5

Recommendations for Next Steps

“The end of this study will not be the end of studying [the issue of privacy and confidentiality in health services research],” said Dr. Michael Fitzmaurice of the Department of Health and Human Services' (DHHS') Agency for Healthcare Research and Quality (AHRQ), one of the agencies sponsoring this study, during the committee's workshop. The committee endeavored to stay strictly within the focused charge for the project. In the course of the study, however, the committee identified many important issues in addition to institutional review board (IRB) practices that should be addressed if subjects of health services research (HSR) are to be protected adequately. Throughout this report the committee has tried to refer inclusively to IRBs and/or other review boards (unless circumstances specified only IRBs). The term “IRB” has regulatory implications of the extension of federal oversight in a new area. The term “privacy board” has been used in a rule that, as this report was being written, had been proposed but not finalized and may mean different things to different people.

The committee has also tried to emphasize that any HSR should be reviewed according to the ethical principles reflected in the federal regulations and further that the reviewers should be knowledgeable about HSR and privacy protection and should be independent of the research group. Although not all HSR is in fact subject to federal regulations, the committee concluded that the review of HSR ought to follow the principles of these regulations.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.




Protecting Data Privacy in Health Services Research

RECOMMENDATIONS

Recommendation 5-1. Institutions whose IRBs or other review boards review HSR should ensure adequate administrative support and funding for review bodies and should incorporate improving review operations into overall institutional strategic planning, and organizations that sponsor HSR should also support designating adequate funds for such review.

The committee corroborated previous reports that questioned whether IRBs have the resources to carry out their mission. The committee noted especially the April 2000 update report of the DHHS Office of the Inspector General (OIG). This report, Protecting Human Research Subjects: Status of Recommendations, concluded that the resource problems identified in the OIG's 1998 report, Institutional Review Boards: A Time for Reform, still exist. The committee heard that many IRBs already have a heavy workload of proposals for review and that most members serve in a voluntary capacity. Additional resources will be required to implement the best practices described in Chapter 3 and Chapter 4.

The committee found that IRBs (or any other review boards) need adequate funding specifically to review HSR. As just mentioned, previous reports have documented the need for adequate funding of IRBs. The committee heard corroborating evidence that resources continue to be a problem for IRBs. A recent committee at the University of California at San Francisco, an institution conducting a great deal of research involving human subjects, recommended that high priority be given to adequate IRB staff support, increased use of computerized information systems, and increased funding for training investigators about IRB function (see also Appendix B).

In addition to adequate resources for staff and committee members, IRBs or other review boards need additional funding for new activities that could make their work more effective and efficient.
With regard to HSR, for example, review committees need access to more expertise in information technology, such as how investigators can reduce the likelihood that subjects will be identified through the use of coding and encryption and through defining variables in ways that eliminate data cells having a small number of subjects with an unusual set of characteristics. Furthermore, human subjects protection programs will require additional resources to put into place the kinds of computer decision support systems that would enhance the effectiveness and efficiency of reviews of HSR studies and better ensure that these studies have in place appropriate safeguards for confidentiality.

The committee also heard a number of proposals for how to provide the resources that human subjects protection committees would need to carry out their missions adequately. Dr. James Kahn, IRB chair at the University of California in San Francisco, proposed that IRB review be added as a line item in grants, doubting that sufficient overhead funds would be directed to IRB support at a large university that has many other competing uses of overhead funds (this proposal is very similar to that suggested in the 1998b and 2000 OIG reports). Some committee members argued that support of the IRB, manifestly a necessary overhead cost of supporting a human subjects research program, is a particularly appropriate use of overhead funds.

In fact, Dr. Kahn reported that UCSF had commissioned an ad hoc committee to review the UCSF IRB's function. The ad hoc committee was asked to consider the composition, procedures, and support of the IRB and whether it could be of better service to the university. The committee returned a list of recommendations, including several suggestions about increasing the use of electronic information systems, as well as increased training for researchers to address both research responsibilities and institutional procedures, and increasing staff support for the human subjects protection program. In addition, Dr. Kahn specifically suggested designating 1 to 1.5 percent of each grant using human subjects to be earmarked as funding for the human subjects protection program. Independent IRBs, of course, charge investigators or institutions a set fee to review protocols.

Determining the resource needs of IRBs and analyzing how to provide the necessary support in different organizational contexts, although far beyond the scope of this report, are important issues that must be addressed. Groups such as the American Association of Medical Colleges (AAMC), Public Responsibility in Medicine and Research (PRIM&R), and Applied Research Ethics National Association (ARENA) can play key roles in addressing these issues.
Particular attention has to be given to how to support innovative uses of computer technology that would make IRB review less burdensome and help train investigators in research ethics and IRB requirements.

Recommendation 5-2. The DHHS and other federal departments and private organizations such as the Association of American Medical Colleges (AAMC), the Association for Health Services Research (AHSR, but now known as the Academy for Health Services Research and Health Policy), the American College of Epidemiology (ACE), the International Society for Pharmacoepidemiology (ISPE), Public Responsibility in Medicine and Research (PRIM&R), the Applied Research Ethics National Association (ARENA), and others should continue or expand educational efforts regarding the protection of the confidentiality of personally identifiable health information in research.

While these recommendations highlight DHHS as the sponsor of this study and a major sponsor of relevant research, the recommendations should be applied by other Common Rule signatory departments and agencies as well.

The committee believes that the approach of identifying best practices for IRB oversight of HSR is a fruitful one that should be further developed. Recommendations of best practices will provide more specific guidance to investigators and IRB members than is currently available. This approach draws its strength from the commitment of both IRB members and administrators and of researchers to protecting the rights and welfare of the subjects of HSR. Both IRBs and scientists have developed useful practices that, if more widely adopted, could lead to improved protection of confidentiality and privacy, without creating undue burdens.

Private organizations can play a crucial role in developing and publicizing best practices. Professional societies such as AHSR, ACE, and ISPE are composed of investigators who carry out studies analyzing large databases of data previously collected for other uses. AAMC represents medical schools that train researchers and carry out a great deal of HSR. PRIM&R and ARENA members review HSR studies and help educate investigators about the protection of human subjects. All of these organizations can help identify and disseminate best practices for the protections of privacy and confidentiality in HSR.

Ultimately, such best practices for data security or confidentiality protection should be developed for each of the other specific types of data collection methods used in HSR including, but not limited to, focus groups, mail surveys, telephone surveys, personal interviews, home visits, interactive data collection via the Web, and remote sensing, as well as secondary analysis of health data that have already been collected for some other purpose.

The committee found enthusiasm and openness to new ideas on the part of the IRBs and investigators who participated. The committee was impressed that in the spirit of scientific collaboration and competition, many health services researchers, IRB members, and IRB administrators were receptive to good ideas and wanted to excel in how they protect confidentiality in HSR.
As with any other aspect of research, there is a great deal to be gained when people from different institutions exchange ideas and experiences. These stakeholders recognize that public confidence that personally identifiable health information will be used appropriately is crucial to the continued ability to carry out important HSR projects in a timely fashion. The committee found that these stakeholders were dedicated to resolving the tension between confidentiality and access to personally identifiable health information for HSR in an ethically acceptable manner.

The committee observed that the general willingness of IRB administrators, chairs, investigators, and organizations whose research is not subject to federal regulations to participate in its workshop and to consider and try ideas that had been developed at other institutions indicates that the distribution of information on best practices would likely be well received. Such recommendations should be transmitted to investigators and IRBs through the Internet, as well as through presentations at professional society meetings and workshops, and in training grants and awards, program grants, and center grants.¹ This committee, because of the time frame, could take only the first steps in identifying best practices for IRB review of HSR. Further efforts, including more systematic input from IRBs and health services researchers, could lead to more specific and comprehensive suggestions for institutions and investigators to adopt. The difficulty in the dissemination of information about best practices identified through this approach may be in locating a central venue and keeping it up to date.

¹ Informal communication already flourishes through the Medical College of Wisconsin IRB (MCWIRB) list serve (see www.mcwirb.org) and should be encouraged and enhanced however possible.

The DHHS can promote interactions among scientists and IRBs that will lead to wider dissemination of good ideas regarding the oversight of HSR and protection of the subjects of HSR. Through its roles in funding HSR, supporting training programs in HSR, and overseeing human subjects protection, the DHHS can have great impact on strengthening IRB review of HSR while allowing valuable research to proceed. In the long run, greater public confidence that personally identifiable health information is adequately safeguarded will promote more support for HSR and perhaps avoid the restrictive legislation and regulation that some European nations have adopted (see for example Appendix D).

The committee found that identifying best practices is a promising approach to strengthen the protection of HSR, while allowing valuable studies to proceed in a timely and practical manner. The committee found that the federal regulations and the interpretations and guidance issued by OHRP do not provide sufficiently specific guidance for many issues regarding HSR. As discussed earlier in this report, IRBs and investigators admit that they struggle with such difficult concepts as identifiable information and the definition of HSR. Bringing together people who grapple with these issues is likely to lead to greater agreement and clarity.

Based on these findings, the committee believes that DHHS should convene meetings that will facilitate these exchanges of ideas and identify feasible best practices that institutions might choose to adopt more widely. The meetings should include health services researchers, IRB members and administrators, leaders of institutions that carry out HSR, experts in information technology, experts in ethics and law, and public representatives. Such interdisciplinary expertise will be needed to resolve the complex problems regarding the protection of subjects of HSR.

The working group should draw on the expertise of organizations that are required to handle sensitive computerized personal information in a confidential manner. Such organizations would include commercial firms transacting business over the Internet as well as government agencies such as the Bureau of the Census and the National Center for Health Statistics. Although the committee was unable to consult with these organizations because of time constraints, it recognizes that such expertise would be extremely useful to health services researchers.

In addition, the committee identified from material presented at the workshop several topics that require additional discussion. These include how to contact persons identified through secondary data analysis using large databases for more intensive interviews in those instances where it is possible and necessary to identify and contact subjects (often neither is true of HSR); how to review multisite HSR projects, particularly those carried out in small health care organizations that do not have IRBs; and how to ensure that HSR projects involving children take into account the changing needs, vulnerabilities, and capacities of children as they mature (see, for example, Appendix C).

Recommendation 5-3. Organizations that furnish health services researchers with personally identifiable health information should ensure that the data are prepared in a manner that protects confidentiality adequately.

The committee heard several instances reported at the workshop where HSR investigators requested de-identified data from federal agencies but received data that had not been de-identified because the agency in question lacked the resources to do so. As large holders of personally identifiable data, the situation of federal agencies having to choose between providing data that have not been deidentified, or simply refusing to provide data for research at all, is worrisome. Organizations holding health data should develop and/or implement lists of points to consider in reviewing data requests with respect to protecting privacy and confidentiality in HSR. Similarly, either such holders of information should require that the health services researcher submit evidence that the proposed research has undergone IRB review, or the data holder should review the study through its own independent review process.
Committee members observed further that if data suppliers possessed more highly developed data warehouses so that investigators could always go back to the source to pick up forgotten variable(s), health services researchers would be more likely to ask for only those variables they really believe they will need. When data requests are limited to a one-time, take-what-you-need process, investigators are prone to ask for much more than they expect to need just in case they might be forgetting something.

Recommendation 5-4. The funders of HSR should be willing to cover the cost of preparing personally identifiable health information that is collected in clinical care, billing, or payment so that confidentiality can be adequately protected in HSR.

The committee found that health services researchers and other data handlers need sufficient funding to protect adequately the confidentiality of personally identifiable health information. The committee heard examples of how health services researchers lacked the resources to adopt computer-based measures that would strengthen confidentiality in important HSR. For example, a health services researcher at a leading academic hospital reported that she was finding it increasingly difficult to obtain consultation from their excellent medical informatics group because these experts were over-committed to other projects. The committee concluded that adequate resources to consult with and pay for the services of computer experts will be essential if confidentiality is to be adequately protected in HSR. In most cases, funders of HSR will have to allow such computer consultation and services as line items in grants. The need for such support should be accepted as an integral cost of high-quality HSR.

Recommendation 5-5. The DHHS should continue and expand efforts to encourage holders of personally identifiable health information to make this information available to researchers as public use files after suitable application of techniques to minimize the risks of identifiability.

If an organization holding health data has made a dataset publicly available without restriction, as is done with the National Health Interview Survey (NHIS), then projects using only such data can be considered minimal risk and eligible for exemption per 45 CFR 46.101(b)(5). In order to promote HSR, data-holding organizations should consider making as much data available in the public domain as is safely possible.
The committee notes that the Interagency Confidentiality and Data Access Group has developed a checklist for use in considering whether data may be released, which helps holders of data develop such public use files.² This group is affiliated with the Federal Committee on Statistical Methodology, an interagency committee first convened in 1975 and dedicated to improving the quality of Federal statistics.

² Confidentiality and Data Access Committee, Federal Committee on Statistical Methodology. Checklist on Disclosure Potential of Proposed Data Releases (July 1999): http://www.fcsm.gov/spwptbco.html.

Recommendation 5-6. The AHRQ should consider supporting a feasibility study on developing procedures for facilitating linkage of separate data files containing sensitive data from different sources to create analytical files such that it would be possible for researchers to create linkages that are reliable and informative, and at the same time, to protect the confidentiality of the original data disclosure through de-identification and other protective measures so as to save the subject from being placed at risk of harm or wrong through improper re-identification.

Much of the value of retrospective, database-oriented research comes from the ability to draw inferences from data derived from different sources. The committee urges interested parties including DHHS agencies to encourage research on linkage and anonymization with a view toward two goals: first, to create linkages that are reliable and informative, and second, to approach as closely as possible the goal of anonymized data.

The ability to link records to one another may be very important, though that does not mean that the data need to be linked to the identity of the individual. Health care organizations may have to identify episodes of illness in a patient, which may be found in records of emergency room visits, ambulance services, hospital stays, operative records, bills from independent medical providers, rehabilitation services, pharmacies and pharmacy benefit managers, and so forth. To recognize that the data drawn from these various sources refer to the same individual, it is important that researchers be able to identify the same patient in each set of records. This identification allows joining of these various datasets into a single (logical) database that contains all relevant data about the patient. Such identification and joining is often difficult and is one of the motivations for keeping names or other direct identifiers in the records. The true identity of any given individual is not really necessary to merge databases; all that is required is some unique identifier, such as a code, which could be difficult to re-associate with the actual patient. Ideally, then, the various sources of data would have their records indexed by the same set of identifiers, but ones that are not easily re-associated with the actual patient's identity. There are several possible ways to address this problem.
One suggestion exploits developing cryptographic and authentication technology to create health information identification systems (as explored in a pilot study of Kohane et al., 1998, described in greater detail in Box 5-1). Such a system would have the advantage of allowing different databases to be linked through an identifier that could be certified as associating records about the same individual but would be difficult for any user to decode. As different projects were designed, the investigators could specify different types of health identifiers to maximize values in various dimensions including the extent to which the identifying code could be used in other projects and the degree of security surrounding it. Since the program designed by Kohane and colleagues generates identification systems (not a particular identification code), the resulting flexibility and complexity of the identifiers would be much less vulnerable to decoding than a single certified identifier such as a Social Security number, while still allowing database linkage.
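
The identifier construction that Box 5-1 lists in three steps, worked through as an added example (not code from the report or from HIIDIT). Unpadded textbook RSA is an assumption chosen so the layers run on the Python standard library alone, and the function names and the patient roster are hypothetical.

```python
# Added illustration of the Box 5-1 study-id steps; not HIIDIT code.
# Assumption: textbook RSA (512-bit, no padding) stands in for the unspecified
# public-key scheme. It is deterministic and it is NOT secure for real data.
import hashlib
import secrets

KEY_BYTES = 64                # width of a modulus, signature or cipher block
PUB_BYTES = KEY_BYTES + 4     # serialized public key: modulus then exponent

def _prime(bits):
    """Random prime of the given size (Miller-Rabin, 24 rounds)."""
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        d, r = n - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        for _ in range(24):
            x = pow(secrets.randbelow(n - 3) + 2, d, n)
            if x in (1, n - 1):
                continue
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                break             # witness found: n is composite
        else:
            return n              # survived every round

def keygen():
    """Return ((n, e), (n, d)): a public key and its private inverse."""
    e = 65537
    while True:
        p, q = _prime(KEY_BYTES * 4), _prime(KEY_BYTES * 4)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:    # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def pub_bytes(pub):
    return pub[0].to_bytes(KEY_BYTES, "big") + pub[1].to_bytes(4, "big")

def _blocks(key, data, size_in, size_out):
    n, exp = key
    return b"".join(
        pow(int.from_bytes(data[i:i + size_in], "big"), exp, n).to_bytes(size_out, "big")
        for i in range(0, len(data), size_in))

def encrypt(pub, data):
    """Block-wise textbook RSA over a length-prefixed, zero-padded message."""
    size_in = (pub[0].bit_length() - 1) // 8     # keeps every block below n
    framed = len(data).to_bytes(4, "big") + data
    framed += b"\0" * (-len(framed) % size_in)
    return _blocks(pub, framed, size_in, KEY_BYTES)

def decrypt(priv, blob):
    size_in = (priv[0].bit_length() - 1) // 8
    framed = _blocks(priv, blob, KEY_BYTES, size_in)
    return framed[4:4 + int.from_bytes(framed[:4], "big")]

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):
    return pow(_digest(data, priv[0]), priv[1], priv[0]).to_bytes(KEY_BYTES, "big")
def verify(pub, data, sig):
    return pow(int.from_bytes(sig, "big"), pub[1], pub[0]) == _digest(data, pub[0])

def make_study_id(patient_pub, source_priv, source_pub, source_irb_pub, study_irb_pub):
    source_id = sign(source_priv, pub_bytes(patient_pub))          # step 1
    inner = encrypt(source_irb_pub, source_id)                     # step 2
    return encrypt(study_irb_pub, inner + pub_bytes(source_pub))   # step 3

def study_irb_open(study_irb_priv, study_id):
    """Study-site IRB peels the outer layer: (sealed source id, source site key)."""
    payload = decrypt(study_irb_priv, study_id)
    return payload[:-PUB_BYTES], payload[-PUB_BYTES:]

def source_irb_identify(source_irb_priv, source_pub, inner, roster):
    """Source IRB opens the source id and matches it against a roster, a
    hypothetical dict of label -> patient public key kept at the source site."""
    source_id = decrypt(source_irb_priv, inner)
    for label, patient_pub in roster.items():
        if verify(source_pub, pub_bytes(patient_pub), source_id):
            return label
    return None

def demo():
    (pat_a, _), (pat_b, _), src, src_irb, study_irb = (keygen() for _ in range(5))
    keys = (src[1], src[0], src_irb[0], study_irb[0])
    roster = {"patient-A": pat_a, "patient-B": pat_b}
    study_id = make_study_id(pat_a, *keys)
    inner, site_key = study_irb_open(study_irb[1], study_id)
    return {
        "stable": study_id == make_study_id(pat_a, *keys),
        "distinct": study_id != make_study_id(pat_b, *keys),
        "site_identified": site_key == pub_bytes(src[0]),
        "patient": source_irb_identify(src_irb[1], src[0], inner, roster),
    }

if __name__ == "__main__":
    print(demo())
```

In this toy version every layer is deterministic, so the same patient always yields the same study id, which is what lets a source site add data to an existing record under rule (4) of the box.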

BOX 5-1 Sample Tool for Creating Health Information Identification Systems

The Tool: A computer program called the Health Information Identification and De-Identification Toolkit, or “HIIDIT” (pronounced “hide it”)

What HIIDIT does: Health identification systems allow the creation and use of identifiers to refer to particular individuals, institutions, IRBs, studies, etc. HIIDIT supports the designer of a health identification system to select appropriate properties of such a system, such as whether the identifiers are global in scope or unique only within a specific institution, whether a single centralized directory of identifiers is kept or if such directories are held only locally for small groups of individuals, whether the identifiers are associated with individuals by a recognized national authority or more local means such as a notary public, and whether the identifiers are publicly known or limited to use by specific groups. Based on a choice among such design criteria and on a carefully defined set of operating rules specific to the design, it is usually possible to select a set of technologies that implement a health identification system meeting the criteria.

As an example, consider a possible design of an identification system for a regional genomic database, in which a number of different source sites (clinics) contribute genomic data to a study site, where each source site and the study site also have IRBs. The study is to operate under the following rules:

(1) Only duly authorized data are entered from any source site into the study.
(2) Although the identity of the patient is known at the source site, it should be very difficult to determine from data at the study site.
(3) The study data should only be accessible with permission of the study site's IRB.
(4) A source site should be able to add data to a patient's record in the study without giving away the identity of the patient to the study.
(5) If the study's IRB approves, the study site can contact the source site's IRB, who can in turn identify the patient so that the source site may contact the patient for additional information, but all without revealing the identity of the patient to the study site.

In this example, HIIDIT uses the methods of public key cryptography to generate cryptographic key pairs for each patient, each source site, the study site, and each IRB. Within each pair, the public key is known to everyone, but the private key is known only to the patient or responsible individual(s) at that site or IRB. Each key in a pair is the inverse of the other. According to well-known public key principles, this permits, for example, a source site to encrypt a message with the study site's public key. Only the study site can then successfully decrypt this message by using its secret private key; thus, the message is secure against prying eyes in transit. Similarly, a source site can sign a message by encrypting it with its own private key, after which any recipient can verify that the message must have come from that site by successfully decrypting it with that source site's public key. These techniques are often used in combination to send messages that are unreadable and unalterable by anyone other than the sender and receiver. In the example, the source site computes the identifier under which a patient's data will be stored at the study site by the following steps:

1. Sign the patient's public key with the source site's private key. Call the result the source id.
2. Encrypt the source id with the source IRB's public key.
3. Append the result of step 2 and the source site's public key, then encrypt the result with the study site IRB's public key. This result is the study id for that patient.

The Result: One may verify that the design rules are enforced by the implemented technique. For example, it is possible to verify that the study site's IRB can determine from which study site a particular patient's record arose, but cannot identify the patient. That source site's IRB can, in turn, identify the patient if it chooses to use its own private key. A properly designed set of rules and a correct implementation can assure that data are successfully shared, but without likely risk to the patient's privacy.

How HIIDIT could fail: Identification systems designed using HIIDIT are most vulnerable to unauthorized disclosures in the same way that any other system for protecting confidentiality is vulnerable, namely, if the information professionals at an institution are careless (or unscrupulous) when they input data so that they either gain unauthorized information or permit others access to it. HIIDIT can shift the level of security along the health information privacy spectrum toward greater anonymity, but it cannot replace the need to provide staff with rigorous and comprehensive training and policies.

SOURCE: Kohane, Isaac S.; Dong, Hongmei; and Szolovits, Peter. Health Information Identification and De-Identification Toolkit. Proceedings of the American Medical Informatics Association Symposium 1998: 356–360.

Another type of linkage system would depend on trusted third parties to be responsible for linking the separate data files. These entities could hold the keys linking individuals to the data.
After merging datasets, this entity would then strip off the identifiers, check that identification cannot be (reasonably) inferred,³ and take any needed steps to protect the data. This approach has the advantage of being simpler to implement, specifically because it requires that many fewer organizations and individuals develop high degrees of technical competence and organizational commitment to use standard procedures. The disadvantages are related to the centralization of the linkage operation.

³ The committee recognizes that the question of how difficult identifiability by inference must be in order to make data safe for release will continue to be a matter of debate and notes that the standard should be expected to change as technology changes.

The committee notes that the question of how precisely to perform the data file linkage in any particular case is not straightforward but varies depending on the characteristics of the specific research question and data used. At the same time, such merges can be technically complex, so access to a central, highly skilled facility to perform them could improve the overall efficiency of the research enterprise. There is, however, an additional theoretical risk that such trusted entities, because they are known to hold large amounts of personally identifiable health information, may be the target of intruders. Thus there is a need to test the feasibility of this approach, regarding both the capability of a central facility to be flexible with the technical needs of different types of projects and the safety of a central merging facility.

Recommendation 5-7. DHHS (AHRQ and/or NIH) and other federal departments or agencies should consider developing and supporting a research agenda concerning IRB protection of subjects from nonphysical harms such as risks to privacy and confidentiality in human subjects research (including cultural meanings of privacy and confidentiality).

Such a research agenda would likely include current IRB practice, as well as new procedures and policies to provide better human subjects protection, and also would include monitoring of IRB practices. A systematic study of non-physical risk assessment was beyond the charge given to this committee, and the committee would in any case have found itself unable to accomplish it due to limitations of time and in respect of the Office of Management and Budget (OMB) rules on extensive surveys. The committee found, however, that such information would be of great use both as a baseline and, if updated periodically, as a basis of continuous policy evaluation. The findings would be of use to IRBs, researchers, regulators, and any other parties interested in privacy and confidentiality.

Recommendation 5-8. The OHRP should review the possibility of proposing a change to the regulations with respect to HSR to replace the terms “exempt” and “expedite” with “administrative review.”

The committee is recommending this review only with respect to HSR—the committee did not investigate possible consequences for other types of research that might be affected if the change were applied to all research on human subjects. The committee heard several reports that well-intentioned and conscientious researchers may judge a study to be exempt from review under the current regulatory language and therefore never bring it to the attention of a review board. Since the committee has concluded that all HSR should receive some review by a board that is independent of the research project, the committee suggests that this possibly misleading terminology be avoided. The committee recognizes, however, that a change to the Common Rule involves coordination among many agencies and may therefore be difficult to achieve. The committee further recognizes that others may have other suggestions for a new term. The committee's goal in this matter was to offer a term that recognized that some studies do not need full IRB review but did not seem to suggest that the investigator should decide what level of IRB review is needed.

Recommendation 5-9. Health services researchers, and institutions that participate in and benefit from HSR, should voluntarily adopt best practices for IRB review of HSR.

The committee found that some policies intended to strengthen confidentiality and privacy may have serious adverse consequences for HSR. The committee found that some nations have adopted laws or regulations that allow individuals to exclude their personally identifiable health information from databases, that require written consent from patients for use of health records for research, and that require the anonymization of data for any secondary data analysis. Such measures were enacted to protect the confidentiality of computerized personally identifiable health information (see Appendix D). The committee learned, however, that some measures intended to promote privacy and confidentiality may have serious adverse consequences for HSR (AAMC, 2000; AHSR, 2000). A requirement of individual informed consent would render impossible valuable HSR, notably projects using HMO, insurer, or Medicare and Medicaid databases. Furthermore, population-based studies would be biased if people could exclude themselves from research. Even if studies were possible, their results could be misleading because persons who agree to HSR may be different in important and unpredictable ways from persons who refuse to participate. In addition, a requirement that all secondary data analyses use only anonymized data would make it impossible to conduct valuable HSR that requires follow-up of a cohort or the linking of data from different datasets. Thus, some measures intended to strengthen privacy and confidentiality may lead to invalid studies and be a poor basis for public policy decisions.
If patients and members of the public in general do not find that they can trust that confidential information will be protected throughout research, they may seek further measures to protect confidentiality. Some such measures could be detrimental to HSR. The committee therefore urges investigators, data users, data holders, and publishers to voluntarily adopt and continually upgrade the best practices of IRBs and other review boards in ensuring the protection of data privacy and confidentiality in HSR.

Recommendation 5-10. All stakeholders in HSR should support strategies to improve the protection of privacy and confidentiality without impeding research.

The committee found it necessary to encourage further study beyond the scope of its charge. Although there was not time in this project to explore wider-ranging ideas, the committee suggests several as potential starting points in a multifaceted strategy to improve the awareness of privacy issues and improve confidentiality protection practices:

• DHHS could sponsor a conference to include health services researchers, journal editors and editorial boards to discuss inclusion of privacy protection methods in journal articles and requiring evidence of IRB review as a condition for publication, and HSR-related journals and health care management journals could sponsor special issues devoted to health data privacy and confidentiality and could refuse to publish results from studies that had not received IRB review.

• DHHS should investigate revising the Public Health Service grant application guidelines to incorporate a formal section on data privacy or confidentiality protection in the human subjects section of the application.

• DHHS could include data privacy experts on scientific peer review panels that are charged with the review of HSR proposals.

• Funders of HSR, including DHHS, HMOs, and private companies and foundations (perhaps working through a professional organization such as the AHSR), should consider issuing a special research solicitation on data protection methods, to include research on methods of attacking security protections.

• PRIMR and organizations supporting HSR could sponsor a conference on the equitable selection of subjects for research. Certain populations may be over-solicited as subjects of current HSR projects, because of availability of suitable databases, federal requirements to have minorities adequately represented, or policy interest in certain topics, such as the impact of poor access to health care. Questions for consideration could include whether participation in many studies may increase the risk that confidentiality will be breached and harms or wrongs occur as a result, and whether there may be a risk of stigma if a group is overrepresented in current research, even if individual subjects who are members of the groups are at minimal risk for having their individual confidentiality violated.

• Universities and colleges should conduct special one-week courses in data security for students majoring in HSR and related fields.

• Organizations with special interest in data privacy and good-quality HSR should consider sponsoring a prize competition, perhaps annually, for the best privacy and confidentiality practices by a health care organization. This might be akin to the Malcolm Baldrige National Quality Award, which has had such an impact on quality assurance in industry. Given the importance currently being placed on privacy and the attendant competitive value that an organization may see in winning such an award, there may well be sufficient incentives for organizations to put forth their best ideas and document them in a way that is understandable. Such a prize competition could be seen as a positive side of such awards as the Annual UK “Big Brother” Awards, which highlight egregious breaches of privacy,[4] but would really be more like the Malcolm Baldrige award in spirit, with health data privacy protection as the focus.

The methods of HSR, applied to data previously collected for other purposes, have been useful in discovering and demonstrating systemic effects and population-level trends in the organization and delivery of health services. It is important that we, as a society, continue to have access to such research in order to inform policy making in both private and governmental arenas. At the same time, it is important that we, as a society, protect the privacy of individuals and of vulnerable groups, and the confidentiality of information that patients share with health care providers.

As a result of the present study, the committee has concluded that it is possible both to carry out valuable HSR and to protect confidentiality. However, to do so will require adequate funding. Resources are needed to support dedicated, trained IRB members and staff, to establish organizational confidentiality policies and electronic security practices, to educate researchers, and to provide statistical and computer expertise. The true test of our commitment to the twin values of advancing useful knowledge and protecting confidentiality is whether we are willing to make the needed investments to achieve both goals.

[4] For the Malcolm Baldrige National Quality Award, see http://www.quality.nist.gov. For the Big Brother Awards, see http://www.bigbrotherawards.org/. Note that the organization also recognizes achievements in privacy protection, but generally within the United Kingdom.
