Exemplo: eBook como Livro
Records Based Research
Content Author
Judy Matuk, M.S.
Stony Brook University
Stony Brook, New York USA
This module was revised and adapted from the original module authored by:
Barbara Young, Ph.D.
Group Health Cooperative
Seattle, Washington USA
Acknowledgement: The author would like to thank Dr. Bruce Gordon and Ms. Ada Sue Selwitz for their editorial review of this module.
Introduction
Researchers can make important advances in the fields of education, medicine, psychology, and public policy without any in-person interaction with human subjects. Rather, hypotheses can be posed and answered by analysis of documented information in various types of paper or electronic records, including, e.g., medical, motor vehicle, criminal justice, or school records.
Each person conducting scientific research based on records should:
•Understand the specific risks to human subjects associated with such research;
•Ensure that the research protocol specifies procedures that minimize those risks;
And
•Obtain all required approvals (institutional, state, federal, and international, if applicable) prior to conducting the research.
Before collecting information from records for purposes of research, an investigator should consult with:
(a) the Institutional Review Board (IRB) Office at his/her own institution to determine the type of review required, if any;
(b) the applicable administrator at the institution where the actual records are owned or maintained to ensure ability to access them for research purposes;
In addition, the researcher needs to determine if there are other regulations impacting the record- review. Examples include the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule for medical records research, or the Family Educational Rights and Privacy Act (FERPA) for student education records.
LEARNING OBJECTIVES
After completing this module, the learner will be able to:
•Discuss the risks associated with conducting records-based research;
•Identify the types of review that apply to records-based research.
Risks of Records-Based Research: Privacy and Confidentiality
Risks associated with records-based research stem from possible invasion of privacy and breaches of confidentiality, i.e., the possibility that disclosure of the information could reasonably place the subject at risk of criminal or civil liability and/or be damaging to the subject's financial standing, employability, or reputation.
Privacy can be defined in terms of having control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) or information about oneself with others. In the context of research, privacy risk pertains primarily to the methods used to obtain information about subjects. Whereas privacy risks are obviously very low in studies when a subject actually consents to providing personal information, they are much higher, in records-based research, when information is obtained for research purposes without the consent of subjects.
Confidentiality pertains to the actual treatment of the personal information once it is obtained. In other words, now that the researcher has obtained private information, how will it be used, stored, and reported in a way that is consistent with the manner under which it was originally obtained from the individual? Information from public records, and information obtained under a relationship of trust, as in doctor-patient relationship, will require different considerations for protecting confidentiality.
Records-based research must balance the possible benefits of answering important research questions with the possible risks of using information about individuals, especially if information is used without their consent.
You can imagine the consequences to an individual if information provided to their medical doctor about their drug addiction was revealed to law enforcement officials, or their mental illness was revealed to an employer. The IRB carefully reviews the procedures that are described by the investigator to protect the confidentiality of the information being accessed, including identification of all individuals or groups who may also be able to access that information. For example, a University’s audit office, or a research sponsor may require access to the information to ensure that the research activity is being conducted appropriately.
Minimizing Risks
There is an ethical and regulatory responsibility to minimize the risks to subjects of research.
The risks of invasion of privacy can be minimized through by obtaining informed consent from subjects (even, perhaps, before their records are accessed to determine their eligibility). However, for a variety of reasons, obtaining informed consent may be impracticable, or may compromise the goal or the research, or may actually put the subject at greater risk. In these circumstances, the IRB may waive the necessity for informed consent if specific regulatory criteria are met:
•The research involves no more than minimal risk; and
•The risks and welfare of the subjects will not be adversely affected by the waiver; and
•The research could not practicably be carried out without the waiver of consent; and
•When appropriate, the subjects will be provided with pertinent information after participation.
The risks of breach of confidentiality associated with records-based research are necessarily tied to how identifiable and how sensitive the requested information is. If the information is recorded without identifiers, the sensitivity of the information is less of a concern. If the information is both identifiable and sensitive, methods to protect confidentiality must be carefully considered by the investigator, and reviewed by the IRB. Therefore, in considering the research hypothesis, the investigator must assess how important it is to be able to associate the individual with his/her information in research records.
Whenever possible, and to the greatest extent possible, de-identified or anonymous information should be recorded.
Assuming the research cannot be conducted anonymously, the following questions speak to protection of the collected information. Based on an investigator’s answers, an IRB will carefully assess whether possible risks from breaches of confidentiality have been minimized:
•What kind of identifiable information, if any, will be collected?
•Who will have access to the identifiable information?
•Where will the identifiable information be kept?
•What kinds of codes or encryption will be used to separate research data from subject identifiers?
•How will limitations on access be ensured?
•How will research staff persons be trained about privacy and confidentiality?
•How long will identifiable information or linkages to personal identifiers be kept?
•For data being transmitted physically and/or electronically, what encryption methods will be used?
•What procedures will be used for disposal/destruction of identifiers and research documents, once no longer required?
Certificates of Confidentiality
For studys in which identifiable, sensitive information is being accessed (HIV status, history of alcoholism, mental illness, etc), the investigator may obtain protection from subpoena of his/her records by receiving a study specific Certificate of Confidentiality from the NIH.. For more information, visit: http://www.nih.gov/grants/oprr/humansubjects/guidance/cert-con.htm
What type of review is required for records-based research?
Record-based research can fall into one of four types of review. To identify the appropriate type of review the following four questions should be considered:
•Do the activities meet the Federal definition of “human subject research”?
•Is the research eligible for exemption from the Federal regulations?
•Is the research eligible for expedited review under the Federal regulations?
•Does the record-based research need review by the full convened IRB?
Some institutions have criteria more stringent than the federal guidance, so the information provided in this specific section may not describe policies and procedures at the investigators own institution. Check with your IRB office to find out how your institution makes such determinations.
Do the activities meet the Federal definition of “human subject” research?
Record–based research activities may not meet the Federal definition of “human subjects” research. A human subject is “a living individual about whom an investigator (whether professional or student) conducting research obtains (1) Data through intervention or interaction with the individual, or (2) Identifiable private information.”
To apply this definition, the individual designated by the institution to make this decision, will consider:
•Do the records involve living individuals?
•Were the records collected specifically for this research project through intervention or interaction with the individual?
•Can the investigator readily ascertain the identity of any of the individuals either directly or indirectly through coding systems?
The investigator should check with the IRB to determine who has the authority to make this decision whether the research constitutes “human subjects” research, or whether the institution policy is more stringent.
If the research involves coded private information, the Office of Human Research Protection has issued additional guidance [insert link to “OHRP Guidance on Research Involving Coded Private Information or Biological Specimens”]
Is the research eligible for exemption from the Federal regulations?
Record-based research may be exempt if:
•The information is existing (ie, on the shelf) at the time the exemption is requested, AND
•the sources of information are publically available (ie, any person can obtain the data), or the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects, i.e., although the researcher may actually see identifiers while reviewing the data set, they cannot record any of them in any research record, or data collection instrument.
The Office of Human Research Protections (OHRP) recommend that researchers not determine if their research qualifies as exempt. Rather, the institution should designate an applicable institutional official (or the IRB) to conduct this review. Institutions may have internal rules and policies in addition to the federal regulations that will determine whether to grant this exemption.
Is the research eligible for expedited review under the Federal regulations?
Record-based research may qualify for expedited review if the research activity:
•poses no more than minimal risk of harm or discomfort to the subjects AND
•is described in one of the expedited review categories: (http://www.hhs.gov/ohrp/humansubjects/guidance/expedited98.htm). Records-based research that is eligible for expedited review generally falls under Category 5, “Research involving materials (data, documents, records, or specimens) that have been collected, or will be collected solely for non-research purposes (such as medical treatment or diagnosis).”
The expedited category 5 described above differs from the exemption existing record category. The exemption category applies only to retrospective research; the expedited category applies to prospective as well as retrospective research.
Does the record-based research need review by the full convened IRB?
If the human research does not qualify for exemption or expedited review, then it must undergo full review by the IRB at a convened meeting.
When Health Information is Involved: The Federal Privacy Law
When records-based research requires access to individually identifiable (“protected”) health information, additional requirements of the federal Health Insurance Portability and Accountability Act (HIPAA) must be met. This includes the need for written authorization from the patient, above and beyond informed consent requirements under the Common Rule. Promulgated through the Office of Civil Rights (OCR), requirements under the Act vary depending on the type and number of identifiers that are being associated with the accessed health information. If most, but not all, mandated identifiers are removed (a “limited data set”), written patient authorization may not be required, provided there is a data use agreement between the investigator and the institution holding the medical records. If any more identifiers are added to the set, either written patient authorization is required, or a HIPAA Privacy Board (can grant a waiver of authorization based on similar criteria to those required for waiver of consent under 45 CFR 46. Health information that is completely ‘de-identified’ as defined under HIPAA, is not subject to the privacy law.
If you are conducting records-based research involving health information, you should review the "HIPAA and Human Subjects Research" module for more information about HIPAA requirements to which your research may be subject.
Conclusion
Although there is no direct interaction with human subjects in record-based research, there may be risks to those individuals who originally provided the information used in such activities. Those risks must be minimized, informed consent must be considered, and review and approval from your institution must be obtained, per local and/or federal regulations. Research involving identifiable health information requires compliance with additional federal requirements.