Protecting Data Privacy in Health Services Research

Committee on the Role of Institutional Review Boards in Health Services Research Data Privacy Protection

Division of Health Care Services

INSTITUTE OF MEDICINE

NATIONAL ACADEMY PRESS
Washington, D.C.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page R1
Protecting Data Privacy in Health Services Research Protecting Data Privacy in Health Services Research Committee on the Role of Institutional Review Boards in Health Services Research Data Privacy Protection Division of Health Care Services INSTITUTE OF MEDICINE NATIONAL ACADEMY PRESS Washington, D.C.

OCR for page R1
Protecting Data Privacy in Health Services Research NATIONAL ACADEMY PRESS 2101 Constitution Avenue, N.W. Washington, DC 20418 NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance. Support for this study was provided by The Agency for Healthcare Research and Quality, and the Office of the Assistant Secretary for Planning and Evaluation, both of the Department of Health and Human Services (Contract No.282-99-0045, Task Order No.1). International Standard Book No. 0-309-07187-9 Protecting Data Privacy in Health Services Research is available for sale from the National Academy Press , 2101 Constitution Avenue, N.W., Box 285, Washington, DC 20055; call (800) 624-6242 or (202) 334-3938 (in the Washington metropolitan area), or visit the NAP's on-line bookstore at www.nap.edu. The full text of this report is available on line atwww.nap.edu. For more information about the Institute of Medicine, visit the IOM home page at www.iom.edu. Copyright 2000 by the National Academy of Sciences. All rights reserved. Printed in the United States of America. The serpent has been a symbol of long life, healing, and knowledge among almost all cultures and religions since the beginning of recorded history. The image adopted as a logo-type by the Institute of Medicine is based on a relief carving from ancient Greece, now held by the Staatliche Musseen in Berlin.

OCR for page R1
Protecting Data Privacy in Health Services Research “Knowing is not enough; we must apply. Willing is not enough; we must do.” —Goethe INSTITUTE OF MEDICINE Shaping the Future for Health

OCR for page R1
Protecting Data Privacy in Health Services Research THE NATIONAL ACADEMIES National Academy of Sciences National Academy of Engineering Institute of Medicine National Research Council The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce M. Alberts is president of the National Academy of Sciences. The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. William A. Wulf is president of the National Academy of Engineering. The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Kenneth I. Shine is president of the Institute of Medicine. The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Bruce M. Alberts and Dr. William A. Wulf are chairman and vice chairman, respectively, of the National Research Council.

OCR for page R1
Protecting Data Privacy in Health Services Research COMMITTEE ON THE ROLE OF INSTITUTIONAL REVIEW BOARDS IN HEALTH SERVICES RESEARCH DATA PRIVACY PROTECTION BERNARD LO (Chair), Professor of Medicine, Director of Programs in Medical Ethics University of California San Francisco ELIZABETH ANDREWS, Director, World Wide Epidemiology, Glaxo Wellcome JOHN COLMERS, Executive Director, Maryland Health Care Commission GEORGE DUNCAN, Professor of Statistics, Heinz School of Public Policy and Management, Carnegie Mellon University JANLORI GOLDMAN, Director, Health Privacy Project, Georgetown University, Institute for Health Care Research and Policy CRAIG W. HENDRIX, Associate Professor of Medicine, Johns Hopkins University MARK C. HORNBROOK, Associate Director, Center for Health Research, Kaiser Permanente Northwest LISA IEZZONI, Professor of Medicine, Harvard Medical School, Beth Israel Deaconess Medical Center, Division of General Medicine and Primary Care DONALD KORNFELD, Associate Dean Faculty of Medicine, Chairman, Institutional Review Board, Professor of Psychiatry, Columbia University College of Physicans and Surgeons, Presbyterian University ELLIOT STONE, Executive Director and CEO, Massachusetts Health Data Consortium, Inc. PETER SZOLOVITS, Professor, Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science ADELE WALLER, Partner, Bell, Boyd & Lloyd, Chicago Consultants BARTHA-MARIA KNOPPERS, Professor, Faculty of Law, Senior Researcher, C.R.D.P., Legal Counsel, McMaster Gervais, University of Montreal ROSS A. THOMPSON, Professor, Department of Psychology, University of Nebraska Staff LEE ZWANZIGER, Senior Program Officer RITA GASKINS, Senior Project Assistant

OCR for page R1
Protecting Data Privacy in Health Services Research BOARD ON HEALTH CARE SERVICES DON E. DETMER (Chair), Professor of Medical Education in Health Evaluation Sciences, University of Virginia BARBARA J. MCNEIL (Vice Chair), Ridley Watts Professor, Department of Health Care Policy, Harvard Medical School LINDA AIKEN, Director, Center for Health Outcomes and Policy Research, and the Claire M. Fagin Leadership Professor of Nursing and Professor of Sociology, University of Pennsylvania STUART H. ALTMAN, Sol C. Chaikin Professor of National Health Policy, the Florence Heller Graduate School for Social Policy, Brandeis University HARRIS BERMAN, Chairman and Chief Executive Officer, Tufts Health Plan BRIAN BILES, Chair and Professor, Department of Health Services Management and Policy, School of Public Health and Health Services, the George Washington University CHRISTINE CASSEL, Chairman, Henry L. Schwarz Department of Geriatrics and Adult Development, and Professor of Geriatrics and Internal Medicine, Mount Sinai Medical Center PAUL D. CLAYTON, Medical Informaticist, Intermountain Health Care, Salt Lake City, Utah PAUL F. GRINER, Vice President and Director, Center for the Assessment and Management of Change in Academic Medicine, Association of American Medical Colleges RUBY P. HEARN, Senior Vice President, Robert Wood Johnson Foundation PETER BARTON HUTT, Partner, Covington & Burling, Washington, D.C. ROBERT L. JOHNSON, Professor of Pediatrics and Clinical Psychiatry, and Director, Adolescent and Young Adult Medicine, University of Medicine and Dentistry of New Jersey, New Jersey Medical School JACQUELINE KOSECOFF, President and Co-Chief Executive Officer, Protocare SHEILA T. LEATHERMAN, Executive Vice President, United Healthcare Corporation, Center for Health Care Policy and Evaluation, Minneapolis UWE E. REINHARDT, James Madison Professor of Political Economy and Professor of Economics and Public Affairs, Princeton University SHOSHANNA SOFAER, Robert P. Luciano Professor of Health Care Policy, School of Public Affairs, Baruch College GAIL L. WARDEN, President and Chief Executive Officer, Henry Ford Health System JANET M. CORRIGAN, Director, Board on Health Care Services, Institute of Medicine

OCR for page R1
Protecting Data Privacy in Health Services Research Preface Health services research (HSR) exemplifies some of the greatest hopes and greatest fears for collecting and analyzing computerized personal health information. Information routinely collected in the course of providing and paying for health care can be used by researchers to investigate the relative effectiveness of alternative clinical interventions, of alternative methods of organizing, delivering, and paying for health care, and of a variety of health care policies. Such research may improve the effectiveness and efficiency of health care. For example, HSR has identified significant variation in outcomes of care for a specific health problem according to the specialty of the clinician, type of insurance or reimbursement, and gender or ethnicity of the patient. At the same time, using personal health information for such research raises concerns about privacy (whether participants should provide the data) and confidentiality (how the data may be used later). Such concerns are intensified because of public concerns that confidentiality is being eroded for many types of computerized personal information, ranging from credit card purchases to addresses on drivers' licenses. Concerns about maintaining confidentiality of medical information are particularly important because patients disclose sensitive information to physicians that they may not tell close relatives and friends, such as information about their mental health, alcohol and substance abuse, and sexual practices. Confidentiality of medical information used in HSR is particularly important because information on many individuals may be analyzed by researchers without their knowledge or consent. The very power of HSR, to juxtapose patient-level data from a variety of sources on a large number of patients, also raises the largest concerns

OCR for page R1
Protecting Data Privacy in Health Services Research about confidentiality. It is often not feasible to obtain consent from every patient in a large population to be studied. Even if consent were possible to obtain, the requirement of consent would likely lead to bias and invalid findings, because those who opt out might differ systematically from those giving consent. Thus, for important HSR to proceed, it is important that the privacy and confidentiality of subjects be adequately protected. IRBs play a key role in protecting the subjects of research. This IOM committee was charged with identifing current and best practices of IRBs that review HSR, both HSR that is subject to federal regulation and research that falls outside it. Within restrictions of the scope and time, the committee found a number of examples of IRBs that had put into place thoughtful, effective measures for reviewing HSR. There appears to be considerable variation in how IRBs deal with such difficult questions as how to distinguish HSR from such activities as quality improvement, how to determine whether a HSR project is exempt from IRB review, and how to determine whether informed consent can be waived for a HSR project. If IRBs adopted the best practices more widely, the quality of HSR could be improved, and the public could be more assured that privacy and confidentiality were being properly safeguarded in HSR. Identifying best practices for protecting privacy and confidentiality in HSR is a promising approach that needs to be further developed. Identifying best practices is a quality improvement technique that builds on the achievements of HSR investigators and IRBs on the leading edge of their fields. It stimulates an explicit discussion of ethical concerns about HSR and potential solutions. Best practices give IRBs the flexibility to respond to the particular issues raised by different HSR projects; a technique that effectively safeguards confidentiality in one HSR project may be inappropriate in another. Finally, the approach of best practices not only helps to bring everyone up to a higher level, but also raises the best level higher as improved methods, such as informational technologies, develop and spread. At the same time, the effectiveness of IRBs in reviewing HSR will depend on organizational factors. First, authors of GAO reports and in the popular press have noted that IRBs often do not have sufficient resources to carry out their charges. The committee found that IRBs will need additional resources and training to oversee HSR better, since HSR differs in important ways from clinical research involving new drugs or invasive medical interventions. Second, protecting the confidentiality of personal health information in HSR is easier if health care organizations effectively protect confidentiality of electronic personal health information, whether used for clinical or administrative purposes. Finally, the committee found that many IRBs play an important role in educating investigators about the protection of human subjects in HSR. In the long run, such educational programs will enhance the quality of HSR proposals submitted for IRB review. I was privileged to work with a committee that was so thoughtful, committed, and embodied with good sense. We were grateful to the IRB chairs and administrators, health services researchers, and leaders of health care organizations

OCR for page R1
Protecting Data Privacy in Health Services Research who shared with us their wisdom, experience, and commitment protecting human subjects. The IOM staff was extremely helpful in keeping us on track on a tight schedule. Lee Zwanziger was excellent in pulling together information and ideas from many sources into a coherent, readable report.

OCR for page R1
Protecting Data Privacy in Health Services Research This page in the original is blank.

OCR for page R1
Protecting Data Privacy in Health Services Research Acknowledgments The workshop speakers, listed in the appendix, all were very helpful and generous with their time in preparing, attending, and participating in the workshop. The committee very much appreciates the information and insight they provided both in the workshop and in comments and suggestions afterwards. Many individuals assisted with helpful advice and suggestions throughout this project. The committee particularly thanks Paul Clayton of Intermountain Health Care, Nancy Donovan of the U.S. General Accounting Office, Gary Ellis and Tom Puglisi of the (former) OPRR, Molly Greene of UTHSCSA, Erica Heath of IRC, Steve Heinig of AAMC, Jon Merz of University of Pennsylvania, Eric Meslin and Margorie Speers of the National Biothics Advisory Commission, Andy Nelson of HealthPartners Research Foundation, Erica Rose of SmithKline Beecham, Joan Rachlin of PRIM &R, Patricia Scannell of Washington University in St. Louis, Ada Sue Selwitz of ARENA, Alvan Zarate of the National Center for Health Statistics, and many others. The committee appreciates the support provided by the sponsors of the project, the Agency for Healthcare Research and Quality (AHRQ) and the office of the Assistant Secretary for Planning and Evaluation (ASPE), both of the Department of Health and Human Services. The individual representatives of the sponsoring agencies, Michael Fitzmaurice (AHRQ) and John Fanning (ASPE) were very helpful throughout the planning and execution of the workshop. At the Institute of Medicine, the study director greatly appreciated the assistance of Sue Barron, Jennifer Cangco, Claudia Carl, Mike Edington, Rita Gaskins, Linda Kilroy, Janice Mehler, Jennifer Otten, Sally Stanfield, and Vanee Vines, among others. Florence Poillon helped in copy editing the report.

OCR for page R1
Protecting Data Privacy in Health Services Research REVIEWERS This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council's Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the Institute of Medicine in making the published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and the draft manuscript remain confidential to protect the integrity of the deliberative process. Ruth S. Bulger, Ph.D., Former President, Henry Jackson Foundation for Advancement of Military Medicine Donna Chen, M.D., Assistant Director and Research Scientist, Southeastern Rural Mental Health Research Center, University of Virginia Health System Helen McGough, IRB Director, Human Subjects Division, University of Washington Joan Porter, D.P.A., M.P.H., Office of Research Compliance and Assurance, Office of Veterans Affairs Patricia Scannell, IRB Director, Human Studies Committee, Washington University Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations nor did they see the final draft of the report before its release. The review of this report was overseen by Hugh H. Tilson, M.D., Dr.P.H., Senior Advisor to the Dean, University of North Carolina School Public Health, also of Glaxo Wellcome Company, appointed by the Institute of Medicine, who was responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the authoring committee and the institution.

OCR for page R1
Protecting Data Privacy in Health Services Research Contents     EXECUTIVE SUMMARY   1  1   INTRODUCTION   20      Privacy and Research,   21      Health Services Research,   25      Benefits of HSR,   27      Risks of Harm from HSR,   29      Background and Policy Context,   34      Project and Scope,   37      Outline of Report,   39  2   HUMAN SUBJECTS PROTECTION AND HEALTH SERVICES RESEARCH IN FEDERAL REGULATIONS   40      IRBs and Human Subjects Protection,   40      Previous Studies of IRBs,   47      Human Subjects Protection in HSR,   48      Principles and Practices,   49  3   BEST PRACTICES FOR IRB REVIEW OF HEALTH SERVICES RESEARCH SUBJECT TO FEDERAL REGULATIONS   51  4   BEST PRACTICES FOR IRB OR OTHER REVIEW BOARD OVERSIGHT OF HEALTH SERVICES RESEARCH NOT NECESSARILY SUBJECT TO FEDERAL REGULATIONS   71

OCR for page R1
Protecting Data Privacy in Health Services Research  5   RECOMMENDATIONS FOR NEXT STEPS   78     REFERENCES   93     ACRONYMS AND ABBREVIATIONS   99     APPENDIXES    A   Study Activities,   101  B   Institutional Review Boards and Health Services Research Data Privacy: A Workshop Summary,   106      Executive Summary,   106      Introduction,   111      Workshop Summary,   119      References,   151     Addendum A— Workshop Speakers,   155     Addendum B— Workshop Participants,   157  C   Protecting the Health Services Research Data of Minors, Ross A. Thompson   159  D   Confidentiality of Health Information: International Comparative Approaches, Bartha Maria Knoppers   173  E   Biographical Sketches,   187

OCR for page R1
Protecting Data Privacy in Health Services Research Protecting Data Privacy in Health Services Research

OCR for page R1
Protecting Data Privacy in Health Services Research This page in the original is blank.