GAO on confidentiality of health information used in research (long)
Medical Records Privacy: Access Needed for Health Research, but Oversight
of Privacy Protections Is Limited (Letter Report, 02/24/99,
GAO/HEHS-99-55).
Pursuant to a congressional request, GAO reviewed the types of health
research conducted outside the Common Rule and Federal Drug
Administration (FDA) regulations, focusing on: (1) examining how
medical information is used for research and the need for personally
identifiable information; (2) identifying research that is and is not
subject to current federal oversight requirements; (3) examining how
institutional review boards (IRB) ensure the confidentiality of health
information used in research; and (4) identifying the safeguards health
care organizations have put in place to protect the confidentiality of
health information used in research.
GAO noted that: (1) medical information is used for a number of research
purposes--to advance biomedical science, understand health care
utilization, evaluate and improve health care practices, and determine
causes and patterns of disease; (2) while such research is sometimes
conducted without information tied to identifiable patient records, other
research relies on personal identifiers to track treatment of an individual
over time, link multiple sources of patient information, or verify such
information; (3) some of the research conducted by the organizations GAO
contacted must conform to the Common Rule or FDA regulations because the
research is either federally supported or regulated; (4) but many of these
same organizations voluntarily apply federal rules, including IRB review,
to all their research, regardless of source of funding; (5) other
organizations choose not to apply the Common Rule and IRB review where not
required; (6) IRB review does not ensure the confidentiality of medical
information used in research because the provisions of the Common Rule
related to confidentiality are limited; (7) records-based research is often
subject to an expedited review process--under which only one board member,
rather than the full IRB, considers the research proposal; (8) IRBs can
waive informed consent
requirements, including the requirement to inform people of the extent to
which their data will be kept confidential, if they judge that research
subjects are not likely to be harmed and that the research could not be
carried out without the waiver--as in cases where there are too many
subjects to inform; (9) the IRBs contacted rely on the existence of general
organizational confidentiality policies for protecting personal
information; (10) while the extent to which IRB practices protect the
privacy of research subjects is not fully known, several examples of
breaches of confidentiality reported to the National Institutes of Health's
Office for Protection From Research Risks illustrate the potential for harm
resulting when medical information used in research is not adequately
protected; (11) although external review of their research is limited, the
organizations contacted have taken steps to limit access to personally
identifiable information; (12) most of the organizations have various
security safeguards to limit internal and external access to paper and
electronic databases, and many have taken measures to ensure the anonymity
of research and survey
subjects; and (13) all but two of the organizations GAO contacted have
written confidentiality policies restricting employee access to health
information.
--------------------------- Indexing Terms -----------------------------
REPORTNUM:  HEHS-99-55
TITLE:      Medical Records Privacy: Access Needed for Health
            Research, but Oversight of Privacy Protections Is
            Limited
DATE:       02/24/99
SUBJECT:    Research program management
            Ethical conduct
            Informed consent (medical law)
            Health research programs
            Internal controls
            Medical records
            Medical research
            Right of privacy
            Medical information systems