data in HSR is a continuum, so that absolute guarantees of confidentiality are impossible, it is critical to take all reasonable steps that can synergistically enhance confidentiality, such as the areas of consideration listed in Box 3-2 and Box 3-3.

As noted in Recommendation 3-3, the committee suggests that the development and on-line posting of applications and review forms specifically designed for HSR would improve the quality of review of HSR projects. IRBs and other review boards in any setting should be educated about the differences between HSR and clinical research, and any forms developed should reflect these differences.

As mentioned in Recommendation 3-4, IRBs or other review boards should have available expertise (either on the committee or through consultants) to evaluate the risks to confidentiality and security in HSR, including the risks of identification of individuals and the physical security of data. The committee urges review boards and investigators in any setting to consult information technology experts about protecting confidentiality in their specific situations. It is not the intent of, nor would it be possible for, this committee or this report to provide an adequate basis for a data security program.

Also, as stated in Recommendation 3-5, organizations should require that researchers and other employees who come in contact with confidential health information receive education in the handling of this information to maintain confidentiality.

The committee concluded that principal investigators intending to involve human subjects in research or for other types of investigations should not be in the position of exempting themselves; rather, the protocol should receive at least some outside review. Such a check by knowledgeable, independent individuals will facilitate consistently high standards of treatment for all confidential health information in research and for all subjects whose data are so used.

Recommendation 4-3. Health care organizations that conduct projects applying the methods of HSR to personally identifiable health information for purposes such as QA or QI, disease management, and core business functions as well as for research should have comprehensive policies, procedures, and other structures to protect privacy when personal health information is used for research or other purposes.

Intermountain Health Care, a large, integrated health care organization, reported that most violations of confidentiality occurred outside the research arena, in areas such as clinical care and business activities. This distribution is not surprising, because most uses of personal health information are in these nonresearch areas. From the viewpoint of the patient, it does not matter whether a violation of confidentiality occurs in a research project or other activity because the risks of being harmed or wronged may be the same. Publicity about violations or alleged violations of confidentiality undermines public confidence in both health care operations and research.

The committee found that companies that purchase, deliver, and/or reimburse health care services could likely engage in many activities that analyze personal health information using the same techniques as HSR, which fall into the “gray zone” between research and nonresearch described in the workshop summary (see Figure 3 in Appendix B). As detailed in the earlier report For the Record (NRC, 1997, see especially, pp. 66–68, Table 3.3), health care organizations use personal health information for clinical care, billing, payment, quality improvement, and business planning. The need to make personal health information accessible for these purposes must be balanced with the need to respect the confidentiality of such information.

The committee found that some organizations have developed comprehensive policies and procedures regarding the confidentiality of personal health information that are best practices. These comprehensive policies apply to research as well as to other activities making use of personally identifiable data. A comprehensive program has several facets: organizational components such as a privacy board that recommends and implements policies; procedural components including an active training and enforcement program for all employees; technical components such as the use of audit trails to detect unauthorized uses of personal health information; and a suitable board to review research projects. Comprehensive organizational privacy policies and procedures apply to researchers as well as clinicians and administrative staff. A review board can be more certain that confidentiality is protected in research if the organization has a strong, comprehensive policy.

The committee heard that Intermountain Health Care (IHC) has an Information Security Committee that may be similar to the privacy boards described in the proposed rule. The IHC Information Security Committee (IISC) is constituted similarly to an IRB, including community members, as well as line administrators, researchers, and computer specialists. The IISC works closely with the IRB on activities on the HSR side of the continuum. The IISC is also responsible for determining whether projects from the ambiguous area in the middle of the health care operations/research spectrum should proceed to seek IRB review. Finally, the IISC generates and recommends data security policies to the Board of Trustees of the company and then helps implement these policies and procedures throughout the organization, thus enhancing confidentiality protections at the operations end of the continuum.

Recommendation 4-4. Health care or other organizations that disclose or use personally identifiable health information for any purpose including QA or QI, disease management, and core business functions as well as for research should have in place appropriate, strong, and enforceable sanctions against breaches of the confidentiality of health information.

Committee members agreed that previous experience provides ample evidence that, although most investigators and staff are upstanding, there will always be a few who are subject to the temptation to misuse access to confidential information.
In fact, the committee felt that this aspect of human subjects protection may have been neglected and therefore recommends consideration of deterrent policies for organizations working with IRBs under the Common Rule and for the organizations considered here. Such individuals and, even more, the subjects of any research projects that they may come in contact with, would benefit from a credible threat of sanctions for improper use or inspection of confidential information. Such sanctions ought to be graded according to the offense (e.g., whether the incident was a simple mistake or an intentional violation) and should apply not only to researchers but to all employees of the organization. Just as in organizations that have IRBs, it is important that the proactive approaches of expertise and education toward proper handling of confidential information also be complemented and supported with sanctions against mishandling information.

The committee heard at the workshop that at the personnel level, all IHC employees must sign a confidentiality agreement, which must be renewed every two years, and then comply with a “need-to-know” policy limiting who has access to which data. The company also tracks data access with automatic electronic logs and has designed the electronic records system to ensure that identifiable portions are accessible only to designated employees. IHC terminates employment because of privacy infractions.

BOX 4-1 Summary of Protections for Sensitive Data

Organizational Practices

Security and confidentiality policies. Organizations should develop explicit and clear security and confidentiality policies that express their dedication to protecting health information. These policies should clearly state the types of information considered confidential, the people authorized to release the information, the procedures that must be followed in making a release, and the types of people who are authorized to receive information.

Security and confidentiality committees. Organizations should establish formal points of responsibility (standing committees for large organizations, a single person or a small committee for small organizations) to develop and revise policies and procedures for protecting patient privacy and for ensuring the security of information systems.

Information security officers. Organizations should identify an information security officer who is authorized to implement and monitor compliance with security policies and practices. The security officer should maintain contact with relevant national information security organizations.

Education and training programs. Organizations should establish programs to ensure that all users of information systems receive some minimum level of training in relevant security practices and knowledge regarding existing confidentiality policies before being granted access to any information systems.

Sanctions. Organizations should develop a clear set of sanctions for violations of confidentiality and security policies that are applied uniformly and consistently to all violators, regardless of job title. Organizations should adopt a zero-tolerance policy to ensure that no violation goes unpunished.

Improved authorization forms. Health care organizations should develop authorization forms that will improve patients' understanding of health data flows and limit the time period for which authorizations are valid. The forms should list the types of organizations to which identifiable or unidentifiable information is commonly released.

Patient access to audit logs. Health care providers should give patients the right to request audits of all accesses to their electronic medical records and to review such logs.

SOURCE: NRC, 1997. Page 9, Box ES.1.

Many of the provisions in Recommendations 4-3 and 4-4 are consistent with the recommendations regarding organizational practices discussed in For the Record (NRC, 1997) and quoted in Box 4-1. As noted in Chapter 3, the committee emphasizes that a complete analysis of organizational structures and processes to enhance the maintenance of confidentiality is beyond the scope of this project but recommends that organizations consider these practices and implement them as appropriate, if they have not already done so. The committee encourages health care organizations to adopt provisions that are practicable in their circumstances.

Comprehensive policies for all uses of personal health information will avoid issues of how to oversee activities that are in the gray zone between research and QA or QI. If a comprehensive policy is in place, a QA or QI project will have strong confidentiality safeguards that make the risk to patients minimal.