Suggested Citation:"2 Workshop Summary." Institute of Medicine. 2000. Institutional Review Boards and Health Services Research Data Privacy: A Workshop Summary. Washington, DC: The National Academies Press. doi: 10.17226/9890.

2

Workshop Summary

The Committee on the Role of Institutional Review Boards in Health Services Research Data Privacy Protection hosted a public workshop on March 13–14, 2000 (agenda appended). The committee invited speakers with a variety of institutional perspectives and also welcomed contributions from the audience. As a starting point for the workshop, the committee reviewed its charge (as given in the previous section). The committee was charged with collecting information on the current practices of institutional review boards for protecting data privacy in health services research, gathering information on the practices of organizations that are not required to consult IRBs but still carry out HSR activities where data privacy and confidentiality are of concern, and to the extent possible, identifying and recommending the best practices for wider adoption. This section presents a summary of the workshop proceedings. The summary does not include deliberations, findings, or recommendations by the committee (see IOM, 2000).

INTRODUCTORY PRESENTATIONS

The first series of presentations was given by representatives of several agencies within the federal Department of Health and Human Services (DHHS). The sponsors of the project, the Agency for Healthcare Research and Quality (AHRQ) and the Office of the Assistant Secretary for Planning and Evaluation (ASPE), outlined their perspective on the objectives of the workshop and the committee's task, and the Office for Protection from Research Risks (OPRR) provided an overview of the current regulations on the protection of human subjects in research.

Comments from Sponsoring Agencies

Dr. Michael Fitzmaurice of the AHRQ, one of the agencies sponsoring the project, spoke first. Dr. Fitzmaurice observed that the tension between the availability of data for research and the protection of data for maintaining confidentiality and privacy will not disappear but has to be managed through judicious balancing of these countervailing interests. Essentially, these interests should reinforce each other. In order to facilitate the national discussion of this balancing with regard to the use of individually identifiable health data by health services researchers with principles and best practices for maintaining confidentiality, the sponsors commissioned the Institute of Medicine (IOM) to convene a panel of national experts on various aspects of the problem. The panel's report will provide guidance to assist IRBs that review HSR, organizations that are not required to use IRBs but may still be concerned with balancing privacy and data access in such research, and health services researchers themselves.

Dr. Fitzmaurice continued that the DHHS is directed under the Health Insurance Portability and Accountability Act to promulgate federal regulations governing the privacy of personal health information. The proposed regulations allow the release of individually identifiable health data and information for use in research, under appropriate conditions. Current and proposed regulations would set conditions for safeguards that researchers must observe. Oversight mechanisms described in the proposed federal regulations on health privacy (Department of Health and Human Services, 1999) depend on the current IRB system but also would require complementary oversight bodies, called “privacy boards” (see Box 2-1), that would oversee the protection of personal health information in research not covered (by regulation or voluntarily) by the current IRB system—non-federally funded research for the most part.

Mr. John Fanning of the ASPE (also a sponsor of the project) provided further context for the workshop. Mr. Fanning pointed out that many sets of principles pertaining to privacy protection have already been published, but these principles may fail to provide practical guidance to investigators and IRBs concerned with HSR.1 In addition, he noted, little information is available regarding actual practices and procedures whereby the principles are implemented by IRBs. Such information is needed in order for IRBs to improve their oversight of HSR. In particular, Mr. Fanning explained, the agencies sponsoring the project believe that identification of best practices of IRBs in reviewing HSR could provide helpful guidance to other IRBs, as well as to organizations that are not required to have IRBs review health services research but wish to ensure that confidentiality and privacy are adequately protected in HSR.

The location of the boundaries of HSR, in the focus of the present project, has been an additional and difficult question. The regulations now in place define “research” as an activity intended to result in generalizable knowledge. However, it is often difficult to draw a line between HSR and other activities that use personal health information in databases, such as internal efforts at quality assurance, business planning, or marketing.

In the discussion immediately following the presentations, committee members highlighted their concerns about focusing on the protection of privacy in the context of research while ignoring very similar activities using databases that contain personal health information when undertaken for business or administrative purposes. The sponsors' representatives replied that the Common Rule applies only to the oversight of research, not to these other activities. Thus, although the appropriate use of personal health information for purposes other than research is an important question that the nation has to address, the current project is intended to address only the more limited but still important topic of HSR.

1 Because different groups are developing principles to address different problems, or at least to address problems in different contexts, the sets of principles do not directly overlap in many instances—in particular, not mentioning a principle is not evidence that an organization would oppose it. These different perspectives make for difficult comparison (though see Buckovich, 1999). See, for example, GHPP, 1999; ISPE, 1997; Lowrance, 1997; AAMC, 1997; JHITA (web page), PhRMA (web page).

BOX 2-1 Privacy Board Review of Research in the Proposed Rule

Privacy boards, in the proposed rule, would review the protocols for research proposing to use or disclose protected health information without individual authorization that does not fall under the Common Rule to determine that the research meets specified criteria. The board could be an IRB constituted under the Common Rule, or an equivalent privacy board that meets the requirements in this proposed rule (note that not all commentors agree that the board described would in fact be equivalent to an IRB). The criteria proposed were the following:

  • the use or disclosure of protected health information involves no more than minimal risk to the subjects;

  • the waiver or alteration will not adversely affect the rights and welfare of the subjects;

  • the research could not practicably be carried out without the waiver or alteration;

  • whenever appropriate, the subjects will be provided with additional pertinent information after participation;

  • the research would be impracticable to conduct without the protected health information;

  • the research project is of sufficient importance to outweigh the intrusion into the privacy of the individual whose information would be disclosed;

  • there is an adequate plan to protect the identifiers from improper use and disclosure; and

  • there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers.

SOURCE: DHHS, 1999.

Overview of Current Human Subjects Regulations

The OPRR administers the federal regulations on human and animal subjects. Dr. Thomas Puglisi, director of OPRR's Division of Human Subject Protections, presented an overview of the human subjects regulations to the committee. IRBs have to address several questions, all of which may require some interpretation specific to HSR. First, does an activity constitute research? Second, is the project exempt from IRB review? Third, may individual informed consent be waived?

Dr. Puglisi explained that the regulations apply to projects involving human subjects, defined as protocols in which there is to be an intervention or interaction with a living person that would not be occurring, or would be occurring in some other fashion, but for the research, or if identifiable private data or information will be obtained for the protocol in a form associable with the individual (Figure 2-1). Private information, in this context, is defined as “information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (e.g. a medical record)” (45 CFR 46.102(f)). The definition stipulates that the information must be individually identifiable, that is, that the identity of the individual can be readily ascertained or associated with the information.

Dr. Puglisi noted that several aspects of these regulations already merit attention with regard to HSR. With HSR, the second condition marking an activity as research is generally the most pertinent (“identifiable private data or information will be obtained for the protocol in a form associable with the individual”), since HSR often works with data that have already been collected and hence requires no further interaction with subjects. The question of identifiability can be difficult, since coded data are not necessarily nonidentifiable because subjects often still can be identified by inference.

The term research is also defined in the regulations: the activity must be systematic and designed to contribute to generalizable knowledge. The important term “generalizable” is not, he pointed out, itself defined in the regulation. This term usually must mean at least that the product of the activity is intended to be applicable beyond the immediate situation and present conditions. For example, a project that is intended for publication in a medical journal or presentation at a conference would be deemed research, whereas an organization's internal review of records for the purpose of improving its operations would likely not be considered research. Different organizations, however, make different distinctions between research and quality assurance activities.

FIGURE 2-1 Is the definition of “human subject” at 45 CFR 46.102(f) met in the research activity?

Activities may be exempt from IRB review, either because they are not research or because they may not meet the definition of human subjects research as described above. These conditions are a basis of a specific exemption (45 CFR 46.101(b)(4)):

(4) Research involving the collection or study of existing data, documents, records, pathological specimens, or diagnostic specimens, if these sources are publicly available or if the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects.

For a project that is research involving human subjects and is not eligible for exemption as above, the IRB must ensure that the subjects have given free and informed consent to participate, unless the informed consent requirement can be waived. The requirement for informed consent may be waived by the IRB under some conditions including that the research involves no more than minimal risk and the research could not otherwise be practicably carried out (where “not practicable” is not specifically defined but means a general zone between merely inconvenient and truly impossible). The key point in considering when a waiver of informed consent would be appropriate is “minimal risk.” In HSR, Dr. Puglisi explained, the IRB would have to consider the protections for confidentiality that were built into the protocol, keeping in mind that the protocol may require access to records on very large numbers of individuals, and weigh the probabilities of harm or wrong to these individuals. With adequate protections, the IRB often determines that the risk would be minimal and individual informed consent therefore unnecessary.

In discussion following the presentation, several committee members raised the question of review of a protocol's expected benefit to society and its scientific merit, with regard to which matter different IRBs take different views. The question of the role of OPRR in education also surfaced, in particular its possible involvement in collecting and disseminating information about the best practices of IRBs. Dr. Puglisi said that a great deal of information and guidance is posted on OPRR's website and that OPRR is actively expanding its educational activities.

IRB FUNCTION

Many different types of institutions conduct research with human subjects and therefore have IRBs associated with them, including universities, state and federal agencies, hospitals, and research foundations. The committee invited speakers from a variety of these institutions to present information on the practices and experience with protecting the confidentiality of data in health services research in their respective organizations.

In preparation for the workshop, the speakers were given a list of points to discuss about IRBs and HSR, which are listed in Box 2-2.2 Many presenters used these discussion points as a basis for their remarks. The summary of the presentations and discussion below follows these points as much as possible. Some discussion points, however, did not apply to some speakers, and several speakers remarked that they did not wish to repeat what had already been said about IRB function, so they did not specifically speak to all the discussion issues in their presentations.

2 This list of suggested discussion issues was also posted on an IRB-targeted list serve and on the projects' section of the National Academies' Current Project System website, with an invitation to provide any relevant information or experience. The full invitation is included in Appendix A of IOM (2000).

BOX 2-2 Points to Discuss Regarding IRB Review of HSR

  1. Policy or practices, if any, for identifying specific studies as health services research

  2. Procedures, if any, for determining which health services research studies are exempt from IRB review

  3. Procedures, if any, to determine whether and which information is identifiable when assessing risk of disclosure in a health services research protocol

  4. Procedures, if any, for weighing the importance of the research relative to the risk (of disclosure) to those whose data are used

  5. Procedures, if any, in place for merging different datasets and, in this context, for ensuring that identifiable health information is protected

  6. Procedures, if any, used for reviewing protocols to ensure that identifiable health information is being protected while the study is actually under way

  7. Procedures, if any, to review protocols for the protection of data after a study is completed

  8. Procedures, if any, for auditing or oversight to make sure protections and procedures are used and enforced

  9. Provisions, procedures, and/or principles that should be more widely adopted by IRBs in safeguarding data privacy in health services research

SOURCE: IOM 2000, Appendix A.

IRB Administrators

The first speakers were IRB administrators. IRB administrators coordinate IRB activities and provide staff support for IRB meetings and actions. IRB administrators typically work very closely with their IRBs in substantive as well as procedural capacities, often serving as voting members and in some cases even chairing the board.

The first presenter was S. Angela Khan, Institutional Coordinator of Research Review of the IRB at the University of Texas Health Sciences Center in San Antonio (UTHSCSA). The second presenter was Colonel Arthur Anderson, M.D., administrator and also chair of the IRB for the U.S. Army Medical Research Institute of Infectious Diseases at Fort Detrick. Col. Anderson highlighted some of the special features of human subjects research in the military. The summary of their remarks follows, with some modifications, the issues listed in Box 2-2.

Identifying Specific Studies as HSR

Ms. Khan explained that the UTHSCSA IRB does not specifically classify protocols as to whether they are HSR, but in any case does not review such projects any differently than other protocols. This IRB has reviewed protocols addressing various HSR questions including the effects of training and of guidelines, the delivery and perception of services, and the costs of different services.

Col. Anderson explained that his institute is a research institute that is not primarily involved with providing health care to persons with illnesses. The institute does very little that would be classed as HSR but is heavily involved in vaccine research studies, which give rise to many concerns about privacy protections for the soldiers who volunteer.

Determining Which HSR Studies Qualify as Exempt

Ms. Khan reported that in assessing whether certain studies (generally only those directed toward internal quality assurance [QA]) should be exempt from review, the IRB would consider

  • whether the findings of the study will be disseminated beyond the department proposing to carry out the study,

  • whether the protocol includes any change in clinical care or clinical processes,

  • whether the data to be collected would be available to the investigator only through the study (i.e., the investigator would not have access to such data in normal practice), and finally

  • whether there is any risk to patients or staff.

If the answer to all these questions is no, then the protocol could be considered exempt as a QA activity. Other research may fall into an exempt category under the regulations but probably also would be reviewed at least by a subcommittee of the IRB, and informed consent might still be required. Ms. Khan also noted that generally the first consideration about publication is sufficient to classify a project as research since most investigators do in fact wish to publish their findings, even from projects that were planned as internal investigations, if they should prove interesting.

Ms. Khan explained that other research that falls into one of the categories defined in the regulations as exempt undergoes review by the IRB members who review protocols in the “expedited” category.3 Even for exempt studies, the IRB opens files, requires annual reports, and for studies involving contacts with subjects (e.g., interviews), often requires researchers to obtain informed consent or to provide subjects with written material including the elements that would appear on a consent form.

Col. Anderson explained that Army regulations are separate from civilian regulations, but that the Army's regulations on human subjects research closely follow the Common Rule as previously presented by Dr. Puglisi. He explained further that the Army's regulations on the treatment of military research subjects have been expanded (by Title 10 USC 980) to include a ban on waiving informed consent when data collected will include identifying information, unless the research is exempt. Finally, he said that the military criteria for exemption are substantively the same as the civilian criteria as codified in the Common Rule.

Determining Whether Information Is Identifiable in Assessing Risk of Disclosure

Ms. Khan noted that the UTHSCSA IRB continues to wrestle with how to determine whether data would be identifiable. For projects collecting data from computer databases, it asks the investigator to list all the fields to be collected and to indicate who will actually collect the data, how respect for privacy by any personnel involved will be ensured, and how further dissemination of the information will be prevented (e.g., storing data on computers that are not networked, storing codes identifying individuals separately from data, using passwords and/or key requirements to restrict access both to computers for data storage and to computers housing identifying codes).

3 In the context of HSR, the most relevant exempt category is “research involving the collection or study of existing data, documents, records, pathological specimens, or diagnostic specimens, if these sources are publicly available or if the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects” (45 CFR 46.101(b)(4)).

Col. Anderson explained that the Army tracks all the records associated with a soldier by Social Security number. In the case of certain types of research such as developing vaccines in preparation for missions to other climates or protection of soldiers from possible biological warfare, the military has adopted special precautions for maintaining confidentiality of the records. Although many of the personal privacy issues of civilian life cannot enter into the military environment (i.e., a soldier's health status must be known to his or her supervisors, and he or she cannot deny them access to it because it determines medical qualification to serve), additional privacy protection has been adopted for soldiers who volunteer as the subjects of biological warfare vaccine research. These additional protection measures were adopted because information about the particular vaccines tested might later be used as a basis for the denial of insurance coverage or other benefits or might be used to refuse issuing a visa in cases where the vaccine record suggested an assignment in a nation unfriendly to the United States. Col. Anderson noted that the use of vaccines, whose names are the same as those of highly hazardous organisms associated with biological warfare, does not have any real risks greater than those of ordinary vaccines used for the general public, but the names may be frightening. To shield their privacy, soldiers may opt for separate research medical records, stored apart from regular clinical records, so that records regarding research participation remain confidential and under more restricted access.

Weighing Importance of the Research Relative to Risk

Ms. Khan explained that risk to subjects must be balanced against benefits of the research in HSR, as with any protocol. However, in most of the HSR studies, she continued, the subjects themselves are not likely to receive any direct benefit. Thus, the UTHSCSA IRB's tolerance for risk to the subjects tends to be correspondingly low. The IRB tries to assist investigators in identifying possible disclosure risks, stemming, for instance, from overlooked links between fields or retention of identifying information that could be eliminated without jeopardizing the results of the research. Ms. Khan observed that investigators sometimes retain identifying fields as a matter of convenience and sometimes even do so when there is no need for the information. The IRB can assist by alerting investigators to the possible risks and educating them about how to avoid them.

In the review of the privacy issues in an HSR study, Ms. Khan noted that the UTHSCSA IRB considers all those about whom data would be collected, and whose privacy might therefore be at risk. In some protocols, for instance, the set of subjects regarding whom data will be collected includes not only the patients who received a service, but also the health care providers who delivered the service. In this case, the UTHSCSA IRB is concerned that the privacy of health care providers is protected.

Ensuring That Identifiable Information Is Protected During the Study

Ms. Khan explained that the UTHSCSA IRB requires information at the time of the application detailing how the protocol will protect confidentiality. Upon approval, the IRB instructs the investigators that they may not make any changes to these procedures without prior IRB approval. The IRB requires status reports annually or more often. Ms. Khan also noted that for any protocol involving particularly sensitive data, the IRB requires the investigator to obtain a certificate of confidentiality.4

4 The certificate of confidentiality is described in the Public Health Services Act (§301(d)). It provides protection for research data from subpoena by law enforcement agencies. The investigator applies directly to the appropriate official, which varies depending on the nature of the sensitive data. The types of data that may be eligible for protection include information pertaining to sexual matters, drug use, illegal activity, mental health, or other information that could damage the subject's financial standing, reputation, or could be in some way stigmatizing. See also Wolf and Lo, 1999.

Col. Anderson mentioned that an investigator may request that research records be maintained under special coded identification numbers, with a linkage to the individual's Social Security number. The key linking the study identification number and the Social Security number is then stored separately under extremely limited access.

Enforcement of Procedures to Protect Confidentiality

Ms. Khan concluded that IRBs function best when working in a collaborative, educational relationship with the investigators. The UTHSCSA IRB requires periodic status reports on all studies but does not itself audit investigators or otherwise engage in active surveillance to ensure compliance. Indeed, if a compliance assurance role proves necessary, she argued that it would be more effectively carried out by another office so as not to lose the positive relationship with investigators that the IRB has developed.

Regarding Col. Anderson's presentation, committee member Peter Szolovits commended the Army's ability to maintain effective barriers between different parts of the organization so as to keep a file of identifiers for use if necessary but not risk improper disclosure, and asked if such a centralized resource for pseudonymizing data could be used at other institutions. Col. Anderson replied that the centralization of subject data demographics, control of data privacy, and enforcement of procedures to maintain them might be implemented effectively in a military organization but be impracticable or impossible in a civilian setting.

Additional Recommendations by Presenters

Ms. Khan offered several additional recommendations. First, in multisite projects, personally identifiable health information generally ought not to be shared beyond the local investigators. Second, she suggested that studies involving collection of data through telephone interviews, which are frequently used to collect information about services rendered (though not the focus of this workshop), should be carefully reviewed and not necessarily approved if the subject's name and telephone number will be given to a contract research organization to make the calls. Finally, Ms. Khan emphasized that IRBs can and should develop collaborative relationships with other parts of their institutions. As an example, she suggested consulting with university committees that review research for appropriateness and research allocation. She explained that since these bodies tend to be concerned with both costs and legal exposure during research, it is important that they and the IRB coordinate their policies. Coordination both avoids frustrating investigators with inconsistent requirements and builds in more internal support for compliance with the policies.

General Discussion Following Presentations

Committee member Lisa Iezzoni commented that some IRBs either prefer, or believe themselves required, to insist on using exactly the same language on the consent form as would be used for clinical trials. In her experience, the result is that potential participants in a health services research study that may involve a review only of their records are warned about risk of physical injury, possibly including death. Ms. Khan and several IRB administrators and/or chairs replied that their IRBs work to ensure that the language of the consent form reflects the actual risks of the protocol.

Dr. Iezzoni also mentioned that one branch of HSR, qualitative health services research, involves detailed interviews with a small sample of patients and that, in these cases, additional precautions are needed to protect the privacy of the participants. For instance, if the interviews are taped or videotaped, the voices and/or faces may have to be masked.

Finally, a member of the audience, Dr. Joanne Lynne of RAND, urged the committee to be mindful of the plight of very small hospices and other health care providers who wish to carry out quality improvement projects. Such organizations may lack the resources to locate or negotiate with an IRB.

Academic IRB Chairs

Dr. James Kahn, chair of the Committee for Human Research at the University of California in San Francisco (UCSF), presented first, followed by Dr. Robert Amdur of the University of Florida, recently IRB chair at Dartmouth Medical School.

Identifying Specific Studies as HSR

Dr. Kahn said that HSR studies at UCSF are reviewed in the same way as other studies involving human subjects, except that the wording in the informed consent form would be modified to reflect the type of research and would not warn of physical injury. Dr. Kahn commented that if data are to be collected systematically, the project ought to be reviewed by the IRB, since it is reasonably likely that the investigator will publish the results if the findings prove to be of interest.

Dr. Amdur said that the differentiation of health services research from various types of health operations such as internal quality assessment is critical and argued that IRBs ought not to take on the task of protecting privacy in nonresearch settings. Instead, protection of privacy in a nonresearch setting ought to be addressed in other ways. He was concerned not only about the workload of IRBs but also about placing administrative burdens on quality improvement projects and health care operations. He suggested that the way to distinguish research from other activities is to determine whether the project would be done in the same way if the project directors knew they would not be able to publish or otherwise present the results in an academic forum (Amdur et al., in press). That is, if the project would be done even if the findings could not be published or disseminated, it is not research. He pointed out that the fact of publication alone would not be a sufficient criterion because the results of nonresearch assessments are in fact sometimes published, but that research is always undertaken with a view to contributing to public, general, knowledge.

Determining Which HSR Studies Qualify as Exempt

Dr. Amdur argued that current federal regulations are applicable and appropriate for evaluating health services research. Current regulations already allow waiving of informed consent when risk would be minimal and the project could not reasonably be carried out if informed consent were required. From this perspective, he continued, the problem then resolves again to the need for the IRB to take a rigorous view of what is research and to turn back any proposals that ought, under the regulatory definition of research, to be viewed as a health care operations or QA activity.

Weighing Importance of the Research Relative to Risk

Dr. Amdur commented that for IRBs that are operating according to the Common Rule, the fundamental risk assessment approach is not a new task and the regulatory structure is already, for the most part, in place. He continued that reviewing HSR protocols, in particular the evaluation of risks associated with possible invasions of privacy or breaches of confidentiality, does not make the risk assessment task any different. An IRB could need additional knowledge or expertise about how privacy might be invaded (whether intentionally or inadvertently) since some means now available have only recently been developed.

Additional Recommendations by Presenters

Dr. Kahn reported that in response to several recent incidents in which the IRBs of other institutions had been criticized for inadequate oversight, the vice chancellor of the UCSF had commissioned an ad hoc committee to consider some specific questions in reviewing the UCSF IRB's function. The ad hoc committee was asked to consider the composition, procedures, and support of the IRB and whether it could be of better service to the university. The committee returned a list of recommendations, including several suggestions about increasing the use of electronic information systems, increased training for researchers to address both research responsibilities and institutional procedures, and increasing staff support for the human subjects protection program. In addition, the chair specifically suggested designating 1 to 1.5 percent of each grant involving human subjects to be earmarked as funding for the human subjects protection program.

Dr. Amdur suggested that the growth of multisite research projects would require changes in IRB function and structure. Because many HSR projects depend on data from many different sites, the current system of review by each local IRB creates an administrative burden that may discourage valuable HSR projects. He suggested testing a central IRB to review multisite HSR studies.

General Discussion Following Presentations

In additional general discussion, committee member Lisa Iezzoni mentioned experiences where different IRBs from different institutions are involved and return inconsistent assessments. Several participants agreed that this is not uncommon and must be resolved by negotiation on a case-by-case basis.

In discussions of problems turning on what party has a claim to data, either for gaining or for withholding access, several participants asked to whom the data belonged. Committee member Adele Waller explained that, as a legal matter, disputes over how to handle data between different institutions cannot be resolved simply by determining ownership of the data. She continued that several parties typically have legitimate rights and responsibilities pertaining to the data, distinctions that the concept “ownership” is unable to capture, and that no single party has ownership.

Research Institute IRB Chairs

Research institutes that are separate from universities carry out a great deal of HSR. When such research is federally funded, these institutions are subject to the Common Rule. Some research institutes have multiple project assurances[5] through the OPRR in which they have agreed to comply with the Common Rule for any human subjects research. The research institutes that participated in the workshop are not affiliated with health care organizations such as integrated health care systems or health maintenance organizations (HMOs), so they do not face the issue of distinguishing HSR from quality improvement or business functions. Because research institutes do not carry out clinical care or payment, all of their activities would be research.

The first presenter was Dr. Tora Bikson, senior social scientist and IRB chair at RAND. She was followed by Dr. Steven A. Garfinkel, an IRB chair and health services researcher at Research Triangle Institute (RTI).

RAND's multiple project assurance agreement stipulates that the institution will be guided by the ethical principles in the Belmont Report (Belmont, 1979) and will adhere to federal regulations regarding human subjects protection for all research involving human subjects regardless of sponsorship. RTI also follows the Common Rule in all human subjects research.

Identifying Specific Studies as HSR

Dr. Bikson noted that the organizational unit that carries out a study cannot be viewed as an indication of whether the study is HSR. Various parts of RAND, including the health research program but also, for example, the education program and the criminal justice program, carry out HSR studies, but they are reviewed by the same IRB. As noted above, RAND requires all its research involving human subjects to be in accord with the Common Rule and to be reviewed by its IRB.

Dr. Garfinkel said that RTI does surveillance, cost and use studies (for example, an evaluation of Oregon's Medicaid Reform Project), program evaluation, and outcomes assessments. RTI also does coordination of clinical trials and epidemiological work. In the former areas, it works with medical records and insurance enrollment and claims (as well as interviews and tissue specimens). RTI actually maintains three IRBs, two of which include physicians. The HSR proposals go to the third IRB, which does not include physicians, for review.

Determining Which HSR Studies Qualify as Exempt

The committee heard that RAND has implemented an on-line system to ensure that there is appropriate IRB review of all protocols. The IRB is notified whenever a project receives an internal funding account number—in fact, assigning such a number automatically triggers a message to the investigator containing a brief screening questionnaire about the project. If the screener indicates that the project might require IRB review, a more detailed questionnaire then helps the investigator explore alternatives of exemption from IRB review, expedited review, or full review (Figure 2-2). The on-line system may indicate that a project would be exempt from IRB review if it will use only anonymous or public use datasets or de-identified data sets if neither RAND nor any other party on the contract has access to the identifiers. Dr. Bikson emphasized that the system is designed to be inclusive, that is, to send any borderline cases to IRB members for specific attention. In less clear situations, the IRB chair and/or selected members would have to decide whether the particular project could be exempt. Examples of borderline situations where an IRB member would have to examine the project to decide whether further IRB review might be needed include projects that will use anonymous or nonsensitive primary data gathered through surveys, interviews or other methods requiring a direct interaction with subjects; projects that gather data from public officials or candidates; or intervention research that is anonymous and without risk.

FIGURE 2-2 RAND's system for identifying reviewable research. SOURCE: Adapted from slide presented by Dr. Tora Bikson at the Workshop on Institutional Review Boards and Health Services Research Data Privacy.

[5] An “assurance” is an agreement or contract between an institution and the OPRR, on behalf of the Secretary of Health and Human Services. The assurance stipulates the methods by which the institution will protect the welfare of research subjects in accordance with the regulations. An MPA is a type of assurance designed for institutions that engage in large amounts of health-related research. An MPA can be approved for 5-year intervals.

Determining Whether Information Is Identifiable in Assessing Risk of Disclosure

Dr. Bikson noted that the determination of whether identifiable information will be involved remains challenging, and it is important to realize that identifiability could enter the process at various points, from subject selection to data combination to subject compensation. She reminded participants that information may be directly identifiable (e.g., a Social Security number) but may also be identifiable by inference from the combination of several data fields—identifiability by inference is therefore one of the key concerns of privacy in research utilizing databases. She suggested a general rule used by RAND that may be of interest to others: if sorting data according to any variables produces subsets with ten or fewer members, then these individuals will be at risk for identifiability by inference.

Dr. Bikson, seconded by several participants, commented that researchers often would strongly prefer to work with de-identified data, but that even if they request such data and supply de-identifying algorithms to providers, they may receive data complete with identifiers because the provider lacked time and staff to remove identifying fields.

Dr. Garfinkel commented that when RTI researchers collect data from surveys and claims, they are often required to produce public use files as part of the product. He noted that in the course of producing such files, they have likewise had to work at the problem of determining which fields may lead to identifiability or at least increase the risk of unintended disclosure of personal information.

Weighing Importance of the Research Relative to Risk

Dr. Garfinkel explained that when RTI plans to produce a public access file, it informs respondents that their data will be kept confidential, by which it means that data will not be released in an identifiable form. He reported that in RTI's experience, informing respondents that their data will be included in a public use file, even though not in identifiable form, will needlessly lower the response rate. He observed that the scientific benefit of a study could be seriously impaired by unnecessarily alarming individuals about their privacy in the consent form.

Ensuring That Identifiable Information Is Protected During the Study

Dr. Bikson said that RAND's IRB includes a three-person privacy team. The team includes an information resource specialist (who specializes in security measures such as encryption and creating codes to substitute for identifying data), a data librarian (who specializes in rules and practices for dealing with very large datasets acquired from other organizations), and a network specialist (who specializes in conditions and limitations of safe data transfer over the network). These IRB members help design and implement data safeguarding plans commensurate with the level of risk for various protocols. Dr. Bikson emphasized that data safeguarding includes maintaining physical control of the data, especially while in transit, and that the risk of physical access to data by unauthorized parties is sometimes overlooked even while more sophisticated technical security measures may be attended to.

Beyond physical delivery, Dr. Bikson continued, the treatment of datasets to be merged and manipulated is important to preserve data integrity and also to protect subject privacy. RAND's suggested procedure calls for first replacing any direct identifiers with codes. The file linking the code to the subject's identity is then encrypted and stored separately from the encoded data file. Then when another dataset is obtained, it is possible to regenerate the link file, replace direct identifiers in the new file with the subject codes, and merge the coded files.
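The coding-and-merging procedure described above, as an added Python example (not RAND's own code). The field names `ssn`, `name` and `subject_code`, the helper names and the sample records are assumptions; encrypting the link table at rest is assumed to be done with the institution's own tooling and is not shown.

```python
import secrets


def normalize(identifier):
    """Canonical form of the linking identifier: digits only, so that
    '000-00-0001' and '000000001' resolve to the same subject."""
    return "".join(ch for ch in identifier if ch.isdigit())


def encode(rows, link, key_field="ssn", drop_fields=("name",)):
    """Return coded copies of `rows`; `link` (identifier -> code) is updated
    in place.

    A subject already in the link table keeps the existing code; a new
    subject gets a fresh random code, so a code reveals nothing about the
    identifier it stands for.
    """
    coded = []
    for row in rows:
        ident = normalize(row[key_field])
        if ident not in link:
            link[ident] = secrets.token_hex(8)
        kept = {k: v for k, v in row.items()
                if k != key_field and k not in drop_fields}
        coded.append({"subject_code": link[ident], **kept})
    return coded


def merge(*coded_files):
    """Outer-join any number of coded files on subject_code."""
    merged = {}
    for coded in coded_files:
        for row in coded:
            merged.setdefault(row["subject_code"], {}).update(row)
    return merged


def run_example():
    # Constructed records; numbers in the 000 area are not valid SSNs.
    claims = [
        {"ssn": "000-00-0001", "name": "A. Example", "total_cost": 1200},
        {"ssn": "000-00-0002", "name": "B. Example", "total_cost": 450},
    ]
    # A second dataset arrives later, with identifiers formatted differently.
    survey = [
        {"ssn": "000000001", "name": "Example, A.", "self_rated_health": "good"},
        {"ssn": "000-00-0003", "name": "C. Example", "self_rated_health": "fair"},
    ]

    link = {}  # identifier -> code: the content of the link file
    coded_claims = encode(claims, link)
    # At this point the link table would be encrypted and stored apart from
    # coded_claims; it is recovered only to code the next dataset.
    coded_survey = encode(survey, link)
    return link, coded_claims, coded_survey, merge(coded_claims, coded_survey)


if __name__ == "__main__":
    link, coded_claims, coded_survey, merged = run_example()
    for code, row in merged.items():
        print(code, {k: v for k, v in row.items() if k != "subject_code"})
```

Without the `normalize` step the first survey respondent would receive a second code and the merge would silently treat one person as two.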

Dr. Bikson noted that because physical and technical protections are not sufficient, RAND has implemented procedural protective measures. These procedures include annual reviews for all projects, including inactive projects, until such time as the direct identifiers and link files have been destroyed and any remaining data that might be identifiable by inference have been eliminated or altered so that identities cannot be inferred.

Dr. Garfinkel discussed briefly some situations in which beneficence may require breach of confidentiality. RTI would consider such a breach in cases of subjects exhibiting suicidal ideation or intent. Child abuse is another difficult area, and the reporting of cases may be required in some states. Dr. Garfinkel described an RTI project on child abuse in which researchers review records from county social services with varying reporting laws. Since the laws differ by locale, RTI designed a uniform national guideline and consent form and then asked local interviewers to inform RTI when they were in danger of differing from local laws.

Dr. Garfinkel said that in some studies they receive coded data, for example, Medicare enrollment data with ID codes but no names or addresses, so the investigators can track costs and utilization by each subject without knowing the identity of these individuals. In other instances, Dr. Garfinkel noted, they might receive files of names and addresses for the purpose of contacting individuals. When they make a contact, they first ask permission from the individual to continue the project and to do a data linkage, thus obtaining an “ex post facto” consent (or dropping the individual from the study if this is what the individual prefers).

Enforcement of Procedures to Protect Confidentiality

Dr. Bikson said that RAND has observed that networked, distributed, and backed-up digital environments together pose new types of threats to privacy. Some researchers, for instance, may not realize that taking a diskette with backup files home to work on a personal computer that is connected to a Digital Subscriber Line (DSL), which is on all the time, can create a serious security breach. Such examples suggest that the role of technical experts may be underappreciated, and new technologies to protect privacy may yet be unexplored or insufficiently exploited. She concluded that policy control must be developed to replace physical oversight to ensure privacy protection, because it is in many cases impossible, and surely impractical, to observe directly whether researchers carrying out electronic manipulations are conforming to data protection rules.

Additional Recommendations by Presenters

Dr. Bikson observed that professionals in other areas of study already have gained long experience in the types of privacy concerns that HSR is now facing, so researchers in health services might learn from, for example, researchers in the criminal justice system.

Dr. Garfinkel reaffirmed the importance of health services researchers' having the freedom to work with their IRBs to modify standard consent and confidentiality language as appropriate for the particular study in question.

Dr. Garfinkel also commented on the distinct issue of studies using tissue specimens (although not the primary focus of this project), saying that requirements for informed consent for tissue storage are as yet misunderstood by some researchers. In addition, such research raises issues of how to communicate storage provisions on the consent form. The consent form separates stages of consent, requesting the candidate to consider and consent separately to participation in the study, to provision of the specimen, and then to allowing the specimen to be stored for later use.

Commercial, Nonaffiliated IRBs

Although the traditional model of an IRB envisions a board closely associated with a particular institution that draws its membership from the institution and surrounding community, there are also nonaffiliated or freestanding IRBs that provide review services for a fee. For many, the bulk of their business involves clinical trials, but some also review health services research. Some nonaffiliated IRBs regard their niche as providing consultative services primarily to relatively small institutions that do not have MPAs and therefore might find the support of an in-house IRB review to be difficult. Dr. Angela Bowen, chief executive officer of Western Institutional Review Board (WIRB), attended the workshop and spoke about WIRB.

Determining Which HSR Studies Qualify as Exempt

A central feature of WIRB's approach is its commitment to making individual, specific, informed consent a part of all human subjects research it sees.

Several health services researchers pointed out that since it is not uncommon for HSR protocols to utilize databases containing on the order of hundreds of thousands or even millions of records, it would be difficult to design a workable individual informed consent associated with a particular research protocol. Dr. Bowen replied, however, that protocols of this type rarely, if ever, go to commercial IRBs, so WIRB has not experienced that particular problem.

Determining Whether Information Is Identifiable in Assessing Risk of Disclosure

Like other IRBs, the WIRB committee struggles with determining whether data will be identifiable. In reviewing protocols for potential privacy risks, it considers data to be identifiable if there is any link between the data and the subject's identity, in which case, again, it would insist on informed consent by the subject.

General Discussion Following Presentation

Several participants raised questions about how nonaffiliated IRBs can take into account the values and attitudes of the community in which the research is conducted. Dr. Bowen explained that nonaffiliated IRBs can develop solid relationships with clients, especially repeat clients, so they work closely with the local institutions. Other discussion addressed the accountability of a nonaffiliated IRB, since it does not report directly to an institution, and Dr. Bowen noted that commercial IRBs are audited regularly by the FDA and OPRR.

HEALTH CARE PRODUCTS AND SERVICES INDUSTRY

Many health care organizations carry out a spectrum of activities that involve the secondary analysis of personal health information. The spectrum ranges from health services research to operations. Representatives of several types of organizations that are largely concerned with the delivery of health services—that is, operations—along with research functions spoke about their experience in the review of HSR by IRBs.

Pharmaceutical Manufacturer's Epidemiological Research

Dr. Harry Guess, executive director of epidemiology at Merck Research Laboratories, discussed epidemiological surveillance of drugs and vaccines as carried out within a pharmaceutical company. The purpose of these studies is to assess the efficacy and safety of the product in clinical trials and the safety of the product in actual postmarketing use. Much of the epidemiological analysis utilizes previously collected data.

Identifying Specific Studies as Research under the Regulations

Dr. Guess explained that in most cases, although not federally funded, pharmaceutical company epidemiological work will be under the purview of the Common Rule, either because it is subject to regulation by the Food and Drug Administration or because it is done in conjunction with a university or other organization that requires it.

Ensuring That Identifiable Information Is Protected During the Study

Dr. Guess observed that the approaches used to protect confidentiality of data in research sponsored by pharmaceutical companies differ by type of data. In the case of adverse event reporting, he explained, the company may be unable to avoid knowing the identity of the patient or the physician because one of these individuals actually called in the report. Such information is subject to additional levels of security. The reports to regulatory agencies do not identify patients or physicians. In clinical trials, however, he said that the identity of the participants is generally not given to the Merck officials at all, but rather is replaced by a code at each study site. For protection of privacy, he concluded, Merck must therefore rely on the IRBs and investigators at each study site, since the identifiable information generally is not transmitted to Merck. He continued that for other potentially identifying information, such as birthdates, Merck typically requests that only ranges be reported whenever possible. Finally, Dr. Guess noted that Merck audits study sites to make sure they are in compliance with FDA regulations and the FDA also conducts inspections.

Enforcement of Procedures to Protect Confidentiality

The situation of records research at Merck was of particular interest at the workshop because of the affiliation of Merck with Medco, a pharmacy benefit management company. In the discussion after the presentation, participants inquired about the degree of separation between the Merck research databases and the Medco administrative and pharmacy usage databases. Dr. Guess said that federal trade law requires the two branches of the company to be unambiguously separate with regard to inside information. Thus, when other divisions of Merck wish to utilize data from Merck-Medco for research, they must negotiate a purchase of access to the data as any other research organization would.

Intermountain Health Care

Intermountain Health Care is a not-for-profit integrated health care delivery system, including hospitals and clinics in four states and tertiary services in a larger area. The organization has strongly promoted electronic medical records since the 1950s. Dr. Brent James and Mr. Morris Linton of Intermountain Health Care participated in the workshop.

Identifying Specific Studies as HSR

Dr. James began with the persistent problem of distinguishing the activities of HSR from operations, since Intermountain Health Care (IHC), unlike the research foundations, does both. He explained that IHC views these activities as encompassing a continuum ranging from health care operations performance assessment, to records review or epidemiological research, to clinical research. Then, in this view, confidentiality protection also forms a continuum (Figure 2-3).

Dr. James said that the clinical research end of the spectrum is overseen by an IRB, and confidentiality concerns pertaining to clinical research would also be reviewed by the IRB. The hospitals in the IHC system that do the most research have an MPA and shared IRB structure. Investigations and analyses on the health care operations end of the spectrum that do not meet the definition of “research” do not fall under the purview of IRB oversight. Here Dr. James observed that when IRBs go beyond their original role of protecting human subjects from direct harms due to research, they may tend both to cause confusion and to neglect their primary mission. Finally, Dr. James noted that just as the vast majority of uses of patient data occur in the course of health care operations, so also the vast majority of breaches of confidentiality occur in operations (indeed he said that all the known privacy violations in IHC have occurred in health care operations, none in research).

FIGURE 2-3 Intermountain Health Care's approach to operations: research spectrum. SOURCE: Adapted from a slide presented by Dr. Brent James at the Workshop on Institutional Review Boards and Health Services Research Data Privacy.

Determining Which HSR Studies Qualify as Exempt

Dr. James explained that IHC has an Information Security Committee, which it believes may be similar to the privacy boards described in the proposed rule. This committee is constituted similarly to an IRB, consisting of community members as well as line administrators and scientists (including computer specialists). The committee oversees and coordinates IRB functions in the organization. It also determines whether projects from the area in the middle of the health care operations and research spectrum should proceed to seek IRB review.

Ensuring That Identifiable Information Is Protected During the Study

Dr. James continued that the Information Security Committee generates and recommends data security policies to the Board of Trustees of the company. The committee then helps implement the policies and procedures throughout the organization.

Enforcement of Procedures to Protect Confidentiality

Dr. James said that, first, all IHC employees must sign a confidentiality agreement, which must be renewed every two years, and then comply with a “need-to-know” policy limiting who has access to which data. The company also tracks data access with automatic electronic logs and has designed the electronic records system to ensure that identifiable portions are accessible only to designated employees. IHC terminates employment because of privacy infractions.

Dr. James expects the user authentication problem to be addressed much more effectively in the future with, for instance, biological log-ons[6] rather than passwords to restrict access.

Additional Recommendations by Presenter

Dr. James noted that IHC believes that patients as well as providers should be able to view their own records and add comments (although nothing can be changed or deleted). With rare exceptions, IHC-covered patients have this access.

Regarding patient perception of privacy, Dr. James observed that many types of professionals within a health system generate and use patient information and that patients understand that many professionals, as well as their own physicians, will need access to their medical records. It is important to be sensitive to patients' perceptions, however, so when it is necessary to contact the patient for a research project or other purposes, the contact should be initiated by a professional who would be, and would be perceived by the patient as being, reasonably expected to have access to the patient's records.

Finally, Dr. James suggested that truly de-identifying a health care record is impossible if there is any link to any potentially identifying information. Hence, the way to minimize confidentiality breaches is to control access to the link that leads to identifiability. He suggested further that a record is identified only when a human being sees it, so that if a computer program links records using identifiable data but returns a nonidentifiable output, then that would not constitute a privacy violation.

Pharmacy Benefit Management Company

Ms. Jennifer Low and Dr. Fred Teitelbaum of Express Scripts discussed privacy and confidentiality in the context of pharmacy benefit management. Express Scripts is a pharmacy benefit management (PBM) company, serving various types of clients including insurers, unions, health care organizations, and employers—any type of organization, in short, that wishes to contract for a pharmacy benefit. Among other things, the company provides pharmacy network management, claim adjudication services, and drug utilization review and also functions as a mail service pharmacy.

Identifying Specific Studies as HSR

Ms. Low and Dr. Teitelbaum both observed that, as members of a PBM company, it is difficult if not impossible for them to distinguish HSR from operations. Express Scripts conducts internal analyses of data to improve operations (e.g., plan design, but also formulary decisions and assessment of outcomes), although results are published whenever possible. However, confidentiality standards (which include the protection and ultimate purging of identifiable data) apply when such data are first used to create the research data set.

[6] Biological log-ons, also called biometric identifiers, would permit a user to have access to a file based on some recognizable and unique feature. In Wiederhold's on-line glossary (http://www-db.stanford.edu/pub/gio/CS99I/security.html#BIOMETRIC), biometric identifiers are explained as follows: are more reliable than passwords. Biometric identifiers: voice prints, signature dynamics, keystroke dynamics, hand measurements, finger prints, face recognition. The pattern of the iris in a person's eye is also a candidate for making a unique identification. Biometric identifiers are difficult to forge, but the equipment needed to read them is awkward and forbidding. The person being identified must cooperate for instance be willing to speak or write a specific expression clearly or be scanned by a camera in a well-lighted space. Voice recognition is probably the easiest technique to integrate into computer workstations. The voice pattern can also be recorded on a smartcard, which can be linked securely to its owner. That card can contain passwords, that are easily handled by the networks that verify access privileges.

Ms. Low explained that, especially when it was smaller, the company regarded itself as a pharmacy and thus bound by professional standards and law without need for additional policy. As the size and scope of its operations increased, the company has undertaken more formal policy development. She also said that the company's primary means of ensuring that it has appropriate authorization to use data on patients is asking the plan sponsor (i.e., the managed care organization, employer, etc.) to obtain authorization from individual plan participants.

Determining Whether Information Is Identifiable in Assessing Risk of Disclosure

Dr. Teitelbaum reported that Express Scripts has instituted increasingly stringent policies of limiting internal access to data.

Ensuring That Identifiable Information Is Protected During the Study

Dr. Teitelbaum described processes of data use: the data are typically kept in a de-identified format, with a cross-reference for identification stored separately and securely. De-identification of the data includes not only the removal of names but also, for example, the use of age rather than date of birth and the use of only the first three digits of the zip code.

Dr. Teitelbaum continued that the company is in the process of instituting a privacy board to ensure that it does follow appropriate and effective procedures for maintaining confidentiality. Its practices regarding data retention vary according to state law (typically two to three years for prescriptions) or Employee Retirement Income Security Act (ERISA) (six to seven years), but de-identified data may be kept indefinitely.

Health Maintenance Organizations and Research

Mr. Andrew Nelson, executive director of HealthPartners and president of the HMO Research Network, offered some perspective on the amount of HSR that occurs in the managed care industry.

Mr. Nelson reported that the fraction of HMOs that formally and regularly engage in research is relatively small (Nelson et al., 1998). There are 1,315 licensed managed care organizations, 24 of which have formal research programs doing public domain research. Of the 24 HMOs that are active in research, 13 established the HMO Research Network. Mr. Nelson also noted that many of these HMO-based research organizations follow the Common Rule whether the funding source would require it or not.

Mr. Nelson said that, like many observers, he has noted that many IRBs are busy to the point of being overwhelmed and that increasing demands on them also decrease the satisfaction of what is, in many cases, voluntary work. He offered for consideration ten recommendations to help ease the overall problem of properly protecting confidentiality in HSR without unduly stressing IRBs. The first six recommendations address what institutions need; the last four are external to the research HMO:

  1. A framework to define the intersection between research and quality improvement.

  2. An internal auditing process.

  3. Training and educational programs.

  4. Individual data access and confidentiality certification for anyone who may have access.

  5. Internal and external data access policy as a broad foundation for data privacy.

  6. Information technology policy defining how to apply privacy protections.

  7. Encouraging academic institutions to incorporate research ethics and research subjects protections into their curricula.

  8. Development of ready-to-use tools for HSR investigators to apply.

  9. Asking IRBs to apply the Common Rule regardless of the funding source of the study.

  10. Increasing government involvement to include education as well as oversight of IRBs.

SPECIAL CONSIDERATIONS OF DATA PRIVACY AND MINORITY GROUPS

Dr. William Freeman, IRB chair at the Indian Health Service, highlighted some issues of particular importance in research involving minority populations. He concentrated on American Indian, Alaska Native, Canadian First Nations, Inuit, and Kanaka Maoli or Native Hawaiian groups. Dr. Freeman emphasized that he has not seen any specific instance of harm to minority groups due to HSR, but the potential for privacy violation exists. He noted further that the potential harm may affect not only the individuals and groups that might be subjects, but also the research enterprise because if a group participates in research and regards the privacy of the group or individual members to have been violated, then any researcher approaching that group or perhaps other groups, as well, will not be able to secure cooperation.

Levels of Privacy Concerns

Dr. Freeman pointed out that HSR usually addresses large sets of data in which individual subjects may have little in common and are difficult to identify. He suggested that in local, small, minority groups the situation is quite different, with serious implications for privacy. First, he noted, the groups mentioned are often relatively small and isolated communities whose members are well known to one another, so the privacy of individuals within the group may be much more difficult to protect than the privacy of an individual in a large city with a diverse population. At the same time, a second type of privacy concern can affect such populations. Because the minority group in question may have strong intracommunity ties and be distinct from the surrounding culture or cultures in significant respects, its members are likely to place a high value on the integrity of the group. In this context, privacy may refer to the group as a whole rather than to individuals.

Strategies for Enhancing Both Privacy Protection and Trust

Dr. Freeman reaffirmed that both physical and electronic data security are very important and frequently not given adequate attention in rural areas. He also pointed out that data fields that might appear at first sight not to be identifying in a large population could lead to the identification of one or a few individuals in a small community. He suggested that the way to avoid such mistakes would be to include in the protocol review, consultation with individuals knowledgeable about the particular culture or group in question. He also suggested that in some cases the use of formal, individual contracts—in which the researchers promise not to attempt to identify any individual and to notify the IRB if an individual may have been identified inadvertently—may help build the trust of the community in the research project.
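The de-identification steps Dr. Teitelbaum described (age in place of date of birth, the first three digits of the zip code, a cross-reference stored separately) and Dr. Freeman's point that such fields can still single out individuals in a small community are shown together in the following added example, which is not part of the workshop summary or any participant's system. The field names, the sample records, the reference date, the zip codes and the threshold k = 3 are constructed assumptions.

```python
import secrets
from collections import Counter
from datetime import date

# Constructed sample records (not real data). Zip codes starting "554" stand
# for a large population; "000" is a placeholder for a small community.
RECORDS = [
    {"name": "Person A", "dob": "1958-01-20", "zip": "55401", "drug": "metformin"},
    {"name": "Person B", "dob": "1956-07-02", "zip": "55402", "drug": "lisinopril"},
    {"name": "Person C", "dob": "1954-11-30", "zip": "55403", "drug": "atenolol"},
    {"name": "Person D", "dob": "1952-02-14", "zip": "55404", "drug": "metformin"},
    {"name": "Person E", "dob": "1955-09-09", "zip": "00012", "drug": "insulin"},
    {"name": "Person F", "dob": "1928-03-13", "zip": "00034", "drug": "warfarin"},
]

AS_OF = date(2000, 3, 13)  # assumed reference date for computing age


def age_on(dob_iso, as_of=AS_OF):
    """Age in whole years on the reference date."""
    born = date.fromisoformat(dob_iso)
    had_birthday = (as_of.month, as_of.day) >= (born.month, born.day)
    return as_of.year - born.year - (0 if had_birthday else 1)


def deidentify(records, as_of=AS_OF):
    """Split records into a research data set and a separate cross-reference.

    The research rows carry only a random study id, age and 3-digit zip.
    The cross-reference maps study id -> direct identifiers and is meant to
    be stored apart from the research rows under tighter access control.
    """
    research, crosswalk = [], {}
    for rec in records:
        pid = secrets.token_hex(8)  # random, not derived from the identity
        while pid in crosswalk:     # regenerate on the unlikely collision
            pid = secrets.token_hex(8)
        crosswalk[pid] = {k: rec[k] for k in ("name", "dob", "zip")}
        research.append({
            "pid": pid,
            "age": age_on(rec["dob"], as_of),
            "zip3": rec["zip"][:3],
            "drug": rec["drug"],
        })
    return research, crosswalk


def small_cells(rows, quasi_ids=("age", "zip3"), k=3):
    """Quasi-identifier combinations shared by fewer than k rows.

    Each such combination is a group small enough that someone who knows
    the community could plausibly recognise its members.
    """
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in rows)
    return {combo: n for combo, n in counts.items() if n < k}


def coarsen(rows, width=10):
    """Replace exact age with a band (e.g. 40-49) to enlarge the groups."""
    out = []
    for r in rows:
        lo = (r["age"] // width) * width
        out.append({**r, "age": f"{lo}-{lo + width - 1}"})
    return out


if __name__ == "__main__":
    research, crosswalk = deidentify(RECORDS)
    print("small cells, exact age:", small_cells(research))
    # Banding fixes the large-population cells but not the small community.
    print("small cells, 10-year bands:", small_cells(coarsen(research)))
```

With exact age every record sits alone in its group; ten-year age bands merge the four "554" records into one group of four, while the two records from the small community remain unique, which is the case where review by someone who knows the community matters.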

General Discussion

In the discussion after the presentation, several participants raised the questions of what is an appropriate role for the community in the research process and of how to involve affected parties in the community when there is no cohesive group and therefore no generally accepted spokesperson (though many, of course, volunteer for that role, with divergent views). Although a definitive answer did not emerge, several participants suggested that it is generally possible to speak with several groups when there is no single representative.

TECHNICAL CONSIDERATIONS AND PRODUCTS

Mr. Lawrence Dietz of AXENT Technologies, an attorney and market research analyst specializing in information security, briefed the committee on market and technical trends in data security.

Web access security products are becoming increasingly necessary for security maintenance and enhancement as more organizations wish to store, retrieve, and exchange information via intranet. Although the products are emerging, it is not yet clear what the costs may be of providing full servicing for them.

Regarding public key infrastructure (PKI), the industry and researchers are very enthusiastic, and some observers believe the HIPAA and several laws in the European Union to be driving the market to develop PKI products.7 Market adoption of PKI is, however, proceeding only slowly, especially in the United States. This may be due at least in part to the fact that the process of integrating PKI with individual legacy applications is very labor intensive. One reason integration is difficult is that it is so complex; indeed, a PKI encryption device may be asked to solve a wide variety of problems including authentication, access, and authorization. The development and market penetration of smart cards and other portable platforms for utilizing databases via PKI seems to be much further advanced in Europe than in the United States, although unresolved questions about cross-border privacy protection remain.

As the technology of Web-integrated systems becomes more ubiquitous and easier to use, it is also becoming more difficult to defend from outside attack (Dietz, 2000). Internal and external filtering techniques can be viewed as necessary in any operation utilizing electronic records, since it would be critical to minimize any time when the system is not available. Filtering systems, for example, would be able to detect a pattern when a denial-of-service attack is launched from multiple points requesting the same data at the same time and also can guard against local systems being co-opted from the outside to serve as launching points for such an attack (also described as “being used as zombies”).

7  

A public key infrastructure is a system for managing and distributing public keys and digital certificates to authenticate different users—that is, to ensure that the asserted identity of a given user in fact corresponds to that user. (In face-to-face interactions, one person can “authenticate” himself to another by presenting a document such as a driver's license or a passport. By telephone, a speaker can authenticate himself to another person by virtue of a familiar voice. In cyberspace, however, some other mechanism is needed to provide authentication among parties that do not know in advance that they need to interact—that mechanism is PKI.) PKIs are an essential component of secure electronic communications, but also raise important concerns for privacy (see, for example, Brands, 1999).

Cost pressures are of course resulting in both specific and general trends. Specifically, many or perhaps most organizations are installing virtual private networks, enhancing security relative to standard internet e-mail while also saving money. More generally, many organizations are exhibiting a marked preference to hire services, that is, to contract out to meet their information technology needs, rather than to purchase products and train in-house support; this practice has corresponding security risks as more people have access to electronic records while being less invested in the culture of the organization.

In the future, additional work on security will likely be required at the small office and home office level, a point that often arises in consideration of academic researchers who deal with secure data but often work at home.

SPECIAL CONSIDERATIONS OF DATA PRIVACY AND MINORS8

Federal regulations on human subjects include special provisions that apply when subjects are of minor age (45 CFR 46 Subpart D). The contract describing the IOM's project included an agreement that the committee would consider measures for protecting personally identifiable health information that pertains to children if any different conditions should be deemed desirable, and, in particular, would consider the desirability of requiring projects involving children always to undergo full IRB review. For background on these matters, the committee commissioned a paper on protecting the data from health services research in minors. The paper was presented in draft form at the workshop and appears in full as appendix C of the report (IOM, 2000).

There are three basic issues that further complicate the question of how to conduct research involving minors that meets high ethical and scientific standards:

  • the heterogeneity of the population in question,

  • complications arising from proxy consent, and

  • the changing interests and risks affecting the subjects.

The heterogeneity of the subject population arises from the intersection of the legal definition of the term “minor” with the developmental process of maturation from infancy to adulthood. The law recognizes any person under the age of majority, for most purposes 18 years old, as a child, but the maturation of a person from infancy through the age of majority is a dynamic process, encompassing a very wide range of capacities, interests, concerns, and also risks.

The law recognizes that children do not have the decision-making capacity of adults and addresses this fact through beneficent paternalism. In the case of medical or research interventions, beneficent paternalism requires that consent for the intervention be made by an adult proxy, in most cases the child's parent(s). The question of uncoerced and informed consent to participate in research brings with it problems when subjects are adults, and proxy consent brings further complications. In some cases, the adult proxy may have interests that differ from, or even conflict with, those of the child. A further complication arises when the child does reach the age of majority: if an adult has given proxy consent for data on the child to be examined in research, is this consent still valid when the child reaches adulthood, or must consent be sought anew?

8  

This section is based on a presentation by Dr. Ross Thompson, developmental psychologist and author of the commissioned paper.


The maturation of children not only means that the category “children” is heterogeneous, as described above, but also that as a particular individual matures, the interests of this individual change and the changes themselves are complex. The law—and most people—readily recognize that research on children involves special risks, which must be taken into account and do not apply to adult subjects. The risks, concerns and areas of vulnerability of children do not, however, necessarily diminish inversely with an increase in age and body mass; indeed, some risks increase. Risks that may increase as the child matures include vulnerability to embarrassment, fear of exposure, and concern for violations of privacy—just the risks most likely to be associated with health services research.

In the discussion after the presentation, participants raised several additional points. In consideration of protecting privacy, some features of children as subjects increase the difficulty of de-identifying data. For example, hospitalization is rare for children, so even within a large sample of children, data on hospitalization or very high medical bills may effectively identify one or a small number of individuals. Another special problem is that the effect of the identification of individual children might have additional impact on other family members, since the mother may then be identified as well.

Participant Gerald S. Schatz pointed out that the difficulties associated with proxy consent are further intensified in the case of children who are wards of the state, and proxies who are government agencies and liable to be overburdened or to prefer not to see problems.

INTERNATIONAL COMPARISONS OF DATA PRIVACY STANDARDS9

Questions and issues of protecting privacy and personally identifiable health information have arisen in nation states around the world and in regard to the transfer of data across international borders. The contract describing the IOM's project included an agreement that the committee would compare the privacy protections contained in international conventions for personally identifiable health information used in research with the principles and best practices developed in this study. For background on these matters, the committee commissioned a paper comparing international approaches to protecting the privacy of data from health services research. The paper was presented in draft form at the workshop and appears in full as appendix D of the report (IOM, 2000).

The Organization for Economic Cooperation and Development (OECD) published Guidelines on the Protection of Privacy and Transborder Flows of Information in 1989, which included eight basic principles on the collection, use, and holding of personal data; these are further distilled here into four core principles pertaining to data protection, including the creation of statutory protections, transparency of data processing, additional protections for sensitive data, and the rights of individuals to claim enforcement of rules on data protection. The concept of privacy and the principle that individuals ought to be secure from improper interference in privacy are also mentioned in other international agreements including the United Nations Universal Declaration (1948) and International Covenant on Civil and Political Rights (1966); the European Convention on Human Rights (1955); the Council of Europe's Convention for the Protection of Individuals with Regard to Automatic Processing of Data (1981), Convention on Human Rights and Biomedicine (1997), and subsequent recommendations; the World Health Organization's Declaration on the Promotion of Patient's Rights in Europe (1994) and Directive on the Protection of Individuals (1995); the World Medical Association's Revised Declaration of Lisbon on the Rights of the Patient (1995); and the European Group on Ethics in Science and New Technologies' Ethical Issues of Health Care in the Information Society (1999).

9  

This section is based on a presentation by Ms. Bartha Maria Knoppers, professor of international law.

Turning to the internal or domestic arrangements in selected nation states, the United Kingdom and other Common Law countries such as Australia and New Zealand recognize the protection of privacy under Common Law, although the law can be modified or clarified by statute. Privacy under the Common Law is an aspect of the liberty of a citizen, and if this liberty is infringed upon so as to cause harm, the citizen can pursue legal action. As an exception to the general protection of privacy, however, a medical practitioner may be required to disclose certain information in court if called for by the public interest. Australia also follows Common Law with some statutory exceptions, one of which provides that medical records are considered the property of the private medical practitioner, but not of the public health facility.

By contrast, the legal systems of continental nation states did not develop under Common Law, but follow the Napoleonic Code and variations. Rather than being an aspect of liberty that might be harmed, privacy in this system is viewed as a right in and of itself, which means that a citizen need not show that an infringement of privacy caused harm—an infringement of privacy is sufficient for legal action regardless of whether harm followed. In France, the confidentiality of medical records is further protected by being treated as an obligation of result, which means that not only what is heard or seen is protected by law, but also what is understood, and the body of law that protects the information from disclosure is the penal code.

In the domestic legal systems of individual nation states, the Common Law versus civil code contrast is again the basic distinction. The United Kingdom's British Medical Association has recently affirmed that any disclosure should be anonymous and minimized to the degree possible and that patients should be informed of how data about them may be used. Australian law includes several sets of principles and guidelines that call for the entity in possession of a record containing personal information to use the information only for the purpose for which it had been collected unless either the subject consents or another use is mandated by other law. France has recently undergone two important developments pertaining to the protection of the privacy of health information in its legal system. The first was a statute regulating the use of data for research that provided significant new oversight mechanisms, and the second was a decree regarding the use of data in the process of reimbursement.

At the conclusion of the presentations, the committee again thanked all the participants for their effort to provide information and insight, and encouraged anyone wishing to comment further or submit written materials to feel free to do so through the study director.
