Learning from experience: privacy and the secondary use of data in health research

Health services research must continually address the question: Under what conditions may data not collected specifically for research, such as primary medical data, be re-used for research without compromising the privacy of the data-subjects? For secondary use of data in research there are basically three options. Option A: Use personal data with consent or other assent from the data-subjects. To make this both fairer and more practical, in many circumstances broader construals of consent, or permission or approval, need to be explored and instituted. Option B: Anonymise the data, then use them. For many studies, this is the most practical and desirable option. The craft of anonymisation, including reversible anonymisation, or key-coding, needs to be developed and more fully supported under law. Option C: Use personal data without explicit consent, under a public interest mandate. Whether and how the data should be anonymised will depend on the situation. Public health mandates and protections deserve to be clarified, strengthened and extended for a variety of surveillance, registration, clinical audit, health services research and other types of investigation. Safeguards are an integral part of the research promise to the public, offer crucial reassurance and should be emphasised. For health services research, databases are core resources, and their stewardship must be cultivated.     

Ethics,big data and computing in epidemiology and public health

PurposeThis article reflects on the activities of the Ethics Committee of the American College of Epidemiology (ACE). Members of the Ethics Committee identified an opportunity to elaborate on knowledge gained since the inception of the original Ethics Guidelines published by the ACE Ethics and Standards of Practice Committee in 2000.MethodsThe ACE Ethics Committee presented a symposium session at the 2016 Epidemiology Congress of the Americas in Miami on the evolving complexities of ethics and epidemiology as it pertains to “big data.” This article presents a summary and further discussion of that symposium session.ResultsThree topic areas were presented: the policy implications of big data and computing, the fallacy of “secondary” data sources, and the duty of citizens to contribute to big data. A balanced perspective is needed that provides safeguards for individuals but also furthers research to improve population health. Our in-depth review offers next steps for teaching of ethics and epidemiology, as well as for epidemiological research, public health practice, and health policy.ConclusionsTo address contemporary topics in the area of ethics and epidemiology, the Ethics Committee hosted a symposium session on the timely topic of big data. Technological advancements in clinical medicine and genetic epidemiology research coupled with rapid advancements in data networks, storage, and computation at a lower cost are resulting in the growth of huge data repositories. Big data increases concerns about data integrity; informed consent; protection of individual privacy, confidentiality, and harm; data reidentification; and the reporting of faulty inferences.     

Bioethics: problems and prospects within a research institute

Bioethics aims to identify an ethical framework by means of a multidisciplinary debate open to the scientific community, in order to allow support to scientists involved in biomedical research. The Istituto Superiore di Sanità (Italian National Institute of Health) has recognized the need for an ethical review board to cope with the problems of different researches carried on within the Institute. An Ethics Committee, better defined as an Independent Review Board, has therefore been appointed by the Minister of Health in order to evaluate different research proposals ranging from clinical trials to non clinical biomedical research. The experience of the first Committee is described.     

The Patient Information Advisory Group and the use of patient-identifiable data

Patient confidentiality has been a matter of concern in the English National Health Service (NHS) for many years. A number of recent events have triggered the demand for a more concerted programme of change to eliminate the use of patient-identifiable data and to devise more acceptable alternatives. The Caldicott Committee, in 1997, set out the case for change and legislation in 1998 (the Data Protection Act and Human Rights Act) and emphasised the need for urgent action. A number of public inquiries into failures of care in the NHS (at Bristol Royal Infirmary and Alder Hey Hospital) pointed to the failure to seek consent as a major issue for the NHS. Whilst accepting the need for change, the Government, in drafting the Health and Social Care Act 2001, allowed for the fact that some organisations and individuals would need time to move towards anonymisation of data (reversible or irreversible) or to obtain patient consent. Under Section 60 of the Act it established the Patient Information Advisory Group (PIAG). PIAG advises government ministers on circumstances in which the continued use of patient-identifiable data should be permitted, as a temporary measure. PIAG faces a number of challenges as it develops its programme of work: how to maintain the pace of change towards anonymisation, how to ensure compliance with the law, how or whether to share information across organisational boundaries in the interests of citizens, how consent should be obtained and how to achieve 'joined up' working across those organisations that are charged with promoting confidentiality and privacy.     

Privacy and the secondary use of data in health research in Scotland

In response to new data protection legislation for the UK and widespread concern about its implications, the Scottish Executive set up the Confidentiality and Security Advisory Group for Scotland (CSAGS) to place the use of personal health information in a modern setting. The group affirmed the principle of consent and, more broadly, the importance of involving patients and the public in decisions about their health information. It promoted methods of acceptable anonymisation of data, and the need for good stewardship and disclosure of data uses to the greatest extent possible, where explicit individual consent and anonymisation were not practicable. They did not recommend pursuit of legislation, preferring consensus, informed debate and widespread acceptance of the proposed arrangements. The Scottish Executive is now responding to the work of CSAGS to develop systems that command public and patient confidence, promote good practice for clinicians and researchers, and preserve important public health and research functions.     

Ethics,privacy and the legal framework governing medical data: opportunities or threats for biomedical and public health research?

Privacy is an important concern in any research programme that deals with personal medical data. In recent years, ethics and privacy have become key considerations when conducting any form of scientific research that involves personal data. These issues are now addressed in healthcare professional training programmes. Indeed, ethics, legal frameworks and privacy are often the subject of much confusion in discussions among healthcare professionals. They tend to group these different concepts under the same heading and delegate responsibility for “ethical” approval of their research programmes to ethics committees. Public health researchers therefore need to ask questions about how changes to legal frameworks and ethical codes governing privacy in the use of personal medical data are to be applied in practice. What types of data do these laws and codes cover? Who is involved? What restrictions and requirements apply to any research programme that involves medical data?     

Guía de buenas prácticas de seguridad informática en el tratamiento de datos de salud para el personal sanitario en atención primaria

The appearance of electronic health records has led to the need to strengthen the security of personal health data in order to ensure privacy. Despite the large number of technical security measures and recommendations that exist to protect the security of health data, there is an increase in violations of the privacy of patients’ personal data in healthcare organizations, which is in many cases caused by the mistakes or oversights of healthcare professionals. In this paper, we present a guide to good practice for information security in the handling of personal health data by health personnel, drawn from recommendations, regulations and national and international standards. The material presented in this paper can be used in the security audit of health professionals, or as a part of continuing education programs in ambulatory care facilities.     

Confidentiality and confidence: is data aggregation a means to achieve both?

The recent adoption of electronic technologies for use in management of personal health data have been accompanied by a commensurate level of concern about privacy. Public health authorities have been able to continue their full access to personal information, while restricting the information given to academic health researchers through the practice of aggregation. Through this band-aid strategy, there is a very real potential that critical pieces of information are missing for the purposes of research. While this might be a logical sacrifice in order to preserve individual privacy, quantitative analysis of the privacy gained through this method of aggregation shows that little, if any, benefit is achieved. If aggregation were the sole available means to reach the aims of both privacy and research, then further analysis of the practice of aggregation would be unnecessary. Yet suitable privacy protection techniques abound, enabling academic research to progress while adding true protection to individual health information.     

Ethics guidelines for the creation and use of registries for biomedical research purposes

The clinical information stored in registries and records of different types is a fundamental tool for biomedical research. Up until just a few years ago, hardly any limitations existed on the creation and use of epidemiological registries or the use of information from pre-existing records for research purposes. This situation has changed substantially due mainly to the growing importance current laws place upon the safeguarding of the privacy and confidentiality of personal data. Although the legal framework is already quite explicit, a certain degree of leeway exists for ethical debate and prudence advice for the purpose of conducting valid, useful research with this information which will also respect the rights of the subjects and the laws in force. These guidelines deal with those aspects which have been considered relevant from an ethical standpoint in the handling of records and registries for research-related purposes, including not only the use but also the creation proper of the registries. A total of twenty-four recommendations are provided, grouped into ten sections: warranting of the creation of registry, organization and definition of responsibilities, scientific validity of the research project, ethical requirements of the collections of anonymous and anonymized data, ethical requirements of the registries including personal data, uses of medical records for research purposes, use of historical records of deceased individuals, contact with the research subjects, notification of results and review by a Research Ethics Committee.     

Evaluación de los aspectos metodológicos, éticos,legales y sociales de proyectos de investigación en salud con datos masivos (big data)

The current model for reviewing research with human beings basically depends on decision-making processes within research ethics committees. These committees must be aware of the importance of the new digital paradigm based on the large-scale exploitation of datasets, including personal data on health. This article offers guidelines, with the application of the EU's General Data Protection Regulation, for the appropriate evaluation of projects that are based on the use of big data analytics in healthcare. The processes for gathering and using this data constitute a niche where current research is developed. In this context, the existing protocols for obtaining informed consent from participants are outdated, as they are based not only on the assumption that personal data are anonymized, but that they will continue to be so in the future. As a result, it is essential that research ethics committees take on new capabilities and revisit values such as privacy and freedom, updating protocols, methodologies and working procedures. This change in the work culture will provide legal security to the personnel involved in research, will make it possible to guarantee the protection of the privacy of the subjects of the data, and will permit orienting the exploitation of data to avoid the commodification of personal data in this era of deidentification, so that research meets actual social needs and not spurious or opportunistic interests disguised as research.     

健康医疗大数据应用背景下个人隐私权问题探究

对健康医疗大数据的数据挖掘、数据预测以及全方位的数字监控,使得个人隐私权控制困境凸显。大数据技术对个人隐私权控制的弱化、民众的数据主义信仰以及利益多样性与利益冲突是健康医疗大数据应用背景下个人隐私权问题的主要成因。为此在健康医疗大数据应用中,通过增强大数据技术的价值透明度、回归和重塑人本主义以及挖掘共同价值减少利益冲突是健康医疗大数据应用背景下个人隐私权问题的解决之道。     

河北省医疗机构伦理委员会运行现状评价及其影响因素研究△

目的:以河北省为例,对其医疗机构伦理委员会制度、管理、审查等方面进行评价,分析其影响因素,发现医疗机构伦理委员会运行中的问题并提出建议。方法:通过专家咨询确定伦理委员会评价指标与方法,对河北省44家医疗机构伦理委员会进行评价并采用线性回归分析法分析其影响因素。结果:确定3个一级指标、11个二级指标、29个三级指标,44家医疗机构伦理委员会的评分总分平均为74.75分,不同级别医院差异较大。接受过GCP等伦理培训的成员比例、委员职称、伦理委员会审查范围三个因素是影响伦理委员会运行的相关因素,P <0.05。结论:河北省医疗机构伦理委员会运行情况良好,但仍有较大提升空间,管理水平和审查能力有待进一步提高。     

Is what's mine my own?

This paper examines the key issues around privacy and the secondary use of data in health research from the perspective of patients and the public. It argues that there is low public awareness and understanding of the issues around medical privacy and deep public unease over the extent to which public and private bodies have access to personal information. Quoting a recent example from the field of dementia, it challenges the notion that all research is necessarily in the public interest. It argues that a socially sustainable system for the secondary use of data that preserves the gift relationship in research is dependent on there being strong systems to enforce privacy and confidentiality. Underpinning this is a need to involve patients and their representatives in the development of any new system.     

Secondary use of personal data for health and health services research: why identifiable data are essential

Databases provide a powerful and essential resource for health and health services research. There are seven reasons why the identification of individuals may be needed: linkage within a database; linkage between databases; ensuring comparisons are meaningful; ensuring completeness of recruitment; investigation of social factors; analysis of trends over time; and assessing the applicability of primary research findings. Examples of recent British research studies for which identifiable data were essential are described to illustrate six research applications: to understand the natural history and development of disease; to identify causes of disease; to evaluate health care interventions; to assess equity of care; to describe trends in health care utilisation; and to ensure the methodological rigour of research. Given the benefits to the public of such research activities, methods need to be found to ensure the continuation of such research while meeting legitimate concerns about individual privacy and confidentiality.     

Data linkage capabilities in Australia: practical issues identified by a Population Health Research Network ‘Proof of Concept project’

Objective: To describe the practical issues that need to be overcome to conduct national data linkage projects in Australia and propose recommendations to improve efficiency. Methods: Review of the processes, documentation and applications required to conduct national data linkage in Australia. Results: The establishment of state and national data linkage centres in Australia has placed Australia at the forefront of research linking health‐related administrative data collections. However, improvements are needed to reduce the clerical burden on researchers, simplify the process of obtaining ethics approval, improve data accessibility, and thus improve the efficiency of data linkage research. Conclusions: While a sound state and national data linkage infrastructure is in place, the current complexity, duplication and lack of cohesion undermines any attempts to conduct research involving national record linkage in a timely manner. Implications: Data linkage applications and Human Research Ethics Committee approval processes need to be streamlined and duplication removed, in order to reduce the administrative and financial burden on researchers if national data linkage research is to be viable.     

Datenschutzrechtliche und methodische Aspekte beim Aufbau einer Routinedatenbasis aus der Gesetzlichen Krankenversicherung zu Forschungszwecken

Personally identifiable routine data generated by the SHI (statutory health insurance) offer inexpensive and large amounts of data gathered over long periods of observation for use in numerous fields of application including health services research and epidemiology of health care. As a source of medical health information, these data are subject to particular EU data protection directives according to which they can only be used under certain conditions and following careful consideration of the various interests involved. These interests include the protection of personal privacy, on the one hand, and the freedom of research, on the other. As personally identifiable data, these data are fully subject to general and specific data privacy regulations, such as the consideration of intended use; the specification of forms of data processing, duration of use, and group of users; and the development of a data protection concept. If primary data are additionally collected, the patient is to be fully informed about the intended contents of analysis and the use of his/her data in order that informed consent can be provided. Methodological standards such as the verification of completeness and plausibility are also to be met when compiling an insuree database.     

Informational privacy and the public's health: the Model State Public Health Privacy Act

Protecting public health requires the acquisition, use, and storage of extensive health-related information about individuals.The electronic accumulation and exchange of personal data promises significant public health benefits but also threatens individual privacy; breaches of privacy can lead to individual discrimination in employment, insurance, and government programs. Individuals concerned about privacy invasions may avoid clinical or public health tests, treatments, or research. Although individual privacy protections are critical, comprehensive federal privacy protections do not adequately protect public health data, and existing state privacy laws are inconsistent and fragmented. The Model State Public Health Privacy Act provides strong privacy safeguards for public health data while preserving the ability of state and local public health departments to act for the common good.     

Encryption technique for linkable anonymizing

Linkage of different records such as health insurance claims or medical records for the purpose of cohort studies or cancer registration usually requires matching with personal names and other personally identifiable data. The present study was conducted to examine the possibility of performing such privacy-sensitive procedures in a "linkable anonymizing" manner using encryption. While bidirectional communication entails encryption and deciphering, necessitating both senders and receivers sharing a common secret "key", record linkage entails only encryption and not deciphering because researchers do not need to know the identity of the linked person. This unidirectional nature relieves researchers from the historical problem of "key sharing" and enables data holders such as municipal governments and insurers to encrypt personal names in a relatively easy manner. The author demonstrates an encryption technique using readily available spread-sheet software, Microsoft Excel in a step-by-step fashion. Encoding Chinese characters into the numeric JIS codes and replacing the codes with a randomly assigned case-sensitive alphabet, all names of Japanese nationals will be encrypted into gibberish strings of alphabet, which can not be deciphered without the secret key. Data holders are able to release personal data without sacrificing privacy, even when accidental leakage occurs and researchers are still able to link records of the same name because encrypted texts, although gibberish, are unique to each name. Such a technical assurance of privacy protection is expected to satisfy the Privacy Protection Act or the Ethical Guidelines for Epidemiological Research and enhance public health research. Traditional encryption techniques, however, cannot be applied to cancer or stroke registration, because the registrar receives reports from numerous unspecified senders. The new public key encryption technique will enable disease registry in a linkable anonymizing manner. However various technical problems such as complexity, difficulties in registrar inquiries and risk of code-breaking make the encryption technique unsuitable for disease registry in the foreseeable future.     

Privacy Versus Public Health: The Impact of Current Confidentiality Rules

Public health research and practice often have been facilitated through the evaluation and study of population-based data collected by local, state, and federal governments. However, recent concerns about identify theft, confidentiality, and patient privacy have led to increasingly restrictive policies on data access, often preventing researchers from using these valuable data.We believe that these restrictions, and the research impeded or precluded by their implementation and enforcement, have had a significant negative impact on important public health research. Members of the public health community should challenge these policies through their professional societies and by lobbying legislators and health officials to advocate for changes that establish a more appropriate balance between privacy concerns and the protection of public health.WITH INCREASING frequency, valid concerns are being raised about the privacy of medical records (hereafter, protected health information) and other personal information. Consequences of breaches in the privacy of this information are extremely serious. Negative effects include inappropriate and unjustified employment termination, loss of individual health insurance, and illegal use of one''s identity in a host of ways, from charges on credit cards to passport fraud.In response to these privacy concerns, various professional groups, such as local institutional review boards (specially constituted review bodies established or designated by an entity to protect the welfare of human participants in biomedical or behavioral research¹) and the National Institutes of Health''s Office of Human Subjects Protection, have introduced rules and regulations to ensure the confidentiality of patients and participants more effectively. Most notably, the US Congress passed the Health Insurance Portability and Accountability Act (HIPAA; 42 USC §201 et seq) in 1996 and promulgated HIPAA''s Privacy Rule in 2003, in part in an effort to strike a balance between protecting the confidentiality of personal health information and legitimate use of these data. According to the US Department of Health and Human Services,

The HIPAA Privacy Rule establishes national standards to protect individuals'' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.²

In short, this broad-reaching rule regulates the use and disclosure of protected health information throughout the United States.²     

Privacy and ethics in pediatric environmental health research-part I: genetic and prenatal testing

The pressing need for empirically informed public policies aimed at understanding and promoting children's health has challenged environmental scientists to modify traditional research paradigms and reevaluate their roles and obligations toward research participants. Methodologic approaches to children's environmental health research raise ethical challenges for which federal regulations may provide insufficient guidance. In this article I begin with a general discussion of privacy concerns and informed consent within pediatric environmental health research contexts. I then turn to specific ethical challenges associated with research on genetic determinants of environmental risk, prenatal studies and maternal privacy, and data causing inflicted insight or affecting the informational rights of third parties.