Protecting Privacy During ResearchPhysician Group Calls for Stronger Safeguards
The organization says rules governing research "should maximize appropriate uses of information to achieve scientific advances without compromising ethical obligations to protect individual welfare and privacy."
The college has issued a detailed policy paper outlining its proposal to revise existing regulations. The paper, an update to a document produced two years ago, was released as federal authorities solicit comments on a plan to update the Common Rule governing medical research, which has been in effect for 20 years. Regulators are seeking feedback on a plan to establish mandatory data security and information protection standards for all studies involving identifiable or potentially identifiable data (See: Research Data Protections Considered). The deadline for comments on that notice of proposed rulemaking was extended to Oct. 26.
Consent IssuesIn its proposal, the college notes:
- Participation in prospective clinical research requires fully informed and transparent [patient] consent that discloses all potential uses of PHI [protected health information] and IIHI [individually identifiable health information], and an explanation of any limitations on withdrawing consent for use of data, including biological materials.
- ACP recognizes that further study is needed to resolve informed consent issues related to future research use of PHI and IIHI associated with existing data, including biologic materials.
- Informed consent documents should clearly disclose whether law enforcement agencies would have access to biobank data without a warrant.
- ACP recommends that regulations governing IRB (Institutional Review Board) review be expanded to include consideration of the preferences of research subjects whose tissue has been stored.
Defining ResearchA federal advisory group recently recommended that regulators apply a narrow definition of "research" when updating the Common Rule to protect the privacy of patients involved in medical research projects (see: Medical Research and 'Trust Issues').
The Health IT Policy Committee said that when a provider organization uses data from electronic health records to evaluate the safety, quality and effectiveness of prevention and treatment activities, that amounts to using it for "operations" and not "research." As a result, the provider should not need to obtain "informed consent" from patients for these evaluations or approval by an institutional review board, as is required for broader research projects.
The American College of Physicians reaches a similar conclusion. It notes in a statement: "The paper says that by including providers, governmental bodies, consumers, payers, quality organizations, researchers, and technologists, the resulting framework would clearly specify appropriate activities - such as treatment, payment, and some health care operations - where sharing of personal health information can proceed without the need for additional consent. Once the boundaries of appropriate data-sharing practices and situations are agreed on, it will be far easier to define consent requirements for appropriate activities."