Medical Records Privacy:
Access Needed for Health Research, but Oversight of Privacy Protections Is Limited
HEHS-99-55: Published: Feb 24, 1999. Publicly Released: Feb 24, 1999.
Pursuant to a congressional request, GAO reviewed the types of health research conducted outside the Common Rule and Federal Drug Administration (FDA) regulations, focusing on: (1) examining how medical information is used for research and the need for personally identifiable information; (2) identifying research that is and is not subject to current federal oversight requirements; (3) examining how institutional review boards (IRB) ensure the confidentiality of health information used in research; and (4) identifying the safeguards health care organizations have put in place to protect the confidentiality of health information used in research.
GAO noted that: (1) medical information is used for a number of research purposes--to advance biomedical science, understand health care utilization, evaluate and improve health care practices, and determine causes and patterns of disease; (2) while such research is sometimes conducted without information tied to identifiable patient records, other research relies on personal identifiers to track treatment of an individual over time, link multiple sources of patient information, or verify such information; (3) some of the research conducted by the organizations GAO contacted must conform to the Common Rule or FDA regulations because the research is either federally supported or regulated; (4) but many of these same organizations voluntarily apply federal rules, including IRB review, to all their research, regardless of source of funding; (5) other organizations choose not to apply the Common Rule and IRB review where not required; (6) IRB review does not ensure the confidentiality of medical information used in research because the provisions of the Common Rule related to confidentiality are limited; (7) records-based research is often subject to an expedited review process--under which only one board member, rather than the full IRB, considers the research proposal; (8) IRBs can waive informed consent requirements, including the requirement to inform people of the extent to which their data will be kept confidential, if they judge that research subjects are not likely to be harmed and that the research could not be carried out without the waiver--as in cases where there are too many subjects to inform; (9) the IRBs contacted rely on the existence of general organizational confidentiality policies for protecting personal information; (10) while the extent to which IRB practices protect the privacy of research subjects is not fully known, several examples of breaches of confidentiality reported to the National Institutes of Health's Office for Protection From Research Risks illustrate the potential for harm resulting when medical information used in research is not adequately protected; (11) although external review of their research is limited, the organizations contacted have taken steps to limit access to personally identifiable information; (12) most of the organizations have various security safeguards to limit internal and external access to paper and electronic databases, and many have taken measures to ensure the anonymity of research and survey subjects; and (13) all but two of the organizations GAO contacted have written confidentiality policies restricting employee access to health information.