In HSR there are few physical risks. Much HSR involves the analysis of previously collected, personally identifiable, health information recorded in the course of clinical care, billing, or payment for services. Thus, in HSR the primary risks are due to breaches of confidentiality, with ensuing loss of privacy and possible stigma and discrimination. Little is known about IRB practices in the area of HSR projects. Furthermore, much HSR using large databases falls outside the scope of federal regulations that require oversight by IRBs because it is undertaken with private funding by organizations that do not hold federal multiproject assurances that require all research at the institution to fall under IRB review.
In order to facilitate the national discussion of the topic of IRB oversight of HSR, the sponsors commissioned the IOM to call together a panel of national experts on various aspects of the problem. The purpose of this project was to provide information and advice on the current and best practices of IRBs in protecting privacy in health services research. The project was sponsored by the Agency for Healthcare Research and Quality and the Office of the Assistant Secretary for Planning and Evaluation, both in the Department of Health and Human Services. The charge to the committee was as follows:
To gather information on the current practices and principles followed by institutional review boards to safeguard the confidentiality of personally identifiable health information used for health services research purposes, in particular, to identify those IRB practices that are superior in protecting the privacy, confidentiality, and security of personally identifiable health information.
To gather information on the current practices and principles employed in privately funded health services research studies (that are generally not subject to IRB approval) to safeguard the confidentiality of personally identifiable health information, and to consider whether and how IRB best practices in this regard might be applied to such privately sponsored studies.
If appropriate, to recommend a set of best practices for safeguarding the confidentiality of personally identifiable health information that might be voluntarily applied to health services research projects by IRBs and private sponsors.
This summary describes the presentations and discussions that took place at the IOM Workshop on the role of Institutional Review Boards and Health Services Research Data Privacy. This summary reflects what transpired at the workshop and does not include committee deliberations, findings, or conclusions. The committee's deliberative report is being published separately (IOM, 2000).
The workshop itself was one of the major information-gathering activities of the committee. The committee invited speakers including IRB administrators and chairs from universities, research foundations, the U.S. Army and private businesses, as well as representatives from health care services and pharmaceutical companies. The committee also welcomed all interested parties to attend and to participate in discussion periods following the presentations. The invited speakers and members of the audience were asked to provide information on what their organizations actually do to protect confidentiality in health services research, whether or not the research they