Abstract

Privacy legislation addresses concerns regarding the privacy of personal information; however, its interpretation by research ethics boards has resulted in significant challenges to the collection, management, use and disclosure of personal health information for multi-centre research studies. This paper describes the strategy used to develop the national Rick Hansen Spinal Cord Injury Registry (RHSCIR) in accordance with privacy statutes and benchmarked against best practices. An analysis of the regional and national privacy legislation was conducted to determine the requirements for each of the 31 local RHSCIR sites and the national RHSCIR office. A national privacy and security framework was created for RHSCIR that includes a governance structure, standard operating procedures, training processes, physical and technical security and privacy impact assessments. The framework meets a high-water mark in ensuring privacy and security of personal health information nationally and may assist in the development of other national or international research initiatives.

Data related to an individual's health is one of the most sensitive types of personal information. Broadly speaking, research that utilizes such personal health information can guide healthcare policies, advance medical practices, improve healthcare outcomes and provide a better understanding of disease etiology, progression and economic costs (Black 2003). Patient registries are repositories of personal health information and have been defined as "an organized system that uses observational study methods to collect uniform data (clinical and other) to evaluate specified outcomes for a population defined by a particular disease, condition, or exposure, that serves predetermined scientific, clinical, or policy purpose(s)" (Gliklich and Dreyer 2010). Registries that contain high-quality patient data can provide important information regarding the epidemiology of health conditions and the outcomes of treatment. In Canada, the publicly funded structure of the healthcare system enables the collection of uniform and detailed information for health conditions nationally.

There are a number of Canadian patient registries that collect health information and are used by researchers, clinicians, administrators and policy makers. Most registries are developed for disease surveillance and accumulate data passively; few have been developed to facilitate prospective clinical and patient-reported data for specific health conditions.

The purpose of this paper is to describe the challenges encountered during the development of a national privacy and security framework for a prospective longitudinal patient registry of traumatic spinal cord injury (SCI), the Rick Hansen Spinal Cord Injury Registry (RHSCIR). Privacy regarding personal health information is an important aspect of the public's trust and acceptance; disclosure of collected data can lead to discrimination and emotional distress. Impairment resulting from a SCI can be highly sensitive in nature, often affecting sexual health and bladder and bowel function. National registries are an important resource for health research, but unfortunately, logistical difficulties have hindered their development. Seven years into this registry, we are in a position to describe the challenges encountered in conducting a multi-centre project and the processes we took to overcome them. It is hoped that by sharing these experiences we will assist others who face similar challenges while seeking to implement patient registries in Canada.

The Rick Hansen Spinal Cord Injury Registry

RHSCIR is a national Canadian registry of persons who have sustained a traumatic SCI, with 31 participating sites in nine provinces (Figure 1). Launched in 2004, RHSCIR is sponsored by the Rick Hansen Institute and funded by Health Canada and the governments of Alberta, British Columbia, Newfoundland and Ontario. RHSCIR was initiated as a research study and was developed to facilitate the translation of research into clinical practice and promote evidence-based care (Noonan et al. 2012).


Click to Enlarge
 

The inception of RHSCIR coincided with the enactment of federal privacy legislation governing personal health information and similar individual provincial legislation. The standardization of policies and procedures across all local RHSCIR sites has been challenging because of variation in the interpretation of legislative language. In response to these challenges, we created a national privacy and security framework to address personal privacy and security issues and operationalize the vision of RHSCIR.

Development of a Privacy and Security Framework

The development of a privacy and security framework at the Rick Hansen Institute initially required the commission of a national privacy analysis to be completed by legal experts in Canadian privacy practice. Because RHSCIR operates across several jurisdictions in Canada and in various types of facilities (e.g., rehabilitation, acute care), the privacy analysis identified multiple and overlapping requirements for RHSCIR (see Figure 2). The requirements for each local RHSCIR site were determined by the province and the facility-specific policies, procedures and ethical/research guidelines for the local handling, transmission and storage of health data.


Click to Enlarge
 

Because the national RHSCIR site handles only de-identified patient data, it is not bound by specific privacy legislation. However, to meet a high privacy standard, the national RHSCIR site complies with the federal Personal Information Protection and Electronic Documents Act (Department of Justice 2011) and all provincial and territorial data protection legislation, including provincial privacy laws specific to the health sector. A close working relationship exists between the national and local RHSCIR sites to ensure that privacy obligations are met.

The RHSCIR also adheres to the following research guidelines: (a) Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans (CIHR 2005), (b) Canadian Institutes for Health Research: Best Practices for Protecting Privacy in Health Research (CIHR 2005), (c) ICH Guidance E6: Good Clinical Practice: Consolidated Guideline (Health Canada 2004) and (d) standards issued by the International Organization for Standardization (ISO 2005, 2008). To ensure a gold standard of privacy compliance, the privacy requirements were benchmarked against the 10 elements of privacy best practices advocated by the Canadian Institutes for Health Research (CIHR 2005).

The Rick Hansen Institute developed a comprehensive framework in consultation with privacy experts that could be used by RHSCIR. The framework includes the formation of a privacy governance structure, the development of standard operating procedures, the establishment of training processes, the creation of physical and technical security, and a privacy impact assessment (see Figure 2). The framework is reviewed and updated bi-annually to ensure relevance to the current legislation, best practices and organizational structure at the Rick Hansen Institute.

Governance structure

The implementation and monitoring of privacy-related activities for RHSCIR required a chief privacy officer, reporting directly to the chief executive officer, and a Privacy Team that under the guidance of a legal expert enhanced accountability and oversight. The Privacy Team at the Rick Hansen Institute is composed of the chief privacy officer, compliance coordinator, RHSCIR project manager, director of information technology and the RHSCIR data management lead. The Privacy Team's responsibility is to foster awareness and implement, monitor and address current and potential privacy issues. Monitoring of the local RHSCIR sites is conducted regularly to ensure their compliance with all requirements, including the RHSCIR study protocol and privacy legislation.

In addition to the Privacy Team, the Rick Hansen Institute has established a Data Executive Scientific Committee and a Data Access Committee to oversee the use and disclosure of the national RHSCIR data (Noonan et al. 2012). The Data Executive Scientific Committee consists of three of the lead investigators whose local RHSCIR sites contributed data to the requested data holding. This committee is responsible for reviewing data requests for scientific merit and ensuring that the use of data aligns with the permitted purposes of RHSCIR. The Data Access Committee comprises custodians from each of the local RHSCIR sites (there are currently 31) and provides approval for disclosure of the site data for each request.

Standard operating procedures

A central feature of any privacy and security framework is the system of documented policies, procedures, records and agreements/contracts that govern and allow the traceability of data handling. The key documents developed by the Rick Hansen Institute and their scopes are described in Table 1. These standard operating procedures were created under the guidance of a lawyer with privacy expertise to comply with the 10 principles of fair information practices, as outlined in the Personal Information Protection and Electronic Documents Act and best practices. The documents are created and managed in a document control system that is maintained by the compliance coordinator.


TABLE 1. Key documents to oversee control of RHSCIR data
Document Description
Privacy Policy Privacy obligations at RHI and its mandate and commitment to ensuring privacy of patient information.
Data Use and Disclosure Policy RHI's data access request and approval process applicable to requestors seeking access for authorized purposes to record-level health data stored at RHI; ensures that strict physical, technical and administrative controls are in place.
Data Storage, Retention and Destruction Policy Physical and electronic measures required for data storage, the acceptable periods of data retention and destruction procedures.
Privacy and Information Security Standard of Conduct

Responsibilities and requirements of those associated with RHSCIR to uphold RHI's commitment to data protection, which abides by Canadian legislative requirements, international data protection standards and privacy best practices. Helps to foster an understanding of:

  • legal and organizational requirements that relate to privacy and information security
  • expectations of such staff who must ensure and protect the privacy and security of the information they create, collect, use, access, disclose or otherwise manage.
Privacy Breach Management Protocol The procedure for managing privacy breaches in a timely and effective manner and the process for reporting, containing, notifying, investigating and remediating privacy breaches.
Handling Access Requests, Corrections and Complaints

How RHI staff must handle and respond to:

  • access and correction requests to be made to personal (health) data in the custody or control of RHI
  • complaints about RHI's personal information handling practices.
Information Security Policy Provides high-level information on physical and electronic security measures at RHI and describes how RHI maintains the confidentiality, integrity and availability of all personal health data and other sensitive information.
RHSCIR Data Sharing Agreement An agreement among RHI, the RHSCIR lead investigator and the relevant health authorities associated with the participating facilities/sites. It sets out the responsibilities of each party with respect to RHSCIR, the conditions for implementation funding of RHSCIR at the participating facilities/sites and an accountability framework for data sharing between the local and national sites.
Confidentiality Agreement Describes individuals' obligation to maintain confidentiality and compliance with RHI privacy and security policies.
Data Disclosure Agreement An agreement between RHI and the recipients of RHSCIR and other research data; outlines the obligation of the recipients to ensure security of the research data and clarifies data ownership and publication procedures.
Abbreviations: RHI, Rick Hansen Institute; RHSCIR, Rick Hansen Spinal Cord Injury Registry

 

Training processes

The Rick Hansen Institute has an extensive training program, focused on privacy and security, in place for staff and local RHSCIR coordinators. The Privacy Team ensures that all staff members receive mandatory training annually, consistent with current policies and procedures for data and information handling. The privacy obligations of all the local RHSCIR sites are contained in the RHSCIR study protocol, and all site coordinators receive mandatory annual privacy training at RHSCIR site coordinators' meetings. These meetings also provide a forum to discuss privacy issues that arise from RHSCIR, across all the sites.

Physical and technical security

In order to maintain the privacy of participants enrolled in RHSCIR, physical and technical safeguards have been incorporated in the collection, storage, transmission of and access to data (see Table 2). These security measures have been implemented at the local and national RHSCIR sites and undergo continuous review and revision.


TABLE 2. Key examples of RHSCIR-associated safeguards
Feature Description
De-identification of local RHSCIR data during transmission and storage at the national RHSCIR site Participants are given a unique RHSCIR ID number at the local RHSCIR site. The key matching participant name and RHSCIR ID number are stored at the local site in a separate, encrypted password-protected file, accessible only to authorized RHSCIR staff at the local site. RHSCIR data exported to the national site are identified by the RHSCIR ID number.
The RHSCIR software has built-in technology to de-identify the data before they are securely transmitted to the national RHSCIR site.
Restriction of data access to authorized users
  • For data at the local RHSCIR sites:
    Only the local RHSCIR sites store local RHSCIR data collected from participants in identifiable form on their internal, secure network or encrypted protected laptops, which can be accessed only by authorized RHSCIR staff with a unique username and password.
  • For data at the national RHSCIR site at RHI:
    No external access is available to the RHI server that stores national RHSCIR data.
Data accuracy Data accuracy is ensured by built-in data validation checks at the local RHSCIR sites and manual inspection at the national RHSCIR site.
Data back-up
  • For data at the local RHSCIR sites:
    Encrypted drives are used to securely store, manage and provide back-ups to restore data.
  • For data at the national RHSCIR site at RHI:
    The RHI server with national RHSCIR data is protected by regular system back-ups. Back-up tapes are stored securely off-site.
Transmission from the local to the national RHSCIR site Data encryption software is used for electronic export of coded, de-identified RHSCIR data elements to the national RHSCIR database at RHI through a secure (https://) RHI SharePoint location.
Abbreviations: RHI, Rick Hansen Institute; RHSCIR, Rick Hansen Spinal Cord Injury Registry

 

Privacy impact assessments

A privacy impact assessment (PIA) is a formal risk management tool used to identify the actual or potential effects that an activity may have on individuals' privacy and provides solutions to eliminate or mitigate the risks. A PIA is desirable to assess the following types of risks in healthcare arising from:

  • a new technology or the convergence of existing technologies;
  • the deployment of existing information technology systems to new user groups;
  • the use of a known privacy-intrusive technology in new circumstances; or
  • a new project, or from changes to information handling practices with significant privacy effects (Cavoukian 2005).

The practice of conducting PIAs is becoming increasingly common, as it is an informative exercise that is mandatory for government agencies and public sector organizations (Treasury Board of Canada Secretariat 2010). Even when PIAs are not required under legislation, they are often required as a condition of funding. The Rick Hansen Institute is required by its primary funder, Health Canada, to undertake an annual PIA. Our PIAs have been performed by an external professional service company. The PIA process assesses how the RHSCIR data are collected, used, disclosed, stored and destroyed. It involves a risk analysis and mitigation strategy for impacts on privacy through the identification of threats and vulnerabilities, and procedural technical strategies to mitigate them.

As part of the privacy and security framework, a PIA is conducted to analyze the status of data collection, use, disclosure and retention via RHSCIR and the related technical, administrative and physical safeguards in place to protect such data. The PIA reflects the current state of the privacy and security framework, the data flow and how the information technology application is currently used. Additionally, the PIA identifies and quantifies the privacy risks associated with the use of RHSCIR data by the national and local RHSCIR sites. The PIAs help identify any gaps in the privacy framework and provide an indication of the areas requiring remediation.

Key Challenges

The development of a national prospective patient registry to translate research into clinical practice and promote evidence-based care was viewed as a necessary step to improve the care of SCI in Canada. However, the creation of such a research study proved to be a daunting task, complicated by multi-centre and interprovincial challenges with the feasibility of a national site and the complexity of consent, bias and data collection. There are few national registries that are not mandated by the government and that go beyond the collection of administrative data.

Multi-centre and national scope

To capture data throughout the healthcare continuum and have a sufficient volume of data for research, the registry was required to be multi-centred, including both acute and rehabilitation facilities. As a result of the multi-centred nature, the ethics approval process was completed on a site-by-site basis, dependent on the local research ethics board (REB). Since some REBs cover more than one site, the collection of data from all 31 local RHSCIR sites (see Figure 1) required approval from 19 individual REBs, each with distinct submission and review processes.

In a study that involves several REBs in multiple provinces, interpretation of the complex legislation landscape is a time-intensive process that leads to delays in research, increased costs and protocol inconsistencies (de Champlain and Patenaude 2006; Kotecha et al. 2011; Willison 2007; Willison et al. 2008). The legal structure governing research is suited for discrete research studies with distinct goals, data sets and endpoints, not for prospective longitudinal studies, such as registries, with multiple research goals and complex national data sets (Willison 2007). In the case of RHSCIR, the REB submissions increased cost, time and human resources, and ultimately resulted in decisions that varied within a single jurisdiction.

For the RHSCIR data to be useful for national studies, the collection should be standardized across all provinces and centres. Standardization was a challenge because of the differing decisions of several REBs and the feasibility of collection among sites that have differing standards and data collection methods. We attempted to standardize the sites as best we could to collect the same data elements; however, in some cases this was not possible, as described below.

Consent and bias

The requirement for individuals' explicit consent was intended to respect their right to privacy and control of their personal health information. However, it has been shown that consent for research purposes can reduce participation and create an ascertainment bias, such that the research sample is non-random and does not reflect the entire population for a specific health condition (El Emam et al. 2009; Harris et al. 2008; Ingelfinger and Drazen 2004; Kho et al. 2009; Tu et al. 2004). A review by El Emam and colleagues (2009) found that 32 of 37 studies reviewed reported lower recruitment rates as a result of consent and 27 found differences between consenters and non-consenters. The factors most often cited to differ were age, sex, race, socio-economic status, education and health status (El Emam et al. 2009; Kho et al. 2009). An example is the National Stroke Registry, where initial participation was 39.3% and consenting patients were younger and more likely to be mildly affected (Tu et al. 2004).

For RHSCIR, minimizing ascertainment bias was an important issue that was affected by the variability in the interpretation of provincial legislation. For consenting patients, there is a full data set of approximately 265 data elements (Noonan et al. 2012); however, to limit bias, a minimal data set is collected from individuals who have not consented or who were missed in the study. The collection of a minimal data set is permissible under privacy legislation in cases where REBs have requested a waiver of consent in research studies that utilize medical records and confer minimal or no risks. Therefore, the content of the minimal data set was decided on a site-by-site basis by the local REB. Not all REBs agreed to collect the same minimal data set; while some REBs permitted minimal data related to age, gender, details of injury, neurological assessment, diagnoses and clinical procedures, others limited collection to age, gender and date of injury. The collection of only three variables at certain sites makes determining bias beyond age and sex difficult. In theory, the idea of waiving consent is thought to reduce bias and loss of data; in practice, however, this was not the case for RHSCIR based on discrepancies between REB decisions.

Despite the efforts to reduce bias, it is still possible that the data are not entirely representative of the population of SCI in Canada. The local RHSCIR sites represent high-volume acute trauma facilities and specialized rehabilitation facilities. These sites were selected to be representative of Canadian provinces and have similar attributes whereby they provide grouping of patients with a traumatic SCI, acute and rehabilitation programs located within the same SCI centre and an in-patient SCI program. We recognize that the selection of such sites may influence the data collected, and studies are underway to compare our data to national administrative trauma data.

Data collection

A national registry required a national site to house the data and oversee operation of the RHSCIR network. The national site data do not contain identifiable patient information owing to the challenges with identifiable data crossing provincial borders. Identifiable information is required to link SCI patient data to other data sources (e.g., hospital administrative databases and the national trauma registry), a situation that is currently unachievable at the national level. To address this challenge, local RHSCIR sites collect data from chart review, patient interviews and local hospital databases. All data are entered into the local RHSCIR site database where they are linked to local databases, assigned a unique RHSCIR identification number, de-identified and electronically sent to the national RHSCIR site. Creating data linkages at each of the local RHSCIR sites was difficult and remains an ongoing challenge. By not having identifiable data at the national level, we are not able to coordinate additional data linkages – for example, linkages to national vital statistics for information on mortality are not currently possible.

Conclusion

Today's healthcare environment is changing from the use of paper-based medical records to the implementation of computer-based documentation systems. This networking of health information has created exciting research opportunities and different privacy challenges in safeguarding personal health data. In this environment, there is a need to develop privacy architectures to protect privacy and minimize risks (Diamond et al. 2008; Lane and Schur 2010). The use of electronic health records highlights the issues surrounding secondary use of health information for research purposes and patient consent (Kosseim and Brady 2008).

The development of RHSCIR has highlighted several challenges in the creation and maintenance of a multi-centre, national, prospective registry in Canada. Specifically, the interpretation of privacy legislation by the REBs resulted in variation across RHSCIR sites. There are several provincial initiatives (Hebert and Saginur 2009) and one national initiative (CIHR 2010) for streamlining the research ethics review of multi-centre clinical studies that have brought together diverse groups of stakeholders. Based on our experience in developing RHSCIR, we support initiatives that will improve the effectiveness and efficiency of the ethics review process to enable the development of registries that collect standardized data across Canada and protect patient privacy.

The challenges encountered in launching RHSCIR are neither unique nor specific to spinal cord injury, but are applicable to any national research study requiring access to personal health information. Given the rapid advances in information technology and the need for data sharing and integration, the creation of large-scale, national research registries that collect data on whole populations and serve as platforms for future research are becoming more common. Canadian jurisprudence recognizes that patients maintain a legitimate expectation of privacy in and control over their personal health information. For RHSCIR, the development of a privacy and security framework ensured compliance and accountability, and provided assurance to patients; however, the maintenance of such a framework is an ongoing challenge and a dynamic process that continues to evolve. The lessons learned regarding the process for approval of RHSCIR may aid in the development of and collaboration with similar national disease registries in Canada and other countries.

 


 

Satisfaire les exigences en matière de confidentialité pour la création d'un registre multicentrique de patients : le Registre Rick Hansen sur les lésions médullaires

Résumé

Les lois sur la protection de la vie privée prévoient la confidentialité des renseignements personnels; cependant, leur interprétation par les conseils de déontologie présente d'importants défis en matière de collecte, de gestion, d'utilisation et de divulgation d'informations personnelles sur la santé dans les études de recherche multicentriques. Cet article décrit la stratégie employée pour créer le Registre Rick Hansen sur les lésions médullaires (RHLM) conformément aux lois sur la protection de la vie privée et en tenant compte des pratiques exemplaires. Une analyse des lois régionales et nationales sur la protection de la vie privée a été menée afin de dégager les exigences de chacun des 31 sites du Registre RHLM ainsi que de son bureau national. Un cadre national de confidentialité et de sécurité a été créé pour le Registre RHLM. Ce cadre comprend une structure de gouvernance, des procédures d'exploitation normalisées, un processus de formation, des mesures de sécurité matérielle et technique ainsi que des évaluations d'impact sur la vie privée. Le cadre représente un important jalon pour garantir la confidentialité et la protection des informations personnelles sur la santé à l'échelle nationale et peut servir à la création d'autres initiatives de recherche nationales ou internationales.

About the Author

Vanessa K. Noonan, PT, PhD, Director of Research, Rick Hansen Institute, Vancouver, BC

Nancy P. Thorogood, PhD, Research Associate, Rick Hansen Institute, Vancouver, BC

Phalgun B. Joshi, PhD, Managing Director & Chief Privacy Officer, Rick Hansen Institute, Vancouver, BC

Michael G. Fehlings, MD, PhD, Professor, Department of Surgery and Spinal Program, University of Toronto, Toronto, ON

B. Catharine Craven, MSc, MD, Assistant Professor, Department of Medicine, Toronto Rehabilitation Institute, University of Toronto, Toronto, ON

Gary Linassi, MB, Associate Professor, Department of Physical Medicine and Rehabilitation, College of Medicine, University of Saskatchewan, Saskatoon, SK

Daryl R. Fourney, MD, Professor, Division of Neurosurgery, University of Saskatchewan, Saskatoon, SK

Brian K. Kwon, MD, PhD, Associate Professor, Division of Spine, Department of Orthopaedics, University of British Columbia, Vancouver, BC

Christopher S. Bailey, MD, Associate Professor, Division of Orthopaedic Surgery, Department of Surgery, Western University, London, ON

Eve C. Tsai, MD, Assistant Professor, Division of Neurosurgery, Department of Surgery, University of Ottawa, Ottawa, ON

Brian M. Drew, MD, Associate Clinical Professor, Division of Orthopaedic Surgery, Department of Surgery, McMaster University, Hamilton, ON

Henry Ahn, MD, Assistant Professor, Department of Surgery and Spinal Program, University of Toronto, Toronto, ON Deborah Tsui, PT, MScPT, Physiotherapist/Research Coordinator, Hamilton Health Sciences Regional Rehabilitation Centre, Hamilton, ON

Marcel F. Dvorak, MD, Scientific Director, Rick Hansen Institute, Vancouver, BC

Correspondence may be directed to: Vanessa K. Noonan, PhD, PT, Director of Research, Rick Hansen Institute, 6th Floor, Blusson Spinal Cord Centre, 6400–818 W. 10th Avenue, Vancouver, BC V5Z 1M9; tel.: 604-707-2126; e-mail: vnoonan@rickhanseninstitute.org.

Acknowledgment

We would like to acknowledge the contributions of Tamara Leys, Jennifer Zander, Catherine McGuiness, Rob Hickling, Kris Walden and Jacquie Wong in the preparation of this manuscript. We would also like to thank the RHSCIR network and all the participating local RHSCIR sites: GF Strong Rehabilitation Centre, Vancouver General Hospital, Foothills Hospital, Glenrose Rehabilitation Hospital, Royal Alexandra Hospital, University of Alberta Hospital, Royal University Hospital, Saskatoon City Hospital, Winnipeg Health Sciences Centre, Toronto Western Hospital, Toronto Rehabilitation Institute, St. Michael's Hospital, Sunnybrook Health Sciences Centre, Hamilton General Hospital, Hamilton Health Sciences Regional Rehabilitation Centre, Victoria Hospital, University Hospital, Parkwood Hospital, Ottawa Hospital, The Rehabilitation Centre, Ottawa Hospital, Civic Campus, Hôpital de l'Enfant-Jésus, Institut de réadaptation en déficience physique de Québec, Centre de réadaptation Lucie-Bruneau, Institut de réadaptation Gingras-Lindsay-de-Montreal, Hôpital du Sacré-Cœur de Montréal, Nova Scotia Rehabilitation Centre, QEII Health Sciences Centre, St. John Regional Hospital, Stan Cassidy Centre for Rehabilitation, St. John's Health Sciences Centre and L.A. Miller Rehabilitation Centre.

Development of this manuscript has been made possible through financial contribution from Health Canada. The views expressed herein represent the views of the Rick Hansen Institute. Provincial financial contributions for RHSCIR have been received from Alberta, British Columbia, Newfoundland and Ontario.

References

Black, N. 2003. "Secondary Use of Personal Data for Health and Health Services Research: Why Identifiable Data Are Essential." Journal of Health Services Research & Policy 8 (Suppl. 1): 36–40.

Canadian Institutes of Health Research (CIHR). 2005. Best Practice for Protecting Privacy in Health Research. Retrieved March 22, 2013. <http://www.cihr-irsc.gc.ca/e/22085.html>.

Canadian Institutes of Health Research (CIHR). 2010. Strategy for Patient-Oriented Research. Retrieved March 22, 2013. <http://www.cihr-irsc.gc.ca/e/41232.html>.

Cavoukian, A. 2005. "Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act." Retrieved March 22, 2013. <http://www.ipc.on.ca/images/Resources/up-phipa_pia_e.pdf>.

de Champlain, J. and J. Patenaude. 2006. "Review of a Mock Research Protocol in Functional Neuroimaging by Canadian Research Ethics Boards." Journal of Medical Ethics 32(9): 530–34.

Department of Justice, Government of Canada. 2011. Personal Information Protection and Electronic Documents Act (PIPEDA). Retrieved March 22, 2013. <http://laws-lois.justice.gc.ca/eng/acts/P-8.6/>.

Diamond, C., M. Goldstein, D. Lansky and S. Verhulst. 2008. "An Architecture for Privacy in a Networked Health Information Environment." Cambridge Quarterly of Healthcare Ethics 17(4): 429–40.

El Emam, K., F.K. Dankar, R. Issa, E. Jonker, D. Amyot, E. Cogo et al. 2009. "A Globally Optimal k-Anonymity Method for the De-Identification of Health Data. Appendix A: Systematic Reviews on the Impact of Consent on Health Research." Journal of the American Medical Informatics Association 16(5): 670–82.

Gliklich, R.E. and N.A. Dreyer. 2010. Registries for Evaluating Patient Outcomes: A User's Guide (2nd ed.). Publication no. 10-EHC049. Rockville, MD: Agency for Healthcare Research and Quality.

Harris, M.A., A.R. Levy and K.E. Teschke. 2008. "Personal Privacy and Public Health: Potential Impacts of Privacy Legislation on Health Research in Canada." Canadian Journal of Public Health 99(4): 293–96.

Health Canada. 2004. ICH Guidance E6: Good Clinical Practice: Consolidated Guideline. Retrieved March 22, 2013. <http://www.hc-sc.gc.ca/dhp-mps/prodpharma/applic-demande/guide-ld/ich/efficac/e6-eng.php>.

Hebert, P. and R. Saginur. 2009. "Research Ethics Review: Do It Once and Do It Well." Canadian Medical Association Journal 180(6): 597–98.

Ingelfinger, J.R. and J.M. Drazen. 2004. "Registry Research and Medical Privacy." New England Journal of Medicine 350(14): 1452–53.

International Organization for Standardization (ISO). 2005. ISO/IEC 27002: Information Technology – Security Techniques – Code of Practice for Information Security Management. Retrieved March 22, 2013. <http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297>.

International Organization for Standardization (ISO). 2008. ISO 27799: Health Informatics – Information Security Management in Health Using ISO/IEC 27002. Retrieved March 22, 2013. <http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=41298>.

Kho, M.E., M. Duffett, D.J. Willison, D.J. Cook and M.C. Brouwers. 2009. "Written Informed Consent and Selection Bias in Observational Studies Using Medical Records: Systematic Review." British Medical Journal (Clinical Research) 338: b866.

Kosseim, P. and M. Brady. 2008. "Policy by Procrastination: Secondary Use of Electronic Health Records for Health Research Purposes." McGill Journal of Law and Health 2: 5–46.

Kotecha, J.A., D. Manca, A. Lambert-Lanning, K. Keshavjee, N. Drummond, M. Godwin et al. 2011. "Ethics and Privacy Issues of a Practice-Based Surveillance System: Need for a National-Level Institutional Research Ethics Board and Consent Standards." Canadian Family Physician 57(10): 1165–73.

Lane, J. and C. Schur. 2010. "Balancing Access to Health Data and Privacy: A Review of the Issues and Approaches for the Future." Health Services Research 45(5 Pt. 2): 1456–67.

Noonan, V.K., B.K. Kwon, L. Soril, M.G. Fehlings, R.J. Hurlbert, A. Townson et al. 2012. "The Rick Hansen Spinal Cord Injury Registry (RHSCIR): A National Patient Registry." Spinal Cord 50(1): 22–27.

Treasury Board of Canada Secretariat, Government of Canada. 2010. Directive on Privacy Impact Assessment. Retrieved March 22, 2013. <http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=18308>.

Tu, J.V., D.J. Willison, F.L. Silver, J. Fang, J.A. Richards, A. Laupacis et al. 2004. "Impracticability of Informed Consent in the Registry of the Canadian Stroke Network." New England Journal of Medicine 350(14): 1414–21.

Willison, D.J. 2007. "Data Protection and the Promotion of Health Research: If the Laws Are Not the Problem, Then What Is?" Healthcare Policy 2(3): 39–43.

Willison, D.J., C. Emerson, K.V. Szala-Meneok, E. Gibson, L. Schwartz, K.M. Weisbaum et al. 2008. "Access to Medical Records for Research Purposes: Varying Perceptions across Research Ethics Boards." Journal of Medical Ethics 34(4): 308–14.