IRBs can take steps now to protect patient privacy
Liability protection, breach notification
Doubtless, few IRBs are holding their collective breaths waiting for a massive overhaul of privacy provisions in health research. And even the IOM Committee on Health Research and the Privacy of Health Information's less ambitious recommendations for HHS guidance on use of HIPAA may take a little while.
But there still are steps that IRBs can take right now to better protect patient privacy while facilitating research, says IOM committee member Wendy Visscher, PhD, director of the Office of Research Protection at RTI International in Research Triangle Park, NC.
She says that regardless of how privacy protection is regulated in the future, IRBs should be ensuring that they have expertise in data security issues on their boards.
"IRBs have expertise in human subjects protection and various research areas, but not so much in encryption and secure socket layers (SSL), statistical disclosure and what really constitutes an identifiable data file," Visscher says.
"What we do here (at RTI) is we have a data security expert on all three of our committees. They look at all the protocols in the agenda, strictly for data security issues. They ask all sorts of questions about different hardware that's being proposed to collect data or how we're storing the data or how it's going to be shared with someone else."
She suggests some sort of liability protection for IRB members in the event of a data breach, if they've done their job in good faith.
Visscher's other recommendations for IRBs include:
— creating a standard notification procedure to follow in case of a breach of data. At RTI, the breach notification procedure goes into effect when data is lost that is identifiable to the extent that it could be used for identity theft, she says. Participants receive a letter notifying them of the breach and are offered credit monitoring.
She says the last thing an IRB wants is to be creating such a procedure under the pressure of an actual breach. "Then, you're really scrambling and it needs to be timely for the benefit of the respondent."
— easing the process of releasing limited data sets to outside researchers. Visscher says many IRBs are requiring complicated data use agreements or business associate agreements.
"The guidance specifically says that business associate agreements are not required for research," she says. "A limited data set doesn't have any direct identifiers, so it shouldn't be so cumbersome to release that kind of data. But people were entering into these very long and extensive data use agreements and/or they were using business associate agreements. And it was becoming in some places so cumbersome that the researchers just gave up on it."
— helping to educate the public on the importance of access to health information in research. Visscher says IRBs can ask researchers about their plans for disseminating study results, which can help the public understand how health information is being used and its importance in improving care.