Rationale for the URMC policy:

Data sets generated through the care of patients have always been a research resource of enormous potential. In the past, access to this information has been made available to researchers via approved review of paper medical records from which data elements were copied. The trend toward capture and storage of patient information in digital form provides researchers with a new, efficient means of accessing these data. Digital patient data are sought for numerous research purposes, ranging from epidemiological studies to technology testing to software/interface development. The desire to exploit easy access to patient data for purposes that are not directly related to the care of patients must be tempered with the same careful consideration of confidentiality and security protections that governs access to paper medical records.
Research use of electronic clinical information must not impede fast, dependable access to digital clinical information by caregivers. The URMC approach addresses this by providing extracted data sets from the live online systems, rather than allowing direct researcher access to live data.

Resources Relating to Public Policy in this Area:

- For the Record: Protecting Electronic Health Information. Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure. National Academy of Science. Washington, D.C. 1997.

  In 1997, this committee issued recommendations concerning the protection of electronic health information. Among the basic elements:

  - Explicit policies should be developed that "...clearly state the types of information considered confidential, the people authorized to release the information, the procedures that must be followed...and the types of people who are authorized to receive information."
  - Health care organizations should develop authorization forms that improve patients' understanding of health data flows and limit the time period for which authorizations are valid.
  - Health care organizations should allow patients to request audits of all accesses to their records.

  The panel notes: "Organizations (especially those linked to either a medical school or a medical research program) must also develop policies to guide researchers in procedures for maintaining privacy while using health information. These policies should contain a clearly formulated statement that defines 'intended use' and defines identifiable versus aggregate data access. Procedures for removing identifying factors need to be clearly specified for both the paper and electronic medical record and for record abstracts or audit material. The standard (and generally acceptable) pathway for review of requests for research access to medical record information is through an organization's institutional review board (IRB), whose members evaluate the potential for patient risk as a result of granting access." (For the Record, p. 134)
- Health Privacy and Confidentiality Recommendations of the National Committee on Vital and Health Statistics. Approved on June 25, 1997. Published on the Internet at http://aspe.os.dhhs.gov/ncvhs/privrecs.htm. Accessed 1/15/98.

  - Selection 1, from Additional Discussion. B: Technology and Identifiable Information

    "At Committee hearings, most users of health data said that some functions could be accomplished without the need for identified data. With traditional paper records, the difficulties of creating non-identifiable data are typically significant. It may be impractical and very time-consuming to make a complete copy of a paper record with all identifying data removed. With a computer record, the administrative burden of creating anonymized records may be insignificant.

    "Determining when a record is truly non-identifiable, however, is not always simple. Records can often be linked or identified through use of a combination of non-unique identifiers (e.g., birth date, birth place, mother's first name). The Committee suggests that additional study about the line between identifiable and non-identifiable health data is needed.

    "Other protections can be provided by releasing data with non-unique identifiers that have been changed in a way that does not affect the utility of the data to the user. For example, if a research project requires age information, birth dates might be altered by randomly selecting a date within thirty or sixty days of the actual date. This change would make it much more unlikely that any particular individual could be identified, but it would not interfere with the conduct of the research. Similar changes in other data elements may also be possible. In a computer-based environment, these types of changes are highly recommended.

    "The Committee concludes that we need to do more to develop and implement technological protections for health records. Technology offers the possibility that we can use records for socially beneficial purposes while fully protecting privacy at the same time. Greater use of nonidentifiable, coded, or encrypted records can make everyone better off at little or no cost. Technology will not cure all problems related to the use of identifiable information, but it can diminish the intensity and scope of the problems. This may be the most promising area for additional development."

  - Selection 2, from Additional Discussion. G: Health Research

    "The Committee has no difficulty in taking a position on the thorny issue of researcher access to health records. The Committee strongly supports the use of health records for health research. Identifiers should only be available when necessary, and there must be some independent review of research access. Institutional review boards provide one model for independent review. Patients must also be protected against the possibility that they will be identified through publication of research findings.

    "The Committee recognizes the conflict between research and privacy, but requiring patient consent as a condition of researcher access is impractical and expensive. It would also most likely stop a significant amount of useful investigation. This is not in the health interest of individual patients or the general population. Patient privacy interests are adequately protected by independent review of research protocols, the earliest possible removal of identifiers, prohibitions against use of research records for actions against patients, and strict penalties against researchers who violate the rules."
- Health Data Security, Patient Privacy, and the Use of Archival Patient Materials in Research. AAMC Policy Statement. Approved: AAMC Executive Council, February 27, 1997. Published on the Internet at http://www.aamc.org/advocacy/issues/research/confplcy.htm. Accessed 1/15/98.

  - Selection 1, from Principles:

    "5. Organizations that deliver medical care, or conduct biomedical, epidemiological or health services research, must be responsible and accountable for the development and implementation of appropriate policies to ensure protection of confidentiality of medical information through such mechanisms as informed consent, IRB review and approval, and adherence to accreditation standards and state laws and regulations. One possible approach to this task would be to give each patient at his/her first encounter with the health care system two unique identifiers, one for clinical use, the other for research. Both numbers would be permanently associated with the specific individual. The linkage between the two numbers would be securely maintained in a protected location with controlled access, in accordance with the provisions of recommendation 7. This approach would help to achieve the objectives both of strengthening the security of confidential medical information and promoting the accessibility over time of archival patient materials for research."
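Two of the selections above describe concrete mechanisms: the NCVHS suggestion of altering birth dates by a random amount of up to thirty days, and the AAMC proposal of a separate research identifier whose linkage to the clinical identifier is kept in a protected location under controlled access. The following is a worked Python example of both, added here for illustration; it is not code from URMC, the NCVHS or the AAMC. The choice of HMAC-SHA256 under a secret linkage key to derive the research identifier (the AAMC text describes two stored numbers with a separately kept linkage and prescribes no derivation), the use of one constant per-patient shift for every date so that intervals between a patient's own events survive, the field names, the key value and the sample records are all assumptions; the records are constructed, not real patients.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date, timedelta

# Hypothetical linkage secret. In the AAMC two-identifier model the linkage
# between clinical and research identifiers lives with a custodian in a
# protected location with controlled access; here that linkage is this key,
# which must never ship with the extracted research data set.
LINKAGE_KEY = b"example-linkage-key-held-by-custodian"

MAX_SHIFT_DAYS = 30  # the NCVHS example: a date within thirty days of the real one


def research_id(clinical_id: str, key: bytes = LINKAGE_KEY) -> str:
    """Derive the research identifier from the clinical identifier.

    HMAC-SHA256 under the linkage key gives a pseudonym that is stable across
    extracts (archival records stay linkable for longitudinal research) but
    cannot be reversed or recomputed without the key. Assumed implementation
    choice, not one the quoted policy documents prescribe.
    """
    mac = hmac.new(key, b"research-id:" + clinical_id.encode(), hashlib.sha256)
    return "R-" + mac.hexdigest()[:16]


def date_offset(clinical_id: str, key: bytes = LINKAGE_KEY) -> timedelta:
    """Per-patient shift in [-MAX_SHIFT_DAYS, +MAX_SHIFT_DAYS].

    Derived from the key rather than drawn fresh, so repeated extracts shift
    the same patient by the same amount and can still be joined on research_id.
    """
    mac = hmac.new(key, b"date-shift:" + clinical_id.encode(), hashlib.sha256)
    days = int.from_bytes(mac.digest()[:4], "big") % (2 * MAX_SHIFT_DAYS + 1)
    return timedelta(days=days - MAX_SHIFT_DAYS)


def deidentify(record: dict, key: bytes = LINKAGE_KEY) -> dict:
    """Produce the research copy of one patient record.

    - the clinical identifier and the name are dropped;
    - a research identifier takes the clinical identifier's place;
    - every date is shifted by the same per-patient offset, so the intervals
      between a patient's own events (e.g. visit to follow-up) survive while
      the true birth date and visit dates do not.
    """
    shift = date_offset(record["clinical_id"], key)
    return {
        "research_id": research_id(record["clinical_id"], key),
        "dob": record["dob"] + shift,
        "birth_place": record["birth_place"],
        "encounters": [d + shift for d in record["encounters"]],
    }


def default_quasi_id(record: dict) -> tuple:
    """Quasi-identifier tuple used for the release check: birth year and birth place."""
    return (record["dob"].year, record["birth_place"])


def smallest_quasi_identifier_group(records, quasi_id=default_quasi_id) -> int:
    """Size of the smallest group of records that share a quasi-identifier tuple.

    The NCVHS text warns that non-unique fields combine into a unique key
    (birth date, birth place, mother's first name). A result of 1 means some
    record is unique on those fields; run this on the research copy before
    release and generalize further (region instead of town, age band instead
    of birth year) until every group is comfortably larger than 1.
    """
    groups = Counter(quasi_id(r) for r in records)
    return min(groups.values()) if groups else 0


# Constructed sample extract; these are not real patients.
SAMPLE_RECORDS = [
    {"clinical_id": "MRN0001", "name": "A. Example", "dob": date(1950, 3, 14),
     "birth_place": "Rochester",
     "encounters": [date(1997, 11, 2), date(1997, 11, 9)]},
    {"clinical_id": "MRN0002", "name": "B. Example", "dob": date(1950, 7, 1),
     "birth_place": "Rochester",
     "encounters": [date(1997, 12, 20)]},
    {"clinical_id": "MRN0003", "name": "C. Example", "dob": date(1981, 1, 30),
     "birth_place": "Buffalo",
     "encounters": [date(1998, 1, 5), date(1998, 1, 12)]},
]


def build_research_extract(records=SAMPLE_RECORDS, key=LINKAGE_KEY) -> list:
    """The data set a researcher would receive instead of access to live records."""
    return [deidentify(r, key) for r in records]


if __name__ == "__main__":
    extract = build_research_extract()
    for row in extract:
        print(row)
    print("smallest quasi-identifier group:",
          smallest_quasi_identifier_group(extract))
```

Running the block prints the research copy and a quasi-identifier check of 1 for the constructed sample, because only one record was born in Buffalo; that record would need further generalization before release. Because the linkage here is a key rather than a lookup table, anyone holding the key and a list of candidate clinical identifiers can recompute every pseudonym, so the key is exactly as sensitive as the AAMC's linkage record and must be stored and access-controlled the same way.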