Protecting Data Privacy in Health Services Research (2000) / Chapter Skim
Currently Skimming:
Appendix B Institutional Review Boards and Health Services Research Data Privacy: A Workshop Summary
Appendix B Institutional Review Boards and Health Services Research Data Privacy: A Workshop Summary
Pages 106-158
The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.
From page 106... ...
Thus, data privacy and data access are objectives that have to be balanced. POLICY CONTEXT In recent years, public interest in and concern about the privacy of personally identifiable health information has increased.
|
From page 107... ...
The project was sponsored by the Agency for Healthcare Research and Quality and the Office of the Assistant Secretary for Planning and Evaluation, both in the Department of Health and Human Services. The charge to the committee was as follows: To gather information on the current practices and principles followed by institutional review boards to safeguard the confidentiality of personally identifiable health information used for health services research purposes, in particular, to identify those IRB practices that are superior in protecting the privacy, confidentiality, and security of personally identifiable health information.
|
From page 108... ...
is the agency that administers the federal regulations on human and animal subjects. The director of OPRR's Division on Human Subject Protections presented an overview of federal regulations on human subjects, particularly regulations pertaining to the determination of whether a records review study involves human subjects, when data are considered identifiable, whether a study might be exempted from IRB review, and whether informed consent from subjects might be waived.
|
From page 109... ...
An officer from Intermountain Health Care described the comprehensive technical protections and enforceable policies the organization has implemented in the protection of personally identifiable health information, whether in the context of research or in day to day operations of providing health services. He noted that all known violations of privacy have occurred in operations, but none have been found in the research branch.
|
From page 110... ...
The author studied international conventions and guidelines and the domestic law of several nation states. This analysis pointed out different approaches to requiring oversight of the use of personally identifiable health information in HSR by IRB-like bodies and the uses of such information without individual consent.
|
From page 111... ...
Further, among such studies, this project considers just the role of institutional review boards in ensuring that the study design will maintain confidentiality in the use of the subjects' data. The benefits of HSR studies include increased understanding of the results of policy changes and other systemic effects in health care.
|
From page 112... ...
In research, one way to ensure that subjects are protected, and in particular for this report's concerns, that the confidentiality of personally identifiable health information is maintained, is to have the proposed study reviewed by an institutional review board (IRB)
|
From page 113... ...
The proposed regulations would create new requirements for privacy protection for all health care providers and health plans, and would establish research standards and oversight for all research. In addition, the proposed rule would permit the use and disclosure of personally identifiable health information for research
|
From page 114... ...
The Belmont Report presented the ethical basis of human subjects research as three principles: respect for persons, beneficence, and justice. The main mechanism in the human subjects protection system for protecting research subjects and for assessing the balance between the risks and benefits of research is the institutional review board.
|
From page 115... ...
. - - - - - - - - - - - - - - - - - - - - - - - - - - - Research using databases containing health information on individuals, of which health services research is one example, also falls under the Common Rule, although the Belmont Report and regulations primarily address clinical
|
From page 116... ...
The charge to the committee was as follows: 1. To gather information on the current practices and principles followed by institutional review boards to safeguard the confidentiality of personally identifiable health information used for health services research purposes, in particular, to identify those IRB practices that are superior in protecting the privacy, confidentiality, and security of personally identifiable health information.
|
From page 117... ...
SCOPE OF WORKSHOP REPORT This summary describes the presentations and discussions that took place at the March 13-14, 2000 IOM Workshop on Institutional Review Boards and Health Services Research Data Privacy Protection. This summary reflects what transpired at the workshop and does not include committee deliberations, findings or conclusions.
|
From page 118... ...
Personally Identifiable Health Information information such that an individual person can be identified as the subject. Institutional Review Board administrative body established to protect the rights and welfare of human research subjects in research activities of the institution to which the board is affiliated, by reviewing proposed research protocols and approving or requesting changes prior to their inception.
|
From page 119... ...
. The committee was charged with collecting information on the current practices of institutional review boards for protecting data privacy in health services research, gathering information on the practices of organizations that are not required to consult IRBs but still carry out HSR activities where data privacy and confidentiality are of concern, and to the extent possible, identifying and recommending the best practices for wider adoption.
|
From page 120... ...
Dr. Fitzmaurice continued that the DHHS is directed under the Health Insurance Portability and Accountability Act to promulgate federal regulations governing the privacy of personal health information.
|
From page 121... ...
However, it is often difficult to draw a line between HSR and other activities that use personal health information in databases, such as internal efforts at quality assurance, business planning, or marketing. In the discussion immediately following the presentations, committee members highlighted their concerns about focusing on the protection of privacy in the context of research while ignoring very similar activities using databases that
|
From page 122... ...
Thus, although the appropriate use of personal health information for purposes other than research is an important question that the nation has to address, the current project is intended to address only the more limited but still important topic of HSR. Overview of Current Human Subjects Regulations The OPRR administers the federal regulations on human and animal subjects.
|
From page 123... ...
For a project that is research involving human subjects and is not eligible for exemption as above, the IRB must ensure that the subjects have given free and informed consent to participate, unless the informed consent requirement
|
From page 124... ...
IRB FUNCTION Many different types of institutions conduct research with human subjects and therefore have IRBs associated with them, including universities, state and federal agencies, hospitals, and research foundations. The committee invited speakers from a variety of these institutions to present information on the practices and experience with protecting the confidentiality of data in health services research in their respective organizations.
|
From page 125... ...
Col. Anderson highlighted some of the special features of human subjects research in the military.
|
From page 126... ...
, often requires researchers to obtain informed consent or to provide subjects with written material including the elements that would appear on a consent form. sin the context of HSR, the most relevant exempt category is "research, involving the collection or study of existing data, documents, records, pathological specimens, or diagnostic specimens, if these sources are publicly available or if the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects" (45 CFR 46.101(b)
|
From page 127... ...
to include a ban on waiving informed consent when data collected will include identifying information, unless the research is exempt. Finally, he said that the military criteria for exemption are substantively the same as the civilian criteria as codified in the common rule.
|
From page 128... ...
Khan explained that the UTHSCSA IRB requires information at the time of the application detailing how the protocol will protect confidentiality. Upon approval, the IRB instructs the investigators that they may not make any changes to these procedures without prior IRB approval.
|
From page 129... ...
First, in multisite projects, personally identifiable health information generally ought not to be shared beyond the local investigators. Second, she suggested that studies involving collection of data through telephone interviews, which are frequently used to collect information about services rendered (though not the focus of this workshop)
|
From page 130... ...
Identifying Specific Studies as HSR Dr. Kahn said that HSR studies at UCSF are reviewed in the same way as other studies involving human subjects, except that the wording in the informed consent form would be modified to reflect the type of research and would not warn of physical injury.
|
From page 131... ...
The committee returned a list of recommendations, including several suggestions about increasing the use of electronic information systems, increased training for researchers to address both research responsibilities and institutional procedures, and increasing staff support for the human subjects protection program. In addition, the chair specifically suggested designating 1 to 1.5 percent of each grant involving human subjects to be earmarked as funding for the human subjects protection program.
|
From page 132... ...
and will adhere to federal regulations regarding human subjects protection for all research involving human subjects regardless of sponsorship. RTI also follows the Common Rule in all human subjects research.
|
From page 133... ...
In less clear situations, the IRB chair and/or selected members would have to decide whether the particular project could be exempt. Examples of borderline situations where an IRB member would have to examine the project to decide whether further IRB review might be needed include projects that will use anonymous or nonsensitive primary data gathered through surveys, interviews or other methods requiring a direct interaction with subjects, projects that gather data from public officials or candidates, or intervention research that is anonymous and without risk.
|
From page 135... ...
. These IRB members help design and implement data safeguarding plans commensurate with the level of risk for various protocols.
|
From page 136... ...
Such examples suggest that the role of technical experts may be underappreciated, and new technologies to protect privacy may yet be unexplored or insufficiently exploited. She concluded that policy control must be developed to replace physical oversight to ensure privacy protection, because it is in many cases impossible, and surely impractical, to observe directly whether researchers carrying out electronic manipulations are conforming to data protection rules.
|
From page 137... ...
attended the workshop and spoke about WIRB. Determining Which HSR Studies Qualify as Exempt A central feature of WIRB's approach is its commitment to making individual, specific, informed consent a part of all human subjects research it sees.
|
From page 138... ...
HEALTH CARE PRODUCTS AND SERVICES INDUSTRY Many health care organizations carry out a spectrum of activities that involve the secondary analysis of personal health information. The spectrum ranges from health services research to operations.
|
From page 139... ...
Enforcement of Procedures to Protect Confidentiality The situation of records research at Merck was of particular interest at the workshop because of the affiliation of Merck with Medco, a pharmacy benefit management company. In the discussion after the presentation, participants inquired about the degree of separation between the Merck research databases and the Medco administrative and pharmacy usage databases.
|
From page 140... ...
Here Dr. James observed that when IRBs go beyond their original role of protecting human subjects from direct harms due to research, they may tend both to cause confusion and to neglect their primary mission.
|
From page 142... ...
Express Scripts is a pharmacy benefit management (PBM) company, serving various types of clients including insurers, unions, health care organizations, and employers any type of organization, in short, that wishes to contract for a Biological log-one, also called biometric identifiers, would permit a user to have access to a file based on some recognizable and unique feature.
|
From page 143... ...
Teitelbaum reported that Express Scripts has instituted increasingly stringent policies of limiting internal access to data. Ensuring That Identifiable Information Is Protected During the Study Dr.
|
From page 144... ...
SPECIAL CONSIDERATIONS OF DATA PRIVACY AND MINORITY GROUPS Dr. William Freeman, IRB chair at the Indian Health Service, highlighted some issues of particular importance in research involving minority populations.
|
From page 145... ...
Strategies for Enhancing Both Privacy Protection and Trust Dr. Freeman reaffirmed that both physical and electronic data security are very important and frequently not given adequate attention in rural areas.
|
From page 146... ...
The development and market penetration of smart cards and other portable platforms for utilizing databases via PKI seems to be much further advanced in Europe than in the United States, although unresolved questions about cross-border privacy protection remain. As the technology of Web-integrated systems becomes more ubiquitous and easier to use, it is also becoming more difficult to defend from outside attack (Dietz, 2000~.
|
From page 147... ...
. The contract describing the IOM's project included an agreement that the committee would consider measures for protecting personally identifiable health information that pertains to children if any different conditions should be deemed desirable, and, in particular, would consider the desirability of requiring projects involving children always to undergo full IRB review.
|
From page 148... ...
INTERNATIONAL COMPARISONS OF DATA PRIVACY STANDARDS4 Questions and issues of protecting privacy and personally identifiable health information have arisen in nation states around the world and in regard to the transfer of data across international borders. The contract describing the IOM's project included an agreement that the committee would compare the privacy protections contained in international conventions for personally identifiable health information used in research with the principles and best practices developed in this study.
|
From page 149... ...
In France, the confidentiality of medical records is further protected by being treated as an obligation of result, which means that not only what is heard or seen is protected by law, but also what is understood, and the body of law that protects the information from disclosure is the penal code. In the domestic legal systems of individual nation states, the Common Law versus civil code contrast is again the basic distinction.
|
From page 150... ...
France has recently undergone two important developments pertaining to the protection of the privacy of health information in its legal system. The first was a statute regulating the use of data for research, that provided significant new oversight mechanisms, and second was a decree regarding the use of data in the process of reimbursement.
|
From page 151... ...
Standards for Privacy of Individually Identifiable Health Information; Proposed Rule. Federal Register.
|
From page 152... ...
Committee on the Role of Institutional Review Boards in Health Services Research Data Privacy Protection. Protecting Data Privacy in Health Services Research.
|
From page 153... ...
and Lo, Bernard. Practicing Safer Research Using the Law to Protect the Confidentiality of Sensitive Research Data.
|
From page 155... ...
President Western Institutional Review Board 155 Lawrence Dietz, Esq. Market Intelligence Director AXENT Technologies, Inc.
|
From page 156... ...
PROTECTING DATA PRIVACY Andrew Nelson Executive Director, HealthPartners President, HMO Research Network Minneapolis, MN Thomas Puglisi, Ph.D. Director, Division of Human Subjects Protections Office for Protection from Research Risks U.S.
|
From page 157... ...
Fanning Office of the Assistant Secretary for Planning and Evaluation Michael Fitzmaurice Agency for Healthcare Research and Quality 157
|
From page 158... ...
Knazek National Institutes of Health Eric Larson General Accounting Office Richard Levine USUHS Joanne Lynn RAND Margaret Matula National Institutes of Health Laurie Michel Merck Mary Otto Knight Ridder PROTECTING DATA PRIVACY Shannon Penberthy Association for Health Services Research Douglas Peddicord Washington Health Advocates Joan Porter ORCA Maryann Redford National Institutes of Health Patricia M Scannell Washington University School of Medicine Gerald S
|
Key Terms
This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More
information on Chapter Skim is available.