October
2000
Epidemiologists use health
data in many forms to investigate the magnitude and distribution
of disease, disability, and other health outcomes in populations,
and to develop and evaluate the means for their prevention
and control. Health data are generated by providers, health
systems, public health departments, insurance companies,
and other organizations and are accessed by epidemiologists
according to professional rules of conduct and the regulation
of Institutional Review Boards associated with either the
investigator or with the source of the health information.
Access to health data on individuals has always been critical
to the work of epidemiologists and has allowed them to make
substantial contributions to medical research and public
health. The threat to privacy from such studies has been
very small over the years, while the benefits to the public
health and public interest have been large.
Concern about the privacy of
medical information has alway been a tenet of responsible
medical care. However, these concerns have been hightened
in recent years by new forms of data that are highly sensitive
and could, if discovered and used improperly, damage an individual's
psychological well-being as well as their employability and
insurability. Examples of such data include the results of
HIV tests and genetic susceptability testing and even the
fact that testing was done without the results being known.
Technological developments
in the latter part of the century have created the need for
a re-examination of the use of individually identifiable
health data. The technologic revolution in the electronic
generation, storage, and transmittal of health-related data,
while presenting unparalleled research opportunities for
epidemiologists and other medical and public health scientists,
also presents the potential for the unscrupulous and self-interested
exploitation of health data. Breakdowns in traditional safeguards
for confidentiality and privacy are more easily transgressed
While there are very few documented examples of such transgressions
of privacy by health researchers, the potential exists, and
the public's perception of a threat is very real. Thus, fundamental
societal decisions are needed that balance the need for access
to individually indentified health data for the public good
with the equally important need of the individual for privacy.
Any access are mutually exclusive and a balanced approach
is necessary.
Increased restrictions on access
to personal health data by epidemiologists and other public
health scientists could be harmful to the public good in
several different ways. Routine anonymization of archived
medical data has been suggested. However, such a practice
would make it difficult to trace back to individuals, and
because it is impossible to predict what linkages might be
useful in future investigations, it is imperative that individual
identifiers be retained in some manner. Another way to bolster
the privacy of medical information would be to require individual
informed consent for each seperate use of this information.
However repeated efforts to recontact individuals (or their
next-of-kin) for consent each time archived data are used
for research, years or even decades after an event has occured,
is unrealistic and would impose untenable administrative,
financial, and logistical burdens. The study of medical records
over long periods of time (after persons have died or left
organized health systems) is essential. Personal health data
needs to be available on a population basis and to be free
of serious selection biases, such as nonparticipation, in
the population at risk, because these biases serve to undermine
the scientific validity of medical and public health research.
After due consideration of
the issues, the American College of Epidemiology sets forth
the following principles that it believes strike a workable
and fair balance between data access and confidentiality.
We offer these principles for the benefit of epidemiologists,
and others to whom confidential health information is entrusted,
as well as for the general public at large.
Principles
1. Individuals have a right
to expect that their personal health and medical information
will be protected from unauthorized use. The American College
of Epidemiology endorses principles and practices that encourage
the responsible design and conduct of research that protects
individuals from the unauthorized release of their identified
health and medical information.
2. The public benefits of epidemiologic
and public health research are sufficiently compelling that
any new legislation or regulations must assure the continued
availability of health data for purposes that include monitoring
patterns of disease, the better understanding of the risk
factors for and causes of disease and injury, health care
delivery practices, health care outcomes, health care organization,
financing, and regulation of accreditation.
3. Organizations that deliver
medical care, or conduct biomedical, epidemiologic or health
services research, or retain medical data, such as health
insurers must be responsible and accountable for the development
and implementation of appropriate policies to ensure protection
of confidentiality of medical information through such mechanisms
as adherence to accreditation standards and state laws and
regulations, physical security safeguards, administrative
policies and procedures, and mechanisms should be reviewed
by Institutional Review Boards.
4. Information collected during
the course of health care and medical treatment may be disclosed
to clinical investigators and helath care researchers without
a requirement for informed consent, if approved by an Institutional
Review Board.. Traditional public health surveillance activity
for vital statistics, reportable diseases, and similar statutorily-authorized
data collection mechanisms is a critical non-research activity
that should also not require informed consent. Data from
such activities may be disclosed to clinical investigators
and health care researchers under the standards noted above.
5. Archived health information
on individuals is critical for the work of epidemiologists
whether this information is a medical chart, and electronically
stored data set, or a biologic specimen. These data must
be linkable to other data sets through individual identifiers.
Institutional Review Boards may require that identification
be removed from research databases by coding (i.e. encryption)
with the responsibility for linkage limited to a very few
authorized and legally accountable individuals with an obligation
to ensure confidentiality. For some specific studies complete
anonymization of data or specimens may be appropriate.
6. The American College of
Epidemiology believes that all individually identifiable
health data should be protected by the same measures, rather
than increasing levels of security for some especially sensitive
information (e.g. HIV test results, BRCA1 testing for inherited
susceptibilty to breast cancer). Seperate systems of access
for data perceived to be of different levels of sensitivity
would be difficult to operationalize, and, therefore inefficient
and costly.
7. The American College of
Epidemiology supports efforts to ensure by means of federal
legislation the protection of medical information from unauthorized
disclosure and hurtful misuse. Penalties for misuse should
be established and enforced by policies of the research institution
and by law enforcement agencies.
8. Federal mechanisms are also
needed to protect investigators and research institutions
from the forced disclosure by subpoena of confidential information
created as part of the research process. Researchers should
not be subject to pressures from commercial and special interests
to release individual-level information collected under conditions
of confidentiality. Such protections are needed to ensure
the independance of the process of scientific discovery and
the confidentiality of individuals. The release of anonymized
group data is not included in this restriction.
9. Federal law should preempt
state laws on the subject of data access and confidentiality.
This is needed to ensure consistent nation-wide governance
of access to individually identifiable health data. Many
large epidemiologic and health services research studies
are organized either as multi-center studies in multiple
states or are performed by health care organizations responsible
for the care of individuals in multiple states.
|
