Medical Records Privacy

Access Needed for Health Research, but Oversight of Privacy Protections Is Limited

GAO ID: HEHS-99-55, February 24, 1999

A considerable amount of health research relies on personally identifiable information. Although some of this research is subject to review by institutional review boards -- either because it is federally supported or regulated research or because the organization voluntarily applies federal rules to all of its research -- some of the organizations conduct records-based research that is not reviewed by an institutional review board. In any case, the process of institutional review board review does not ensure the confidentiality of medical information used in research, primarily because the provisions of the Common Rule related to confidentiality are limited. Moreover, according to recent studies, the institutional review board system on the whole is strained. Nevertheless, although external review of their research is limited, most of the organizations in GAO's study indicated that they have security safeguards in place to limit internal and external access to paper and electronic databases, and many say that they have taken steps to ensure the anonymity of research and survey subjects. GAO summarized this report in testimony before Congress, Medical Records Privacy: Uses and Oversight of Patient Information in Research, by Bernice Steinhardt, Director of Health Services Quality and Public Health Issues, before the Senate Committee on Health, Education, Labor and Pensions. GAO/T-HEHS-99-70, Feb. 24 (10 pages).

GAO noted that: (1) medical information is used for a number of research purposes--to advance biomedical science, understand health care utilization, evaluate and improve health care practices, and determine causes and patterns of disease; (2) while such research is sometimes conducted without information tied to identifiable patient records, other research relies on personal identifiers to track treatment of an individual over time, link multiple sources of patient information, or verify such information; (3) some of the research conducted by the organizations GAO contacted must conform to the Common Rule or FDA regulations because the research is either federally supported or regulated; (4) but many of these same organizations voluntarily apply federal rules, including IRB review, to all their research, regardless of source of funding; (5) other organizations choose not to apply the Common Rule and IRB review where not required; (6) IRB review does not ensure the confidentiality of medical information used in research because the provisions of the Common Rule related to confidentiality are limited; (7) records-based research is often subject to an expedited review process--under which only one board member, rather than the full IRB, considers the research proposal; (8) IRBs can waive informed consent requirements, including the requirement to inform people of the extent to which their data will be kept confidential, if they judge that research subjects are not likely to be harmed and that the research could not be carried out without the waiver--as in cases where there are too many subjects to inform; (9) the IRBs contacted rely on the existence of general organizational confidentiality policies for protecting personal information; (10) while the extent to which IRB practices protect the privacy of research subjects is not fully known, several examples of breaches of confidentiality reported to the National Institutes of Health's Office for Protection From Research Risks illustrate the potential for harm resulting when medical information used in research is not adequately protected; (11) although external review of their research is limited, the organizations contacted have taken steps to limit access to personally identifiable information; (12) most of the organizations have various security safeguards to limit internal and external access to paper and electronic databases, and many have taken measures to ensure the anonymity of research and survey subjects; and (13) all but two of the organizations GAO contacted have written confidentiality policies restricting employee access to health information.


