资源预览内容
第1页 / 共40页
第2页 / 共40页
第3页 / 共40页
第4页 / 共40页
第5页 / 共40页
第6页 / 共40页
第7页 / 共40页
第8页 / 共40页
第9页 / 共40页
第10页 / 共40页
亲,该文档总共40页,到这儿已超出免费预览范围,如果喜欢就下载吧!
资源描述
Data Privacy and Epidemiologic ResearchHarry GuessMerck Research LaboratoriesMerck & Co., Inc. 1OutlineEpidemiologic and health services researchContrast with clinical researchHuman subjects protection in health services researchIdentifiable data and protection of privacyPublic health importance of studies using identifiable medical dataConclusionsWhere can mathematical research help?2Health Services Research (HSR)*Health services research is a multidisciplinary field of inquiry, both basic and applied, that examines the use, costs, quality, accessibility, delivery, organization, financing, and outcomes of health care services to increase knowledge and understanding of the structure, processes, and effects of health services for individuals and populations*Protecting Data Privacy in Health Services Research: Committee on the Role of Institutional Review Boards in Health Services Research Data Privacy Protection (Editors). Division of Health Care Services. National Academy of Sciences Press. Washington, DC. 2000. ISBN: 0-309-07187-93Much Health Services Research Makes Use of Medical Records Previously Collected for Other Purposes4Typical Information available in Claims DatabasesMEMBERSHIP DATAMember identifierDate of birthGenderDate of enrollmentDate of disenrollmentBenefit plan numberOUTPATIENTPHARMACY CLAIMS Member identifier Pharmacy identifierNDC codeGeneric codeDrug strengthDosage formQuantity dispensedDays supplyPrescribing physician IDDate filledHOSPITAL CLAIMSMember identifierProvider identifierDate of admissionDate of dischargeDRG codeICD-9-CM codesLength of stayPHYSICIAN CLAIMS Member identifierProvider identifierDate of serviceICD-9-CM codes orCPT-4 procedure codes5Using the member identification number and the dates of events (e.g., prescriptions, medical diagnoses), the records can be linked over time to produce a longitudinal record of events for each patient:Patient 1234:02/26/01 - prescription for Drug APatient 1234:03/15/01 - prescription for Drug APatient 1234:04/10/01 - prescriptions for Drug A, Drug BPatient 1234:04/20/01 - hospitalization for acute renal failurePutting together each patients longitudinal sequence of events yields a record of a cohort of many patients, each of whom has been followed individually over time. Record Linkage can create a longitudinal record of events for each patient6XPatient APatient CPatient BPatient DPatient EPatient FX7Once longitudinal records have been created, personal identifiers such as member numbers or social security numbers are generally replaced by encrypted numbers or by sequential numbers (0001 for the first patient, 002 for the second, etc)Such data are not fully anonymous as long as someone (e.g, the managed care organization) holds the key whereby the actual member numbers can be re-identifiedIn epidemiologic research and in pharmaceutical clinical trials the patient identifiers maintained for data analyses are typically study site identifiers sequential patient numbers The links between these and actual patient identifiers are almost always held by the investigators (for clinical trials) or managed care organizations (for epidemiologic studies)8Example: Health Care Databases in SaskatchewanAll residents have full coverage of medical care services and drugs listed in the provincial formulary.Approximately 1 million current residents.Six separate provincial databases can be linked by an individuals unique Health Services Number (HSN): Eligible population registry Prescription drug data (1975-1987; 1989-present)Hospital services dataPhysician services data Cancer registry and vital statisticsReference: Downey W, et al: Health Databases in Saskatchewan. Ch. 20, pp. 325-345. In: Pharmacoepidemiology. 3d Ed. B. Strom (Ed). 9Clinical and Health Services Research: Two different paradigmsClinical ResearchTypically prospectiveTypically involves at most a few thousand patients, except in the most expensive of studiesResearch risks may involve possibility of physical harm (e.g., from adverse reactions)Study-specific informed consent is easily obtained as part of the investigator - patient interactionHealth Services ResearchOften retrospectiveTypically involves analyses of medical records that have been collected previously and for other purposes from many thousands or millions of patientsResearch risks have to do with potential harm from release of health informationStudy-specific informed consent is often impossible to obtain without either invalidating the study or making it prohibitively expensive10Another difference between clinical and health services researchMuch health services research is intended to improve the quality of medical carehence the boundary between “health care quality assurance” and “research” is often not as sharply defined in health services research as in clinical researchResearch means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. (45 CFR 164.501)“if there is any element of research in an activity, that activity should undergo review for the protection of human subjects” (The Belmont Report)11Human Subjects Protection in Health Services ResearchEthical principles* are the same as for clinical researchRespect for personsUnderlies the requirement for oversight of research by an Institutional Review Board (IRB) / Privacy Board / Ethics CommitteeRequires patient informed consent - with certain well-defined exceptionsBeneficence Requires that risks of the research be reasonable in relation to possible benefits and that any risks to research subjects be minimizedJusticeRequires fairness in sharing risks and benefits of research*The Belmont Report: 12Waiving Informed Consent: The Belmont Report “A special problem of consent arises where informing subjects of some pertinent aspect of the research is likely to impair the validity of the research. In all cases of research involving incomplete disclosure, such research is justified only if it is clear that (1) incomplete disclosure is truly necessary to accomplish the goals of the research, (2) there are no undisclosed risks to subjects that are more than minimal, and (3) there is an adequate plan for debriefing subjects, when appropriate, and for dissemination of research results to them.” “Care should be taken to distinguish cases in which disclosure would destroy or invalidate the research from cases in which disclosure would simply inconvenience the investigator.”13Conditions in “The Common Rule” under which an IRB may alter or waive the requirement of obtaining informed consent for human subjects researchAn Institutional Review Board (IRB) may alter or waive the requirements to obtain informed consent if it finds and documents that: (1) The research involves no more than minimal risk to the subjects; (2) The waiver or alteration will not adversely affect the rights and welfare of the subjects; (3) The research could not practicably be carried out without the waiver or alteration; and (4) Whenever appropriate, the subjects will be provided with additional pertinent information after participation. 45 CFR 46.116(d)14HIPPA45 CFR 160-164: Standards for Privacy of Individually Identifiable Health InformationThis regulation is the second final regulation to be issued in the package of rules mandated under title II subtitle F section 261264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104191, titled Administrative Simplification.CFR = U.S. Code of Federal Regulations15Privacy Protections for Human Research ParticipantsThe HIPAA Privacy Prohibition The HIPAA Privacy Standards generally state that a “covered entity may not use or disclose protected health information (PHI), except as permitted or required by” the regulation.45 CFR 164.502 16Covered EntityHealth plan; Health care clearinghouse; Health care provider that transmits any health information in electronic form.Protected Health Information (PHI) Individually Identifiable Health Information (IIHI) in the possession of a Covered Entity, whether transmitted or maintained through electronic media, in hard copy, or by other meansIndividually Identifiable Health Information (IIHI)Information about the physical or mental health of an individual that is created or received by a covered entity and that identifies or can reasonably be used to identify the individualHIPPA: Some Definitions17HIPPA: Privacy Protections for Human Research Participants The Common Rule HIPPA 18 HIPAA applies to covered entities, not covered individuals.Covered entities include healthcare providers that transmit PHI in electronic form.Thus, a researcher, who is not a healthcare provider or other covered entity, who receives PHI from a covered entity is not directly subject to the HIPAA regulation.Indirect control on how a researcher can access data from a covered entity is provided by HIPPA in several ways, including through requiring that the covered entity obtain authorization from each patient whose data will be used for anything other than treatment, payment, or healthcare operationsor through detailed criteria that an IRB or Privacy Board must find to have been met in order for a covered entity to release PHI for a research study without specific authorization from each patientHIPPA: Effect on Researchers19Conditions in HIPPA Regulations under which an IRB or Privacy Board may waive or alter informed consent requirements for releasing identifiable health information(A) The use or disclosure of protected health information involves no more than minimal risk to the individuals; (B) The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals; (C) The research could not practicably be conducted without the alteration or waiver; (D) The research could not practicably be conducted without access to and use of the protected health information; Continued20(E) The privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the anticipated benefits if any to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research; (F) There is an adequate plan to protect the identifiers from improper use and disclosure; (G) There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law; and (H) There are adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart. 45 CFR 164.512(i)HIPPA Conditions for waiving consent (continued)21De-Identification of health information: What are the requirements in HIPPA?22To “de-identify” medical data under HIPPA, one must either remove all of the following 18 identifiers or provide an expert statistical determination that the risk of identifying an individual would be very small*:NamesAll geographic subdivisions smaller than a State (some complex exceptions)All elements of dates (except year)for dates .including birth date, admission date, discharge date, date of death; and all ages over 89Telephone numbersFax numbersElectronic mail addressesSocial security numbersMedical record numbersHealth plan beneficiary numbersAccount numbersCertificate/license numbersVehicle identifiers and serial numbers, including license plate numbersDevice identifiers and serial numbersWeb Universal Resource Locators (URLs)Internet Protocol (IP) address numbersBiometric identifiers, including finger and voice printsFull face photographic images and any comparable images andAny other unique identifying number, characteristic, or code*45 CFR 164.51423Expert statistical determination that the risk of identifying an individual is “very small”*“A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (ii) Documents the methods and results of the analysis that justify such determination.”*45 CFR 164.51424Why such caution?25Database information:DOB, Gender, Zip Code,Public information: e.g. voter registration rolls linking names and addresses with DOB, gender, Zip Codes +=Identification of the patient names with themedical information in the databaseUse of external public information in combination with databases can reveal patient names and addresses26Using public information to uniquely identify people Cambridge, Massachusetts Voting List - 54,805 votersData ElementsBirth date aloneBirth date and genderBirth date and 5-digit ZIP CodeBirth date and full postal codePercent of voters whose names and addresses were uniquely identified by the data elements12%*29%69%97%Sweeney L: Journal of Law, Medicine & Ethics. 1997; 25:98-110*These results are not surprising. This is about what one would expect from the rough approximation (1- 1/k)N-1 exp(-N/k), where k = available dates of birth in a voter cohort and N = 54,085. The other numbers look plausible as well, by similar reasoning.27Even more stringent forms of data privacy protection than HIPPA are favored by some28Some members of the academic medical community believe that identifiable medical records should generally not be used for public health research or quality assurance without specific informed consent and that these objectives can be accomplished sufficiently well by use of fully anonymous data:“In addition, we must abandon the use of identifiable medical records for quality assurance, detection of fraud, and public health, with narrowly defined exceptions. In most cases, mathematical algorithms applied to anonymous data perform these functions more effectively, more quickly, more accurately, and more cheaply.”*Welch CA. NEJM August 2001; 345:371-229Some states have required individual patient informed consent for all medical records researchIn 1996, Minnesota enacted a law that placed stringent consent requirements on the use of patient data for research.Records created since January 1, 1997 could not be used for research without the patients written authorization. 30STUDY DESIGN: Seizures associated with a pain medication - part of FDA post-marketing surveillance to evaluate adverse events with approved drugs. DATA COLLECTION: Informed consent for Minnesota plan members consisted of: (1) letter from health plan medical director, (2) 2nd mailing to non-respondents, and (3) a follow-up telephone call to non-respondents.PRINCIPAL FINDING - very low participation rates: 19% (26/140) of health plan members in Minnesota, where informed consent was required, returned a signed consent form In 5 other states, where patient informed consent was not required, health care providers granted access to patient medical records for 93% (123/132) of the members. CONCLUSION:Legislation requiring study-specific consent was associated with low participation and increased time to completion. Efforts to protect privacy may conflict with ability to produce valid research to safeguard and improve public health.McCarthy DB, et al: Medical records and privacy: empirical effects of legislation. Health Serv Res 1999 34:417-25.Effect of Minnesota legislation requiring specific informed consent on response rate for a medical records study31The Minnesota law has subsequently been amended to permit use of records where the patient does not respond to 2 requests for authorization mailed to the patients last known address. At Mayo Clinic, that change decreased the percentage of patient records that the patient consent requirement made unavailable for studies from 20.7 percent to 3.2 percent. Mayo Clinic researchers remain concerned that variations in the rate of refusal among different patient groups, for example, young versus old, may tend to skew the results obtained from these data1,2.1MEDICAL PRIVACY REGULATION. GAO Report 01-584. April 2001.2S. J. Jacobsen and others, “Potential Effect of Authorization Bias on Medical Record Research,” Mayo Clinic Proceedings, Vol. 74, No. 3 (April 1999), p. 33332Informed Consent for all Medical Records Research using identifiable patient data is required by the October 2000 Declaration of HelsinkiParagraph 1.Medical research involving human subjects includes research on identifiable human material or identifiable data. Paragraph 22In any research on human beings, each potential subject must be adequately informed of the aims, methods, sources of funding, any possible conflicts of interest, institutional affiliations of the researcher, the anticipated benefits and potential risks of the study and the discomfort it may entail. The subject should be informed of the right to abstain from participation in the study or to withdraw consent to participate at any time without reprisal. After ensuring that the subject has understood the information, the physician should then obtain the subjects freely-given informed consent, preferably in writing. If the consent cannot be obtained in writing, the non-written consent must be formally documented and witnessed.These paragraphs imply that informed consent must be obtained for all research involving identifiable medical records. The Declaration provides no exceptions, unlike the Belmont Report, the “Common Rule”, and the HIPPA regulations33The new Declaration of Helsinki requirement of informed consent for all research using identifiable human data has prompted criticism“Strict application of the declarations principles would make a wide range of clinical, biological, and epidemiological research impractical or invalid.”Sir Richard Doll. BMJ 2001; 323:1421-1422He gave 2 examples of epidemiological research which he judged would have been impossible to conduct validly if individual informed consent had been required His 1957 study in 14,000 patients documenting that radiation therapy increased the risk of subsequent cancer A recently published epidemiological study showing that neither induced nor spontaneous abortion increased breast cancer risks34Medical records databases are essential for addressing many important research questions in public health35Effectiveness of Influenza Vaccine in the Elderlyr Retrospective cohort study using administrative database1:Setting: Minnesota HMO: 25,000+ persons 65+ years of ageResults: About 50% reduction in influenza and pneumonia hospitalizations Almost 50% reduction in all-cause mortality Direct cost saving of $117 per person vaccinatedConclusion: Influenza vaccination of the elderly reduces both mortality & costs rComment:To have required individual informed consent for this study would have made it prohibitively expensive, and could have impaired validity because of selection bias2NJEM 1994, 331:778-8436Evaluating Effects of Reimbursement Rule Changes on Health Care Utilization and CostsExample:r Effect of legislatively-mandated Medicaid drug-payment limits on admissions to hospitals and nursing homes1Methods:r Matched cohort study of Medicaid claims in two states for high-risk elderly patients before, during, and after the limitConclusion:r Limiting reimbursement for effective drugs puts frail, low-income, elderly patients at increased risk of institutionalization in nursing homes and may increase Medicaid costs.Comment:r The study required Medicaid claims data from 2 states. If individual informed consent had been required, the study would have been impossible to conduct1Soumerai SB, et al: Effects of Medicaid drug-payment limits on admission to hospitals and nursing homes. NEJM 1991; 325:1072-7.37Why medical records studies are important in public healthTo monitor the health of populations and to detect emerging disease problems, e.g., trends and patterns in asthma, renal disease, coronary heart disease, cancerTo identify populations at high risk for disease and to identify factors that are either potentially harmful or helpful To determine the effectiveness of health interventions as they are used in clinical practice, e.g., monitoring effects of new vaccinesTo quantify prognosis, e.g., survival statistics for various stages and grades of cancer and for cardiovascular diseaseTo assess usefulness of diagnostic tests and screening programs, e.g., colon cancer screening, mammography for breast cancer screeningMelton LJ: The threat to medical records research. NEJM 1997; 337:1466-147038ConclusionsEpidemiologic research using identifiable medical records has played a vital role in advancing public health and medical knowledgeThere is every indication that it should be able to play as great or greater role in the future, especially as larger records linkage systems are put into placeA requirement for individual study-specific informed consent for each medical records study, as advocated by some, would make much health services and epidemiologic research either invalid or so expensive as to be impossible39How can mathematical research help?Improving methodology for protecting patient privacy while permitting use of large data sets for epidemiologic research and surveillanceDefining acceptable professional standards for what needs to be done to certify that a releasing a given data set to a given recipient poses a “very small risk” of identifying any individuals40
网站客服QQ:2055934822
金锄头文库版权所有
经营许可证:蜀ICP备13022795号 | 川公网安备 51140202000112号