Data Privacy and Epidemiologic Research Harry Guess Merck Research Laboratories  Merck & Co., Inc

Download  Data Privacy and Epidemiologic Research Harry Guess Merck Research Laboratories  Merck & Co., Inc

Post on 19-Dec-2015




2 download

Embed Size (px)


<ul><li> Slide 1 </li> <li> . Data Privacy and Epidemiologic Research Harry Guess Merck Research Laboratories Merck &amp; Co., Inc. </li> <li> Slide 2 </li> <li> . Outline Epidemiologic and health services research Contrast with clinical research Human subjects protection in health services research Identifiable data and protection of privacy Public health importance of studies using identifiable medical data Conclusions Where can mathematical research help? </li> <li> Slide 3 </li> <li> . Health Services Research (HSR) * Health services research is a multidisciplinary field of inquiry, both basic and applied, that examines the use, costs, quality, accessibility, delivery, organization, financing, and outcomes of health care services to increase knowledge and understanding of the structure, processes, and effects of health services for individuals and populations * Protecting Data Privacy in Health Services Research: Committee on the Role of Institutional Review Boards in Health Services Research Data Privacy Protection (Editors). Division of Health Care Services. National Academy of Sciences Press. Washington, DC. 2000. ISBN: 0-309-07187-9 </li> <li> Slide 4 </li> <li> . Much Health Services Research Makes Use of Medical Records Previously Collected for Other Purposes </li> <li> Slide 5 </li> <li> . Typical Information available in Claims Databases MEMBERSHIP DATA Member identifier Date of birth Gender Date of enrollment Date of disenrollment Benefit plan number OUTPATIENT PHARMACY CLAIMS Member identifier Pharmacy identifier NDC code Generic code Drug strength Dosage form Quantity dispensed Days supply Prescribing physician ID Date filled HOSPITAL CLAIMS Member identifier Provider identifier Date of admission Date of discharge DRG code ICD-9-CM codes Length of stay PHYSICIAN CLAIMS Member identifier Provider identifier Date of service ICD-9-CM codes or CPT-4 procedure codes </li> <li> Slide 6 </li> <li> . Using the member identification number and the dates of events (e.g., prescriptions, medical diagnoses), the records can be linked over time to produce a longitudinal record of events for each patient: Patient 1234:02/26/01 - prescription for Drug A Patient 1234:03/15/01 - prescription for Drug A Patient 1234:04/10/01 - prescriptions for Drug A, Drug B Patient 1234:04/20/01 - hospitalization for acute renal failure Putting together each patients longitudinal sequence of events yields a record of a cohort of many patients, each of whom has been followed individually over time. Record Linkage can create a longitudinal record of events for each patient </li> <li> Slide 7 </li> <li> . X Patient A Patient C Patient B Patient D Patient E Patient F X </li> <li> Slide 8 </li> <li> . Once longitudinal records have been created, personal identifiers such as member numbers or social security numbers are generally replaced by encrypted numbers or by sequential numbers (0001 for the first patient, 002 for the second, etc) Such data are not fully anonymous as long as someone (e.g, the managed care organization) holds the key whereby the actual member numbers can be re-identified In epidemiologic research and in pharmaceutical clinical trials the patient identifiers maintained for data analyses are typically study site identifiers sequential patient numbers The links between these and actual patient identifiers are almost always held by the investigators (for clinical trials) or managed care organizations (for epidemiologic studies) </li> <li> Slide 9 </li> <li> . Example: Health Care Databases in Saskatchewan All residents have full coverage of medical care services and drugs listed in the provincial formulary. Approximately 1 million current residents. Six separate provincial databases can be linked by an individuals unique Health Services Number (HSN): Eligible population registry Prescription drug data (1975-1987; 1989-present) Hospital services data Physician services data Cancer registry and vital statistics Reference: Downey W, et al: Health Databases in Saskatchewan. Ch. 20, pp. 325-345. In: Pharmacoepidemiology. 3d Ed. B. Strom (Ed). </li> <li> Slide 10 </li> <li> . Clinical and Health Services Research: Two different paradigms Clinical Research Typically prospective Typically involves at most a few thousand patients, except in the most expensive of studies Research risks may involve possibility of physical harm (e.g., from adverse reactions) Study-specific informed consent is easily obtained as part of the investigator - patient interaction Health Services Research Often retrospective Typically involves analyses of medical records that have been collected previously and for other purposes from many thousands or millions of patients Research risks have to do with potential harm from release of health information Study-specific informed consent is often impossible to obtain without either invalidating the study or making it prohibitively expensive </li> <li> Slide 11 </li> <li> . Another difference between clinical and health services research Much health services research is intended to improve the quality of medical care hence the boundary between health care quality assurance and research is often not as sharply defined in health services research as in clinical research Research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. (45 CFR 164.501) if there is any element of research in an activity, that activity should undergo review for the protection of human subjects (The Belmont Report) </li> <li> Slide 12 </li> <li> . Human Subjects Protection in Health Services Research Ethical principles * are the same as for clinical research Respect for persons Underlies the requirement for oversight of research by an Institutional Review Board (IRB) / Privacy Board / Ethics Committee Requires patient informed consent - with certain well-defined exceptions Beneficence Requires that risks of the research be reasonable in relation to possible benefits and that any risks to research subjects be minimized Justice Requires fairness in sharing risks and benefits of research * The Belmont Report: </li> <li> Slide 13 </li> <li> . Waiving Informed Consent: The Belmont Report A special problem of consent arises where informing subjects of some pertinent aspect of the research is likely to impair the validity of the research.. In all cases of research involving incomplete disclosure, such research is justified only if it is clear that (1) incomplete disclosure is truly necessary to accomplish the goals of the research, (2) there are no undisclosed risks to subjects that are more than minimal, and (3) there is an adequate plan for debriefing subjects, when appropriate, and for dissemination of research results to them. Care should be taken to distinguish cases in which disclosure would destroy or invalidate the research from cases in which disclosure would simply inconvenience the investigator. </li> <li> Slide 14 </li> <li> . Conditions in The Common Rule under which an IRB may alter or waive the requirement of obtaining informed consent for human subjects research An Institutional Review Board (IRB) may alter or waive the requirements to obtain informed consent if it finds and documents that: (1) The research involves no more than minimal risk to the subjects; (2) The waiver or alteration will not adversely affect the rights and welfare of the subjects; (3) The research could not practicably be carried out without the waiver or alteration; and (4) Whenever appropriate, the subjects will be provided with additional pertinent information after participation. 45 CFR 46.116(d) </li> <li> Slide 15 </li> <li> . HIPPA 45 CFR 160-164: Standards for Privacy of Individually Identifiable Health Information This regulation is the second final regulation to be issued in the package of rules mandated under title II subtitle F section 261264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104191, titled Administrative Simplification. CFR = U.S. Code of Federal Regulations </li> <li> Slide 16 </li> <li> . Privacy Protections for Human Research Participants The HIPAA Privacy Prohibition The HIPAA Privacy Standards generally state that a covered entity may not use or disclose protected health information (PHI), except as permitted or required by the regulation. 45 CFR 164.502 </li> <li> Slide 17 </li> <li> . Covered Entity Health plan; Health care clearinghouse; Health care provider that transmits any health information in electronic form. Protected Health Information (PHI) Individually Identifiable Health Information (IIHI) in the possession of a Covered Entity, whether transmitted or maintained through electronic media, in hard copy, or by other means Individually Identifiable Health Information (IIHI) Information about the physical or mental health of an individual that is created or received by a covered entity and that identifies or can reasonably be used to identify the individual HIPPA: Some Definitions </li> <li> Slide 18 </li> <li> . HIPPA: Privacy Protections for Human Research Participants The Common Rule HIPPA </li> <li> Slide 19 </li> <li> . HIPAA applies to covered entities, not covered individuals. Covered entities include healthcare providers that transmit PHI in electronic form. Thus, a researcher, who is not a healthcare provider or other covered entity, who receives PHI from a covered entity is not directly subject to the HIPAA regulation. Indirect control on how a researcher can access data from a covered entity is provided by HIPPA in several ways, including through requiring that the covered entity obtain authorization from each patient whose data will be used for anything other than treatment, payment, or healthcare operations or through detailed criteria that an IRB or Privacy Board must find to have been met in order for a covered entity to release PHI for a research study without specific authorization from each patient HIPPA: Effect on Researchers </li> <li> Slide 20 </li> <li> . Conditions in HIPPA Regulations under which an IRB or Privacy Board may waive or alter informed consent requirements for releasing identifiable health information (A) The use or disclosure of protected health information involves no more than minimal risk to the individuals; (B) The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals; (C) The research could not practicably be conducted without the alteration or waiver; (D) The research could not practicably be conducted without access to and use of the protected health information; Continued </li> <li> Slide 21 </li> <li> . (E) The privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the anticipated benefits if any to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research; (F) There is an adequate plan to protect the identifiers from improper use and disclosure; (G) There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law; and (H) There are adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart. 45 CFR 164.512(i) HIPPA Conditions for waiving consent (continued) </li> <li> Slide 22 </li> <li> . De-Identification of health information: What are the requirements in HIPPA? </li> <li> Slide 23 </li> <li> . To de-identify medical data under HIPPA, one must either remove all of the following 18 identifiers or provide an expert statistical determination that the risk of identifying an individual would be very small * : Names All geographic subdivisions smaller than a State (some complex exceptions) All elements of dates (except year)for dates...including birth date, admission date, discharge date, date of death; and all ages over 89 Telephone numbers Fax numbers Electronic mail addresses Social security numbers Medical record numbers Health plan beneficiary numbers Account numbers Certificate/license numbers Vehicle identifiers and serial numbers, including license plate numbers Device identifiers and serial numbers Web Universal Resource Locators (URLs) Internet Protocol (IP) address numbers Biometric identifiers, including finger and voice prints Full face photographic images and any comparable images and Any other unique identifying number, characteristic, or code * 45 CFR 164.514 </li> <li> Slide 24 </li> <li> . Expert statistical determination that the risk of identifying an individual is very small * A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable: (i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (ii) Documents the methods and results of the analysis that justify such determination. * 45 CFR 164.514 </li> <li> Slide 25 </li> <li> . Why such caution? </li> <li> Slide 26 </li> <li> . Database information: DOB, Gender, Zip Code, Public information: e.g. voter registration rolls linking names and addresses with DOB, gender, Zip Codes + = Identification of the patient names with the medical information in the database Use of external public information in combination with databases can reveal patient names and addresses </li> <li> Slide 27 </li> <li> . Using public information to uniquely identify people Cambridge, Massachusetts Voting List - 54,805 voters Data Elements Birth date alone Birth date and gender Birth date and 5-digit ZIP Code Birth date and full postal code Percent of voters whose names and addresses were uniquely identified by the data elements 12% * 29% 69% 97% Sweeney L: Journal of Law, Medicine &amp; Ethics. 1997; 25:98-110 * These results are not surprising. This is about what one would expect from the rough approximation (1- 1/k) N-1 exp(-N/k), where k = available dates of birth in a voter cohort and N = 54,085. The other numbers look plausible as well, by similar reasoning. </li> <li> Slide 28 </li> <li> . Even more stringent forms of data privacy protection than HIPPA are favored by some </li> <li> Slide 29 </li> <li> . Some members of the academic medical community believe that identifiable medical records should generally not...</li></ul>


View more >