Institutional Review Boards and Health Services Research Data Privacy: A Workshop Summary (2000)

The Institute of Medicine and the Committee on the Role of Institutional Review Boards in Health Services Research Data Privacy Protection hosted a workshop on March 13–14, 2000, to gather and to exchange information on human subjects protection in health services research.

Health services research uses quantitative or qualitative methodology to examine the impact of the organization, financing, and management of health care services on the access to and the delivery, cost, outcomes, and quality of services. Another IOM committee (IOM, 1995) recently developed the following definition:

Health services research is a multidisciplinary field of inquiry, both basic and applied, that examines the use, costs, quality, accessibility, delivery, organization, financing, and outcomes of health care services to increase knowledge and understanding of the structure, processes, and effects of health services for individuals and populations.

As these definitions show, HSR includes a broad range of questions and of research methodologies. This IOM project concentrates on HSR conducted through analyses of previously existing databases of health information. Further, among such studies, this project considers just the role of institutional review boards in ensuring that the study design will maintain confidentiality in the use of the subjects ' data.

The benefits of HSR studies include increased understanding of the results of policy changes and other systemic effects in health care. The major risk in this branch of research, where the actual object of study is not the human body, but data about human beings, is likewise not to life and limb, but rather the risk resulting from improper disclosure of personal information. Any potential for harm would come about through possible breaches of confidentiality. The methodology, and in many respects the type of questions, of HSR are often very similar to the questions and methods directed toward assessing and improving the quality of operations within an organization. As a result, a boundary between research and operations is often difficult to locate.

It is important to distinguish privacy and confidentiality. The following explanation is provided by the Office of Protection from Research Risks in guidance to institutional review boards.

Privacy can be defined in terms of having control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others. Confidentiality pertains to the treatment of information that an individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others in ways that are inconsistent with the under-

standing of the original disclosure without permission. (OPRR Guidebook, Chapter Three, Section D, 1993)

The protection of privacy is an important matter, and many individuals regard the protection of their privacy (and likewise the confidential treatment of private information they choose to disclose) as an important ethical value. The responsible conduct of high-quality research is also an important value, and many individuals appreciate the benefits of effective health care, efficacy that is based on information that can be obtained only from population data. Privacy and confidentiality can be protected by limiting access to data. Good research can be conducted only if investigators have access to data. Risks to individuals (from possible breaches of confidentiality) and benefits both to individuals and society (from the results of good research) are thus two concerns that we must balance.

In research, one way to ensure that subjects are protected, and in particular for this report's concerns, that the confidentiality of personally identifiable health information is maintained, is to have the proposed study reviewed by an institutional review board (IRB). IRBs are usually located within the organization doing the research, so that they can be aware of the nuances of the local situation. IRBs must ensure that they follow federal regulations pertaining to the protection of human subjects but they also use their local knowledge in practice along with the general principles in those regulations. This is why it was important in this project to consider the practices that IRBs actually follow as well as the regulations they apply through those practices.

It is also important to understand that IRB review is required only for research activities. So if data were to be collected for some proposed research (i.e., federally funded or otherwise subject to federal regulation), the protocol would be reviewed by an IRB for the protection of confidentiality. But health care provider or product companies often undertake reviews of their internal operations to assess and improve the quality of care and/or products they provide. These quality assessment and quality improvement exercises are not defined as research but may involve similar types of data collection as HSR, as well as raising similar questions about the use of private information and the maintenance of confidentiality. So if similar data were to be collected or used by a health care provider or health product company in the course of day-to-day clinical care or business operations, such collection and use would not be subject to regulations requiring IRB review.

In recent years, public interest in and concern about privacy and personally identifiable health information has increased and continues (e.g., Appelbaum, 2000). Some individuals have been disturbed, for instance, at corporate use of health information to create targeted mailings that seem to straddle the line between anticipating health questions and marketing products. For example, a database marketing firm received patient prescription records from two large pharmacies in the Washington, D.C. metro area (Lo and Alpers, 2000). The firm then created mailings for the pharmacies on the pharmacies' letterhead targeted to consumers of certain prescription drug products, informing them of new products with similar indications. The project, which was quickly canceled by the pharmacies in response to customer complaints, had been sponsored by the manufacturers of the new products, although the manufacturers never had access to any patient records themselves. In other cases, these worries have been heightened by still more dramatic reports of privacy violations, such as the release of HIV test results of hundreds of indi-

viduals to several Florida newspapers (in Etzioni, 1999). Such incidents are not HSR, but still increase general concern about the reliability of privacy protections.

In 1996, Congress enacted the Health Insurance Portability and Accountability Act directing the Secretary of Health and Human Services to prepare detailed recommendations on standards for privacy and personally identifiable health information. The Secretary's recommendations were delivered to Congress in September 1997 (Shalala, 1997), and several privacy bills have been introduced in Congress since that time. Both the Secretary's recommendations and most of the privacy bills introduced in the 105th Congress would permit personally identifiable health information to be used in research without the person's explicit permission if the research project were approved by an IRB.

The HIPAA further directed the Secretary of Health and Human Services to publish regulations on privacy standards by February 2000, unless the Congress had taken legislative action at least six months earlier. The Secretary published a Notice of Proposed Rulemaking in November 1999, with the comment period closing on February 17, 2000 (Department of Health and Human Services, 1999). The proposed regulations would create new requirements for privacy protection for all health care providers and health plans, and would establish research standards and oversight for all research. In addition, the proposed rule would permit the use and disclosure of personally identifiable health information for research without authorization by the subject, as long as the research protocol had been approved by an IRB or, if it does not fall under regulations requiring IRB review, then by an equivalent body. As this workshop was being held and summarized, the department was analyzing and responding to the many (approximately 52,000) comments that the proposed rule elicited.

Another important context for this report is recent media attention to research on human subjects. For example, news stories on topics such as gene therapy and clinical trials in developing countries have highlighted concerns about human subjects protections. Policies on many levels, from institutional to international, address of the proper and ethical conduct of research with human subjects. In the United States, the use of human beings as research subjects is governed by federal regulations when the research is federally funded. The body of federal regulations about human subjects protection (45 CFR 46 Subpart A) is called the Common Rule, since it has been adopted “in common” by many federal departments and agencies that are involved in research with human subjects as the basis for their regulations. The Food and Drug Administration (FDA) has adopted similar regulations (21 CFR 50 and 56) and will not consider clinical trial results submitted in support of a marketing application unless the trial was approved by an IRB. In addition, many organizations that do human subjects research have entered into agreements to conduct all their research according to the Common Rule, regardless of funding. Such agreements are called multiple product assurances (MPAs, see also footnote 6 below).

The provisions of this shared body of regulation, including the Common Rule and MPAs as well as FDA regulations, grew from a variety of sources including the Belmont Report (Belmont, 1979). The Belmont Report presented the ethical basis of human subjects research as three principles: respect for persons, beneficence, and justice. The main mechanism in the human subjects protection system for protecting research subjects and for assessing the balance between the risks and benefits of research is the institutional review board. An IRB is a standing committee composed of scientists and/or physicians not directly involved with the proposal being reviewed and including at least one person who is not primarily involved in scientific pursuits and at least one person who is not otherwise connected with the institution. IRBs review proposals for research with human participants to make sure that any risk of harm to the subjects of the research is rea-

sonable in relation to the possible benefits and that they will be respected as persons, not just used as research subjects. In many studies the subjects participate only after giving informed consent. So the IRB must make sure that subjects will be fully informed and then have an opportunity to consent, decline to participate in the research, or withdraw at anytime, unless the research is of such low risk that informed consent is not needed. In federal regulations, the IRB of a particular organization is charged with reviewing and approving all research at the institution covered by the regulations. The criteria set out in the regulations for IRBs to use in assessing research proposals are listed in Box 1-1.

Research using databases containing health information on individuals, of which health services research is one example, also falls under the Common Rule, although the Belmont Report and regulations primarily address clinical research and individual direct interventions. HSR involving the analysis of previously collected data is somewhat different from clinical research in that subjects participate indirectly because researchers are sorting data on large sets of individuals but not intervening with the specific individuals themselves. As a result, the application of the principles may also have to be somewhat different in HSR.

The sponsors commissioned the IOM to call together a panel of national experts on various aspects of the problem. The purpose of this project was to provide information and advice on the current and best practices of IRBs in protecting confidentiality in health services research. The project was sponsored by the Agency for Healthcare Research and Quality and the Office of the Assistant Secretary for Planning and Evaluation, both in the Department of Health and Human Services.

The charge to the committee was as follows:

1. To gather information on the current practices and principles followed by institutional review boards to safeguard the confidentiality of personally identifiable health information used for health services research purposes, in particular, to identify those IRB practices that are superior in protecting the privacy, confidentiality, and security of personally identifiable health information.

2. To gather information on the current practices and principles employed in privately funded health services research studies (that are generally not subject to IRB approval) to safeguard the confidentiality of personally identifiable health information, and to consider whether and how IRB best practices in this regard might be applied to such privately sponsored studies.

3. If appropriate, to recommend a set of best practices for safeguarding the confidentiality of personally identifiable health information that might be voluntarily applied to health services research projects by IRBs and private sponsors.

The charge did not encompass many other possible questions about privacy of medical records or electronic records in general. The committee recognized the strong connections between these related matters and the question of protecting data confidentiality in health services research. However, in keeping with the committee's charge, these issues were not discussed at the workshop. The committee also did not discuss issues of privacy and confidentiality as they pertain to other types of research, for example, clinical research that deals with sensitive topics such as HIV infection, mental illness, or substance abuse.

The committee focused its attention on HSR involving the secondary analysis of existing data because this type of research raises the most dilemmas about how IRBs can protect the confidentiality of the patients' data. To be sure, HSR that involves, for example, questionnaires to patients about satisfaction or clinical outcomes also raises concerns about privacy and confidentiality. However, patients must be contacted and must cooperate for data to be gathered. Because of these interactions, the research may be less likely to be exempt from IRB review, and potential subjects have the ability to decline to participate.

The committee therefore urges the reader to bear in mind that such related matters were not in the charge, were not addressed by the committee, and in particular, were not discussed at the workshop.

This summary describes the presentations and discussions that took place at the March 13–14, 2000 IOM Workshop on Institutional Review Boards and Health Services Research Data Privacy Protection. This summary reflects what transpired at the workshop and does not include committee deliberations, findings or conclusions. The committee' s deliberative report is being published separately (IOM, 2000).

The workshop itself was one of the major information-gathering activities of the committee. The committee invited speakers including IRB administrators and chairs from universities, research foundations, the U.S. Army, and private businesses, as well as representatives from health care services and pharmaceutical companies (see appended workshop agenda). The committee also welcomed all interested parties to attend and to participate in discussion periods following the presentations. The invited speakers and the audience were asked to provide information on what their organizations, whether IRBs or organizations doing research not under the purview of the Common Rule, currently and actually do to protect privacy in health services research. The committee also asked the participants to share any observations they had made regarding which practices are best and might be applicable to other institutions.

Some of the issues discussed at the workshop and in this document have been the subject of recent IOM and National Research Council (NRC) reports. These reports include For the Record (NRC, 1997), Health Data in the Information Age (IOM, 1994), and Private Lives and Public Policies (NRC, 1993).

This summary uses several terms repeatedly, for which the committee has offered definitions below.* In most cases, these definitions are incomplete in a global sense, reflecting their use in the context of the present study; “privacy, ” for instance, has other shades of meaning to be sure, but the definition below emphasizes the use of the word in regard to information.

• Informational Privacy—The right of individuals to control access to, and the use of, information about themselves.

• Confidential—a manner of treating private information, which has been disclosed by the individual subject of the information to a particular person or persons, such that further disclosure of the information will not be allowed to occur without authorization.

• Health Services Research—a multidisciplinary field of inquiry, both basic and applied, that examines the use, costs, quality, accessibility, delivery, organization, financing, and outcomes of health care services to increase knowledge and understanding of the structure, processes, and effects of health services for individuals and populations.

• Personally Identifiable Health Information—information such that an individual person can be identified as the subject.

• Institutional Review Board—administrative body established to protect the rights and welfare of human research subjects in research activities of the institution to which the board is affiliated, by reviewing proposed research protocols and approving or requesting changes prior to their inception.