IRB Case: Reasonable right to privacy for patients accessing
Process, privacy, and PR
At its core, this case involves a conflict in judgment between an IRB chair and the IRB as a whole. The chair took the view, in expedited review and thereafter, that a set of researchers had successfully made the case for gaining access to hospital patients’ private health information, in order to locate and contact appropriate participants for a low-risk study. The IRB argued in its turn that the researchers hadn’t met the legal burden of demonstrating that their research could not be conducted without such access. By the end of the case, we learn that the research team is able to be creative with its protocol design, and to improve its historically less-than-perfect relationship with some area physicians, in ways that may facilitate adequate subject-recruitment without need for access to anyone’s private health information. It’s a research-ethics happy ending: the IRB forces the researchers to do a little bit of extra thinking, and a little bit of extra work; and by the end, not only does the research seem poised to go forward without any Waiver of HIPAA Authorization, but the researchers have developed new alliances in the medical community that may facilitate and enhance their future research. Along the way, though, there are a few questions raised about the way this IRB conducts its business.
First, there’s the question of expedited review. It is the practice of this IRB to permit its chair to conduct expedited review, but then to have those already-reviewed protocols re-reviewed by the committee as a whole. This procedure has to be handled very carefully, or it risks destroying the entire point of expedited review, which is to permit low-risk research to move forward expeditiously. Are the researchers told that the initial expedited review is merely provisional, and that they can’t really go forward with their research until the full IRB meets? In that case, of what value to them is the availability of expedited review? On the other hand, if they are told that their research can go forward immediately upon receiving favorable expedited review, then they may incur expenses or take other steps (such as looking at patients’ private health information), only to have their research or recruitment shut down in mid-stream by the full IRB. It may be useful to an IRB for its members to be kept informed of the research that’s been approved pursuant to expedited review; it’s good for IRB members to have a general grip on the research that’s going on at their institutions. But a regular practice of following expedited review at some distance in time with full IRB review risks making expedited review look superfluous; risks putting researchers to inconvenience and expense; risks creating inconsistencies in research practices; and, by exposing differences in judgment between the expedited reviewer and the committee as a whole, risks undermining researchers’ and subjects’ respect for one or the other or both.
Next, the IRB noticed the inconsistency between the terms of the proposed waiver of privacy rights and the information contained in forms given patients by the hospital. They framed this as a potential public relations problem for the hospital, and predicted that the CEO of the hospital would see the waiver in the same light. There is some danger in an IRB’s appealing to these sorts of reasons. After all, some vital research is unpopular; concern with public relations cannot be allowed to drive or limit the institution’s research agenda. On the other hand, mistrust can be created by inconsistencies between announced policies and actions, and mistrust in the community can be disastrous both for researchers and for their subjects. The IRB correctly resolved the inconsistency here by requiring researchers to work a little harder on their recruitment strategies.
Finally there is the CEO’s proposal that the IRB chair and the hospital Privacy Officer work to revise the hospital’s Notice of Privacy and Patient Acknowledgment forms “to inform patients utilizing routine hospital services of the possibility that their identified information might be used in research conducted at the hospital.” This recommendation meshes with the IRB’s concern that “disclosing patient PHI to researchers for use in direct subject recruitment without patient authorization might result in a public relations problem for the hospital in the community.” But caution needs to be used in implementing this proposal. The legal waiver mechanism exists precisely to permit privacy waivers without patient authorization; its high regulatory standards are designed to make privacy waivers difficult to obtain, but obtainable when necessary. The hospital should not issue an authorization form that purports either to waive privacy rights established by law, or to override the law that permits the hospital to waive such rights in defined circumstances. The best solution would be to create or modify informational documents only, so that patients are aware a) that researchers may have access to their non-identifiable health information, and b) that in certain rare, legally-defined circumstances, researchers may also gain access to identifiable information.