Protecting Data Privacy in Health Services Research (2000) / Chapter Skim
Currently Skimming:
3 Best Practices for IRB Review of Health Services Research Subject to Federal Regulations
3 Best Practices for IRB Review of Health Services Research Subject to Federal Regulations
Pages 51-70
The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.
From page 51... ...
. The committee collected information from some universities and health centers and private research foundations, hearing testimony at a public workshop and collecting materials and statements from participating IRBs (see Appendixes A and B)
|
From page 52... ...
Clearer guidance would make IRB review more efficient as well as enhance the protection of subjects by helping to ensure that HSR projects incorporate confidentiality protections that the IRB finds important. The committee found that IRBs vary in how they interpret federal guidelines pertaining to whether a project is intended to yield "generalizable knowledge" and thus should be subject to IRB review.
|
From page 53... ...
The IRB representatives participating in the workshop agreed that an activity would be considered research if the investigator plans to publish the findings. IRBs differ, however, in how they interpret other situations, particularly activities that might be considered QA or QI.
|
From page 54... ...
Joanne Lynne of RAND gave the example of small hospices and home health care organizations who want to improve their own services but also share their findings with similar organizations, perhaps as part of a multisite study. The committee noted, however, that the likelihood of identifying individuals and the difficulty of maintaining confidentiality are both greatly increased in small organizations.
|
From page 55... ...
Ms. Khan noted that the UTHSCSA IRB, regarding projects using data from computer databases, asks the investigator to list all the fields to be collected and to indicate who will actually collect the data, how respect for confidentiality by any personnel involved will be ensured, and how further dissemination of the information will be prevented (e.g., storing data on computers that are not networked, storing codes identifying individuals separately from data, using passwords and/or key requirements to restrict access both to computers for data storage and to computer housing identifying codes)
|
From page 56... ...
Recommendation 3-2. IRBs should develop and disseminate principles, policies, and best practices for investigators regarding privacy and confidentiality issues in HSR that makes use of personal health data previously collected for other uses.
|
From page 57... ...
It is also, of course, always possible for a human employee mistakenly to allow data to become available. Many health services researchers and IRBs have developed practical and specific procedures for protecting privacy and confidentiality in HSR projects that involve analyses of previously compiled databases.
|
From page 58... ...
In fact when the IRB questioned the necessity for using identified data, the investigators realized they simply had never thought of whether their research required the identification and they immediately removed them. In another instance, already mentioned, that was reported to the committee at the workshop, one participant described finding his own HIV results projected in a meeting with personally identifying information, with no other purpose than showing an example of records in the database.
|
From page 59... ...
The committee also heard, however, from organizations that store such sensitive data in facilities outside the United States to protect them from discovery processes (the committee did not, however, seek legal opinions as to whether such a strategy would provide effective legal protection from discovery)
|
From page 60... ...
The risk may be increased still further by the presence of culturally significant identifiers that are not recognized as sensitive private information by researchers who are not familiar with the community and therefore do not mask all the sensitive data fields. For example, specific locations, occupations, or other characteristics may indicate a very small subgroup even within a minority community (e.g., a few members of a particular tribe on a reservation inhabited primarily by another tribe)
|
From page 61... ...
The committee also found that certain variables, such as hospitalizations, are so much rarer among minors than among older adults that special consideration for protecting the confidentiality of these variables as potential identifiers is warranted. As with the previous finding regarding subjects who are members of small minority communities, protecting the confidentiality of data on minors will be enhanced by an IRB whose members or consultants are knowledgeable about the particular issues of a study and about the relevant developmental changes of the minor subjects involved, and can help highlight variables of unusual identifying potential.
|
From page 62... ...
Overall, interactive forms would enhance compliance with IRB policies and federal regulations and would make review less burdensome for investigators and IRB members alike. The committee found that some organizations make use of interactive online forms to help investigators determine whether a project should be considered research and whether it qualifies for expedited review.
|
From page 63... ...
The committee urges IRBs and investigators to consult information technology and data security experts about protecting confidentiality in their specific situations. It is not the intent, nor would it be possible, for this committee or this report to provide an adequate basis for a data security program.
|
From page 65... ...
Again, the committee emphasizes that this study could not undertake detailed presentation of data-masking techniques, but suggests that investigators and IRBs consider the protective measures already described and implement them where possible if they have not done so. Ideally, these technical and datamasking safeguards for confidentiality would be implemented in the context of policies and procedures adopted by the organization for all uses of personal health information, including clinical care, business activities, or research.
|
From page 66... ...
Most IRBs do not, however, have the power or resources to implement data security programs on their own, and their time must be devoted to reviewing research proposals, protocols, and annual reports. What IRBs can do is reject studies that do not have acceptable data security measures, while at the same time working to understand the value of reductions in the incidence and severity of security breaks relative to the cost of increased security precautions.
|
From page 67... ...
Institutions that carry out HSR and train health services researchers should require that trainees, investigators, and IRB members receive education, with updates as technology changes, regarding the protection of privacy and con~dentiality when using data previously collected for another use. Education is critical not only for IRB members, but also for researchers, technicians, and any other employees who may come in contact with health information.
|
From page 69... ...
In particular, training should be tailored to the type of research methods that researchers use the ideal training for clinical trials investigators would not be helpful for health services researchers. Several organizations require, or are planning to require that investigators pass a course on human subjects protection before their protocols can be reviewed.
|
From page 70... ...
Therefore organizations should complement and support the proactive strategies of expertise and education for better confidentiality protection with deterrents to wrongdoing. Such sanctions ought to be graded according to the offense (e.g., whether the incident was a simple mistake or an intentional violation)
|
Key Terms
This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More
information on Chapter Skim is available.