Does records scanning violate patient privacy?
Does records scanning violate patient privacy?
Some argue it actually protects patients
As technological advancements make it possible to quickly and easily scan large numbers of medical records to conduct research, there is increasing public concern about the possible intrusions to patient privacy. But careful review by IRBs can ensure that such research can be done ethically and can even provide more stringent protection to patients then previous searches conducted by hand.
"We need to recognize that medical records research has been going on for years and is a staple of medical research," says P. Pearl O’Rourke, MD, director of human research affairs for Partners HealthCare System in Boston. "All of these computerized systems don’t change the fact that it has been happening. It just changes the ease with which it can be done."
Researchers have recently announced powerful new systems that can reach deep into millions of medical files to find information about different illnesses. Potentially, such a system could look for trends in family histories, lifestyle behaviors, even genetics, more quickly and easily than ever was possible before.
The principal risk to patients is the potential breach of their privacy, O’Rourke says, and IRBs need to cut through the worry about the technology to focus on exactly what the privacy risk is — whether patients are identifiable, whether the information is particularly sensitive and if patients must be informed of the use or asked permission to have their records included.
Do you have a subject?
She says the first question IRBs must ask is whether a particular protocol even has an identifiable human subject. She uses the example of a researcher studying appendectomies wanting to do a computerized search of all such procedures performed on patients who live in a particular ZIP code.
"That would require going to identifiable information, and before a medical records room could give you that information, you as the investigator would have to go to the IRB," O’Rourke says.
Next, she says, the IRB should deal with the issue of protecting patient privacy. Here, they not only must reference regular informed consent regulations, but also the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which has its own requirements for alerting patients to uses of their medical information.
In the example O’Rourke used, regarding appendectomies, she says an IRB might conclude that the potential loss of privacy would entail a minimal risk, and so the need for informed consent could be waived.
But for medical information of a more sensitive nature, that would not necessarily be the case, she says.
"Let’s say you wanted to look at medical records review for drug use or aberrant sexual behavior, something that would be more sensitive," she says. "That’s where the IRB might say you can’t do it unless you go and get consent from all these people."
If the IRB were to require it, the investigator would have to notify anyone whose record was being used to ask their permission to include data. In some cases, researchers might consider it to be worth the trouble, particularly if the group involved comprises an easily accessible community of patients, such as people with a specific form of cancer. But in other cases, the investigator might conclude that it would be too difficult to proceed with the research.
O’Rourke says the recent increased use of genetic information, including actual genetic testing of patients, adds a measure of intensity to public concerns about the use of their information. But those types of medical records would almost certainly involve identifiable information, and so would be subject to careful IRB review.
HIPAA adds multiple layers of safeguards to patients whose records might be sought by an investigator:
- First, the IRB or some other committee that acts as a privacy board must determine whether patients have to be notified of the disclosure or authorization can be waived.
- Investigators are required to use only the minimal necessary information and so must justify every bit of data they intend to collect to the privacy board. If an investigator, for example, wants to look at appendectomies but also at a patient’s psychiatric history, the board would ask him to explain why both are needed for the research.
O’Rourke says that line of questioning isn’t new to IRBs. "IRBs always have looked at that, too," she says. "They’ve asked, What are the data points you want, why do you want them, etc.?’ So I think that was already going on, but HIPAA formalized it, in a good way."
HIPAA also requires that investigators carefully document any transaction in which data leave the health system where they were collected. So if an investigator shares data with someone else at another institution, he or she must make a record of it. And the privacy board will ask the investigator to show that the data will be kept and used in a secure way, so that others without authorization can’t access them.
O’Rourke says institutions that plan on using patients’ records for research must include that intention in the privacy notice that patients sign. But that document doesn’t absolve the institution of the other HIPAA and informed consent requirements.
"Our privacy notice essentially tells people that if you come to our institution, research is one of our missions and we will use your information for research of which you are unaware," she says. "But we also tell them that information will not be given out unless it goes before an IRB and is done in an ethical manner."
Computer protections
O’Rourke says the requirements of HIPAA and the recent development of more powerful computing abilities have combined to make the general public much more aware that their records can be viewed by others, and that they can be used in ways they may not have imagined before.
While it causes some patients anxiety, she points out that it’s important to explain the benefits of this kind of research — "It’s how we develop the flu vaccine every year; it’s how we learn about so many cancer-related exposures," O’Rourke explains.
And the high-speed record scanning capabilities can do those things much faster and more easily. While it exposes more patients to the possibility that their records could be used, it also provides greater opportunities to protect their privacy, if investigators and IRBs know how to take advantage of the technology.
For example, O’Rourke says, a computer program, unlike a human being, can extract needed information without reading the entire file. So in cases where identifiable information is not needed, the computer can search only the data fields that apply, leaving the rest of the information secure.
"The computer also makes it safer from a standpoint of collecting minimum necessary [data]," she says. "You can say, I promise all I’m going to look at is the sodium level,’ but if you have to do that by looking through medical charts, that’s physically impossible. If it’s computerized, you can just pull out the sodium levels."
And unlike humans thumbing through files, an investigator running a computerized scan of records leaves a trail showing what was accessed, which can be audited to ensure they’re only collecting the data that’s been authorized.
"If you access a computer database, you leave a record," O’Rourke says. "We know who you looked at, and can go back and say, Why exactly were you here?’
"On the other hand, going into the medical records room is like going through library stacks," she says. "How do you know which book they pulled off the shelf? In that way, I think [computerization] helps protect privacy."
She says IRBs should learn to fine-tune their questions to investigators to take advantages of the privacy protections inherent in computerized scanning.
"The bigger message is to both investigators and to the public: That this is an acceptable way of doing research and has been for many years — if it’s done carefully — with an awful lot of attention to protecting confidentiality."
As technological advancements make it possible to quickly and easily scan large numbers of medical records to conduct research, there is increasing public concern about the possible intrusions to patient privacy.Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.