Pursuant to a congressional request, GAO discussed the privacy of medical records used for health research, focusing on: (1) to what extent medical information used for research depends on personally identifiable information; (2) research that is and is not subject to current federal oversight requirements; (3) how the institutional review board (IRB) ensures the confidentiality of health information used in research; and (4) what steps organizations have taken to safeguard information.

GAO noted that: (1) the survey revealed that a considerable amount of health research relies on personally identifiable information; (2) while some of this research is subject to IRB review--either because it is federally supported or regulated research or because the organization voluntarily applies federal rules to all of its research--some of the organizations conduct records-based research that is not reviewed by an IRB; (3) the process of IRB review does not ensure the confidentiality of medical information used in research--primarily because the provisions of the Common Rule related to confidentiality are limited; (4) according to recent studies, the IRB system on the whole is strained; and (5) nevertheless, although external review of their research is limited, most of the organizations in GAO's study told GAO that they have various security safeguards in place to limit internal and external access to paper and electronic databases, and many say they have taken measures to ensure the anonymity of research and survey subjects.