United States General Accounting Office GAO Report to Congressional Requesters February 1999 MEDICAL RECORDS PRIVACY Access Needed for Health Research, but Oversight of Privacy Protections Is Limited GAO/HEHS-99-55 United States GAO General Accounting Office Washington, D.C. 20548 Health, Education, and Human Services Division B-280657 February 24, 1999 The Honorable James M. Jeffords Chairman, Committee on Health, Education, Labor, and Pensions United States Senate The Honorable Christopher J. Dodd Ranking Minority Member Subcommittee on Children and Families Committee on Health, Education, Labor and Pensions United States Senate Historically, patient medical records were used largely by physicians and medical insurers. However, with the creation of electronic records and large databases of medical information, the number of health care professionals and organizations with access to medical records has increased. While such availability allows for research that can improve the understanding of diseases and treatments across broad populations, the number of parties with routine access to personally identifiable medical data has raised concern about the potential misuse of these data and the adequacy of the current system of protections. Under the current Federal Policy for the Protection of Human Subjects, adopted in 1991 and known as the Common Rule, research conducted by organizations, such as academic medical centers and pharmaceutical companies, that is supported or regulated by any of 17 federal agencies is subject to certain federal oversight requirements.1 In accordance with the Common Rule, organizations have established local institutional review boards (IRB), made up of both scientists and nonscientists, to review whether researchers minimize the risks to research subjects and obtain their informed consent. When appropriate, IRBs are also supposed to consider whether the research projects under their review will protect the privacy of subjects and inform them of the extent to which their data will be kept confidential. In addition, pharmaceutical companies and other 1 Department of Health and Human Services (HHS) regulations—codified at title 45, Part 46, Subpart A of the Code of Federal Regulations—apply to research involving human subjects that is conducted, supported, or regulated by HHS. In addition, the following agencies have adopted regulations incorporating the substance of the HHS regulations: Departments of Agriculture, Commerce, Defense, Education, Energy, Housing and Urban Development, Justice, Transportation, and Veterans Affairs; the Agency for International Development; the Central Intelligence Agency; the Consumer Product Safety Commission; the Environmental Protection Agency; the National Aeronautics and Space Administration; the National Science Foundation; and the Social Security Administration. Page 1 GAO/HEHS-99-55 Medical Records Privacy B-280657 manufacturers of certain medical products must also meet Food and Drug Administration (FDA) regulations, which closely resemble the Common Rule, for research they conduct in connection with their FDA-regulated products.2 Organizations conducting research that is not federally supported or regulated can use IRBs if they choose but are generally not required to do so. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L. 104-191) called for protections for the privacy of medical information. Pursuant to HIPAA, the Secretary recommended standards with respect to the privacy of personally identifiable information in September 1997. If federal legislation is not enacted by August 1999, the Secretary of HHS must promulgate regulations setting privacy standards within 6 months. Bills related to medical records privacy introduced in the 105th and 106th Congresses have provisions to address uses of medical information for a variety of purposes, including research.3 The various bills attempt to provide for the conduct of medical research while also offering privacy protections, and some of them call for extending the current requirements of the Common Rule, including the use of IRBs, to research that is not federally supported or regulated. No legislation has been enacted. However, little is known about the types of health research conducted outside the Common Rule and FDA regulations and what safeguards may already be used for such research. Therefore, you asked us to (1) examine how medical information is used for research and the need for personally identifiable information, (2) identify research that is and is not subject to current federal oversight requirements, (3) examine how IRBs ensure the confidentiality of health information used in research, and (4) identify the safeguards health care organizations have put in place to protect the confidentiality of health information used in research. To conduct our work, we reviewed health research and privacy literature and interviewed experts in these fields and officials from various health industry associations. We also reviewed HHS documents and met with officials from HHS and, from within the Department, FDA, and the National 2 FDA regulations are codified at title 21, Parts 50 and 56 of the Code of Federal Regulations. 3 Bills introduced in the 105th and 106th Congresses to set up standards for the privacy of medical records include S. 2609, 105th Cong. (1998) (introduced by Sen. Bennett); S. 1921, 105th Cong. (1998) (introduced by Sen. Jeffords); S. 1368, 105th Cong. (1997) (introduced by Sen. Leahy); H.R. 1815, 105th Cong. (1997) (introduced by Rep. McDermott); H.R. 52, 105th Cong. (1997) (introduced by Rep. Condit); S. 300, 106th Cong. (1999) (introduced by Sen. Lott); and S. 326, 106th Cong. (1999) (introduced by Sen. Jeffords). Page 2 GAO/HEHS-99-55 Medical Records Privacy B-280657 Institutes of Health (NIH). We also interviewed representatives from seven IRBs and officials from two state departments of health. Five of these IRBs were at institutions that conduct research for the federal government, and two are freestanding IRBs that are hired for their services. In addition, we reviewed documents and interviewed officials from 12 organizations that conduct health research not subject to the Common Rule or FDA regulations, including managed care, pharmacy benefit management, pharmaceutical, biotechnology, and health information organizations and integrated health systems. For the most part, organizations provided documentation of their policies on confidentiality and information safeguards; however, we did not assess the implementation of these policies. Given the limited number of organizations in our review, their research and safeguard practices and the practices of the IRBs should not be considered representative of those organizations on the whole. We conducted our work between July 1998 and February 1999 in accordance with generally accepted government auditing standards. A detailed description of our scope and methodology is provided in appendix I. Medical information is used for a number of research purposes—to Results in Brief advance biomedical science, understand health care utilization, evaluate and improve health care practices, and determine causes and patterns of disease. While such research is sometimes conducted without information tied to identifiable patient records, other research relies on personal identifiers to track treatment of an individual over time, link multiple sources of patient information, or verify such information. Some of the research conducted by the organizations we contacted must conform to the Common Rule or FDA regulations because the research is either federally supported or regulated. But many of these same organizations voluntarily apply federal rules, including IRB review, to all their research, regardless of source of funding. Other organizations choose not to apply the Common Rule and IRB review where not required. For example, research conducted by pharmacy benefit management companies, which conduct studies for other companies, is not federally supported or regulated and is, therefore, outside the Common Rule, and they do not use IRB review. In any case, IRB review does not ensure the confidentiality of medical information used in research because the provisions of the Common Rule related to confidentiality have limitations. Records-based research is often subject to an expedited review process—under which only one board Page 3 GAO/HEHS-99-55 Medical Records Privacy B-280657 member, rather than the full IRB, considers the research proposal. In addition, IRBs can waive informed consent requirements, including the requirement to inform people of the extent to which their data will be kept confidential, if they judge that research subjects are not likely to be harmed and that the research could not be carried out without the waiver—as in cases where there are too many subjects to inform. The IRBs we contacted rely on the existence of general organizational confidentiality policies for protecting personal information. While the extent to which IRB practices protect the privacy of research subjects is not fully known, several examples of breaches of confidentiality reported to NIH’s Office for Protection From Research Risks (OPRR), the oversight agency for HHS-supported research, illustrate the potential for harm resulting when medical information used in research is not adequately protected. Although external review of their research is limited, the organizations that we contacted reported they have taken steps to limit access to personally identifiable information. Most of the organizations have various security safeguards to limit internal and external access to paper and electronic databases, and many have taken measures to ensure the anonymity of research and survey subjects. In addition, all but two of the organizations that we contacted have written confidentiality policies restricting employee use and access to health information. Numerous organizations collect, store, transmit, and use individuals’ Background medical information, which includes data, documents, records, and pathological and diagnostic specimens. These individuals may have little or no knowledge of the organizations’ accessing their personal health data. For example, records of patient care—whether through a hospital, private physician, or managed care setting—may be used for health research. The establishment of large computer databases—some with millions of patient records—has not only allowed for such research but has increased the potential for misuse of private medical information, raising concern over issues related to privacy and confidentiality.4 While IRB reviews may help protect the privacy of subjects and maintain the confidentiality of data 4 Privacy refers to the specific right of an individual to control the collection, use, and disclosure of personal information. Confidentiality is a tool for protecting privacy. Confidentiality is implemented through specific controls on personal data, limiting access and disclosure. The privacy provisions of the Common Rule apply to research on human subjects when the researcher obtains information that is individually identifiable. The Common Rule defines a human subject as a living individual about whom a researcher obtains (1) data through intervention or interaction with the individual or (2) identifiable private information. Information is individually identifiable when the identity of the subject is or may be readily ascertained by the researcher or associated with the information. Page 4 GAO/HEHS-99-55 Medical Records Privacy B-280657 used for research, privacy advocates and others argue that any use or disclosure of an individual’s medical information should require the individual’s informed consent. They view this as important because the failure to adequately safeguard sensitive medical information can affect employment or the ability to receive insurance or lead to other harmful outcomes. The federal system of protections was developed largely in response to biomedical and behavioral research that caused harm to human subjects. In 1991, many federal agencies standardized their oversight of research involving human subjects with the adoption of the Common Rule. Each institution engaged in research subject to the Common Rule must assure the agency supporting or regulating the research that it follows basic ethical principles underlying the acceptable conduct of research involving human subjects. Currently, 17 federal departments and agencies adhere to the Common Rule. To protect the rights and welfare of human subjects recruited to participate in research, the Common Rule requires research organizations to establish and operate IRBs, which are, in turn, responsible for implementing federal requirements for research conducted at or supported by their institutions. IRBs are intended to provide basic protections for people enrolled in federally supported or regulated research. Among these are an independent review of the risks and benefits of the research. Another protection is informed consent, which requires researchers to inform potential subjects of the risks to which they, as study participants, agree to be exposed. In addition, IRBs have to make sure that, when appropriate, there are adequate provisions in the research plans to protect the privacy of subjects and maintain the confidentiality of data. Most of the estimated 3,000 to 5,000 IRBs in the United States are associated with a hospital, university, or other research institution; however, IRBs also exist in managed care organizations (MCO), government agencies, and as independent entities employed by the organizations conducting the research. Federal requirements specify that IRBs must have at least five members, including one with primarily scientific interests, one with primarily nonscientific interests, and one otherwise unaffiliated with the institution in which the IRB resides. Each of the 17 federal Common Rule agencies has independent responsibility for oversight of IRBs reviewing the research that it supports. However, two HHS agencies—NIH and FDA—exercise the broadest IRB oversight responsibilities. OPRR, located Page 5 GAO/HEHS-99-55 Medical Records Privacy B-280657 within NIH, is responsible for monitoring protection of human subjects within all HHS-supported biomedical and behavioral research. FDA is responsible for protecting the rights of human subjects enrolled in research involving products it regulates—drugs, medical devices, biologics, foods, and cosmetics. If research supported by HHS also involves a product regulated by FDA, both agencies have oversight responsibilities. Pursuant to HIPAA, the Secretary of HHS submitted to the Congress in September 1997 recommendations on privacy standards that may guide legislation for protecting individually identifiable information and to establish penalties for wrongful disclosure of such information. The Secretary recommended that health care providers and payers be permitted to disclose identifiable patient information, without consent, for research under controlled conditions—including approval by an IRB under conditions essentially the same as the present Common Rule—and that further disclosure be sharply restricted. The Secretary’s recommendations would also require researchers who obtain information from providers to establish and maintain appropriate safeguards for protecting the confidentiality and security of personally identifiable health information. Legislative proposals governing medical records privacy under consideration in the 105th Congress contained provisions resembling the Secretary’s recommendation. The bills differed, however, in how protected health information was defined and the extent to which reviews by IRBs or other entities would be required for research using personally identifiable health information. If legislation on privacy standards is not enacted by August 1999, HIPAA provides that the HHS Secretary must promulgate final regulations containing standards for confidentiality by February 2000. In the absence of comprehensive federal legislation, the federal government and some states have enacted laws to protect the privacy of certain medical information. For example, personal information about subjects of drug abuse research can be protected under the Federal Controlled Substances Act. California law permits disclosure of identifiable health information for research purposes without the patient’s consent but expressly prohibits any disclosure by the researcher of information that permits identification of the patient. Minnesota’s law allows access to medical record information for research unless patients deny their consent, which must be requested. Page 6 GAO/HEHS-99-55 Medical Records Privacy B-280657 The organizations that we contacted primarily conduct health research to Personally Identifiable advance biomedical science, understand health care use, evaluate and Health Information Is improve health care practices, and determine causes and patterns of Needed for a Variety disease. Within biomedical research, several of the organizations conduct clinical trials to develop new medical products and devices. All of the of Research Purposes organizations conduct studies to improve health care practices, such as studies focusing on the most appropriate care for patients with chronic diseases. In addition, nearly all of the organizations conduct epidemiological research—research on the causes and distribution of diseases. Organizations that provide and pay for care, such as MCOs, generate original medical data, which they can then use for their research. Other organizations—such as those that provide health information services ranging from software development to targeted health research—rely on data from health care providers and payers, some of which contain personal identifiers. Some of these organizations’ studies are carried out without personally identifiable health information, but other research requires that, at some point, individual identifiers be known. Patient Data to Conduct The organizations we contacted use health-related information on Research Come From hundreds of thousands, and in some cases millions, of individuals in Various Sources conducting their research. There are primarily three sources of data that organizations rely on. Some organizations use data that they generate in providing health care services, and some rely on data acquired from others; some organizations also use data generated as part of their research. The MCOs and integrated health systems5 that we contacted primarily rely on data that are self-generated—through either service delivery or research. They use medical record data, which are generated in the course of treating patients, to conduct epidemiological research and health services research, such as outcomes and quality improvement studies.6 One MCO cited over 40 outcomes studies it conducted on prevention, disease management, and issues related to the structure of the health care delivery system. Another MCO, in conducting a quality improvement study, 5 Integrated health systems are systems of care that can include hospitals, academic medical centers, and primary care physicians and specialists. 6 Health services research examines the use, costs, quality, accessibility, delivery, organization, financing, and outcomes of health care services to increase the knowledge and understanding of health services for individuals and populations. It includes outcomes research on the benefits and harms of alternative strategies for preventing, diagnosing, or treating illness. Page 7 GAO/HEHS-99-55 Medical Records Privacy B-280657 used its claims database, along with published treatment guidelines, to determine whether patients with vascular disease were receiving appropriate medications. The MCO then provided each patient’s treating physician a report based on this analysis to encourage them to review the case; verify the accuracy of the data; and determine whether, in the physician’s judgment, any actions were appropriate, such as arranging return visits for these patients and amending their drug regimens. The pharmaceutical and biotechnology companies that we contacted rely on data from each of the three sources. To support their applications for new drugs and medical devices, they sponsor clinical trials conducted at MCOs and academic medical centers. These companies also conduct health services and epidemiological research; but unlike MCOs and integrated health systems, they rely on data from other organizations for this type of research. For example, one pharmaceutical company’s epidemiology department conducts large-scale studies to monitor the effectiveness of treatments in clinical practice and studies to track the effects of drugs on certain populations. These studies rely on data the company obtains from MCOs and health information organizations. Pharmacy benefit management (PBM) firms, which administer prescription drug benefits for health insurance plans, typically generate their own data and obtain data from other organizations. For the PBMs we contacted, a primary source of data is prescription information derived from prescriptions dispensed by mail or claims received from retail pharmacies. The PBMs also use data from other organizations, such as MCOs, to design and evaluate programs that are intended to improve the quality of care for patients who have specific diseases or risk factors while controlling total health care costs. For example, one PBM develops disease management programs, which depend on the ability to identify individuals with conditions, such as diabetes, that require more intensive treatment management. The health information organizations that we contacted rely solely on data from other organizations. Typically, they collect medical claims data from their clients or obtain it from publicly available sources, such as Medicare and Medicaid.7 They may also acquire data through employer contracts that stipulate that all of the employers’ plans provide complete data to a health information organization. Examples of research projects include 7 Clients of health information organizations may include health care providers, health plans and plan administrators, employers, and government health programs. Page 8 GAO/HEHS-99-55 Medical Records Privacy B-280657 studies of the effects of low birth weight on costs of medical care and the effectiveness of alternative drug therapies for schizophrenia. Personally Identifiable Officials at the organizations we contacted believe that a number of Information Is Essential studies require personally identifiable information to ensure study validity for Some Research or to simply answer the study question. For example, to validate initial selection of individuals meeting diagnostic and other criteria as research subjects, researchers may need to review individual patient records. In the case of a research project involving registry data, researchers first determine the feasibility of a study by identifying the likely number of patients meeting certain criteria.8 They then review patient records to obtain more specific information and to validate the study cohort. Officials at the organizations we contacted also indicated that their researchers may need to contact patients or review medical records to validate the quality of data used in their research studies. To prevent error, researchers at one MCO use identifiable data to check for duplicate records or redundant cases. If some item in the analysis appears to show an unusual result for an individual, the researchers may need to check the original file to determine if the information was miscoded. Officials at another MCO described a project that required verifying existing claims data on prenatal visits to evaluate whether women had received prenatal care in the first trimester of pregnancy. To verify the data, researchers telephoned patients to obtain information and subsequently conducted a medical records review. Both the self-reported data and the medical records review showed much higher rates of early prenatal care than the claims data had indicated. Researchers may also need to link multiple sources of information, such as electronic databases and patient records, to compile sufficient data to answer the research question. For example, officials at one health information organization we contacted stated that without patient names or assigned patient codes, it would not have been possible to complete a number of studies—including studies of the effects of length-of-hospital stay on maternal and child health following delivery and studies on patient care costs of cancer clinical trials. For longitudinal studies, researchers may need to track patients’ care over time and link events that occur 8 Registries are databases that collect information on the experience of populations or special groups over time and can be used by researchers to investigate disease characteristics, the impact of various treatments, and to answer other research questions. For example, a registry maintained by one company might pool physician-contributed patient data on individuals with a particular disease to learn about the disease’s natural history, its expected course, and patient response to treatment. Page 9 GAO/HEHS-99-55 Medical Records Privacy B-280657 during the course of treatment with their outcomes. For example, officials at an MCO we contacted used identifiable patient data to link asthma patients’ records over time to determine if specialist care for the disease improved patient outcomes and lowered costs. Health care organizations acknowledge that some types of their research can be accomplished without access to information that is fully identifiable. For example, according to officials at one pharmaceutical company we contacted, the company conducts epidemiological research to understand the kinds of patients that are likely to develop a disease, the effectiveness of existing treatments, the types and rates of complications, and the costs and medical care associated with the disease. They said that much of their research is based on data on unidentified individuals that come from federally sponsored surveys or databases, such as survey data from the National Center for Health Statistics or Medicare data from the Health Care Financing Administration. Some of the research conducted by the organizations we contacted must Federal Requirements conform to the Common Rule or FDA regulations because the research is Do Not Apply to All either supported or regulated by the federal government. Several MCOs that Research, but Some we contacted obtain grants from the Centers for Disease Control and Prevention and other federal agencies, and one health information Organizations organization that we contacted conducts research for the Agency for Voluntarily Apply Health Care Policy and Research and similar federal clients. Some of the organizations that we contacted, including the integrated health systems Those Requirements and several MCOs, operate IRBs to comply with federal requirements. to All Studies While privately funded research that is not in support of a regulated product is not subject to federal requirements, some organizations that conduct both federally supported or regulated research and privately funded research apply the requirements uniformly to all studies involving human subjects, regardless of the source of funding. Organizations conducting a large number of HHS-supported studies may enter into a multiple project assurance (MPA) that commits them to comply with federal regulations on all their research projects involving human subjects, not just those funded by HHS. Even without an MPA, some organizations have adopted internal policies requiring that all studies that meet their definition of research follow Common Rule requirements. As a result, application of the Common Rule to various types of health services research can vary within and across organizations. Page 10 GAO/HEHS-99-55 Medical Records Privacy B-280657 Universities and other major research centers that conduct a substantial number of HHS-supported studies and have demonstrated a willingness and the expertise to comply with human subject protections often apply for MPAs with HHS, which are approved by OPRR. Through an MPA, an organization commits itself to full compliance with informed consent and other federal standards. In addition, an institution with an MPA does not need to apply to OPRR for eligibility to receive HHS funds for each new study approved by its IRB. Two of the organizations we visited—both integrated health systems—have MPAs. Some organizations that do not have an MPA still adopt a policy requiring IRB review of all projects. Two of the MCOs we contacted voluntarily subjected their research to scrutiny by an IRB. At one, the IRB administrator told us that the MCO’s IRB gives non-federally funded research the same scrutiny as federally funded research. The IRB at the other MCO, which was established when the MCO’s research center was created, follows federal guidelines for the protection of study participants and reviews all studies conducted by the center. Other organizations that we contacted that carry out both publicly funded and privately funded research do not commit to an MPA. Rather, they apply the federal rules where required, often relying on IRB review at collaborators’ institutions, and do not apply the rules to their privately funded research. For example, one MCO that we contacted has a separate research unit that carries out a variety of health studies—some initiated by the MCO, some funded by other private sources, and some federally funded in collaboration with universities or other research institutions. Since the MCO does not maintain its own IRB, it relies on IRB reviews at collaborators’ institutions. Still other organizations, such as pharmaceutical and biotechnology companies, rely on the academic medical centers where they sponsor research to have in place procedures for informed consent and IRB review.9 However, even where organizations submit both publicly funded and privately funded research to an IRB, certain activities that involve identifiable medical information may not be included because the organization does not define the project as research. For example, at several MCOs, officials told us that they did not define records-based quality improvement activities as research, so these projects are not submitted for 9 Pharmaceutical and biotechnology companies that conduct clinical research in-house for FDA-regulated products are required to have IRB review and informed consent procedures for that research. Page 11 GAO/HEHS-99-55 Medical Records Privacy B-280657 IRBreview. Some organizations, however, do submit quality improvement studies for IRB review, where they define the studies as research. Finally, at some organizations, none of the research is covered by the Common Rule or FDA regulations and no research receives IRB review. For example, one PBM in our study, which conducts research for other companies, does not receive federal support and, thus, is not subject to the Common Rule in any of its research. Their research includes developing disease management programs. While they do not have an IRB, this PBM uses external advisory boards to review research proposals. Another type of research that for some companies does not fall under the Common Rule or FDA regulations is research that uses disease or population-related registry data. Pharmaceutical and biotechnology companies maintain such registries to monitor how a particular population responds to drugs and to better understand certain diseases. While many organizations have in place IRB review procedures, recent IRB Reviews Provide studies that pointed to weaknesses in the IRB system, as well as the Limited Oversight of provisions of the Common Rule itself, suggest that IRB reviews do not Confidentiality ensure the confidentiality of medical information used in research. The IRB officials we spoke with told us that, for some research, they waive consent provisions and conduct expedited reviews, as permitted by the Common Rule. Most IRBs that we contacted told us that they rely on the existence of general organizational confidentiality policies to protect information. While the extent to which IRB practices protect the privacy of research subjects is not fully known, several examples of confidentiality breaches reported to OPRR illustrate the harm resulting when medical information used in research is not adequately protected. Earlier Studies Revealed In recent years, concern has been raised about the adequacy of the IRB Weaknesses in the IRB system for overseeing the protection of human subjects. While not System focusing specifically on confidentiality, previous studies by GAO and by HHS’ Office of Inspector General have found multiple factors that weaken institutional and federal human subjects protection efforts.10 In 1996, we found that IRBs faced a number of pressures that made oversight of research difficult, including the heavy workloads of and competing 10 Scientific Research: Continued Vigilance Critical to Protecting Human Subjects (GAO/HEHS-96-72, Mar. 8, 1996) and HHS Office of Inspector General, “Institutional Review Boards: A Time for Reform,” OEI-01-97-00193 (June 1998). With the HHS report, there are three companion reports, entitled “IRBs: Their Role in Reviewing Approved Research,” “IRBs: Promising Approaches,” and “IRBs: The Emergence of Independent Boards.” Page 12 GAO/HEHS-99-55 Medical Records Privacy B-280657 professional demands on members who are not paid for their IRB services. We also concluded that the effectiveness of human subjects protections can be weakened by the complexity and volume of research under review and the difficulty of ensuring that individuals understand the risks they may experience as research subjects. Similarly, a 1998 HHS Office of Inspector General report found IRBs unable to cope with major changes in the research environment, concluding that they review too many studies too quickly and with too little expertise. HHS’ Inspector General also concluded that IRBs conduct only minimal oversight of approved studies, face conflicts of interest that threaten their independence, and provide little training for investigators and board members. The Inspector General noted that neither IRBs nor HHS staff devote much attention to evaluating IRB effectiveness and made recommendations for changes to improve the flexibility, accountability, training, and resources of IRBs. Federal Regulations The Common Rule, which was developed largely to protect the rights and Contain Limited Provisions safety of human subjects, contains two general provisions to protect the for Overseeing privacy of human subjects and the confidentiality of data that identify research subjects.11 Specifically, IRBs are directed to approve research only Confidentiality after they have determined that (1) there are provisions to protect the privacy of subjects and maintain the confidentiality of data, when appropriate, and (2) as one of the elements of informed consent, research subjects are adequately informed of the extent to which their data will be kept confidential. According to the Director of OPRR, confidentiality protections are not a major thrust of the Common Rule and IRBs tend to give it less attention than other research risks because they have the flexibility to decide when it is appropriate to review confidentiality protection issues. In addition, the Common Rule assumes that the risks presented by some research are sufficiently low that more limited types of review of privacy protection will be adequate. According to the Common Rule, research with medical information can be exempted from review by IRBs and from requirements for prior informed consent when (1) the data are existing at the time the research is proposed and (2) either the sources are publicly available or information is recorded by the investigator in such a manner that subjects cannot be identified—directly or through identifiers linked to 11 HHS or FDA may also award a Certificate of Confidentiality for a research project, which provides immunity from compelled disclosure, such as subpoenas seeking the identities of subjects enrolled in the study. Page 13 GAO/HEHS-99-55 Medical Records Privacy B-280657 the subjects. Alternatively, research involving medical records that presents no more than minimal risk of harm to subjects may be reviewed by the IRB under expedited procedures, even when the data are personally identifiable. Under expedited procedures, the review may be carried out by the chairperson or a chair-appointed IRB member, rather than the full board. Further, research using individually identifiable information may be permitted by an IRB with a waiver or modification of informed consent if the IRB finds and documents that each of the following criteria has been satisfied: (1) the research involves no more than minimal risk to subjects (that is, no greater harm than ordinarily encountered in daily life); (2) the rights and welfare of subjects will not be adversely affected; (3) the research could not practicably be carried out without the waiver or alteration of the consent requirement; and (4) whenever appropriate, subjects will be provided with pertinent information after participation.12 IRBs Follow Common Rule Consistent with federal regulations, the seven IRBs that we contacted told Criteria for Waiving us that they generally waive informed consent requirements in cases Consent Requirements and involving medical records-based research. For research using individually identifiable medical information that does not involve direct contact with Providing Expedited patients, IRBs often conduct an expedited review and usually do not Reviews for Some require researchers to obtain specific authorization from patients before Research using their medical records for research. Under the Common Rule, the IRB may waive consent requirements if the research meets the four criteria above, including that it cannot practicably be carried out without the waiver or alteration of the requirements. If the IRB waives consent requirements, medical records may be available for research without the knowledge or consent of the subjects, even when they are individually identifiable. For some studies, especially epidemiological studies, researchers need to review thousands of records to identify appropriate subjects for their study. Researchers at the 12 Regulations governing clinical research conducted on FDA regulated products involving no greater than minimal risk do not permit a waiver of consent. Page 14 GAO/HEHS-99-55 Medical Records Privacy B-280657 organizations we visited contend that it is often difficult, if not impossible, to obtain the permission of every subject whose medical records are contained in the files. The director of research at one integrated health system described a study that tracked about 30,000 patients over several years to determine hospitalization rates for asthmatic patients treated with inhaled steroids. He stated that it would have been impossible to obtain the informed consent of every patient because treatment was provided over a long period of time. Obtaining consent from the patients whose records were used would have been time consuming and expensive, he said, and some patients would have died or would no longer be members. The Common Rule also permits IRBs to use expedited review procedures—which involve review by only the chairperson or a chair-appointed IRB member, rather than the full board—if the research presents no more than minimal risk of harm to subjects, even when the medical record data used in the research are personally identifiable. A recent NIH-sponsored study found that 58 percent of IRBs affiliated with major research institutions with multiple project assurances performed an expedited review of research using individually identifiable information.13 The study concluded that the IRBs’ standard practice was to use expedited procedures to review research that involves minimal risk. The IRBs that we contacted told us that they routinely examine all research plans using individually identifiable medical information to determine whether the research is exempt from further review, can receive an expedited review, or requires a full review. Further, in reviewing research using individually identifiable genetic data, two of the IRBs had policies to consider additional confidentiality provisions in approving such research. Several IRBs that we interviewed have some special requirements to ensure that researchers had adequate provisions to protect the confidentiality of individually identifiable information. To obtain IRB approval of research using individually identifiable medical information, three organizations required their researchers to complete applications that included detailed discussions of provisions to protect the privacy of subjects and to maintain the confidentiality of data. The applications typically address who will access research information and how confidentiality of records will be maintained. In another study requiring analysis of personal data on health plan members, the IRB required that everyone involved in conducting the study sign strict confidentiality agreements. 13 James Bell Associates, “Final Report: Evaluation of NIH Implementation of Section 491 of the Public Health Service Act, Mandating a Program of Protection for Research Subjects,” prepared for NIH’s Office of Extramural Research (June 1998). Page 15 GAO/HEHS-99-55 Medical Records Privacy B-280657 IRBs Rely on The IRBs in our study told us that they rely on organizational policies to Organizational Policies to ensure the confidentiality of information used in projects using personally Ensure Confidentiality identifiable medical information. For example, the IRB chair and administrator at one integrated health system told us that they rely on the general expectation that all employees will safeguard information about patient medical records. They viewed this as part of the culture of the organization and saw it as a primary mechanism for protecting patient privacy. Organizational policies to protect information may include restricting access to personally identifiable information to authorized individuals. For example, two integrated health systems we met with require that researchers have an IRB project number, indicating approval to access individually identifiable data. Organizations may also have data security safeguards and policies for imposing sanctions for unauthorized access to or dissemination of personally identifiable medical information. Some Breaches of Privacy The actual number of instances in which patient privacy is breached is not Have Been Reported fully known. While there are few documented cases of privacy breaches, other reports provide evidence that such problems occur. For example, in an NIH-sponsored study, IRB chairs reported that complaints about the lack of privacy and confidentiality were among the most common complaints made by research subjects. Over the past 8 years, OPRR’s compliance staff have investigated several allegations involving human subject protection violations resulting from a breach of confidentiality. In the 10 cases provided to us, complaints related both to research subject to IRB review and to research outside federal protection.14 In certain cases involving a breach in confidentiality, OPRR has authority, for example, to restrict an institution’s authority to conduct research that involves human subjects or to require corrective action. For example, in one investigation, a university inadvertently released the names of multiple study participants testing positive for HIV to parties outside the research project, including a local television station. In this case, OPRR worked with the university to evaluate the extent of the breach of confidentiality and form a plan to discuss the events with study subjects. In response, the university revised internal systems to prevent the release of private information in the future. 14 Additional cases may have been reported to OPRR, but these were examples the staff could readily identify that involved breaches of confidentiality. Page 16 GAO/HEHS-99-55 Medical Records Privacy B-280657 However, in other cases, OPRR determined that it could not take action because the research was not subject to the Common Rule and, thus, it lacked jurisdiction. For example, in one reported case, OPRR learned that during a research presentation at a national meeting, notes on a patient suffering from extreme depression and suicidal impulses stemming from a history of childhood sexual abuse were distributed. The notes included the patient’s identity, medical history, mental status and diagnosis, as well as extensive intimate details about the patient’s experience. In another case, which was reported in the media, OPRR learned of an experiment that plastic surgeons had performed on 21 patients using two different facelift operations—one on each half of the face—to see which came out better. OPRR staff learned that the study was not approved by an IRB and that the physicians did not give the patients consent forms explaining in detail the procedures and risks associated with the experiment. In addition, the surgeons published a journal article describing their research that included before and after photographs of the patients. Because the research was performed in physician practices and was not federally supported, it fell outside the Common Rule and OPRR could take no action. Each organization that we contacted reported that it has taken one or Organizations more steps to limit access to personally identifiable information in its Conducting Research research. Many have limited the number of individuals who are afforded Have Measures to access to personally identifiable information or limited the span of time they are given access to the information, or both. Some have used Reduce Access to encrypted or encoded identifiers to enhance the protection of research Personally Identifiable and survey subjects.15 Most, but not all, of the organizations have additional management practices to protect medical information, Information including written policies governing confidentiality. Some organizations have also instituted a number of technical measures and physical safeguards to protect the confidentiality of information. While each organization has taken one or more of these measures, not all have written policies. Officials from two of the companies that we contacted told us that they did not have written policies to share with us, and two other companies were unable to provide us with such documentation, although officials described several practices related to 15 Data are considered “encoded” or “encrypted” when personal identifiers and means of directly contacting an individual (for example, name, address, and social security number) are replaced with numeric or other coding. “Anonymized” data are those from which all personal identifiers have been removed or information aggregated in a manner so that individuals cannot be identified. Medical and health data used by organizations when they conduct health research is viewed as fully identifiable when a name, address, or another identifier is associated with the data. Page 17 GAO/HEHS-99-55 Medical Records Privacy B-280657 confidentiality. The organizations that did provide us with documentation appear to use similar management practices and technical measures to protect health information used in their health research, whether they generate patient records or receive them from other organizations. Officials at one integrated health system that we contacted told us that they have an institutional policy on confidentiality of health information, an institutional policy directing access to and security of medical records information, and a human resources policy for maintaining the confidentiality and privacy of personally identifiable patient data. Special Databases and To limit access, several organizations have created special subset Encrypted Data Help databases to enable them to limit researchers’ access to information that is Organizations Limit Access relevant to their studies. For example, researchers at one MCO conduct studies using a special research database that links hospital, physician to Patient Data visit, and pharmacy claims data for each enrollee and includes information on procedures, diagnoses, and costs of care. Typically, data—with each patient’s identity encoded—are extracted from this database for analysis. The researchers do not have routine access to the MCO’s larger, fully identifiable claims database. In addition to limiting access to certain individuals for specific purposes, some organizations have encrypted or encoded patient information. For example, researchers at one integrated health system that we contacted do not see fully identifiable information. Rather, they work with information that has been encoded by computer programmers on the research team—the only individuals who have access to the fully identifiable data. The pharmaceutical companies that we contacted also limit access to and encode personally identifiable health information used in research. For example, the clinical trials data that they receive typically do not include the identities of the patients enrolled. Instead, the pharmaceutical companies receive data files with identities encoded, and the identifiable data are retained at the research site. Only designated company officials can access the identifiable information during site visits and only for purposes of monitoring the progress of a clinical trial. In conducting collaborative research, the organizations that we contacted tend to use special data sets and contracting processes to protect medical information. For example, one MCO, which conducts over half of its research with government agencies and academic and research institutions, transfers data in either encrypted or anonymized form and provides detailed specifications in its contracts that limit use of the data to Page 18 GAO/HEHS-99-55 Medical Records Privacy B-280657 the specific research project. The contracts specify that collaborators are not permitted to reidentify or transfer the data. Another MCO that we contacted uses multiple measures to ensure confidentiality of its medical data. In addition to requiring collaborators to follow the same confidentiality requirements as the MCO, they can only access medical data through an MCO researcher assigned to the project. Most of the data are aggregated, but any patient-specific data that are provided are encrypted and the coding methodology remains in-house. In addition, research data provided on a computer disk and mailed are tracked to verify delivery. At another MCO, the lead investigators annually review a list of the names of the individuals who have access to each research project to ensure that the list is current, which is acknowledged by the investigators’ signatures. Similarly, one of the integrated health systems that we contacted requires researchers from outside the organization to seek collaborative relationships with internal researchers and obtain approval for an adjunct appointment. The adjunct researchers would then become subject to the organization’s policies and controls. Management Practices Most of the organizations we contacted have established confidentiality Establish Parameters for policies delineating who can have access to what information, and most Protections provide employee education and training programs on these policies. Most also have established monitoring practices and sanctions for breaches of confidentiality. Some organizations also used employee agreements and their contract processes to ensure confidentiality. Ten of the 12 organizations that we contacted had written confidentiality policies that limit and control access to personally identifiable information, although 2 of the 10 did not provide us with documentation of their policies. The policies define the circumstances under which such information may be disclosed and the penalties for unauthorized release of confidential information. Most company policies permit access only to the information that is needed to perform one’s job; some dictate that such information should be shared with other employees only on a need-to-know basis. Some organizations provide training to ensure employees understand the confidentiality policy in effect. One MCO’s training sessions teach employees to keep records in locked file cabinets, shut down computers when not in use, and not share data with associates. Eight of the 12 organizations that we contacted also require their employees to sign agreements—typically upon hiring and annually Page 19 GAO/HEHS-99-55 Medical Records Privacy B-280657 thereafter—stating that they will maintain the privacy of protected health information. To ensure adherence to confidentiality policies, the organizations reportedly have established various monitoring and disciplinary mechanisms. One MCO told us it reviews a sample of all active research projects and conducts reviews of research study files. In addition to periodic reviews of local area network files, the MCO said it also conducts quarterly inspections of its databases. The MCO’s parent organization reportedly conducts internal audits to determine compliance with approved protocols and reviews third-party vendor contracts and system security controls. Each organization that we contacted said it uses disciplinary sanctions to address employee violations of confidentiality or failure to protect medical information from accidental or unauthorized access. Generally, officials at organizations that we contacted said that an intentional breach of confidentiality could result in employee termination—which may be immediate. But they also pointed out that few employees have been terminated, and when they have, the incidents were not related to the conduct of research. According to officials at one health information organization, the company’s overriding principle regarding health information is that each employee is responsible for keeping patient data confidential consistent with the organization’s policies and prescribed practices. Companies Report Use of The organizations that we contacted said they use a number of electronic Electronic and Physical measures to safeguard their electronic health data. Most reported using Safeguards individual user authentications or personal passwords—controls that ensure users access only the information that they need. These organizations may also use encryption or coding technologies to mask personally identifiable data and other technical information system mechanisms, including firewalls, to prevent external access to computer systems. Officials at one MCO we visited said that their computer system maintains an electronic record of each employee that accesses medical data. The MCO periodically reviews the records to determine if use was appropriate. In addition to electronic security, officials at some of the organizations we contacted told us they use various security measures to prevent unauthorized physical access to medical record-based information, including computer workstations and servers. For example, officials at one MCO told us that protections for paper records include storing the Page 20 GAO/HEHS-99-55 Medical Records Privacy B-280657 information in locked offices and file cabinets and shredding paper-based information when it is no longer needed. Personally identifiable information is often an important component of Conclusions research using medical records, and the companies we met with provided many examples of useful research that could not have been conducted without it. Because our study focused on only a limited number of companies—in particular, those that were willing to share information about corporate practices—it is difficult to judge the extent to which their policies may be typical, nor do we know the extent to which their policies are followed. Nevertheless, most of the organizations we surveyed do have policies to limit and control access to medical information that identifies individuals, and many of them have adopted techniques, such as encryption and encoding, to further safeguard individual privacy. However, while reasonable safeguards may be in place in these companies, external oversight of their research is limited. Not all research is subject to outside review, and even in those cases where IRBs are involved, they are not required to give substantial attention to privacy protection. Further, in light of the problems that IRBs have had in meeting current workloads—a key finding in our earlier work as well as in work conducted by HHS’ Office of Inspector General—it is not clear that the current IRB-based system could accommodate more extensive review responsibilities. In weighing the desirability of additional oversight of medical records-based research, it will be important to take account of existing constraints on the IRB system and the recommendations that have already been made for changes to that system. We obtained technical comments from officials at several HHS agencies Agency and Other with significant research responsibilities—FDA, the Centers for Disease Reviewer Comments Control and Prevention, the Agency for Health Care Policy and Research, and NIH, including its OPRR—and HHS’ Privacy Advocate. We also obtained comments from two outside reviewers with expertise in medical research and privacy issues. A number of the HHS program officials provided additional or corrective information on the provisions of the Common Rule and aspects of research, which we incorporated in the report. Our other expert reviewers found the report to be, on the whole, helpful in the current debate on privacy and research. One of these reviewers, however, questioned our conclusion about how well the IRB system protects privacy, arguing that the evidence pointed out that the system is working well. Our Page 21 GAO/HEHS-99-55 Medical Records Privacy B-280657 second reviewer, on the other hand, agreed that the IRB system is already heavily burdened. In response to their concerns and views, we made some changes where we believed it was appropriate to do so, but we continue to believe that the IRB system has limitations that need to be highlighted as policymakers consider expanding its responsibilities. We are sending copies of this report to the Secretary of HHS and other interested parties. We will also make copies available to others upon request. If you have any questions or would like additional information, please call one of the major contributors listed in appendix II. Sincerely yours, Bernice Steinhardt Director, Health Services Quality and Public Health Issues Page 22 GAO/HEHS-99-55 Medical Records Privacy Page 23 GAO/HEHS-99-55 Medical Records Privacy Contents Letter 1 Appendix I 26 Scope and Methodology Appendix II 28 Major Contributors to This Report Abbreviations FDA Food and Drug Administration HHS Department of Health and Human Services HIPAA Health Insurance Portability and Accountability Act IRB institutional review board MCO managed care organization MPA multiple project assurance NIH National Institutes of Health OPRR Office for Protection From Research Risks PBM pharmacy benefit management Page 24 GAO/HEHS-99-55 Medical Records Privacy Page 25 GAO/HEHS-99-55 Medical Records Privacy Appendix I Scope and Methodology To help us understand the nature of research that uses medical records and the types of oversight and safeguards that might be used, we identified and reviewed literature on the use of medical information in health research and met with individuals and representatives from associations and organizations knowledgeable about issues surrounding the use of medical information in health research. We also met with officials and reviewed documents from NIH, the Office for Protection From Research Risks, FDA, and the National Bioethics Advisory Commission. Additionally, we met with HHS’ Privacy Advocate. We also met with officials of two state departments of public health. For this work, we used the Common Rule’s definition of research: “a systematic investigation . . . designed to develop or contribute to generalizable knowledge.” After we determined that there is no inventory of health research conducted outside Common Rule requirements, with the exception of an informal categorical listing developed by OPRR, we focused our examination on health care organizations conducting research with extensive databases. We chose such organizations because of the potential risk to large numbers of individuals if medical information is not adequately safeguarded. Twelve organizations that conduct health research participated in our review, including managed care organizations, integrated health systems, pharmaceutical companies, health information organizations, pharmacy benefit management companies, and biotechnology companies. We also screened indemnity insurers, utilization review organizations, and similar organizations for possible participation in our review. Indemnity insurers told us that they do not carry out research on the fee-for-service portion of their business, noting the limitations of existing data on medical care received on a fee-for-service basis. They often do not know the identities of family members of subscribers. They also pointed out that claims are often filed under one policyholder number, and as a result, the care received by one individual cannot be separated from the care received by another for purposes of analysis. The utilization review organizations that we contacted stated that their activities only cover utilization patterns for specific individuals, which they do not classify as research. We interviewed representatives of the 12 organizations that participated and, to the extent available, reviewed their policies for safeguarding identifiable medical information. However, three organizations did not provide us with these policies. In addition, we did not verify the Page 26 GAO/HEHS-99-55 Medical Records Privacy Appendix I Scope and Methodology information received from the nine other organizations. Although the organizations identified their procedures to us, we did not assess the implementation of those procedures. Because of the small number of organizations included in our study, the information we collected is not generalizable to the health care industry as a whole. Further, four organizations we contacted were unwilling to participate in this study. In addition, we obtained information from seven IRBs. Five of these IRBs were at institutions that conduct research for the federal government, and two are freestanding IRBs that are hired for their services. Again, because of the small number of review boards in our study, the information we collected from IRBs is not generalizable. We conducted our work between July 1998 and February 1999 in accordance with generally accepted government auditing standards. Page 27 GAO/HEHS-99-55 Medical Records Privacy Appendix II Major Contributors to This Report Marcia Crosse, Assistant Director, (202) 512-3407 Nancy Donovan, Evaluator-in-Charge, (202) 512-7136 Donna Bulvin, Senior Evaluator Roy Hogberg, Senior Evaluator Gloria Taylor, Senior Evaluator Barry Bedrick, Associate General Counsel Dayna Shah, Assistant General Counsel Mary Reich, Senior Attorney Karen Sloan, Writer (108378) Page 28 GAO/HEHS-99-55 Medical Records Privacy Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with "info" in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http://www.gao.gov PRINTED ON RECYCLED PAPER United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. G100 Official Business Penalty for Private Use $300 Address Correction Requested
Medical Records Privacy: Access Needed for Health Research, but Oversight of Privacy Protections Is Limited
Published by the Government Accountability Office on 1999-02-24.
Below is a raw (and likely hideous) rendition of the original report. (PDF)