The papers included in this volume were edited to conform to minimal stylistic consistency. The content and accuracy of the papers are the responsibility of the authors, not the National Bioethics Advisory Commission.
Author(s): Janlori Goldman and Angela Choy, Georgetown University
The Health Privacy Project is dedicated to raising public awareness of the importance of ensuring health privacy in order to improve health care access and quality, both on an individual and a community level.
Health research can offer many benefits, such as the improvement of clinical practices, public health programs, and health products; the reduction of public health threats; the advancement of basic biomedical science; and the development and improvement of pharmaceuticals and medical devices.1 All of this research, however, requires access to a great deal of individuals' data. This need for data often runs counter to the public's desire to keep health information confidential. The public may have some reason to be concerned about the confidentiality of their health information. At present, there is no comprehensive federal law protecting the confidentiality of health information. The patchwork of state and federal laws varies in scope and tends to protect specific types of information collected and maintained by particular entities. A significant amount of research is conducted without federal oversight or review. Ultimately, the public's fear and anxiety over the loss of privacy and confidentiality can threaten the research initiatives meant to benefit them. The federal government, researchers, Institutional Review Boards (IRBs), and research institutions will need to work together to provide strong privacy and confidentiality protections to build public trust and encourage continued participation in research.
Individuals share a great deal of sensitive, personal data with their physicians.2 Full disclosure to health care providers is necessary for accurate diagnosis and treatment of the patient. While patients may expect, or desire, to have all of their health data kept confidential, it is not possible to protect confidentiality absolutely. In seeking health care, patients will likely experience some loss of privacy and confidentiality. Health data may be shared with pharmacies, employers, researchers, and even marketers for reasons not related to diagnosis and treatment. In fact, it is estimated that when a person goes to the hospital, approximately 150 different people will look at his or her records.3 But since patients are often not involved in decisions about the disclosure of their health data, they may be taken by surprise when they learn of disclosures, including disclosures to researchers. A recent Department of Health and Human Services (DHHS) Inspector General report found that 'patients are often unaware that their records are being reviewed by persons other than their physicians and these records may be used to contact them about participating in research.'4 Historically, there has been tension between privacy advocates and researchers over how to address privacy and confidentiality issues. Consumer advocates often view research initiatives as threats to individual privacy, while researchers may treat privacy as a barrier to improving health. There is a fear that protecting confidentiality will prevent the free flow of health data for research, public health initiatives, and other health-related activities.5 Protecting privacy and confidentiality and promoting health, however, are values that go hand-in-hand. 
Without trust that the personal, sensitive data that they share with researchers will be handled with some degree of confidentiality, subjects will not participate in research projects.6 If people continue to withdraw from full participation in their own care, the personal health data from medical files and patient databases that researchers may rely on to recruit subjects or conduct records-based studies will be inaccurate and incomplete.
Researchers therefore need to be aware of potential privacy and confidentiality issues throughout the course of the research to incorporate privacy protections and minimize potential breaches of confidentiality. Public policies should also incorporate privacy standards so individuals will have greater trust in research enterprises and to ensure that there is accountability for breaches of confidentiality. Researchers may be becoming more attentive to issues of security and use physical and technological measures, such as locked file cabinets and passwords, to help protect against unauthorized access to data. But these security requirements do not answer the larger policy questions about how data should be used, shared, and exchanged.7 The key issue here is to determine which disclosures in health research are acceptable invasions of privacy and which limits are acceptable on confidentiality.
Currently, there is no comprehensive federal law that protects the confidentiality of all personal health data. Third-party access to medical records and other data, including researcher access to this data, is governed by a loose configuration of state and federal law, common law, and professional ethics. There are federal regulations that apply to some research involving human subjects. These rules, however, may be applied unevenly and may not be relevant for different kinds of research. Furthermore, it is generally believed that a significant amount of research falls outside the scope of these regulations. Reform efforts that seek to bolster existing rules and to expand the kinds of research subject to the rules, however, are met with a common critique: that the existing system of research review is already over-extended and that new requirements could place undue burdens on the system.
This paper addresses 1) the definitions of privacy and confidentiality; 2) the potential threats to privacy and confidentiality in research with a focus on the use of medical records and databases in health research;8 3) public concerns and potential consequences or harm from violations; 4) the existing statutory and regulatory requirements with regards to privacy and confidentiality in health research; 5) the potential impact of DHHS proposed federal health privacy regulations on health research; 6) what data exist on current research review policies and practices regarding privacy and confidentiality when health research is subject to IRB review and when it is not; and 7) what data exist regarding enforcement of the privacy and confidentiality requirements in the Common Rule. It concludes with a set of recommendations for addressing some of the weaknesses in the current system of research review.
The terms privacy and confidentiality are often used interchangeably, although they are distinct concepts. Privacy is a state or condition of physical or informational accessibility.9 Many sources attempt to define and distinguish privacy and confidentiality. One frequently cited source is Privacy and Freedom, by Alan Westin, who defines privacy as 'the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.'10 Professor Anita Allen, Professor of Law and Philosophy at the University of Pennsylvania, breaks down the concept of privacy into four types: physical privacy, informational privacy, proprietary privacy, and decisional privacy. Physical privacy is 'spatial seclusion and solitude.' Informational privacy is 'confidentiality, secrecy, data protection and control over personal information.' Proprietary privacy is 'control over names, likenesses and repositories of personal identity.' Decisional privacy is 'allowing individuals, families and other nongovernmental entities to make many of the most important decisions concerning friendship, sex, marriage, reproduction, religion, and political association.'11 A common justification for protecting privacy is the principle of respect for personal autonomy, 'personal rule of the self that is free from both controlling interferences by others and from personal limitations that prevent meaningful choice.'12 The right to privacy should not be confused with the right to act autonomously. 
As Tom Beauchamp and James Childress explain in Principles of Biomedical Ethics, rights of privacy are valid claims against unauthorized access based in the right to authorize or decline access.13 In an 1890 law review article, Louis Brandeis and Samuel Warren argued that the right to privacy is 'the right to be let alone,' the right to live without unwarranted interference by the public in matters with which the public is not necessarily concerned.14 Today, the right to privacy is not only a right to 'retreat from the world' but also a right to 'step forward and participate in society,' sharing information about oneself with others while still maintaining some control over the data.15 Rules of confidentiality protect an individual's privacy interests in the data collected about him or her. In cases involving the collection, use, and disclosure of health data, it becomes even easier to confuse the terms privacy and confidentiality. A person, however, can surrender some privacy and still maintain some control over the information generated about him or her. Alan Westin distinguishes confidentiality from privacy by defining confidentiality as 'how personal data collected for approved social purposes shall be held and used by the organization that originally collected it, what other secondary or further uses may be made of it, and when consent by the individual will be required for such uses,' whereas information privacy is 'the question of what personal information should be collected or stored at all for a given function.'16
Again, there is no comprehensive federal law that protects the confidentiality of personal health data. However, there are federal regulations that apply to most research receiving federal funds, commonly referred to as the Common Rule, or research conducted in anticipation of approval by the Food and Drug Administration (FDA). Most federally funded research involving human subjects falls under the Common Rule,17 a federal policy adopted by 17 federal agencies in 1991 to protect 'the rights and welfare of human research subjects,' including their personal health information.18 The FDA has established similar regulations for research involving the development of a product regulated by the FDA.19 The Common Rule requires research organizations to establish and operate IRBs, administrative bodies, to protect the rights and welfare of human research subjects. However, privately funded research that does not involve a federally regulated product is not subject to federal requirements. Some institutions that are not required to follow the Common Rule may choose to subject all research at their institutions to the Common Rule, while others apply the federal rules only where required. For example, an institution that conducts a large number of federally funded studies may enter into multiple project assurances (MPAs), which require all research at that institution to comply with the Common Rule.
Given the limited applicability of the federal regulations, it is generally believed that a significant amount of human subjects research is conducted in the absence of federal regulation, such as some privately funded research conducted by pharmaceutical companies, health plans, and universities not in anticipation of product approval by the FDA. An IRB chair commented at a U.S. House Commerce Committee hearing in May 1999 that 'Today, if I want to study the medical history of Congressional representatives, and I don't use federal funds, I may be able to get access to your medical records without going through any meaningful review process.'20 A recent Institute of Medicine (IOM) workshop found that much health services research using large databases falls outside the scope of federal regulations because the research is privately funded by organizations without federal MPAs.21 In addition, even where organizations submit research to an IRB for review, certain activities that involve identifiable health data and other human subjects research may not be defined by the organization as research, and therefore are left without any oversight and accountability.22 For example, the IOM found that IRBs vary in how they interpret federal guidelines regarding the definition of research, specifically whether or not a project is intended to yield 'generalizable knowledge.'23 Some institutions may differ in how they interpret activities that might be considered quality assurance or quality improvement, taking the view that as long as the findings will be disseminated outside the division or department conducting the project, the project is research and thus subject to IRB review.24 While IRB review does not necessarily ensure that issues of privacy and confidentiality are adequately addressed, it does provide some level of accountability and oversight.
Health researchers encounter privacy and confidentiality issues at various stages of research, from recruitment of participants and data gathering, to data processing and analysis, to data storage, data dissemination, and the publication of research results. Researchers and IRBs need to be aware of and understand the range of privacy and confidentiality concerns in health research to adequately protect the privacy interests of their subjects and the confidentiality of personal health data.
Where there is a lack of direct contact in research with subjects, individuals may have little or no knowledge that data collected from them in a clinical setting are being used for purposes other than for their treatment and payment. For research involving interaction with individuals, such as clinical trials, prior to contact with potential research participants, the researcher has to determine where and how to recruit participants. Most people are not concerned about researchers who are also physicians searching their own patient database to identify eligible subjects; they are concerned about someone other than their physician accessing their medical records to screen for potential subjects and contacting them about participation.25 A physician may have patients who would meet the criteria for subjects in a research project, but the potential participants may consider direct recruitment by a researcher a violation of privacy, whereas recruitment by the physician may be considered acceptable. Patients expect a certain level of confidentiality when they share sensitive information with their physicians. Therefore, when individuals are contacted by someone whom they were not aware had access to their medical information, they may consider the contact an invasion of privacy.
A recent DHHS Inspector General report on recruitment of subjects for industry-sponsored clinical research found that in a rush to recruit subjects, investigators might compromise privacy and confidentiality. The Inspector General found that patients were often unaware that someone other than their physician may be reviewing their records and using them to contact them about participating in research. Some IRBs have received complaints of harassment from potential participants.26 However, nothing in the federal regulations specifically prohibits access to these records by researchers, and there is little guidance from DHHS on acceptable recruitment practices.
After a research project is completed, a researcher also may decide to conduct follow-up studies or a different project. However, the subjects of the first study may not have been asked whether they would want to be contacted for other studies, and some of them may find subsequent contact from the researcher an invasion of privacy, particularly if contact occurs many years after completion of the first project.
Even if a research protocol does not call for direct contact with individual subjects, the researcher still must determine whether or not he or she will require access to personally identifiable health data. There are confidentiality concerns when researchers want access to personally identifiable data from health care providers, insurers, state registries, and any other entity that collects data from individuals in the course of treatment and payment. For example, many states maintain a cancer registry of which many patients are not even aware. Researchers may have access to the registry to conduct epidemiological studies and examine trends among cancer cases on behalf of a state's health department. In a few states, researchers can obtain access to data from the cancer registry without first obtaining permission from the patient.27
After a researcher receives or collects health data, there are confidentiality concerns regarding redisclosure of those data to third parties. Latanya Sweeney, Assistant Professor of Public Policy and of Computer Science at Carnegie Mellon University, stated at a recent Senate briefing that even if the original data holder imposes privacy and confidentiality requirements on a third party requesting access to the data, once the data are disclosed to the third party, the third party may redisclose the data to others without restrictions.28 Similarly, Dr. Carolin Frey, Chair of the Geisinger Medical Center IRB, stated at a July 1999 House Commerce Committee hearing that when identifiable data travel between institutions, 'it is possible for only [a] portion of an individual's record to be within the purview of an IRB.'29 As an example, she noted that medical records are protected by the hospital IRB when the records are used in research but are not protected when the data travel to a third party payer.
Some researchers, however, are restricted from redisclosing data. For example, for data requests from other DHHS employees and contractors, the Health Care Financing Administration (HCFA) requires data use agreements that indicate the requestor's understanding of the confidentiality requirements of the Privacy Act and HCFA's data release policies and procedures. These agreements include a requirement that those receiving information from HCFA use it only for its approved purpose. Subsequent use for a different purpose is prohibited without further approval.
Without uniform rules for all research that limit redisclosure of personal health data, data collected for one purpose will continue to be disclosed and used for another purpose without the knowledge or consent of the subjects of the data. For example, for 52 years, research has been conducted using data from medical examinations, food diaries, X-rays, and blood samples of 10,000 Massachusetts residents in a long-term study known as the Framingham Heart Study. Originally, the participants signed on to a National Institutes of Health (NIH)-funded heart disease project.30 Now, Framingham Genomics Medicine (FGM) proposes to correlate the genetic information from blood samples with the study's clinical data to create a huge database and sell the data to biotechnology and pharmaceutical companies. The major concern here is whether or not FGM will contact all the living study participants and relatives of the deceased for informed consent to use the information for this new project. Will strong and effective measures be implemented to protect the privacy of the subjects and the confidentiality of the genetic information? How meaningful is informed consent if sensitive health information is used for different purposes years later?
In another example, in December 1998, Iceland's parliament authorized a license to deCODE genetics, a for-profit U.S. corporation, to use data already collected by the government to create a database (Icelandic Healthcare Database) of the medical records of all Icelandic citizens. This privatization plan raised a number of ethical questions, including the role of individual informed consent. The primary purpose of deCODE is to collect and analyze DNA samples for commercial purposes. Individual consent was not obtained prior to the transfer of medical data to the database, although individuals have the right to withhold their records by filing paperwork to opt out of the program.31 Those who do not opt out are presumed to give consent.
In a research study, it also may be technically difficult for an IRB and investigators to determine how it is required to protect privacy and confidentiality. Inconsistencies or conflicts may exist among legal requirements and institutional policies and practices. Some IRBs, for example, believe that unless a study impacts ongoing care, the consent forms for the study should not be included in a subject's medical record.32 There is a fear that the consent form itself may reveal information about a patient that the patient wants to keep confidential. In one project, a medical resident discovered that his consent form for participation in research was placed in his medical record, even though the research had nothing to do with treatment. In fact, he was participating as a control subject for a study on coping behavior involving HIV. While the resident was not HIV-positive, the consent form in his medical record indicated he was participating in a study involving HIV. The Joint Commission on the Accreditation of Healthcare Organizations (JCAHO) requires consent forms to be included in a patient's medical record, so in compliance with JCAHO requirements, the medical records department at this hospital placed the consent form in the resident's medical record. There is limited guidance for IRBs on how to reconcile conflicting policies and requirements.
Researchers and IRBs also face other potential privacy and confidentiality issues. The method of contact, such as a postcard notice or e-mail regarding participation in a research project, may be considered a breach of confidentiality, because information on the postcard or e-mail may suggest information that the potential subject considers confidential. For example, a recruitment postcard for a study that is sent to an individual's home may suggest that the recipient of the postcard has a specific disease. Even if the individual does have the disease, he may have kept it a secret from the rest of the household, and the postcard would be considered a breach of confidentiality.
If subjects get paid for participation in a project, parties providing compensation also need to be sensitive to concerns that the form of payment may contain information that would indicate to a third party a subject's participation in a research project. For example, there may be information on a check that could constitute a confidentiality breach, not only because it is apparent to the bank that the recipient of the check is a research subject, but because the information can presumably be transferred to an affiliate of the bank, such as an insurer.
Another potential breach of confidentiality can occur with projects that involve periodic tests or visits with a physician. Reminders are often sent out to subjects at their home addresses, which may have information suggestive of the addressee's health status or participation in research. There are also special considerations for research involving minority groups. A research study may focus on a particular group because of specific physical, social, or cultural attributes, possibly threatening the privacy of a small community. Dr. William Freeman, IRB chair at the Indian Health Service, stated at an IOM workshop that with certain minority groups, such as the American Indian and Alaska Native, the communities are small and isolated and the members are well known to each other, making it difficult to ensure individual privacy.33 If a minority group, however, perceives a research study as a threat to the privacy of the individual members or the group, they will be less likely to cooperate with the researchers.
Individuals usually expect that the information they provide to their physicians will be kept confidential. Today, a growing number of disclosures occur without the express consent of the individual, stimulated in part by technological and scientific advances. The growth of information technologies for the delivery and payment of health care may offer significant opportunities for improved access to quality care at reduced costs. However, growing demands for access to health data and easier and cheaper storage and access to such data pose greater threats to privacy and confidentiality.
Organizational and structural changes in the delivery of health care call for the use of information technology to coordinate care and to integrate and disseminate information among providers, institutions, and managed care organizations. The demand for better quality care and the desire for reduced health care costs have also contributed to the rising need for patient data. The management of care in this environment requires data about what, where, and when health care services are provided, by whom for whom, and at what cost to determine the value and appropriateness of care. Such changes have led to the creation of large databases of health information, data linkage within and across data sets, and the ability for more people to access medical records and other personal health data from remote locations.
In fact, most data that move through health information systems end up in databases.34 While many of the databases are not organized optimally for research, researchers can avoid the costs of original data collection by using the available data. For example, one of the largest databases in the world is the U.S. Medicare database system, which processes over 600 million reimbursement claims records yearly.35 Researchers have access to this database provided that they meet HCFA's criteria for release of the data.36 The database includes data on enrollment, eligibility, and utilization. The data may not be of the highest quality or fully standardized, but they provide a great deal of information about the health status and health care of millions of patients. With the recent release of the final rule on national standards for electronic transactions by DHHS, however, there will be greater standardization of data transmitted for health care transactions.37 Standardization creates the potential for data linkage within and between data sets. Data linkage provides greater opportunities for research. It allows researchers to make associations between data on subjects from one source or multiple sources. For example, researchers can link workplace exposures with suspected illnesses. Such research may not require identifiable data, but the existence of large databases, especially those that are public databases, raises particular concerns. Chief among these concerns is that the more data are linked from different sources, the more likely it is that individual people or particular groups of people can be identified. Data may be aggregated from several sources without individual knowledge or consent and accessed by parties outside the health care treatment environment.
As Latanya Sweeney demonstrated at a policy briefing on medical and genetic privacy on July 14, 2000, 'nonidentifiable' data can be combined with publicly available data to easily identify people.38 For example, most cities sell locally collected census data or voter registration lists, which include the date of birth, name, and address of the residents. These data may be linked to de-identified medical data, containing dates of birth and zip codes, to re-identify individuals, particularly in smaller communities.39 With an increasing focus on the health of a population rather than an individual comes the greater need for comparable data across health care organizations. Some of the sources of the data come from hospital databases, but a growing number of databases exist outside the health care environment. If personally identifiable data are used, the question is whether or not the subjects of the data need to be asked consent for the new use of their information. Locating and contacting subjects may be more difficult and prohibitively expensive. Where consent is waived, however, it is particularly important that there is objective review of the research protocol to ensure that safeguards are in place to respect the privacy of the subjects and protect the confidentiality of the data.
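The linkage risk described above, where dates of birth and zip codes left in de-identified data match entries in public lists, can be measured before a data set is released by counting how many records share each combination of those fields. The following is an added example, not part of the original paper: it uses a k-anonymity style count, which the paper does not itself describe, and the field names, threshold, and sample records are constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample of a "de-identified" release: names are removed, but
# date of birth, five-digit zip code and sex remain (quasi-identifiers).
RELEASE = [
    {"dob": date(1954, 3, 12), "zip": "02138", "sex": "F", "dx": "asthma"},
    {"dob": date(1954, 7, 30), "zip": "02139", "sex": "F", "dx": "diabetes"},
    {"dob": date(1954, 11, 2), "zip": "02138", "sex": "F", "dx": "hypertension"},
    {"dob": date(1961, 1, 15), "zip": "02139", "sex": "M", "dx": "asthma"},
    {"dob": date(1961, 9, 9), "zip": "02138", "sex": "M", "dx": "depression"},
    {"dob": date(1961, 1, 15), "zip": "02139", "sex": "M", "dx": "diabetes"},
    {"dob": date(1978, 5, 21), "zip": "02446", "sex": "F", "dx": "hiv"},
    {"dob": date(1961, 4, 3), "zip": "02140", "sex": "M", "dx": "asthma"},
]


def exact_key(rec):
    """Quasi-identifiers exactly as they appear in the release."""
    return (rec["dob"].isoformat(), rec["zip"], rec["sex"])


def generalized_key(rec):
    """Coarsened quasi-identifiers: birth year and three-digit zip prefix."""
    return (rec["dob"].year, rec["zip"][:3], rec["sex"])


def class_sizes(records, key_fn):
    """Number of records sharing each quasi-identifier combination."""
    return Counter(key_fn(r) for r in records)


def k_anonymity(records, key_fn):
    """Smallest group size; 1 means at least one record is unique."""
    sizes = class_sizes(records, key_fn)
    return min(sizes.values()) if sizes else 0


def at_risk(records, key_fn, k):
    """Records whose quasi-identifier group is smaller than k."""
    sizes = class_sizes(records, key_fn)
    return [r for r in records if sizes[key_fn(r)] < k]


def prepare_release(records, k):
    """Generalize every record, then suppress those still in groups < k.

    Returns (released_rows, suppressed_count). Released rows carry only the
    coarsened fields, never the original date of birth or full zip code.
    """
    sizes = class_sizes(records, generalized_key)
    released = []
    for rec in records:
        key = generalized_key(rec)
        if sizes[key] >= k:
            released.append(
                {"birth_year": key[0], "zip3": key[1], "sex": key[2], "dx": rec["dx"]}
            )
    return released, len(records) - len(released)


if __name__ == "__main__":
    k = 2  # constructed threshold; a real release policy would set its own
    print("k with exact fields:      ", k_anonymity(RELEASE, exact_key))
    print("records at risk (exact):  ", len(at_risk(RELEASE, exact_key, k)))
    print("records at risk (coarse): ", len(at_risk(RELEASE, generalized_key, k)))
    rows, dropped = prepare_release(RELEASE, k)
    print("released:", len(rows), "suppressed:", dropped)
```

In the sample, the one record from a sparsely represented zip prefix stays unique even after coarsening and is suppressed, which mirrors the paper's point about smaller communities.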
The lack of confidentiality protections is particularly troubling because Internet users may consider themselves anonymous or their activities as private. Chat room participants, especially those participating in support groups, often perceive these chat rooms as private sites when they exchange sensitive information about themselves.44 However, researchers are often not asking for consent to quote the participants, and a review board is not reviewing the research to ensure that the research is conducted ethically.45
Scientific developments in genetics have given society a greater understanding of alterations in genes that are associated with human diseases, providing opportunities for better diagnosis, treatment, and prevention of disease. On June 26, 2000, two groups of scientists announced that they had completed a rough draft of the human genome, a breakthrough that may revolutionize the practice of medicine.46 With a rough draft complete, biomedical researchers can begin their search for disease-causing genetic mutations and develop therapies to treat disorders at the molecular level. Scientists may eventually be able to identify from birth the diseases a person may develop and tailor treatment to that individual.
However, with the ability to better detect genetic aberrations come the questions of how genetic information should be protected and used and who should have access to that information. Genetic research on stored samples, such as blood samples, biopsy specimens, and organs and tissues, raises questions about privacy, consent, and confidentiality. Unlike most other biomedical research, genetic studies involve families. Research findings about individual subjects have direct implications for biological relations of the research participants because they may reveal information about the likelihood that members of the family are carriers or will be affected by a disease. The ethical question here is whether or not the research findings become part of the study without consent from the subjects of the findings.
Genetic research involving groups of people with specific genetic attributes also raises concerns about privacy. The Iceland example mentioned earlier concerns not only individual privacy but also group privacy. Like the American Indians, the Amish, and Ashkenazi Jews, Icelanders have a relatively homogenous gene pool, which improves the likelihood that researchers will find the genetic mutations associated with a disease. However, population-based genetic studies can lead to stigmatization. Specific groups of people may become identified with certain diseases, even if these diseases do not affect them disproportionately.
There is also public concern that access to genetic information by others, such as insurers and employers, will increase the potential for discrimination based on such information. Many people shy away from genetic testing because they fear that too many people have access to their information and that it can be used against them. Such fears may be justified: A 1992-1993 pilot study documented 206 instances of discrimination (loss of employment and insurance coverage or ineligibility for benefits) as a result of access to genetic information.47 The primary risks of genetic research are social and psychological rather than physical harm. Confidentiality concerns are a significant barrier to genetic research. According to a 1997 national survey conducted by the U.S. Department of Labor, 63 percent of people reported that they would not take genetic tests for diseases if insurers or employers could access the tests.48 One in three women invited to participate in a breast cancer study using genetic information refused because they feared discrimination or loss of privacy.49 More recently, a CNN-Time magazine poll found that 46 percent of the respondents expect harmful results from the Human Genome Project. Only about 20 percent said the genetic information should be available to insurance companies, and only 14 percent said it should be available to the government.50 While a number of states have passed laws to provide greater confidentiality protections and to prohibit genetic discrimination to encourage more people to seek genetic testing and counseling, protections are still piecemeal.
Needless to say, research is only subject to IRB review if it is indeed research as defined in the federal regulations. It is not, however, always easy to determine which activities are regulated research and thus subject to IRB review.
It is particularly hard to distinguish between health services research and health care operations and quality assurance activities, for example. Many aspects of health services research are similar to quality assurance and improvement activities. Research is defined in the Common Rule as 'a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.'51 While quality improvement activities at an institution are intended to affect the population of participants, the data may or may not be generalizable to others within and even outside the institution.52 Government Accounting Office (GAO) investigators found that several managed care organizations did not define records-based quality improvement activities as research, so these activities do not undergo IRB review, while some organizations do define these studies as research and thus submit them for IRB review.53 Alternatively, what begins as an internal review of quality of care may evolve into an activity that could be classified as health research. Even after an institution discovers that it may be engaging in research, however, it may choose to publish its results without seeking IRB review.54
In general, research involving human subjects does not directly benefit the subject. Some health research can even pose potential harm to the subject physically and emotionally. Health research, however, can offer many societal benefits. To justify placing individuals at risk for the greater good, therefore, requires that research be conducted with respect for the rights and welfare of the individual subjects. Whether research involves collecting information or samples from individuals or getting access to medical records and databases, respect for the individual requires that researchers strive to protect the privacy of their research subjects by obtaining voluntary informed consent and ensuring that data are safeguarded against unauthorized access.
A 1993 survey conducted by Louis Harris & Associates found that 64 percent of the public wanted to be asked their permission before medical records are used for research.55 Furthermore, a 1996 Louis Harris & Associates survey found that only 18 percent of the public considers the use of patient records for medical research without prior permission to be very acceptable. The public's comfort level increased if the information released did not identify individual patients, but one-third found it not at all acceptable for researchers to use health information without patient consent, even if their identities were kept confidential.56 The public is right to be apprehensive about invasions of privacy and lack of protections for their personal health data. While there are few widely publicized cases of violations of privacy and confidentiality in the research environment, in a recent GAO report, investigators noted that 'during a research presentation at a national meeting, notes on a patient suffering from extreme depression and suicidal impulses stemming from a history of childhood sexual abuse were distributed. The notes included the patient's identity, medical history, mental status and diagnosis, as well as extensive intimate details about the patient's experience.'57 Because the study did not receive federal funding, there was no legal recourse for the research subjects. In a separate investigation, the former OPRR found that a university inadvertently released the names of study participants testing positive for HIV to parties outside the research project, including a local television station.58
Such breaches of confidentiality raise concerns not only about individuals being exposed or embarrassed, but also concerns that access to personal health data would allow others to use the information against the individuals to deny insurance, employment, and housing or to expose them to unwanted judgments and scrutiny. According to a California HealthCare Foundation survey, one in five U.S. adults believes that a health care provider, insurance plan, government agency, or employer has improperly disclosed personal medical information. Half of these people say it resulted in personal embarrassment or harm.59 Today, people engage in a variety of 'privacy-protective' behaviors to protect themselves from what they consider harmful and intrusive uses of their health information. Privacy-protective behavior includes paying out of pocket for health care, seeing multiple providers, providing inaccurate or incomplete information, or avoiding care altogether. One in six adults in the United States engage in some form of privacy-protective behavior when seeking, receiving, or paying for health care.60 Engaging in such behavior not only puts the patient at risk, but affects the accuracy and integrity of health data for downstream users, such as individuals engaged in public health initiatives and health services research.61 Lack of privacy protections erodes public confidence and trust in the health care and research community, potentially resulting in the reluctance and unwillingness of individuals to participate in important research.
While there is not yet any comprehensive federal legislation that protects the confidentiality of health information, there is a patchwork of federal and state legislation, constitutional law, case law, and rules of civil procedure that provide limited protection. These laws address specific aspects of patient privacy and confidentiality of personal health data:
Some of the laws provide substantial protections for the confidentiality of sensitive medical information, such as drug and alcohol abuse data, but without a comprehensive federal law protecting the confidentiality of all health information, most health information will continue to be subject to inconsistent legal standards and requirements.62
Currently, most research that receives federal funding is subject to the Common Rule. The Common Rule requires research institutions and federal agencies conducting research with human subjects, which includes the use of 'identifiable private information,' to establish IRBs to review research proposals. The role of the IRB is to determine if the rights and welfare of the subjects will be safeguarded. While IRBs can help to ensure that a study's procedures observe sound research design and that there is adequate informed consent, they do not directly observe the research study or the process in which consent is obtained. IRBs periodically review previously approved research to determine whether the study should be allowed to continue.
IRBs review the risks and benefits of the research and also make sure that adequate plans are made by the researcher to protect the privacy of subjects and maintain the confidentiality of the data. Among the criteria for IRB approval of research are requirements that
There is no further guidance in the Common Rule, however, for evaluating privacy and confidentiality issues when reviewing a research protocol.
Although most federally funded health research involving human subjects generally requires IRB review, there are exceptions to full IRB review and consent requirements. Records-based research, for example, is often subject to an expedited review process.63 Under the Common Rule, research activities that involve only minimal risk or 'research involving materials that have been collected, or will be collected solely for nonresearch purposes' may be eligible for expedited review, which is carried out by the IRB chair or one or more of the IRB members.64 The IRB member or members conducting expedited review must follow the same standard of review; however, the protocol may lack the evaluation that a full board review can offer. The level and adequacy of IRB review depend on the expertise and capabilities of the IRB members.
In particular, it appears that records-based research that does not involve any direct contact with patients may be reviewed differently by IRBs. According to Elizabeth Andrews at Glaxo Wellcome, 'a fairly small proportion of research that is currently being reviewed by IRBs is [research for which there is no medical risk to the patient and relies purely on existing medical records] so IRBs typically have less experience reviewing this kind of research.'65 The typical procedure is to automatically assume that research using existing records is 'minimal risk' and allow the study to undergo expedited review.66 Furthermore, the current regulations were largely written for interventional research studies, such as clinical trials, so there is less guidance for research that uses personally identifiable data without physically involving the individual in the research.67
Under the Common Rule, some research may be exempt from IRB review. The Common Rule lists many kinds of research that are not subject to IRB review, such as research that only involves 'the collection or study of existing data, documents, records, pathological specimens, or diagnostic specimens, if these sources are publicly available or if the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects.'68 However, what is 'identifiable' or 'nonidentifiable' is subject to interpretation. IRBs may find projects eligible for exemption because of how they interpret the definition of nonidentifiable data, so they may come to different conclusions regarding subject consent for the same kinds of research. Not everyone grasps the distinction between identifiable and nonidentifiable data, so exemptions may be misapplied.
According to Daniel Nelson, director of Human Research Studies at the University of North Carolina-Chapel Hill, some investigators and IRBs consider data stripped of the common identifiers, such as name, address, and Social Security number, as nonidentifiable and therefore not subject to IRB review.69 Professor Latanya Sweeney has often shown in her published work and presentations how difficult it is to produce nonidentifiable data in today's society. As she puts it, 'anonymity is in the eye of the beholder.'70 Data that appear anonymous can be linked or matched to other databases (public or private) to re-identify individuals; a person can also look at unique characteristics in the fields and records of the database to identify individuals.71
DHHS-proposed health privacy regulations do not cover information that has been de-identified. To be considered de-identified under the proposed regulations, a covered entity must remove, code, or encrypt specified identifiers outlined in the proposed regulation and have no reason to believe that the information can be used by recipients to identify an individual. Some of the identifiers may be retained if the covered entity has appropriate statistical experience and expertise and determines that the probability of identifying the individuals with these identifiers is very low. The new definition of de-identified information may help researchers and IRBs better distinguish between identifiable and nonidentifiable information; however, some comments from the public on the proposed definition indicate that further clarification and guidance will be needed to ensure proper compliance with the regulations.
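The point that records stripped of name and Social Security number can still be singled out by 'unique characteristics in the fields' can be checked before a data set is released. The following is an added example, not part of the original paper or of any regulation: it counts how many records remain unique on a set of remaining fields, then coarsens those fields and suppresses outliers. The field names, the choice of ZIP code, birth date, and sex as the fields to test, the threshold of 2, and all records are constructed assumptions.

```python
"""Pre-release check: how many records stay unique once direct identifiers are gone?"""
from collections import Counter

# Constructed sample records (not real people).
RECORDS = [
    {"name": "Patient 1", "ssn": "000-00-0001", "zip": "20057", "birth_date": "1961-03-14", "sex": "F", "diagnosis": "asthma"},
    {"name": "Patient 2", "ssn": "000-00-0002", "zip": "20052", "birth_date": "1961-11-02", "sex": "F", "diagnosis": "diabetes"},
    {"name": "Patient 3", "ssn": "000-00-0003", "zip": "20057", "birth_date": "1974-07-30", "sex": "M", "diagnosis": "depression"},
    {"name": "Patient 4", "ssn": "000-00-0004", "zip": "20016", "birth_date": "1974-01-09", "sex": "M", "diagnosis": "asthma"},
    {"name": "Patient 5", "ssn": "000-00-0005", "zip": "20057", "birth_date": "1961-03-14", "sex": "F", "diagnosis": "hypertension"},
    {"name": "Patient 6", "ssn": "000-00-0006", "zip": "20007", "birth_date": "1974-05-21", "sex": "M", "diagnosis": "diabetes"},
    {"name": "Patient 7", "ssn": "000-00-0007", "zip": "20910", "birth_date": "1938-12-25", "sex": "M", "diagnosis": "HIV"},
    {"name": "Patient 8", "ssn": "000-00-0008", "zip": "20037", "birth_date": "1961-06-18", "sex": "F", "diagnosis": "asthma"},
]

# Assumption: the "common identifiers" an investigator strips first.
DIRECT_IDENTIFIERS = ("name", "ssn")
# Assumption: fields left behind that may also exist in other databases.
QUASI_IDENTIFIERS = ("zip", "birth_date", "sex")


def strip_direct(records):
    """Drop the direct identifiers and keep every other field unchanged."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
            for r in records]


def generalize(record):
    """Coarsen the tested fields: 3-digit ZIP prefix and year of birth only."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_date"] = record["birth_date"][:4]
    return out


def class_sizes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each combination of the tested fields."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def audit(records, keys=QUASI_IDENTIFIERS):
    """Report the smallest group size (k) and the number of one-of-a-kind records."""
    sizes = class_sizes(records, keys)
    if not sizes:
        return {"records": 0, "k": 0, "unique": 0}
    unique = sum(1 for n in sizes.values() if n == 1)
    return {"records": len(records), "k": min(sizes.values()), "unique": unique}


def suppress_small_classes(records, k_min, keys=QUASI_IDENTIFIERS):
    """Withhold records whose combination is shared by fewer than k_min records."""
    sizes = class_sizes(records, keys)
    return [r for r in records if sizes[tuple(r[k] for k in keys)] >= k_min]


if __name__ == "__main__":
    stripped = strip_direct(RECORDS)
    coarse = [generalize(r) for r in stripped]
    kept = suppress_small_classes(coarse, k_min=2)
    print("identifiers stripped:  ", audit(stripped))
    print("fields generalized:    ", audit(coarse))
    print("small groups withheld: ", audit(kept))
```

In this constructed table, six of eight records are still one of a kind after the direct identifiers are removed, and one outlier stays unique even after generalization until it is withheld.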
The National Bioethics Advisory Commission (NBAC) report on human biological materials also provides a breakdown of unidentified, unlinked, coded, and identified samples, which may be helpful to IRBs considering these terms in research protocols.72
For human subjects research not exempt from review, informed consent of the research participants is required, unless an IRB waives the informed consent requirements, including the requirement to inform participants of the extent to which their information will be kept confidential. If an IRB finds that the research is not likely to cause harm to the subjects and the research could not otherwise be carried out without waiving consent, the IRB may waive consent.73 For example, an IRB may decide to waive informed consent for a project involving access to the medical records of 10,000 patients because it may consider the researcher's access to these records minimal risk. Furthermore, the IRB may find that such research could not practicably be conducted if consent were required from all 10,000 patients. Consent waivers, however, raise concerns about adequate considerations for privacy and confidentiality.
Congress recognized the importance of medical privacy when it passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA).74 In response to growing public pressure for a comprehensive federal health privacy law, Congress imposed a deadline on itself in HIPAA to enact a privacy law by August 21, 1999. Congress' failure to meet that deadline triggered a requirement in HIPAA for the Secretary of DHHS to issue final health privacy regulations. The Secretary published proposed regulations on November 3, 1999, and the public comment period closed on February 17, 2000. The final regulations are expected by fall 2000, with a 24-month implementation period to follow before the law takes effect.
The proposed regulation would directly cover only three entities: health care providers who transmit claims in electronic format; health insurers; and health care clearinghouses. As such, the regulation does not directly cover most researchers. Only researchers who provide care are considered providers and are thus subject to the regulations. The regulation will, however, have a large impact on researchers because it establishes rules for when a covered entity may disclose 'protected health information'75 to researchers without the informed consent of the subject of the information. The regulation outlines specific criteria that must be met to disclose 'protected health information' to a researcher without informed consent:
Common Rule provisions for the waiver of informed consent:
New criteria required by the proposed federal health privacy regulations:
If a researcher is also providing health care to the subjects of the research and processes claims electronically, then the researcher is considered a provider and must abide by additional rules outlined in the proposed regulations. These include:
Research data that are unrelated to treatment may not be disclosed without specific voluntary patient authorization for purposes of treatment, payment, or health care operations. The proposed regulations, however, do not cover all researchers. For example, the regulation does not address use and disclosure of health data generated by researchers, if they are not based within a covered entity and do not provide health care.
In effect, the proposed regulations would change research requirements in two significant ways: 1) extend application of the Common Rule provisions for waiver of informed consent by requiring all research involving individually identifiable electronic health information regardless of the source of funding to undergo some form of review (IRB or privacy board) and 2) add additional criteria for review of such research.
It should be emphasized that the regulation will not apply to all researchers or all research. The proposed regulations do not cover researchers who generate their own data or who receive data from any entity not covered by the regulation. Much research conducted by pharmaceutical companies, for example, will not be covered by the regulations.
In 1974, concern about computerized data systems led to the passage of the Privacy Act,77 which covers all personally identifiable data held by the federal government. The Privacy Act limits the ability of federal agencies to disclose personally identifiable data. It also provides people the right to access and amend their records. The act, however, only applies to federal government agencies and their contractors. While it may prevent most nonconsensual access to government-held health records by insurers or the general public, the records are accessible to researchers and other federal and state agencies. The 'routine use' exception in the act gives broad discretion to disclose information when compatible with the purpose for which the information was obtained. Over time, the volume of routine use exceptions has increased and government officials have interpreted the exception to allow disclosure that is compatible with any original purpose for which records were collected.78 For example, government officials have interpreted the routine use exemption to allow the computerized matching of separate agency records, even though a literal reading of the act does not appear to permit matching.79 On May 14, 1998, President Clinton issued a memorandum directing each federal agency to review its information practices to ensure compliance with the Privacy Act.80 As a result of this memorandum, in January 1999, the Office of Management and Budget (OMB) issued guidance stating that agencies can protect privacy by limiting the amount of data they maintain about individuals and ensuring that such data are relevant and necessary to accomplish an agency purpose, which would include research purposes. The OMB instructs the agencies to
At the federal level, there are strict laws limiting access to data about individuals with certain sensitive conditions. However, these laws apply only to specific types of data collected and maintained by particular entities.
The Alcohol, Drug Abuse, and Mental Health Administration Reorganization Act amended the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act of 1970 to make records of the identity, diagnosis, prognosis, or treatment of substance abuse patients confidential and require express authorization for disclosure.81 The Controlled Substances Act allows the Attorney General to authorize persons engaged in drug abuse research to withhold the names and other identifying characteristics of research subjects. Researchers with this authorization cannot be compelled in any federal, state, or local civil, criminal, administrative, legislative, or other proceeding to identify the research subjects for which the authorization was obtained.82 The Public Health Service Act also prohibits personally identifiable information from research, demonstration projects, and evaluation conducted or supported by the Agency for Health Care Policy and Research (now known as the Agency for Healthcare Research and Quality) from use, publication, or release for any purpose other than the purpose for which it was supplied.83 Under the Public Health Service Act § 301(d), the Secretary of DHHS may authorize persons engaged in biomedical, behavioral, clinical, or other research to protect the privacy of research subjects by withholding the subjects' names or other identifying characteristics from persons not connected with the research in any federal, state, or local civil, criminal, administrative, legislative, or other proceedings.
Persons so authorized would receive a Certificate of Confidentiality.84 Individually identifiable information obtained in the course of activities supported or undertaken by the Agency for Healthcare Research and Quality or the National Center for Health Statistics (NCHS), Centers for Disease Control and Prevention (CDC), cannot be used for any purpose other than the purpose for which it was obtained, unless the establishment or person providing the information gives consent for its use. Furthermore, individually identifiable information obtained in the course of health statistical or epidemiological activities may not be published or released if the person or establishment providing the information has not given consent.85 Data collected by NCHS may be used only for the purpose of health statistical reporting and analysis. The Director of CDC can issue an Assurance of Confidentiality, which protects both individuals and institutions from court-ordered release of identifiable information. 
This assurance is used for studies conducted by CDC staff and/or contractors.86 In addition, under the Justice System Improvement provisions, no officer or employee of the federal government or any recipient of assistance under Title 42, which covers various public health and welfare programs such as the Public Health Service, Family Violence Prevention Services, Civil Rights, and the National Space Program, can use or reveal individually identifiable research or statistical information provided by any person under title 42 for any purpose other than the purpose for which the information was obtained.87 The Department of Education (DOE) also offers additional safeguards for children under the Protection of Pupil Rights Amendment.88 No student will be required to submit to a DOE-funded survey, analysis, or evaluation that reveals information concerning the student's attitudes, beliefs, or habits in seven areas, including mental and psychological problems potentially embarrassing to the student or family, sexual behavior and attitudes, and legally recognized privileged or analogous relationships, such as those with lawyers, physicians, and ministers, without the prior consent of the student (if the student is an adult or emancipated minor) or the parent.
While the above-mentioned laws attempt to provide some protection for personally identifiable health data, a recent provision in OMB's appropriation for FY1999 provides public access under some circumstances to research data through the Freedom of Information Act (FOIA). The provision directed OMB to amend its Circular A-110 to require 'federal awarding agencies to ensure that all data produced under an award be made available to the public through the procedures established under FOIA.'89 Circular A-110 applies only to grants, not to contracts, and to data produced with federal support that are cited publicly and officially by a federal agency in support of an action that has the force and effect of law. It covers data collected by institutions of higher education, hospitals, and nonprofit institutions receiving grants from federal agencies, but not data collected by commercial organizations or most data collected by state and local governments.90 The new law was widely criticized by the scientific community, and OMB tried to narrow the scope of the law by applying it only to published research and to research that is used as a basis for making federal policy or rules. OMB has defined research data as 'the recorded factual material commonly accepted in the scientific community as necessary to validate research findings,' but the research community still has concerns about what data would fall under this definition.
Finally, under the Financial Services Modernization Act (more commonly referred to as Gramm-Leach-Bliley),91 banks can share with their affiliates (which include insurers and others) a consumer's personal data, including health data, without the consumer's knowledge or consent. For example, if a researcher pays a subject with a check and the check has information on it that is suggestive of the subject's health status or participation in a study, the bank that cashes that check could presumably pass the information along to its affiliates. The law also allows the sharing of this information with others not affiliated with the bank if the bank or insurer gives the consumer notice that it intends to share the information and the opportunity to opt out of the disclosure.
In cases where insurance companies may cover treatment administered in the course of a clinical trial, the health insurer would be covered by the HIPAA regulations governing individually identifiable health information. While Gramm-Leach-Bliley itself is silent on whether or not it supersedes or limits the provisions of HIPAA, the regulations promulgated by the Department of the Treasury (Office of the Comptroller of the Currency and Office of Thrift Supervision),92 Federal Reserve System,93 Federal Trade Commission,94 Federal Deposit Insurance Corporation,95 Securities and Exchange Commission,96 and the National Credit Union Administration97 specifically state in their final regulations on the Privacy of Consumer Financial Information that they do not modify, limit, or supersede the HIPAA standards.
Information privacy is not constitutionally protected as a fundamental right. While there is some judicial protection of privacy interests, application of federal or state law is often limited to specific factual situations. Most federal and state courts have recognized a right to informational privacy; however, the scope of privacy protection varies. Furthermore, courts often balance an individual's privacy interest against the compelling interests of the state or other individuals, and few cases, if any, adequately explain how such interests should be weighted.98 The lack of uniform protection through the judicial system leaves individuals vulnerable to potential intrusions on their privacy.
In Griswold v. Connecticut, the Supreme Court found that the First, Third, Fourth, Fifth, and Ninth Amendments 'have penumbras, formed by emanations from those guarantees that help give them life and substance' and create zones of privacy. While the Griswold Court limited the zones of privacy to the marriage relationship when it overturned state law that prohibited the use or dissemination of contraceptives, it did recognize that a constitutional interest in privacy exists.
Over a decade later, in Whalen v. Roe, the Supreme Court examined whether there was a right to privacy with regard to the collection, storage, and dissemination of information in government databanks. The Whalen Court upheld the requirement that names of individuals obtaining abusable prescription drugs be reported, but it observed that the 'right to collect and use such data for public purposes is typically accompanied by a concomitant statutory or regulatory duty to avoid unwarranted disclosures.' The Court found that the safeguards implemented by the New York Health Department had sufficiently shown 'a proper concern with, and protection of, the individual's interest in privacy.'
In United States v. Westinghouse Electric Corp., a Third Circuit court held that the invasion of privacy was justified when the director of the National Institute for Occupational Safety obtained a federal subpoena ordering an employer to disclose information from employee medical records. The court established a five-part test for determining whether the government's 'right to know' justifies invasions of privacy. The test requires a balancing of the following factors:
In civil and criminal cases and when the government conducts an investigation, the courts have the authority to compel disclosure of relevant information, including scientific data and health information, by judicial subpoenas. In addition to Griswold and Whalen, the Federal Rules of Civil Procedure provide some level of protection against subpoenas or other court orders in federal courts. Section 26(a) of the Federal Rules limits discovery, but, generally, if a court finds that certain information is relevant to the requesting party's case, it will order disclosure of that information. If the information is of questionable importance or relevance, the court will examine the requesting party's need for the information before granting or denying a motion to quash the subpoena. For example, in one case, a plaintiff put her medical condition at issue by seeking damages for pain and suffering, so her gynecological records were held relevant to possible alternative causes of her medical problems and her claim of emotional distress.100 In a suit against Procter & Gamble to recover damages for toxic shock syndrome allegedly caused by a tampon manufactured by P & G, Farnsworth v. Procter & Gamble Co.,101 the court of appeals held that the CDC's interests in keeping confidential the names and addresses of its participants in research on toxic shock syndrome outweighed the discovery interests of Procter & Gamble. The Farnsworth court emphasized the compelling social interest in promoting research and the potential harm to the CDC's public health mission if the information were released.
Even when research data are discoverable, Rule 45(c)(3)(B) of the Federal Rules of Civil Procedure allows the court to quash or modify a subpoena, if the subpoena 1) requires disclosure of a trade secret or other confidential research, development, or commercial information102 or 2) requires disclosure of a) an unrelated expert's opinion or information that does not describe specific events or occurrences in dispute and b) information from an expert's study which was not made at the request of any party to the lawsuit.103 For example, in Bluitt v. R.J. Reynolds Tobacco Co., the court upheld a U.S. Magistrate Judge's order to quash a subpoena, based on Rule 45(c)(3)(B), for data and supporting documentation from the Louisiana State University Medical Center for research involving environmental tobacco smoke and cancer in women.104
Health researchers, federally and privately funded, can also apply for Certificates of Confidentiality, so they 'may not be compelled in any federal, state, or local civil, criminal, administrative, legislative, or other proceeding to identify [subjects of research].'105 Certificates of Confidentiality were originally enacted in 1970 as part of the 'War on Drugs' to allow studies of drug addiction and abuse. Because potential research subjects were involved in illegal activity, they needed to be assured that the information they shared with researchers would remain completely confidential. Of particular concern was disclosure to law enforcement. In 1988, biomedical or behavioral research information that an investigator deems to be 'sensitive' was incorporated into the Public Health Service Act.
The Public Health Service has the authority to issue Certificates of Confidentiality to researchers to protect the identities of the research participants; however, the research must be of a 'sensitive nature where the protection is judged necessary to achieve the research objective.'106 The Certificates legally free the researcher from obligations to comply with a subpoena, court order, or mandatory reporting, but the researcher can still voluntarily disclose the information to other interested parties. The Certificate allows the holder to use it to resist compulsory disclosure. No court decisions challenging Certificates of Confidentiality have been found.
It is important to recognize that the protections of the Certificate of Confidentiality are exclusively for identifiable research data and do not extend to clinical information or medical records. In addition, according to Olga Boikess from the National Institute of Mental Health at NIH, the Certificates are issued sparingly and are only intended to provide additional confidentiality protections.
Certificates are issued on a project by project basis, and they are administered out of multiple agencies. Therefore, there may be inconsistent administrative guidance. According to Moira A. Keane, Director of the Research Subjects' Protection Program IRB/IACUC at the University of Minnesota Health Center, it also can be very time-consuming, taking several months to get a Certificate of Confidentiality.107 Furthermore, even in cases where IRBs find a protocol that seems to fit all the requirements for a Certificate, applications for Certificates have been denied. For example, the IRB at UNC asked some researchers to apply for a Certificate of Confidentiality for a project on illegal activity, HIV, and drug use, but the application was rejected.108 Authorizations of confidentiality are also available for research requiring an Investigational New Drug exemption under section 505(i) of the Federal Food, Drug, and Cosmetic Act109 or to approved new drugs that require long-term studies, records, and reports. For research directly related to law enforcement activities concerning drugs or other substances that may be subject to control under the Controlled Substances Act, the Attorney General has the authority to issue grants of confidentiality.110
For privately funded research that does not involve approval of an FDA-regulated product, the researcher need only comply with state law. There is little uniformity in how state statutes regulate researcher access to people's health information. Virtually every state has some law aimed at the confidentiality of patient health information in the health care environment, but very few states have anything approaching a comprehensive health privacy law, and so the requirements for researchers are scattered or nonexistent.111 Most state health privacy laws were never intended to be comprehensive.112 They were enacted at different points in time, over many years, to address a wide variety of uses and public health concerns. The statutes are generally entity specific or condition specific because they are often crafted to speak to the unique needs of the patient population and the information needs of particular entities in the state. Many states, for example, have privacy laws governing hospitals and clinics, but not health plans and HMOs. Finally, many of the heightened privacy protections at the state level also were enacted hand-in-hand with mandatory reporting laws.113 Many states require patient authorization prior to disclosure. Researcher access, however, is almost always built in as an exception to these statutes. The vast majority of laws, therefore, allow researchers broad access to patient records. Minnesota, however, is an exception. For records generated after January 1, 1997, the health care provider must first advise the patient in writing that his records may be released to researchers. If the patient objects, the records may not be released, but they still may be used by researchers within the entity holding the data.114 Some states place restrictions on researcher access by requiring IRB approval, patient authorization, or justification of the need for the individually identifiable information.
There also may be specific requirements for information such as HIV/AIDS or genetic information. While researchers are generally given broad access to patient data, some states place limits on researchers once they obtain the data. For example, in Michigan, information, records of interviews, written reports, or records that came into the possession of the department of health through a medical research project may not be admissible as evidence in a legal proceeding against an individual.115 In South Dakota, information may be released for the purpose of research into the causes and treatment of alcohol and drug abuse, but the researchers are prohibited from publishing the data in such a manner that identifies individuals.116 Researcher access to patient data held by state government entities is also often subject to different rules.117 (For a more comprehensive review of the role of states in the oversight of human subjects research, see, in this volume, the commissioned paper by Jack Schwartz from the Office of the Maryland Attorney General entitled Oversight of Human Subjects Research: The Role of the States.)
Historically, privacy and confidentiality in research received little attention until the early twentieth century. The first set of principles for protection of human subjects was codified in 1946 as part of the verdict of the Nuremberg War Crime Trials after World War II. In 1964, the World Medical Association adopted the Declaration of Helsinki, which includes among its principles the following: 'Every precaution should be taken to respect the privacy of the subject' and 'Concern for the interests of the subject must prevail over the interests of science and society.' More recently, the European Union (EU) passed a Data Protection Directive that took effect in October 1998.118 The World Medical Association also announced that it will draft international guidelines on the use of centralized health databases to address issues of informed consent, privacy, confidentiality, individual access, and accountability.119 The EU Directive protects the privacy rights of its citizens, setting conditions on the international transfer of personal information from the EU to nonmember countries, such as the United States. The Directive prohibits the transfer of data to any country that fails to ensure an 'adequate' level of protection. Such a prohibition can potentially impede the flow of personal health data from the EU to the United States, since the United States lacks a comprehensive health privacy law or nationally enforceable regulations or policies.
In an attempt to avoid punitive measures, the United States has been negotiating a safe harbor agreement with the EU this past year, which would make U.S. businesses responsible for safeguarding the confidentiality of personal data they collect or receive about European consumers. EU members have approved the U.S. proposal in principle; however, the European Parliament rejected the proposal on July 5, 2000, saying 'key provisions needed to be renegotiated to strengthen data privacy and protection rights.'120 Nevertheless, the Internal Market Commissioner, Frits Bolkestein, is expected to recommend that the European Commission approve the agreement, a recommendation that likely will be accepted by the Commission.121
There are an estimated 3,000 to 5,000 IRBs in the United States associated with a hospital, university, or other research organization. IRBs also exist in managed care organizations, government agencies, and as independent entities that review protocols for a fee. There is no accurate count, since IRBs are not required to register with any entity. Each of the 17 federal Common Rule agencies has independent responsibility for oversight of IRBs reviewing the research that it supports.122 Some researchers or research facilities conducting research that falls outside the scope of the Common Rule or FDA regulations use external research ethics or advisory boards. There are no data on the number of such review boards in the United States. At a July 1999 House Commerce Committee hearing, Greg Koski, the recently appointed director of the Office for Human Research Protections (OHRP), stated that only about 1,200 of the 5,000 or so IRBs that currently review research in the United States come under the Common Rule.123
Within DHHS, until recently, OPRR oversaw implementation of the Common Rule in all DHHS facilities and any institutions or sites receiving DHHS funds to conduct research involving human subjects. OPRR required these facilities and institutions to submit an 'assurance' of compliance, a policy statement that sets forth the procedures they will use to protect human subjects. The assurance is a formal commitment to implement 1) widely held ethical principles; 2) 45 CFR 46 (the Common Rule and additional protections pertaining to research involving children, prisoners, fetuses, pregnant women, and human in vitro fertilization); and 3) institutional procedures adequate to safeguard the rights and welfare of human subjects. If a problem arises, OPRR uses the assurance to gauge an institution's compliance with human subject protections.124 The former OPRR investigated allegations of noncompliance and had the authority to restrict an institution's authority to conduct DHHS-funded human subjects research if there were a breach of confidentiality. OPRR handled most inquiries and investigations by telephone and correspondence. OPRR sometimes restricts further research until the researcher takes corrective action. For example, in one investigation, OPRR found that a university inadvertently released the names of study participants testing positive for HIV to parties outside the research project, including a local television station.125 The OPRR worked with the university to evaluate the extent of the breach of confidentiality. The university revised its internal systems to prevent a similar violation from occurring in the future.
In June 2000, the new Office for Human Research Protections in DHHS officially replaced OPRR. In 1999, the Advisory Committee to the Director of NIH had recommended that the role of OPRR be expanded and that the office be elevated in stature and effectiveness. There was growing recognition of the need for enhanced federal oversight of human clinical studies. As such, OHRP was established in the Office of the Secretary at DHHS with the responsibility for ensuring the safety and welfare of research participants in DHHS-sponsored research. An independent National Human Research Protection Advisory Committee has also been established to provide scientific and ethical guidance to OHRP in its oversight role.
In its regulatory role, OHRP monitors and evaluates an institution's compliance with the rules governing human subjects research. OHRP has the authority to investigate complaints and require corrective action or suspend research at an institution until the problem is resolved. For example, OHRP recently shut down all government-funded human medical experiments at the University of Oklahoma Health Sciences Center in Tulsa because the researchers broke multiple rules designed to protect subjects and then tried to cover up their lapses by withholding information from the university's IRB and subjects.126 In its educational role, OHRP provides guidance to IRBs, scientists, and research administrators on ethical issues related to medical or behavioral research involving human subjects. The office conducts national educational workshops and on-site technical assistance to institutions conducting DHHS-sponsored research.127 The former OPRR Institutional Review Board Guidebook provides some guidance for addressing privacy and confidentiality. The guidebook provides points IRBs should consider in reviewing research protocols.128 The OPRR does note, however, that even in research in which there are privacy concerns, these concerns may not come to the attention of an IRB. For example, under the federal regulations, IRBs do not have to review proposed research involving observation unless someone, such as the investigator or department head, determines that it falls in the category of research requiring IRB review.
The FDA also monitors and enforces human subject protections. The agency requires a promise from researchers that they will abide by FDA requirements for conducting drug, medical devices, and biologics research and conducts on-site inspections of IRBs that oversee such research. If there are serious violations, FDA may terminate the IRB's authority to approve new studies or recruit new participants for ongoing studies until FDA is assured of corrective action. Both OHRP and FDA have oversight responsibilities for research involving an FDA-regulated product supported by DHHS.
However, a review of FDA's inspection process for clinical investigators conducted by the DHHS Office of Inspector General shows that FDA's main focus is procedural compliance with FDA regulations affecting IRBs rather than the content of IRB reviews. Furthermore, while its objectives for inspections are 'ensuring the quality and integrity of data and information submitted to FDA as well as the protection of human research subjects,' the FDA has focused mainly on ensuring the integrity of the data submitted to the agency.129 The FDA monitors human subjects protection by conducting on-site inspections of the IRBs that oversee drug research. Its inspections have demonstrated that compliance with federal oversight rules is uneven. To enforce its regulations, the FDA uses four types of actions:
At the institution level, the institutions conducting or supporting the research are responsible for ensuring that the Common Rule requirements are met and for addressing violations of privacy and confidentiality. The IRBs and investigators are responsible for implementation of and compliance with the Common Rule. The IRB assists researchers in identifying possible threats to privacy and confidentiality. According to the 1999 GAO report on medical records privacy, IRBs rely on their organization's policies for determining the appropriate actions for protecting the confidentiality of personally identifiable health data used in the projects at the organization. However, according to Moira Keane at the University of Minnesota Health Center, while IRB members have an appreciation of the need for privacy and confidentiality, unless members themselves are actively involved in research, the level of expertise of IRBs to adequately identify and address privacy and confidentiality varies.131 In addition, IRB and institutional oversight is generally limited to review of progress reports, such as a review of outcomes, implementation of research design, and adverse physical effects. The IRB does not audit the researchers to ensure compliance. A GAO report found that 'while reasonable safeguards may be in place in these companies [organizations surveyed by GAO], external oversight of their research is limited, and even in those cases where IRBs are involved, they are not required to give substantial attention to privacy protection.'132 Even where there is subsequent and periodic review of the research approved by the IRB, privacy and confidentiality issues may be ignored once a project has been approved. 
The frequency of review may also depend on the level of risk the study poses to the subjects, but the focus is on physical or psychological risk, not threats to privacy and confidentiality.133 There is an expectation that the investigators will put in place the necessary privacy and confidentiality protections as specified in their research protocol. The principal investigators are ultimately responsible for ensuring that adequate safeguards are in place to protect privacy and confidentiality. As such, they may not follow all of the IRB's instructions. For example, researchers may retain identifying fields as a matter of convenience or when there is no need for that information, even after an IRB has informed the researchers that retaining the identifiers may pose a confidentiality threat that can easily be eliminated without jeopardizing the study.134
For research not subject to the Common Rule or FDA regulations, there are few data about criteria for addressing privacy and confidentiality. Some organizations choose only to apply the federal rules when they are required. They may also rely on their collaborating universities or institutions for informed consent procedures and IRB review.
HCFA imposes additional requirements on researchers who are not funded by a DHHS agency and want access to HCFA databases. The agency conducts a review to determine whether disclosure would be permitted under the Privacy Act and determines if the purpose of the research
However, HCFA does not routinely monitor these researchers to prevent unauthorized disclosures or uses and to provide corrective action for violations of the agreement.135 The agency does not have a system for monitoring whether organizations outside of HCFA have established safeguards for personal health information received from the agency. Instead, HCFA relies on each organization to monitor its own compliance with the data use agreements.
A February 1999 GAO report shows that most of the organizations the agency surveyed have steps to limit access to personal health data, such as security safeguards to limit internal and external access to paper records and electronic databases.136 The agency, however, found that 2 of the 12 organizations contacted lacked written confidentiality policies restricting employee use and access to health information.137 Furthermore, while there may be some sanctions in place, there is little information on how violations are addressed. In addition, there are no guarantees that the institution's own penalties will be imposed for violations of privacy or confidentiality. Without remedies or sanctions, the current framework of enforcement will be lacking.
Once the federal health privacy regulations are finalized, penalties may be imposed on researchers who are also health care providers and transmit or maintain health information in electronic form, if they wrongfully obtain or disclose individually identifiable health information. Penalties include fines and/or imprisonment. There are also penalties for noncompliance with the regulations. However, there is no individual right to sue, so if an individual finds that his or her rights under HIPAA have been violated, all he or she can do is file a complaint with DHHS.
There has been recent and growing concern about the adequacy of the current system of IRB review and oversight, particularly as it relates to the confidentiality of personal health information. A report commissioned by DHHS Secretary Donna E. Shalala concluded, 'It is less clear that IRBs have been attending as vigorously to privacy risks as they have to physical and emotional risks.'138 Recent studies conducted by the Office of the Inspector General at DHHS and NIH have found that IRBs review too many studies too quickly and with insufficient expertise.139 There is little training for researchers and IRB members and minimal oversight of approved studies.140 The level of expertise across IRBs varies. For example, according to the DHHS Inspector General report, in June 2000, 25 percent of the IRB survey respondents did not even ask researchers to explain their recruitment practices in the application for review.141 Most studies on human subjects research and protection focus on specific topics, such as informed consent issues and injuries to subjects. There are smaller data gathering efforts, such as the GAO report on Medical Records Privacy142 and the IOM Workshop on data privacy in health services research,143 which provide a glimpse into the current system of review for research protocols.
Experts in the research community comment that the current IRB system works well with respect to most interventional protocols but not necessarily for observational research, that is, research involving only existing medical data. Among the weaknesses of the existing system:
There is also concern that the extension of the federal regulations to privately funded research under the proposed federal health privacy regulations will place further burdens on the IRB system.147
In 1995, NIH conducted an evaluation of the implementation of the human subjects protection program, surveying IRB members and chairs from institutions that operated with MPAs.148 The main conclusion of this study was that IRBs are providing an adequate level of protection at a reasonable cost. However, there were only limited references to privacy and confidentiality issues. The emphasis of the survey was on broader issues of IRB workload, IRB personnel and policy practices, and the adequacy of protections for the rights and welfare of research subjects.
Little is known about IRB practices and how IRBs function, particularly in health services research, which is largely research using databases of health information. The IOM convened a committee to gather information on the current practices and principles followed by IRBs to safeguard confidentiality of identifiable health data used for federally and privately supported health services research purposes. On August 14, 2000, the IOM released its recommendations regarding best practices for IRB review of health services research subject to federal regulations and IRB or other review board review of research outside the scope of federal regulations. Highlights of the IOM recommendations include the following:
In 1999 a GAO report on medical records privacy identified research that is and is not subject to federal oversight and examined how IRBs ensure the confidentiality of health data used in research. While the basis of its findings was limited to the information provided by federal agencies and organizations interviewed, the GAO concluded that external oversight of privately funded research is limited. Not all research is subject to outside review, and even when IRBs are involved, they are not required to give substantial attention to privacy protection.149 In addition, the agency found that 'privacy protection is not a major thrust of the Common Rule and IRBs tend to give it less attention than other research risks because they have the flexibility to decide when it is appropriate to focus on privacy protection issues for review.'150 There are even fewer data on the research review policies and practices regarding privacy and confidentiality in institutions conducting privately supported research. GAO found that some of the organizations the agency contacted conform to the FDA regulations because the organizations conduct both FDA regulated and privately funded research. Some organizations have adopted internal policies that require all studies that meet their definition of research to follow the Common Rule requirements. However, not all organizations necessarily define the same type of activity as research. Hence, application of the Common Rule varies within and across organizations.151 The GAO also found that in some organizations no research receives IRB review. One pharmacy benefits manager used external advisory boards rather than IRBs to review research proposals.152
Currently, there are only federal requirements for federally funded human subjects research or research involving an FDA-regulated product, leaving a significant amount of research outside the scope of federal regulation. NBAC itself has stated in its preliminary findings on the adequacy of federal protections for human subjects research that 'the absence of federal jurisdiction over much privately funded research means that the U.S. government cannot know how many Americans currently are subjects in experiments, cannot influence how they have been recruited, cannot ensure that research subjects know and understand the risks they are undertaking, and cannot ascertain whether they have been harmed.'153 At the same time, the public has demonstrated a concern about the lack of protections for their sensitive personal health data, withholding information or providing incomplete information to prevent intrusive uses of their information and to avoid discrimination, stigma, or embarrassment. Ultimately, such actions not only hurt individuals, but also compromise important research initiatives. Public trust in the research community is the key to ensuring continued access to personally identifiable health data for health research.
To ensure adequate protections for research participants' privacy and health data confidentiality and to improve implementation of existing federal requirements for human subjects research, we offer the following recommendations. We hope that NBAC will consider these recommendations in its review and evaluation of the current system of review for human subjects research.
Today, research is subject to any number of review procedures, or subject to no review at all, depending on a fairly arbitrary set of circumstances, such as funding or the site of the research. Even recent attempts to create greater uniformity have fallen short. For example, the intent of the HIPAA regulations is to establish uniform rules and process for research regarding privacy and confidentiality issues regardless of the source of funding. However, the proposed regulations would allow the creation of privacy boards, which would only address the confidentiality concerns of a research project. Much of privately funded research will continue to be less accountable if it is subject only to privacy board review. The benefits of the IRB system are not reflected in privacy boards. In the proposed regulations, privacy boards exist only to grant a waiver for patient authorization, whereas IRBs review every step of a research project. All health research involving human subjects should receive comprehensive review.
Establishing a truly uniform system of review would ensure oversight and accountability of all research. As Dr. Greg Koski, the recently appointed first director of OHRP, testified on July 15, 1999, before the Subcommittee on Health and Environment of the U.S. House Committee on Commerce, 'having a separate process that causes segregation in the whole process for review and approval of research would not only undermine the process that is there, it would tend to dilute the process for protection of human subjects.'154 The most effective way to achieve uniformity is to subject all research to IRB review. Critics of this suggestion have argued that subjecting more research to IRB review will overburden a system that is already beyond capacity. Those concerns, however, can and should be addressed separately. In fact, adequate reform of the system can only take place when there is a single uniform system.
Research projects should be held to the same standards to ensure equity, fairness, and accountability to bolster public trust and confidence in research.155 On June 8, 2000, Representative Diana DeGette introduced H.R. 4605, the Human Research Subject Protection Act of 2000, which would extend the Common Rule to human subjects participating in private sector research.
In the absence of a uniform review system, such as an IRB, all research should be held to the same standard. Therefore, private IRBs, internal review systems, or even newly created 'privacy boards' should all be following the same set of rules and standards. In particular, there should be uniformity in decisions about when and under what circumstances a waiver of informed consent can be granted.
The privacy and confidentiality standards established for federally funded research should be the standard for all research. As these standards are revised, they should be incorporated into the policies of the bodies reviewing research proposals.
Today, it is impossible to determine how many IRBs are in existence, so it is impossible to even accurately study IRBs, let alone ensure compliance with federal standards. Registration is a basic, easy step to allow for greater oversight of IRBs.
Registration could be coordinated through the OHRP or with an office in each of the federal departments that provides funding for health research. According to Daniel Nelson, Director of Human Research Studies at the University of North Carolina-Chapel Hill, there is currently a national effort to require certification and accreditation of all institutions conducting research.156
Several recent reports have identified problems in the current IRB system, which could impact an IRB's ability to address human subjects concerns, including privacy and confidentiality. Not only have these reports found that IRBs are understaffed and overburdened, but also there is little oversight once a project has received IRB approval. A DHHS Inspector General report found that continuing review has become a low priority at many IRBs.157 Review is largely paper based, and IRBs often rely on the investigators to provide timely and accurate reports.158 The system of review is generally based on trust and confidence that once a protocol is approved, the investigators will implement appropriate privacy and confidentiality safeguards as specified in the protocol.159 Furthermore, the focus of subsequent review tends to be physical and psychological harm to the subjects.160 Continued periodic review, which includes an examination of privacy and confidentiality issues, would better ensure that IRBs and researchers address unanticipated privacy and confidentiality issues that may arise during the course of a study.
To maintain public trust and encourage individuals to participate in research, recipients of personally identifiable health data should be bound by the same requirements and obligations as the original data holder to protect the privacy of the subjects and the confidentiality of the data.
DHHS Secretary Shalala announced on May 23, 2000, that DHHS will be undertaking an aggressive effort to improve education and training of clinical investigators, IRB members, and associated IRB and institutional staff on bioethics and human subjects research.161 However, there are other federal departments that engage in and sponsor health research, and they should also expand their educational efforts. Specifically, more education and training is required for researchers, IRBs, and institutions on 1) particular privacy and confidentiality issues arising from various types of health research and 2) the best policies and practices for safeguarding privacy and confidentiality. More training and education of investigators and IRBs will be required as new opportunities for and types of health research arise, especially with the mapping of the human genome.162 Expanding the scope of IRB-reviewed research will also require more resources to ensure that adequate review is conducted.
The OHRP at DHHS and other federal departments all need to play a greater role in providing guidance and support to IRBs and researchers as they confront issues of privacy and confidentiality in their research. A recommendation for uniform and objective rules and standards would be meaningless without adequate guidance for investigators, IRBs, and research institutions to effectively implement these rules. Specifically:
Today, there are few data on how IRBs function; how they currently identify and address privacy and confidentiality; and how research is reviewed (if at all) outside the IRB system. Furthermore, there is little information on how many IRBs exist and how many people are research subjects. A study on IRBs would provide data on the strengths and weaknesses of the current system with regard to the protection of privacy and confidentiality. A study can also help identify policies and best practices for safeguarding privacy and confidentiality that can be adopted by all IRBs and other review boards.
The IOM recently released a report with findings and recommendations, which include specific recommendations for ensuring health data privacy and confidentiality in health services research. Any entity collecting or receiving personal health data should do so under comprehensive policies.
Generally, there is broad agreement that the use of anonymous data in noninterventional research should not require informed consent of the subjects of the data. It is becoming increasingly difficult, however, to differentiate between identifiable and nonidentifiable (or anonymous) data. Data exist on a continuum of identifiability. The increasing amount of publicly available data means that seemingly anonymous data can now be used to identify individuals.
More guidance is needed for institutions, IRBs, and researchers to make determinations about whether data is truly anonymous. Such guidance should specifically comment on the amount, quality, and type of data that is publicly available. The guidance should also include commentary on the feasibility of using privacy-enhancing technologies in research, such as encryption.
One of the major issues in health research is distinguishing activities that will require IRB review from activities that do not fall under the definition of research for purposes of federal regulation. Guidance to researchers, IRBs, and research institutions is needed on what activities must undergo IRB review, especially when an activity begins as quality assurance but evolves into health research.163
New federal health privacy regulations are expected to be finalized by the fall of 2000. We have found that some IRBs and researchers are not aware of HIPAA and the impact that the new regulations will have on their research activities. Researchers, IRBs, and data holders will need guidance on implementation of the new rules and information about the possible penalties for noncompliance with the new regulations.
For rules and policies to be truly effective, strong and enforceable sanctions need to be established for violations of privacy and confidentiality, inside and outside an institution. HIPAA penalties are limited in application, since they would apply only to researchers who fit the definition of a covered entity, such as researchers who are also health care providers who transmit or maintain health information in an electronic format.