standing of the original disclosure without permission. (OPRR Guidebook, Chapter Three, Section D, 1993)
The protection of privacy is an important matter, and many individuals regard the protection of their privacy (and likewise the confidential treatment of private information they choose to disclose) as an important ethical value. The responsible conduct of high-quality research is also an important value, and many individuals appreciate the benefits of effective health care, efficacy that is based on information that can be obtained only from population data. Privacy and confidentiality can be protected by limiting access to data. Good research can be conducted only if investigators have access to data. Risks to individuals (from possible breaches of confidentiality) and benefits both to individuals and society (from the results of good research) are thus two concerns that we must balance.
In research, one way to ensure that subjects are protected, and in particular for this report's concerns, that the confidentiality of personally identifiable health information is maintained, is to have the proposed study reviewed by an institutional review board (IRB). IRBs are usually located within the organization doing the research, so that they can be aware of the nuances of the local situation. IRBs must ensure that they follow federal regulations pertaining to the protection of human subjects, but they also use their local knowledge in practice along with the general principles in those regulations. This is why it was important in this project to consider the practices that IRBs actually follow as well as the regulations they apply through those practices.
It is also important to understand that IRB review is required only for research activities. So if data were to be collected for some proposed research (i.e., federally funded or otherwise subject to federal regulation), the protocol would be reviewed by an IRB for the protection of confidentiality. But health care provider or product companies often undertake reviews of their internal operations to assess and improve the quality of care and/or products they provide. These quality assessment and quality improvement exercises are not defined as research but may involve similar types of data collection as HSR and raise similar questions about the use of private information and the maintenance of confidentiality. So if similar data were to be collected or used by a health care provider or health product company in the course of day-to-day clinical care or business operations, such collection and use would not be subject to regulations requiring IRB review.
In recent years, public interest in and concern about privacy and personally identifiable health information has increased and continues (e.g., Appelbaum, 2000). Some individuals have been disturbed, for instance, at corporate use of health information to create targeted mailings that seem to straddle the line between anticipating health questions and marketing products. For example, a database marketing firm received patient prescription records from two large pharmacies in the Washington, D.C. metro area (Lo and Alpers, 2000). The firm then created mailings for the pharmacies on the pharmacies' letterhead targeted to consumers of certain prescription drug products, informing them of new products with similar indications. The project, which was quickly canceled by the pharmacies in response to customer complaints, had been sponsored by the manufacturers of the new products, although the manufacturers never had access to any patient records themselves. In other cases, these worries have been heightened by still more dramatic reports of privacy violations, such as the release of HIV test results of hundreds of indi-