Confidentiality and Privacy of Lab Data: An IRB Perspective Automated Information Management in the Clinical Laboratory Ann Arbor, Michigan, May 24, 2002 Jules J. Berman, Ph.D., M.D. Program Director, Pathology Informatics, CDP/NCI/NIH


Confidentiality and Privacy of Lab Data:

An IRB Perspective

Automated Information Management in the Clinical Laboratory

Ann Arbor, Michigan, May 24, 2002

Jules J. Berman, Ph.D., M.D.

Program Director, Pathology Informatics, CDP/NCI/NIH


Disclaimer

I’m not a member of any Institutional Review Board.

I do not speak for any agency of the Federal Government.


My experience consists of helping grantees navigate the IRB process

and

Dealing with questions from research centers and private industry

and

Participating in seemingly endless discussions of HIPAA and Common Rule

and

Knowing how to correctly abbreviate HIPAA (not HIPPA)


What are the kinds of questions most often asked?

When do I need to get patient consent?

What constitutes a deidentified record (different definitions)?

How will HIPAA affect my research plans?

How may I use archived tissue blocks?

How may I use prospectively collected specimens?


Value to Society of Lab Data Research

It’s how you can reduce medical errors and improve patient care.

It’s how you can determine trends and associations in disease.

It’s how you can determine effectiveness of medical procedures, tests, protocols, markers.

It’s how you can generate new hypotheses

It’s one of the most important tools in translational research (which we don’t have enough of)

Analysis of lab data is the only way of understanding what you’re doing. Don’t think of it as data mining (bad connotation)


Incorrect Perception

Using lab datasets for research without patient permission (consent) is sneaky.

The ethical “high road” is to get consent for each use of medical data.

Getting consent is also the legally “safe” approach.


Unconsented research with deidentified lab data doesn’t pose much of a threat to patients.

Federal regulations (45 CFR 46, the Common Rule, and the proposed HIPAA Privacy Regulations) specify very simple approaches that permit researchers to conduct unconsented research.


Consented research almost always poses a threat to patients.

The whole idea of consent is that the patient consents to the risks posed by the research. There’s a misconception that “consent” relates to the patient giving the researcher authority to conduct the research.

Think about it. A consent form lists the risks, and the patient signs indicating that he/she accepts the risks. If there are no risks, there’s no consent form.


Consented research almost always poses a threat to patients.

One of the risks is the consent form itself. That’s a document that tells anyone something confidential about the patient, including the patient’s identity.

Most consented lab-data research is research that maintains a link to the patient’s identity. That’s the most common “risk” factor in the consent. If everyone conducted consented research there’d be a lot of identified research lab data circulating.


Consented research can be used to further an undisclosed agenda.

There’s nothing to stop someone who has received consent to collect a very specialized lab database from simply converting that database to a deidentified dataset, and then using that database for an undisclosed agenda.

That deidentified dataset would never have been created without the consent, and may be used for purposes that the consenting patients may have objected to (like commercialization of a product).


Consented medical research always has a hint of coercion

You’re putting your life in the hands of a doctor. The doctor asks you to sign an informed consent. You don’t want to risk upsetting your doctor by refusing to give consent.


Consent forms can be challenged and invalidated

When you write a consent form, there’s always the chance that someone with standing may say that it was inadequate.

There are examples of challenged consent documents.


There are some practical problems with getting consent:

1. Very very expensive. The money spent on the consent process cannot be used for research. Raises an ethical issue.

2. With few exceptions, consent is obtained for prospective studies. It’s very hard to get 5-year follow-up on a prospective study without waiting 5 years to collect your data. Retrospective studies done on 5-year-old specimens give you your 5-year follow-up instantly.

3. The consent process itself creates informatics hurdles that few large laboratories can solve.


Informatics hurdles of obtaining patient consent

The consent status needs to be tracked without error.

How well can you identify the patients in your hospital or lab?

How do you track the person who says “no” or who changes their mind regarding consent?


Myth: The only way to use unconsented lab data is to anonymize the data, and this makes it impossible to update the data with follow-up data received on subsequent encounters with the patient.


A record is given a one-way hash (MD5 and SHA are good public domain algorithms) computed on some agreed-upon identifier from the record (e.g., name + social security number hashes to 0033kfdldssj3392kf).

The record is passed to the database with the one-way hash value and without the item(s) used to compute the one-way hash value.

Nobody can link this record back to the patient (that's why it's called a one-way hash).

When the patient comes back in for another encounter, his new record is hashed. Because his name and social security number have not changed, the record is given the same hash number, 0033kfdldssj3392kf.

When the record is added to the pooled database, it can be merged with the previously submitted record on the same patient because both records have the same hash value.

The final record is "anonymous" in the sense that no observations on the record can link to the patient. The records never need to be "re-identified". You just keep merging records that have the same hash without ever going through a re-identification step.
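The merge-by-hash scheme on this slide, written out as an added example (not code from the original presentation). It swaps the plain MD5/SHA hash for HMAC-SHA-256 under a secret key, because name plus social security number is a small enough input space that an unkeyed hash can be recomputed for candidate patients by anyone holding the pooled data; the key, field names and sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import unicodedata

# Constructed demo key (assumption): a secret kept by the submitting lab,
# never stored alongside the pooled research database.
LINKAGE_KEY = b"constructed-demo-key"
IDENTIFYING_FIELDS = ("name", "ssn")  # hypothetical field names

# Constructed sample encounters; SSNs use the never-issued 000 area.
ENCOUNTERS = [
    {"name": "Jane Q. Public", "ssn": "000-12-3456", "test": "PSA", "value": 4.1},
    {"name": " jane q.  public", "ssn": "000123456", "test": "PSA", "value": 6.3},
    {"name": "John Doe", "ssn": "000-65-4321", "test": "HbA1c", "value": 7.2},
]

def normalise(name, ssn):
    """Canonicalise identifiers so formatting differences hash alike."""
    name = " ".join(unicodedata.normalize("NFKC", name).upper().split())
    ssn = "".join(ch for ch in ssn if ch in "0123456789")
    if len(ssn) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    # Unit-separator byte keeps the name/SSN boundary unambiguous.
    return name.encode("utf-8") + b"\x1f" + ssn.encode("ascii")

def linkage_token(name, ssn, key=LINKAGE_KEY):
    """Keyed one-way value used only to merge records on the same patient."""
    return hmac.new(key, normalise(name, ssn), hashlib.sha256).hexdigest()

def deidentify(record, key=LINKAGE_KEY):
    """Drop the identifying fields and attach the linkage token instead."""
    out = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    out["token"] = linkage_token(record["name"], record["ssn"], key)
    return out

def build_pool(encounters, key=LINKAGE_KEY):
    """Merge de-identified encounters by token; no re-identification step."""
    pool = {}
    for enc in encounters:
        rec = deidentify(enc, key)
        pool.setdefault(rec.pop("token"), []).append(rec)
    return pool

if __name__ == "__main__":
    for token, history in build_pool(ENCOUNTERS).items():
        print(token[:12], history)
```

The normalisation step matters as much as the hash: without it, the second Jane encounter (different spacing, case and SSN punctuation) would get a different token and the follow-up data would never merge.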


Federal Regulations in a nutshell:

If you want to do research with Lab Data, you need to get patient consent unless you can show that the risk of harm to the patient is zero or the actual harm that might result is trivial.


General Federal Regulatory Mindset Regarding the Use of Confidential Data for Research

1. Medical research is essential, and medical privacy legislation should not impede medical research.

2. Deidentified pre-existing medical records can be used for research purposes without obtaining patient consent because it can’t hurt the patient much. The exact meaning of “deidentified” is a source of complexity.

3. In both HIPAA and the Common Rule, IRBs are to exercise judgment and can waive the consent requirement. This generally applies when the risk to patient confidentiality/privacy is small, the burden of obtaining consent is large and the value of the research is high.


What are the risks of research performed using lab data?

1. The risk of loss of privacy resulting from participation in a medical study.

If the study produces results that will necessitate contacting the patient or informing the patient of any results of the study, you almost certainly will need to get patient consent for all the records used in the study.

2. The risk of loss of database security.

Sometimes a study itself places the hospital information system at risk (a risk regardless of whether consent is obtained).

3. The risk of loss of confidentiality.

If the lab data can be linked to patients.


Good things to remember:

1. IRBs don’t get into trouble for making wrong decisions (they get into trouble when they fail to make decisions).

2. Researchers virtually never get into legal trouble over confidentiality leaks.

3. Laws regulating the use of data are almost never used to drag institutions into court (the problem is tort cases brought by angry patients or family)

4. Regulations, if anything, will reduce tort cases by providing exculpatory procedures (“don’t blame us, we were following the law”)


My advice:

1. Trust your own judgment. If you think that your research poses no risk to patients, then you should consider going for an exemption or a waiver of patient consent.

2. Trust your IRB. The overwhelming majority of “data” proposals submitted to IRBs are approved! But learn to stack the deck in your favor.


Tips on writing an IRB proposal

1. IRBs fear that they might inadvertently violate regulations.

Write your proposal in a way that makes it obvious that you have meticulously complied with every conceivable aspect of the regulations.


Tips on writing an IRB proposal

2. IRBs are responsible for making sure that your research won’t hurt patients.

Write your proposal in a way that accounts for every type of harm that could result from your proposed use of lab data:

1. Confidentiality

2. Privacy

3. Network Security


Tips on writing an IRB proposal

3. IRBs have the ability to waive consent requirements when the risks to the patients are small and the benefit to society is large.

Don’t trivialize your research. Make it very clear that your research is intended to help patients. If you can’t think of any value for your research, nobody else will.


Tips on writing an IRB proposal

4. IRBs need to take into account the sensibilities of patients. Patient advocacy groups are an underused resource. They understand the importance of human subject research and are eager to remove impediments to research.

Include a letter of support from a patient advocacy group in your IRB application. The letter should specifically comment on the acceptability of the IRB proposal from a patient’s perspective.


Tips on writing an IRB proposal

5. If at first you don’t succeed, try, try, try again.

Determine what the problem was and correct it in your next draft.