Law & Governance
Sorry, You Can't Have That Information: Data Holder Confusion Regarding Privacy Requirements for Personal Health Information and the Potential Chilling Effect on Health Research
This study, conducted in Newfoundland and Labrador, assessed the level of awareness, perceptions and concerns of healthcare providers, health researchers, data managers and the general public about the collection, use and disclosure of personal health information (PHI) for research purposes. Data collection involved surveys and follow-up focus groups with participants. Results indicate a poor understanding generally with regard to privacy rights and responsibilities. Many professionals are unfamiliar with the legislative environment for PHI, particularly as it pertains to the access and use of PHI for research purposes. Lack of familiarity with basic requirements for patient-based research, coupled with heightened sensitivity to privacy issues owing to various federal and provincial regulatory initiatives, could have a chilling effect on health research. Importantly, our results indicate that the public is much less concerned about the use of their PHI for health research purposes than are professionals who collect, store and share it.
Efforts to preserve individual privacy while facilitating health research have been ongoing in Canada as well. The Canadian Institutes of Health Research (CIHR 2005) have provided guidance to researchers with regard to best practices for protecting PHI in health research. Various studies have examined the public's opinions with regard to access to PHI for research, and their preferences as to if and when individual consent should be required (Willison et al. 2003; Page and Mitchell 2006; Jones et al. 2006). However, comparatively little, if anything, is known about the awareness, perceptions and concerns of health professionals and data managers who collect, store and maintain the PHI of patients and clients. Indeed, although the vast majority of healthcare providers are not themselves health researchers, they often act as gatekeepers in either granting or denying access to PHI when approached by health researchers.
This study, conducted in Newfoundland and Labrador, assessed the levels of awareness among health professionals and data managers with regard to their legal and professional responsibilities vis-à-vis the PHI they control, and their perceptions and concerns about sharing PHI for research purposes. A survey of the public was included to compare and contrast public perceptions with those of professionals, and to gauge whether the public displays a similar range and intensity of concern.
Participants and Methods
The interdisciplinary project team involved researchers from the fields of bioethics, sociology, business and epidemiology, along with those experienced in health legal issues and others in database management. An advisory committee was convened early in the project to bring together persons from the target groups for consultation as the project progressed.
Target groups included nurses, social workers, physicians and pharmacists, as well as health researchers, database managers and the public. All were surveyed for their knowledge and attitudes about the access, use and disclosure of PHI. Focus groups of participants from each target group were convened subsequent to the survey to clarify and expand on survey responses. (See Figure 1.)
Survey questions were developed through a review of the literature and communication with other projects and agencies exploring privacy issues. Early drafts of the questionnaires were developed by a working group within the research team and reviewed by the team as a whole. All surveys included core questions that addressed awareness of privacy legislation and its impact, concerns about privacy issues and questions about acceptable access and uses of PHI in research. In addition, each target group was presented with brief scenarios appropriate to its practice environment, and participants were asked to respond to specific questions. Responses were framed as five-point Likert scales with "not applicable" as appropriate. The instruments were pre-tested with representatives of each group and revised as indicated. In most cases, following the suggestions of the pre-test groups, wording was made more specific to the target group in question. These revisions led to more diverse wording of some questions than had been anticipated.
Potential participants were identified through their professional organizations in the case of physicians, nurses, social workers and pharmacists. Database managers are individuals responsible for the day-to-day operation of a database, including adding new entries, data quality and the release of data. Their clients are the people who request access to the data. Database managers were identified through researchers and institutional administrators. Faculty research descriptions on the Memorial University website were used to identify health researchers. The research team contacted the full list of potential participants in each group. A random sample of 600 (200 respondents to questions based on each of three scenarios) of the general public was identified using a list provided by Aliant Newfoundland, with monitoring during recruitment to ensure a balance of males and females and educational levels. Statistical analysis was not a primary goal, as our aim was to obtain descriptive data.
Three survey methods were used: mail, online and telephone. The method chosen for each professional group was determined by its respective provincial association. Nurses, social workers and pharmacists were contacted via mail; physicians, researchers and database managers received an online survey. Experienced interviewers, trained on the questionnaire, surveyed a sample of the general public by telephone. A list of 2,766 randomly generated telephone numbers was necessary to make contact with 855 eligible participants.
Two follow-up e-mails were sent to physicians and database managers and four to health researchers. Budget constraints did not allow mailed reminders for the 540 pharmacists, 1,926 nurses or 1,080 social workers, but reminders were sent through their respective professional association newsletters and postings on their websites. Consent was implied by return of online and mailed questionnaires and obtained verbally in telephone interviews.
The study was reviewed and received ethics approval from the Human Investigation Committee, Memorial University.
Results were analyzed according to three major themes: (1) awareness of privacy-related issues, policies and initiatives, (2) concerns with regard to privacy of PHI and (3) use of PHI for research purposes.
1. Awareness of privacy-related issues, policies and initiatives
In general, professional respondents indicated a low level of awareness about various provincial initiatives pertaining to the collection, storage and use of PHI, including efforts to create an electronic health record (EHR) and to develop a Pharmacy Network that will eventually track all prescriptions in the province. Overall, only 45% of professional respondents reported familiarity with the EHR, while 34% expressed awareness of the Pharmacy Network. Public respondents were not asked specifically about these initiatives.
When asked if the provincial government was doing enough to protect PHI, 49% of the public agreed on average, while only 32% of professionals agreed. However, there was wide variation among professional groups: physicians and health researchers were the least in agreement (18% and 21%, respectively), while pharmacists were the most confident (58%). Many professionals gave a "neutral" response to this question (70% for health researchers; 57% for physicians), while only 16% of the public gave a neutral response.
All professional participants were asked if they understood the meaning of the technical terms "anonymous data" and "de-identified data." Overall, 78% of professionals stated they understood the meaning of the former, while 58% agreed they knew the meaning of the latter. Health researchers expressed the highest level of confidence in their understanding of these terms (91% anonymous data; 97% de-identified data). Physicians were least confident about their understanding (66% anonymous; 42% de-identified).
Professional groups, in general, did not believe enough had been done within their profession to educate them about privacy-related issues, although database managers were an exception in this regard. Professionals were even less confident that enough had been done to educate their patients/clients (Figure 2).
2. Concerns with regard to privacy of PHI
All participants were asked about their general level of concern over the safety and security of their own PHI. Figure 3 compares the responses of each group.
Only 34% of the general public was concerned about the privacy of their PHI, compared to almost 85% of professionals. Professionals reported a similar level of concern about the privacy of their clients'/patients' PHI.
Participants in all professional groups were asked whether they had ever (a) had a patient/client mention an infringement of his/her privacy in the health system, or (b) experienced an infringement of their own privacy in the health system. Overall, just under half of all professionals surveyed reported that at least one of their patients or clients had mentioned an infringement of privacy in the health system at some point, and one-quarter of professionals reported they themselves had experienced such an infringement. Only 10% of the general public surveyed reported experiencing a breach. It should be noted that all such reports were anecdotal, and were not confined to complaints that had been reported to an oversight body that subsequently investigated and confirmed the breach.
Professional groups expressed greater confidence in the security of computer files than paper files, while the public was more likely to trust the security of paper files. However, none of the participant groups expressed much confidence with either option. Only 16% of all professionals agreed that paper files are safe and secure, and only 20% trusted the security of computer files. The public expressed greater confidence in paper files (34%) than in computer files (24%). Among professionals, pharmacists were noticeably more comfortable with both types of files, with 39% agreeing that computer files are secure, and 31% agreeing that paper files are secure. However, even among this group, well over half did not trust the security of either type of file.
A series of questions was designed to assess the degree to which health professionals understand and appreciate the need for health research in order to improve the delivery of health services. Figure 4 summarizes the responses to one such question in which professionals who deal directly with patients/clients were asked if they agreed they would be able to provide better care if researchers had easier access to health information in general. There was wide variation on this question, from a low of 13% of nurses who agreed, to a high of 36% of physicians. However, 33% of physicians and 43% of nurses disagreed with this statement. Again, there were a large number of neutral responses among all groups.
3. Use of PHI for research purposes
Earlier in the survey, professionals were asked whether they understood the meanings of the terms "anonymous data" and "de-identified data." Before completing this section of the survey, respondents were provided with clear definitions of these terms. Pharmacists, physicians, social workers and nurses were then asked whether sharing their patients'/clients' de-identified data for health research purposes without the consent of the patient would be acceptable. On average, 74% of respondents either would not or were not sure that sharing de-identified information without consent would be appropriate. Physicians (37%) were the most likely to agree that they would share such information, but they also had the largest neutral response (27%). Thirty per cent of pharmacists agreed that sharing without consent would be permissible. Nurses (24%) and social workers (23%) were the least likely to agree.
Further examination of these results revealed that respondents with previous research experience were more likely to agree that sharing de-identified information for health research purposes without consent was acceptable. The current convention permits such disclosure if approval has been obtained from a research ethics board.
Professionals who routinely manage PHI for patients/clients in their workplace were asked whether sharing such information would be acceptable if they had either (a) explicit or (b) implicit consent.
On average, 88% of professionals who responded agreed that sharing their patients'/clients' PHI with explicit consent was acceptable, but only 17% agreed if the consent was only implicit (Figure 5). On average, 12% of professionals were not willing to share PHI even with explicit consent. Again, further analysis of these results indicated that professionals with research experience were more likely to share information with implicit consent than were those without this experience.
All respondents were asked whether it would be okay for new researchers to view de-identified information that had been collected for a previous study with patient/client consent, without re-contacting for consent to the second study. Among the professional groups surveyed, database managers (67%) and health researchers (47%) were most likely to agree that this would be acceptable, followed closely by pharmacists (43%) (Figure 6). Those professionals who have clinical relationships with their patients/clients were less likely to agree (nurses 39%; physicians 35%; social workers 27%). The most important observation with regard to these data, however, is that the public appears to be much less concerned about the use of PHI for research purposes: 88% were willing to allow other researchers to view their de-identified PHI for a new study, even though they had not consented explicitly to this subsequent use.
The tension between an individual's right to privacy and the broader public good accomplished through public health research admits no easy solutions. Regulators and research ethics boards have been criticized for giving undue weight to the privacy of the individual (National Academy of Sciences 2006), and researchers continue to complain that privacy rules impede research (Cressey 2007; Ness 2007). Some have questioned whether individual informed consent is even necessary for participation in health services research (Cassell and Young 2002), while others struggle to interpret how privacy guidelines may affect the work of research ethics boards and researchers (National Academy of Sciences 2000; Willison et al. 2008).
Data custodians, various institutions that collect data and research ethics boards have struggled to determine what PHI can or should be shared among institutions and with researchers (Kulynych and Korn 2003; Willison et al. 2008). The results of the present study indicate that this uncertainty extends to the level of members of various professional groups as well.
Our results indicate that individuals responsible for collecting and retaining PHI are often unfamiliar with privacy legislation and with policies and procedures regarding the use of PHI for health research. This finding is evidenced, for example, by the fact that between 7% and 15% of professionals surveyed would not share PHI for research purposes even with the explicit consent of the individuals to whom the information belongs. This result is both interesting and disturbing. Explicit consent is the highest standard imposed to effect release of PHI to a third party. Our result could indicate respondents' lack of familiarity with the legislative and policy environment with regard to PHI, a lack of awareness and understanding regarding the meaning of explicit consent and what it permits, or the existence of an institutional policy or procedure within the professional's organization that requires someone else to decide if and when release of PHI is appropriate. Many nurses and social workers do not have direct authority to share information with other parties unless they receive permission to do so. This stipulation may explain, in part, the greater reluctance of nurses and social workers to share PHI with either explicit or implicit consent. Our results indicate that those with research experience appear to be more familiar and comfortable with the research process and with privacy requirements with regard to PHI, and are thus more inclined to support maximum use of research data.
All health research involving human subjects must be submitted to a research ethics board for review and approval prior to proceeding (NSERCC 2009). This is a requirement even for studies that utilize data collected previously with consent. Researchers and database managers who participated in this study were reminded of this requirement prior to being asked if using previously collected data would be acceptable without re-consent, because the professional representatives who screened the questionnaire thought that failing to make this point explicit might confuse respondents. However, respondents from other professional groups were not reminded of this requirement. Hence, it is possible that more health researchers and database managers may have agreed that use of previously collected data was permissible than might otherwise have done so. Nevertheless, even with this reminder, 33% of database managers either disagreed or were neutral on this question, while more than half (55%) of health researchers did not agree that such research could proceed without re-consent. Again, it is noteworthy that the public respondents to this question were not reminded of the role of the ethics review board either, yet 88% were still willing to let new researchers look at their previously collected PHI without re-consent. However, as one anonymous reviewer of an earlier version of this paper observed, the public's lack of concern in this regard could be due to a naïve sense of security that is not shared by professionals who are more familiar with the manner in which PHI is managed on an ongoing basis within the healthcare system. Private citizens are not responsible for collecting, storing or sharing the PHI of other persons, and hence are likely not as concerned about their individual responsibilities vis-à-vis relevant legislation and regulations.
The high percentage of professionals who either disagreed or were unsure of the appropriateness of sharing de-identified information for research purposes portends a rather chilly climate for health research. Inasmuch as it would be impractical to get consent for much of the research conducted on de-identified PHI, professionals who are less inclined to grant access to de-identified information need to be better informed about the ethical standards in this regard, about the role of research ethics boards and about what constitutes acceptable practice according to current standards. However, it is noteworthy that a recent study indicates wide variation among research ethics boards on these matters as well (Willison et al. 2008).
In the spring of 2008, the Government of Newfoundland and Labrador introduced the Personal Health Information Act, which is expected to be proclaimed in 2009. The process leading up to the proclamation will be an opportune time for professional bodies to educate members and for the government to educate the public as to their respective rights and responsibilities under this legislation.
Previous research indicates the public is generally convinced that the benefits of access to PHI outweigh privacy risks (Bright 2007; Campbell et al. 2007). The results of the present study confirm that the public in general is not nearly as concerned about the sharing of their PHI for health research purposes as are various groups of professionals. This finding could be due to the fact that those professionals who collect and store PHI feel a special fiduciary responsibility for their patients/clients. Social workers, for example, often deal with highly sensitive information on some of the most vulnerable individuals and families, and thus may be particularly concerned.
We interpret the high percentage of neutral responses among professionals to indicate that often professionals are unsure of what is required of them. This finding was suggested by a number of comments received in the post-survey focus groups. One respondent commented that the consensus among his group was: "If in doubt, don't share." This position is congruent with a common observation in both the United States (National Academy of Sciences 2006) and the United Kingdom (Haynes et al. 2007) to the effect that those responsible for collecting and managing PHI simply are not clear on what is required of them. When a lack of familiarity with basic requirements for patient-based research is coupled with a heightened sensitivity to privacy issues due to various federal and provincial regulatory initiatives, the potentially negative impact on health research efforts could be significant. It is worth noting that members of the public generally did not give neutral responses.
Key recommendations of the study
Recommendations for governments, departments of health and community services, and regional health boards
A concerted, systematic effort must be made to educate the public about:
- health research in general and the respective roles of government, university, industry health professionals and research ethics boards in research;
- their privacy rights with regard to the uses of PHI in the context of currently existing privacy protections.
Recommendations for professional associations
Professional associations should provide privacy training for health professionals to:
- remind them of the benefits of health research for improving patient care;
- alert them to their specific responsibilities vis-à-vis PHI and the requirements with regard to privacy and access;
- educate them about research guidelines and procedures, privacy standards, and the role of research ethics boards;
- instruct them about privacy-related legislation;
- provide information about the various levels and strengths of privacy protection.
Recommendations for universities
When training researchers and fostering research, universities must:
- ensure that all health researchers receive specific training with regard to the access, collection, use, maintenance, storage and disclosure of PHI;
- ensure that all health researchers are educated in research ethics policies and procedures and, in particular, the role of the research ethics board;
- promote the opportunity for additional research to gain a more in-depth understanding of health professionals' specific concerns and the implications for health research.
Recommendations for data guardians
Healthcare institutions and government agencies that hold PHI must:
- develop and maintain comprehensive security systems and procedures to address health professionals' legitimate concerns while balancing the equally legitimate need for access to PHI for research purposes.
Limitations of the study
The complex design of this study, which included seven target groups and three different survey methods, resulted in a number of methodological challenges. Consultation and pre-testing of survey questions with representatives of the target groups resulted in revisions that increased the diversity of question wordings. The analysis of even some core questions was complicated by these differences. For example, some questions included a "not applicable" option and some did not. As well, certain questions elicited large numbers of neutral responses, which seemed to indicate lack of knowledge. Had this outcome been anticipated, a "don't know" option would have been added.
Although it was possible for potential participants to be on two lists (e.g., pharmacist and faculty researcher) and thus to receive two questionnaires, there was no way to detect such duplication. The research team agreed it was unlikely that any such person would take the time to complete two questionnaires. Despite these and other challenges, we are confident of our results. Our study design included post-survey focus group consultations with target group members, which enabled us to clarify and confirm our interpretations of the survey data.
Sorry, You Cannot Obtain That Information: Confusion Regarding Requirements for Personal Health Information and Potential Setbacks for Research
This study, conducted in Newfoundland and Labrador, assesses the level of awareness, perception and concern of healthcare providers, researchers, data managers and the general public regarding the collection, use and disclosure of personal health information (PHI) for research purposes. Data were collected through surveys and focus groups with respondents. The results indicate a poor general understanding of rights and responsibilities regarding personal information. Many professionals are unfamiliar with the legislative context for PHI, particularly with regard to access to and use of PHI for research purposes. Lack of knowledge of the basic requirements for patient-based research, combined with the sensitivity of personal information issues owing to the many federal and provincial regulations, could cause setbacks for health research. Furthermore, our results indicate that the public is much less concerned about the use of their PHI for research purposes than are the professionals who collect, manage and share this information.
About the Author(s)
Daryl Pullman, PhD
Professor of Medical Ethics, Division of Community Health and Humanities
Faculty of Medicine, Memorial University
St. John's, NL
Sharon K. Buehler, PhD
Honorary Research Professor, Division of Community Health and Humanities
Faculty of Medicine, Memorial University
St. John's, NL
Larry Felt, PhD
Professor, Department of Sociology
Faculty of Arts, Memorial University
St. John's, NL
Katherine Gallagher, PhD
Faculty of Business Administration, Memorial University
St. John's, NL
Jeannie House, LLB
Director, Advocacy and Information
Newfoundland and Labrador Health Boards Association
St. John's, NL
T. Montgomery Keough, BSc (Hons)
Senior Researcher, Health Research Unit
Division of Community Health and Humanities
Faculty of Medicine, Memorial University
St. John's, NL
Lucy McDonald, BES
Director, Privacy and Corporate Services
Newfoundland and Labrador Centre for Health Information
St. John's, NL
Angela Power, BA
Privacy Lead-Senior Privacy Analyst, ATIPP Office
Department of Justice, Government of Newfoundland and Labrador
St. John's, NL
Ann Ryan, MSc
Manager, Health Research Unit
Division of Community Health and Humanities
Faculty of Medicine, Memorial University
St. John's, NL
Roy West, PhD
Professor Emeritus, Division of Community Health and Humanities
Faculty of Medicine, Memorial University
St. John's, NL
Correspondence may be directed to: Daryl Pullman, PhD, Professor of Medical Ethics, Division of Community Health and Humanities, Faculty of Medicine, Memorial University, 300 Prince Philip Drive, St. John's, NL A1B 3V6; tel.: 709-777-6220; e-mail: firstname.lastname@example.org.
Acknowledgment
This research was funded by the Canadian Institutes of Health Research. We are grateful to anonymous referees of an earlier version of the manuscript for suggestions to help clarify a number of salient points.
Bright, B. 2007. "Benefits of Electronic Health Records Seen as Outweighing Privacy Risks." The Wall Street Journal. Retrieved March 25, 2009. < http://online.wsj.com/article/SB119565244262500549.html > .
Campbell, B., H. Thomson, J. Slater, C. Coward, K. Wyatt and K. Sweeney. 2007. "Extracting Information from Hospital Records: What Patients Think about Consent." Quality and Safety in Health Care 16: 404-8. doi:10.1136/qshc.2006.020313.
Canadian Institutes of Health Research (CIHR). 2005. "CIHR Best Practices for Protecting Privacy in Health Research." Ottawa: Public Works and Government Services Canada.
Cassell, J. and A. Young. 2002. "Why We Should Not Seek Individual Informed Consent for Participation in Health Services Research." Journal of Medical Ethics 28: 313-17.
Cressey, D. 2007 (November 13). "Researchers Complain of Privacy Rules." Nature doi:10.1038/news.2007.238.
Fost, N. and R.J. Levine. 2007. "The Dysregulation of Human Subjects Research." Journal of the American Medical Association 298(18): 2196-98.
Government of Newfoundland and Labrador. 2008. Bill 7: An Act to Provide for the Protection of Personal Health Information. Retrieved March 25, 2009. < http://www.assembly.nl.ca/business/bills/Bill0807.htm > .
Haynes, C.L., G.A. Cook and M.A. Jones. 2007. "Legal and Ethical Considerations in Processing Patient-Identifiable Data without Patient Consent: Lessons Learnt from Developing a Disease Register." Journal of Medical Ethics 33: 302-7. doi:10.1136/jme.2006.016907.
Jones, R.B., J. Pearson, A.J. Cawsey, D. Bental, A. Barrett, J. White, C.A. White and W.H. Gilmour. 2006 (April 5). "Effect of Different Forms of Information Produced for Cancer Patients on Their Use of the Information, Social Support and Anxiety: Randomized Trial." British Medical Journal. doi:10.1136/bmj.38807.571042.68.
Kaiser, J. 2006. "Rule to Protect Privacy May Doom Long-Term Heart Study." Science 311: 1547-48.
Kulynych, J. and D. Korn. 2003. "The New HIPAA (Health Insurance Portability and Accountability Act of 1996) Medical Privacy Rule: Help or Hindrance for Clinical Research?" Circulation 108(8): 919-20.
National Academy of Sciences. 2000. Protecting Data Privacy in Health Services Research. Washington, DC: Committee on the Role of Institutional Review Boards in Health Services Research Data Privacy Protection, Division of Healthcare Services, Institute of Medicine, National Academy Press. Retrieved March 25, 2009. < http://www.nap.edu/openbook.php?record_id=9952 > .
National Academy of Sciences. 2006. Effect of the HIPAA Privacy Rule on Health Research: Proceedings of a Workshop Presented to the National Cancer Policy Forum. Washington, DC: Institute of Medicine, National Academies Press. Retrieved March 25, 2009. < http://www.nap.edu/catalog.php?record_id=11749 > .
Natural Sciences and Engineering Research Council of Canada (NSERCC). 2009 (February 19). Tri-Council Policy Statement: Integrity in Research and Scholarship. Retrieved March 25, 2009. < http://www.nserc-crsng.gc.ca/NSERC-CRSNG/Policies-Politiques/tpsintegrity-picintegritie_eng.asp > .
Ness, R.B. 2007. "Influence of the HIPAA Privacy Rules on Health Research." Journal of the American Medical Association 298(18): 2164-70.
Page, S.A. and I. Mitchell. 2006. "Patients' Opinions on Privacy, Consent and the Disclosure of Health Information for Medical Research." Chronic Diseases in Canada 27(2): 60-67.
Willison, D.J., K. Keshavjee, K. Nair, C. Goldsmith and A.M. Holbrook. 2003 (February 15). "Patients' Consent Preferences for Research Uses of Information in Electronic Medical Records: Interview and Survey Data." British Medical Journal 326: 373. doi:10.1136/bmj.326.7385.373.
Willison, D.J., C. Emerson, K.V. Szala-Meneok, E. Gibson, L. Schwartz, K.M. Weisbaum, F. Founier, K. Brazil and M.D. Coughlin. 2008. "Access to Medical Records for Research Purposes: Varying Perceptions across Research Ethics Boards." Journal of Medical Ethics 34: 308-14.