Registry Research and Medical Privacy
http://www.100md.com
《新英格兰医药杂志》
Medical progress is possible largely because we learn from our successes and our failures. Researchers often make an assessment of where things stand for a given medical condition through disease registries that attempt to include everyone who has received a diagnosis of and been treated for a given condition in an institution, a region, or a nation. These critical data bases have been used to help us understand how care is delivered and the outcomes achieved. Sadly, around the world, data repositories are now at risk of significant bias because concern about privacy has led to the requirement that consent be obtained before an individual person's data can be included.
Legislation protecting the privacy of personal health information stems from the recognition of past abuses — unauthorized disclosure and use of individually identifiable information for marketing, recruitment, fund-raising, and other purposes. Furthermore, the fear of discrimination by insurers, employers, and others has led to questions about maintaining privacy that must be addressed. In our opinion, however, the pendulum has swung too far. Public health is threatened by incomplete data more than individual privacy is threatened by disease registries.
The 1996 Health Insurance Portability and Accountability Act (HIPAA), the first federal legislation that provides comprehensive protection of the privacy of personal health information, includes a requirement for specific approval before any part of a person's identifiable health information can be used for research. On the surface, this requirement seems reasonable for the preservation of privacy. Sources of health information such as archived medical records, hospital discharge records, epidemiologic data bases, disease registries, tissue repositories, and government compilations of vital statistics contain very sensitive private information that should not be in the public domain. However, it is possible to compile and analyze information in the aggregate without revealing to any single person the identity of those concerned. With adequate safeguards for privacy, ensured by the interposition of a dispassionate third party between identifiable and unidentifiable data, the requirement for specific consent could be waived.
The Privacy Rule that followed HIPAA in the United States permits an institutional review board (IRB) or privacy board to waive the requirement for consent, provided that specific criteria relevant to the protection of individual privacy and confidentiality are met; similarly, under the Common Rule, an IRB is allowed to modify or even waive the requirement for informed consent, given specific criteria. These two processes and sets of criteria are related but distinct. In practice, however, IRBs are reluctant to waive the requirement for consent, and the process of obtaining access to limited data that could be used without consent is cumbersome at best and prohibitive in many cases.
Before the passage of HIPAA and the establishment of the Privacy Rule, several types of registries or data banks provided invaluable information about the natural history and responsiveness to therapy of certain diseases, the prevalence of various conditions in the general population, and population effects of unsuspected toxins, to name just a few examples. Cancer registries have provided invaluable information about case clusters, the course of malignant conditions, and changes in the behavior of various cancers. Now that consent is required, universal inclusion of data may no longer be possible. For example, the city of Hamburg, in Germany, had a cancer registry that included data on all cases of cancer for more than 50 years. The data were published annually for the use of practitioners in making treatment decisions and counseling patients. In the mid-1980s, two regions, Hamburg and Nordrhein-Westfalen, passed laws requiring informed consent.1 After the laws were passed, no more than 70 percent of potential cases were included in the registry, and the situation deteriorated to the point that data were no longer made available, since they were deemed incomplete. This problem led to a new policy, established by the German government in 1994, requiring the registration of cases in the cancer registry through a two-part body, a trust center and the registry itself. The trust center assigned number codes to identifiable information in order to maintain privacy, and the key to the codes was kept separately. However, since the trust center kept identifiable data only temporarily, destroying it within three to six months, this particular system led to duplicate registrations and lack of cooperation between the trust center and the registry. As a consequence, the registry failed to achieve its mission.
As another example, consider the Program to Improve Care in Acute Renal Disease, a multicenter registry established to identify clinical characteristics and practice patterns associated with favorable and unfavorable outcomes among patients receiving care for acute renal failure in intensive care units.2 The registry used no interventions, but informed consent was required of all study subjects. Since only 52 percent of the subjects provided informed consent, the data gathered were of limited usefulness.
The need for complete data is again clearly brought home in this issue of the Journal. Tu et al. report on a prospective study of the Registry of the Canadian Stroke Network.3 Even with valiant efforts to obtain informed consent from patients with stroke, only 39.3 percent of patients in phase 1 of the study and 50.6 percent in phase 2 provided consent for their inclusion in the registry. Tu et al. report that obtaining written informed consent led to selection bias; the patients who were more seriously ill or impaired were left out. This study and the other two examples given above underscore the inherent problem with registries that require written informed consent: they achieve only partial enrollment, which vitiates the value of their data.
Although privacy must be safeguarded, the safeguards need not be inconsistent with the goal of obtaining complete data. What elements are essential in registries? And what safeguards are required to prevent misuse of the information they contain? For a registry to be most effective, it must contain information that answers the broad questions relevant to the particular disease. Inclusivity and universality are key. For example, the registries in Nordic countries that contain data on all births and all deaths, as well as some personal information, are particularly valuable because the entire population is included. When participation is not universal, the registry is affected both by those included and by those not included. When that occurs, incomplete information and data-bank bias prevent us from tracking our successes and failures, and eventually progress ceases.
We think that the combination of IRB approval for the registry as a whole and two tiers of separation could solve these problems. With IRB approval, a disease registry could keep sensitive vital information under code, and the responsibility for holding the codes that link data to identifiable persons could be assigned to persons other than those entering and analyzing the data.
Clearly, the main requirement for an encoding system used for a disease registry, tissue archive, or the like is that each patient be assigned a unique identifier to avoid duplication and confusion. As an extra safeguard, a National Institutes of Health Certificate of Confidentiality (http://grants1.nih.gov/grants/policy/coc/) could be obtained to prevent third parties from gaining access to the codes linking identification numbers with individual persons. If we have the whole story about patients' outcomes, we can learn from our mistakes and successes and optimize care for patients in the future. If we do not have the whole story, owing to partial participation in registries, our knowledge — and the care we can provide — will remain imperfect.
References
Dudeck J. Informed consent for cancer registration. Lancet Oncol 2001;2:8-9.
Chertow GM, Pascual MT, Soroko S, et al. Reasons for non-enrollment in a cohort study of ARF: the Program to Improve Care in Acute Renal Disease (PICARD) experience and implications for a clinical trials network. Am J Kidney Dis 2003;42:507-551.
Tu JV, Willison DJ, Silver FL, et al. Impracticability of informed consent in the Registry of the Canadian Stroke Network. N Engl J Med 2004;350:1414-1421.(Julie R. Ingelfinger, M.D)
Legislation protecting the privacy of personal health information stems from the recognition of past abuses — unauthorized disclosure and use of individually identifiable information for marketing, recruitment, fund-raising, and other purposes. Furthermore, the fear of discrimination by insurers, employers, and others has led to questions about maintaining privacy that must be addressed. In our opinion, however, the pendulum has swung too far. Public health is threatened by incomplete data more than individual privacy is threatened by disease registries.
The 1996 Health Insurance Portability and Accountability Act (HIPAA), the first federal legislation that provides comprehensive protection of the privacy of personal health information, includes a requirement for specific approval before any part of a person's identifiable health information can be used for research. On the surface, this requirement seems reasonable for the preservation of privacy. Sources of health information such as archived medical records, hospital discharge records, epidemiologic data bases, disease registries, tissue repositories, and government compilations of vital statistics contain very sensitive private information that should not be in the public domain. However, it is possible to compile and analyze information in the aggregate without revealing to any single person the identity of those concerned. With adequate safeguards for privacy, ensured by the interposition of a dispassionate third party between identifiable and unidentifiable data, the requirement for specific consent could be waived.
The Privacy Rule that followed HIPAA in the United States permits an institutional review board (IRB) or privacy board to waive the requirement for consent, provided that specific criteria relevant to the protection of individual privacy and confidentiality are met; similarly, under the Common Rule, an IRB is allowed to modify or even waive the requirement for informed consent, given specific criteria. These two processes and sets of criteria are related but distinct. In practice, however, IRBs are reluctant to waive the requirement for consent, and the process of obtaining access to limited data that could be used without consent is cumbersome at best and prohibitive in many cases.
Before the passage of HIPAA and the establishment of the Privacy Rule, several types of registries or data banks provided invaluable information about the natural history and responsiveness to therapy of certain diseases, the prevalence of various conditions in the general population, and population effects of unsuspected toxins, to name just a few examples. Cancer registries have provided invaluable information about case clusters, the course of malignant conditions, and changes in the behavior of various cancers. Now that consent is required, universal inclusion of data may no longer be possible. For example, the city of Hamburg, in Germany, had a cancer registry that included data on all cases of cancer for more than 50 years. The data were published annually for the use of practitioners in making treatment decisions and counseling patients. In the mid-1980s, two regions, Hamburg and Nordrhein-Westfalen, passed laws requiring informed consent.1 After the laws were passed, no more than 70 percent of potential cases were included in the registry, and the situation deteriorated to the point that data were no longer made available, since they were deemed incomplete. This problem led to a new policy, established by the German government in 1994, requiring the registration of cases in the cancer registry through a two-part body, a trust center and the registry itself. The trust center assigned number codes to identifiable information in order to maintain privacy, and the key to the codes was kept separately. However, since the trust center kept identifiable data only temporarily, destroying it within three to six months, this particular system led to duplicate registrations and lack of cooperation between the trust center and the registry. As a consequence, the registry failed to achieve its mission.
As another example, consider the Program to Improve Care in Acute Renal Disease, a multicenter registry established to identify clinical characteristics and practice patterns associated with favorable and unfavorable outcomes among patients receiving care for acute renal failure in intensive care units.2 The registry used no interventions, but informed consent was required of all study subjects. Since only 52 percent of the subjects provided informed consent, the data gathered were of limited usefulness.
The need for complete data is again clearly brought home in this issue of the Journal. Tu et al. report on a prospective study of the Registry of the Canadian Stroke Network.3 Even with valiant efforts to obtain informed consent from patients with stroke, only 39.3 percent of patients in phase 1 of the study and 50.6 percent in phase 2 provided consent for their inclusion in the registry. Tu et al. report that obtaining written informed consent led to selection bias; the patients who were more seriously ill or impaired were left out. This study and the other two examples given above underscore the inherent problem with registries that require written informed consent: they achieve only partial enrollment, which vitiates the value of their data.
Although privacy must be safeguarded, the safeguards need not be inconsistent with the goal of obtaining complete data. What elements are essential in registries? And what safeguards are required to prevent misuse of the information they contain? For a registry to be most effective, it must contain information that answers the broad questions relevant to the particular disease. Inclusivity and universality are key. For example, the registries in Nordic countries that contain data on all births and all deaths, as well as some personal information, are particularly valuable because the entire population is included. When participation is not universal, the registry is affected both by those included and by those not included. When that occurs, incomplete information and data-bank bias prevent us from tracking our successes and failures, and eventually progress ceases.
We think that the combination of IRB approval for the registry as a whole and two tiers of separation could solve these problems. With IRB approval, a disease registry could keep sensitive vital information under code, and the responsibility for holding the codes that link data to identifiable persons could be assigned to persons other than those entering and analyzing the data.
Clearly, the main requirement for an encoding system used for a disease registry, tissue archive, or the like is that each patient be assigned a unique identifier to avoid duplication and confusion. As an extra safeguard, a National Institutes of Health Certificate of Confidentiality (http://grants1.nih.gov/grants/policy/coc/) could be obtained to prevent third parties from gaining access to the codes linking identification numbers with individual persons. If we have the whole story about patients' outcomes, we can learn from our mistakes and successes and optimize care for patients in the future. If we do not have the whole story, owing to partial participation in registries, our knowledge — and the care we can provide — will remain imperfect.
References
Dudeck J. Informed consent for cancer registration. Lancet Oncol 2001;2:8-9.
Chertow GM, Pascual MT, Soroko S, et al. Reasons for non-enrollment in a cohort study of ARF: the Program to Improve Care in Acute Renal Disease (PICARD) experience and implications for a clinical trials network. Am J Kidney Dis 2003;42:507-551.
Tu JV, Willison DJ, Silver FL, et al. Impracticability of informed consent in the Registry of the Canadian Stroke Network. N Engl J Med 2004;350:1414-1421.(Julie R. Ingelfinger, M.D)