Download - Data Privacy and Epidemiologic Research Harry Guess Merck Research Laboratories Merck & Co., Inc
.
Data Privacy and Epidemiologic Research
Harry Guess
Merck Research Laboratories
Merck & Co., Inc.
.
Outline• Epidemiologic and health services research• Contrast with clinical research• Human subjects protection in health services research• Identifiable data and protection of privacy• Public health importance of studies using identifiable
medical data• Conclusions• Where can mathematical research help?
.
Health Services Research (HSR)*
• Health services research is a multidisciplinary field of inquiry, both basic and applied, that examines the use, costs, quality, accessibility, delivery, organization, financing, and outcomes of health care services to increase knowledge and understanding of the structure, processes, and effects of health services for individuals and populations
*Protecting Data Privacy in Health Services Research: Committee on the Role of Institutional Review Boards in Health Services Research Data Privacy Protection (Editors). Division of Health Care Services. National Academy of Sciences Press. Washington, DC. 2000. ISBN: 0-309-07187-9
.
Much Health Services Research Makes Use of Medical Records Previously
Collected for Other Purposes
.
Typical Information available in Claims Databases
MEMBERSHIP DATA
Member identifierDate of birthGenderDate of enrollmentDate of disenrollmentBenefit plan number
OUTPATIENTPHARMACY CLAIMS
Member identifier Pharmacy identifierNDC codeGeneric codeDrug strengthDosage formQuantity dispensedDays supplyPrescribing physician IDDate filled
HOSPITAL CLAIMS
Member identifierProvider identifierDate of admissionDate of dischargeDRG codeICD-9-CM codesLength of stay
PHYSICIAN CLAIMS
Member identifierProvider identifierDate of serviceICD-9-CM codes orCPT-4 procedure codes
.
• Using the member identification number and the dates of events
(e.g., prescriptions, medical diagnoses), the records can be linked over time to produce a longitudinal record of events for each patient:
– Patient 1234: 02/26/01 - prescription for Drug A
– Patient 1234: 03/15/01 - prescription for Drug A
– Patient 1234: 04/10/01 - prescriptions for Drug A, Drug B
– Patient 1234: 04/20/01 - hospitalization for acute renal failure
• Putting together each patient’s longitudinal sequence of events yields a record of a cohort of many patients, each of whom has been followed individually over time.
Record Linkage can create a longitudinal record of events for each patient
.
X
Patient A
Patient C
Patient B
Patient D
Patient E
Patient F
X
.
• Once longitudinal records have been created, personal identifiers such as member
numbers or social security numbers are generally replaced by encrypted numbers or by sequential numbers (0001 for the first patient, 002 for the second, etc)
• Such data are not fully anonymous as long as someone (e.g, the managed care organization) holds the key whereby the actual member numbers can be re-identified
• In epidemiologic research and in pharmaceutical clinical trials the patient identifiers maintained for data analyses are typically – study site identifiers
– sequential patient numbers
• The links between these and actual patient identifiers are almost always held by the investigators (for clinical trials) or managed care organizations (for epidemiologic studies)
.
Example:
Health Care Databases in Saskatchewan
• All residents have full coverage of medical care services and drugs listed in the provincial formulary.
• Approximately 1 million current residents.• Six separate provincial databases can be linked by an individual’s unique
Health Services Number (HSN): – Eligible population registry – Prescription drug data (1975-1987; 1989-present)– Hospital services data– Physician services data – Cancer registry and vital statistics
• Reference: Downey W, et al: Health Databases in Saskatchewan. Ch. 20, pp. 325-345. In: Pharmacoepidemiology. 3d Ed. B. Strom (Ed).
.
Clinical and Health Services Research: Two different paradigms
• Clinical Research– Typically prospective
– Typically involves at most a few thousand patients, except in the most expensive of studies
– Research risks may involve possibility of physical harm (e.g., from adverse reactions)
– Study-specific informed consent is easily obtained as part of the investigator - patient interaction
• Health Services Research– Often retrospective– Typically involves analyses of
medical records that have been collected previously and for other purposes from many thousands or millions of patients
– Research risks have to do with potential harm from release of health information
– Study-specific informed consent is often impossible to obtain without either invalidating the study or making it prohibitively expensive
.
Another difference between clinical and health services research
• Much health services research is intended to improve the quality of medical care
– hence the boundary between “health care quality assurance” and “research” is often not as sharply defined in health services research as in clinical research
– Research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. (45 CFR 164.501)
– “…if there is any element of research in an activity, that activity should undergo review for the protection of human subjects” (The Belmont Report)
.
Human Subjects Protection in Health Services Research
• Ethical principles* are the same as for clinical research– Respect for persons
• Underlies the requirement for oversight of research by an Institutional Review Board (IRB) / Privacy Board / Ethics Committee
• Requires patient informed consent - with certain well-defined exceptions
– Beneficence • Requires that risks of the research be reasonable in relation to possible
benefits and that any risks to research subjects be minimized
– Justice• Requires fairness in sharing risks and benefits of research
*The Belmont Report: http://ohrp.osophs.dhhs.gov/humansubjects/guidance/belmont.htm
.
Waiving Informed Consent:
The Belmont Report • “A special problem of consent arises where informing subjects of some
pertinent aspect of the research is likely to impair the validity of the research…..
• In all cases of research involving incomplete disclosure, such research is justified only if it is clear that
– (1) incomplete disclosure is truly necessary to accomplish the goals of the research, – (2) there are no undisclosed risks to subjects that are more than minimal, and – (3) there is an adequate plan for debriefing subjects, when appropriate, and for
dissemination of research results to them.”
• “Care should be taken to distinguish cases in which disclosure would destroy or invalidate the research from cases in which disclosure would simply inconvenience the investigator.”
.
Conditions in “The Common Rule” under which an IRB may alter or waive the requirement of obtaining informed
consent for human subjects research
• An Institutional Review Board (IRB) may alter or waive the requirements to obtain informed consent if it finds and documents that: – (1) The research involves no more than minimal risk to the subjects;
– (2) The waiver or alteration will not adversely affect the rights and welfare of the subjects;
– (3) The research could not practicably be carried out without the waiver or alteration; and
– (4) Whenever appropriate, the subjects will be provided with additional pertinent information after participation.
45 CFR 46.116(d)
.
HIPPA• 45 CFR 160-164: Standards for Privacy of Individually Identifiable
Health Information
• This regulation is the second final regulation to be issued in the package of rules mandated under title II subtitle F section 261–264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104–191, titled ‘‘Administrative Simplification.’’
CFR = U.S. Code of Federal Regulations
.
Privacy Protections for Human Research Participants
• The HIPAA Privacy Prohibition
• The HIPAA Privacy Standards generally state that a “covered entity may not use or disclose protected health information (PHI), except as permitted or required by” the regulation.
• 45 CFR 164.502
.
Covered Entity
Health plan; Health care clearinghouse; Health care provider that transmits any health information in electronic form.
Protected Health Information (PHI)
Individually Identifiable Health Information (IIHI) in the possession of a Covered Entity, whether transmitted or maintained through electronic media, in hard copy, or by other means
Individually Identifiable Health Information (IIHI)
Information about the physical or mental health of an individual that is created or received by a covered entity and that identifies or can reasonably be used to identify the individual
HIPPA: Some Definitions
.
HIPPA: Privacy Protections for Human Research Participants
The Common Rule HIPPA Applies to federally funded or regulatedresearch
Applies to all research for which HIPAAcovered entities use or disclose PHI
Protects rights and welfare Protects privacy and welfare
Human subject: a living individual; subjectof data or information
Individual: subject of information; a livingor deceased person
Establishes IRBs Establishes Privacy Boards; recognizesIRBs
Board reviews all research protocols Board reviews only the waiver or alterationof authorization
Annual and continuing reviews No requirement
Informed Consent Authorization and Consent
.
• HIPAA applies to covered entities, not covered individuals.
– Covered entities include healthcare providers that transmit PHI in electronic form.
• Thus, a researcher, who is not a healthcare provider or other covered entity, who receives PHI from a covered entity is not directly subject to the HIPAA regulation.
• Indirect control on how a researcher can access data from a covered entity is provided by HIPPA in several ways, including
– through requiring that the covered entity obtain authorization from each patient whose data will be used for anything other than treatment, payment, or healthcare operations
– or through detailed criteria that an IRB or Privacy Board must find to have been met in order for a covered entity to release PHI for a research study without specific authorization from each patient
HIPPA: Effect on Researchers
.
Conditions in HIPPA Regulations under which an IRB or Privacy Board may waive or alter informed consent
requirements for releasing identifiable health information
• (A) The use or disclosure of protected health information involves no more than minimal risk to the individuals;
• (B) The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;
• (C) The research could not practicably be conducted without the alteration or waiver;
• (D) The research could not practicably be conducted without access to and use of the protected health information;
Continued
.
• (E) The privacy risks to individuals whose protected health information is to be used or
disclosed are reasonable in relation to the anticipated benefits if any to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research;
• (F) There is an adequate plan to protect the identifiers from improper use and disclosure; • (G) There is an adequate plan to destroy the identifiers at the earliest opportunity
consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law; and
• (H) There are adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart.
45 CFR 164.512(i)
HIPPA Conditions for waiving consent (continued)
.
De-Identification of health information:
What are the requirements in HIPPA?
.
To “de-identify” medical data under HIPPA, one must either remove all of the following 18 identifiers or provide an expert statistical determination that the risk of identifying an individual would be very small*:
• Names• All geographic subdivisions
smaller than a State (some complex exceptions)
• All elements of dates (except year)for dates ...including birth date, admission date, discharge date, date of death; and all ages over 89…
• Telephone numbers• Fax numbers• Electronic mail addresses• Social security numbers• Medical record numbers• Health plan beneficiary numbers
• Account numbers• Certificate/license numbers• Vehicle identifiers and serial numbers,
including license plate numbers• Device identifiers and serial numbers• Web Universal Resource Locators
(URLs)• Internet Protocol (IP) address
numbers• Biometric identifiers, including finger
and voice prints• Full face photographic images and
any comparable images and• Any other unique identifying number,
characteristic, or code
*45 CFR 164.514
.
Expert statistical determination that the risk of identifying an individual is “very small”*
“A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination….”
*45 CFR 164.514
.
Why such caution?
.
Database information:DOB, Gender, Zip Code,…
Public information: e.g. voter registration rolls linking names and addresses with DOB, gender, Zip Codes +
= Identification of the patient names with themedical information in the database
Use of external public information in combination with databases can reveal patient
names and addresses
.
Using public information to uniquely identify people
Cambridge, Massachusetts Voting List - 54,805 voters
• Data Elements
– Birth date alone
– Birth date and gender
– Birth date and 5-digit ZIP Code
– Birth date and full postal code
• Percent of voters whose names and addresses were uniquely identified by the data elements
– 12%*
– 29%
– 69%
– 97%
Sweeney L: Journal of Law, Medicine & Ethics. 1997; 25:98-110
*These results are not surprising. This is about what one would expect from the rough approximation (1- 1/k)N-1 exp(-N/k), where k = available dates of birth in a voter cohort and N = 54,085. The other numbers look plausible as well, by similar reasoning.
.
Even more stringent forms of data privacy protection than HIPPA are favored by some
.
• Some members of the academic medical community believe that identifiable medical records should generally not be used for public health research or quality assurance without specific informed consent and that these objectives can be accomplished sufficiently well by use of fully anonymous data:
– “In addition, we must abandon the use of identifiable medical records for quality assurance, detection of fraud, and public health, with narrowly defined exceptions. In most cases, mathematical algorithms applied to anonymous data perform these functions more effectively, more quickly, more accurately, and more cheaply.”
*Welch CA. NEJM August 2001; 345:371-2
.
Some states have required individual patient informed consent for all medical records research
• In 1996, Minnesota enacted a law that placed stringent consent requirements on the use of patient data for research.
• Records created since January 1, 1997 could not be used for research without the patient’s written authorization.
.
• STUDY DESIGN: Seizures associated with a pain medication -- part of FDA post-marketing surveillance to evaluate adverse events with approved drugs.
• DATA COLLECTION: Informed consent for Minnesota plan members consisted of: (1) letter from health plan medical director, (2) 2nd mailing to non-respondents, and (3) a follow-up telephone call to non-respondents.
• PRINCIPAL FINDING --- very low participation rates: – 19% (26/140) of health plan members in Minnesota, where informed consent was required,
returned a signed consent form
– In 5 other states, where patient informed consent was not required, health care providers granted access to patient medical records for 93% (123/132) of the members.
• CONCLUSION:Legislation requiring study-specific consent was associated with low participation and increased time to completion. Efforts to protect privacy may conflict with ability to produce valid research to safeguard and improve public health.
McCarthy DB, et al: Medical records and privacy: empirical effects of legislation. Health Serv Res 1999 34:417-25.
Effect of Minnesota legislation requiring specific informed consent on response rate for a medical records study
.
• The Minnesota law has subsequently been amended to permit use of records where the patient does not respond to 2 requests for authorization mailed to the patient’s last known address.
• At Mayo Clinic, that change decreased the percentage of patient records that the patient consent requirement made unavailable for studies from 20.7 percent to 3.2 percent. Mayo Clinic researchers remain concerned that variations in the rate of refusal among different patient groups, for example, young versus old, may tend to skew the results obtained from these data1,2.
1MEDICAL PRIVACY REGULATION. GAO Report 01-584. April 2001.2S. J. Jacobsen and others, “Potential Effect of Authorization Bias on Medical Record Research,” Mayo Clinic Proceedings, Vol. 74, No. 3 (April 1999), p. 333
.
Informed Consent for all Medical Records Research using identifiable patient data is required by the
October 2000 Declaration of Helsinki• Paragraph 1
– ….Medical research involving human subjects includes research on identifiable human material or identifiable data.
• Paragraph 22– In any research on human beings, each potential subject must be adequately informed of the aims,
methods, sources of funding, any possible conflicts of interest, institutional affiliations of the researcher, the anticipated benefits and potential risks of the study and the discomfort it may entail. The subject should be informed of the right to abstain from participation in the study or to withdraw consent to participate at any time without reprisal. After ensuring that the subject has understood the information, the physician should then obtain the subject's freely-given informed consent, preferably in writing. If the consent cannot be obtained in writing, the non-written consent must be formally documented and witnessed.
• These paragraphs imply that informed consent must be obtained for all research involving identifiable medical records. The Declaration provides no exceptions, unlike the Belmont Report, the “Common Rule”, and the HIPPA regulations
.
The new Declaration of Helsinki requirement of informed consent for all research using identifiable
human data has prompted criticism
• “Strict application of the declaration’s principles would make a wide range of clinical, biological, and epidemiological research impractical or invalid.”
Sir Richard Doll. BMJ 2001; 323:1421-1422
• He gave 2 examples of epidemiological research which he judged would have been impossible to conduct validly if individual informed consent had been required
– His 1957 study in 14,000 patients documenting that radiation therapy increased the risk of subsequent cancer
– A recently published epidemiological study showing that neither induced nor spontaneous abortion increased breast cancer risks
.
Medical records databases are essential for addressing many important research
questions in public health
.
Effectiveness of Influenza Vaccine in the Elderly
Retrospective cohort study using administrative database1:
Setting: Minnesota HMO: 25,000+ persons 65+ years of age
Results: About 50% reduction in influenza and pneumonia hospitalizations
Almost 50% reduction in all-cause mortality Direct cost saving of $117 per person vaccinated
Conclusion: Influenza vaccination of the elderly reduces both mortality & costs
Comment:To have required individual informed consent for this study would have made it prohibitively expensive, and could have impaired validity because of selection bias
2NJEM 1994, 331:778-84
.
Evaluating Effects of Reimbursement Rule Changes on Health Care Utilization and Costs
Example: Effect of legislatively-mandated Medicaid drug-payment limits on admissions to hospitals and nursing homes1
Methods: Matched cohort study of Medicaid claims in two states for high-risk elderly patients before, during, and after the limit
Conclusion: "Limiting reimbursement for effective drugs puts frail, low-income, elderly patients at increased risk of institutionalization in nursing homes and may increase Medicaid costs."
Comment: The study required Medicaid claims data from 2 states. If individual informed consent had been required, the study would have been impossible to conduct
1Soumerai SB, et al: Effects of Medicaid drug-payment limits on admission to hospitals and nursing homes. NEJM 1991; 325:1072-7.
.
Why medical records studies are important in public health
• To monitor the health of populations and to detect emerging disease problems, e.g., trends and patterns in asthma, renal disease, coronary heart disease, cancer
• To identify populations at high risk for disease and to identify factors that are either potentially harmful or helpful
• To determine the effectiveness of health interventions as they are used in clinical practice, e.g., monitoring effects of new vaccines
• To quantify prognosis, e.g., survival statistics for various stages and grades of cancer and for cardiovascular disease
• To assess usefulness of diagnostic tests and screening programs, e.g., colon cancer screening, mammography for breast cancer screening
Melton LJ: The threat to medical records research. NEJM 1997; 337:1466-1470
.
Conclusions• Epidemiologic research using identifiable medical records has
played a vital role in advancing public health and medical knowledge
• There is every indication that it should be able to play as great or greater role in the future, especially as larger records linkage systems are put into place
• A requirement for individual study-specific informed consent for each medical records study, as advocated by some, would make much health services and epidemiologic research either invalid or so expensive as to be impossible
.
How can mathematical research help?
• Improving methodology for protecting patient privacy while permitting use of large data sets for epidemiologic research and surveillance
• Defining acceptable professional standards for what needs to be done to certify that a releasing a given data set to a given recipient poses a “very small risk” of identifying any individuals
