Yale University.
Calendar. A-Z Index.
Yale Bioethics

IRB Case: Reasonable right to privacy for patients accessing

hospital services

This time, keep it private

Susan Bouregy

IRBs are often thought of as acting solely to ensure that the rights and welfare of research participants are protected.  If so, then the IRB need only approve those projects that are most protective of research participants’ rights and welfare.  In reality, the role of the IRB is much more complex and requires striking balances between myriad competing interests.  This case highlights the struggle to find the appropriate balance between respecting individual privacy on the one hand and facilitating the conduct of research on the other.  IRBs are often called upon to weigh these competing concerns and the determination in any given case will depend on the specifics of the project and the nature of the proposed privacy violation.  The IRB must attempt to incorporate the privacy standards that would be held by the anticipated research participants in making their determination.  In effect, the IRB must determine how bothersome the privacy violation would be to the participants and whether it is reasonable to ignore that “bothersomeness” because of the research needs. 

The term privacy is generally used to refer to an individual’s desire to limit and control access to information about him or herself. An individual right to privacy has not always been a given and what constitutes appropriate respect for individual privacy varies across time and culture.  Only in modern times, has the concept of doctor-patient privilege become a professional standard and a personal right to privacy is a concept that rose to prominence only in the last half century.  Classic court decisions, most notably the 1965 U.S. Supreme Court ruling in Griswald v Connecticut1, have established a right to medical privacy in the courts as well as in public opinion.  As medical research was conducted largely by or in partnership with these same medical providers, privacy concerns related to researcher access to medical records also only recently became a public concern.  It is interesting to note that the concept of privacy and confidentiality are not explicitly mentioned in the seminal IRB document, the Belmont Report2.  The federal regulations for research with human subjects, however, require that the IRB consider research participant privacy as well as provisions to protect the data collected from further disclosure3.

Identity theft, medical identity theft and use of medical information to deny insurance or employment, has led many to consider the privacy and security of their medical information.  In 2005, 67% of respondents in the National Consumer Health Privacy Survey4 considered themselves to be somewhat or very concerned about the privacy of their health information with 1 of 8 respondents engaging in such behaviors as avoiding their regular doctor, asking their doctor to fudge a diagnosis, paying for tests because they didn’t want to submit a claim, or avoiding a test altogether.  These findings are disconcerting as they reflect lingering public concern even following the implementation of the HIPAA Privacy and Security Rules.  In response, state legislatures have enacted a variety of privacy statutes and on the federal level, the stringency of requirements and enforcement provisions of privacy legislation was enhanced in 20095

Against this backdrop of increasing public concern over the privacy of medical information, researchers continue to want to conduct research to improve medical care.  The ability to conduct research is predicated on the willingness of individuals to allow access to themselves and to their private information which requires a level of trust that the information will not be misused or mishandled.  In cases where medical information will be used for research without participant consent, the IRB may approve a waiver of consent6 and, in the case of protected health information, a waiver of authorization.7  Both of these regulatory provisions require that the access be necessary for the conduct of the research and that the rights, including privacy rights, of the participants are taken into consideration. 

The case presented here describes a common scenario for the IRB.  The request to gain access to information without patient consent can be granted within the constraints of federal regulations.  The real question though is should the access be granted?  Based on the information provided, I am inclined to agree with the IRB that the answer in this case is no.  This response is based in large part on what the expectations are of the patient population with regard to research use of their medical record.  While it is true that patients receive a notice regarding the privacy practices of the hospital, many patients nonetheless retain an expectation that their records will be used only for their treatment.  The use of a form at this particular hospital that requests patient consent for use of de-identified data for research purposes further reinforces the expectation of limitations on use of medical information.  The request for consent to use de-identified data implies that identified data, which poses a larger risk of harm from disclosure and hence would be expected to be subject to more stringent privacy requirements, will also not be used for research without consent.  It then follows that the patients would be surprised to receive a recruitment letter based on researchers screening lab records.

In some cases it may be reasonable to overlook these privacy expectations e.g. if the privacy concern pales in comparison to the anticipated benefits of the research.  The scenario described here suggests, however, that privacy concerns may be relevant.  The case description indicates that there are plenty of patients who would meet the eligibility criteria but few were actually referred to the study.  This begs the question of whether the lack of referrals and response to advertising and outreach is actually an active decision not to participate which commands respect.  It is possible that recruitment was low because potential participants were considering the study and choosing not to participate.  In such a scenario, to invade the privacy of patient records to contact eligible patients could be considered harassing. 

In my view, the current case doesn’t adequately justify overriding patient privacy concerns.  One must also consider the practical level, however, of the operational practices of this particular IRB and consider whether the privacy concerns are sufficiently universal to overturn the expedited approval.  Is the invasion of patient privacy in this case of sufficient concern to reverse a prior IRB determination by the Chair?  IRBs have a reputation amongst the research community for being either too capricious or too rigid and to reverse the decision could serve to undermine the respect needed for an IRB to function.  The extent of action taken in reliance on the initial approval for this recruitment method should be considered along with the IRB’s practices and guidelines with regard to expedited review of requests to access identified data under a waiver of consent.

  1. Griswald v Connecticut 381 U.S. 479 (1965)
  2. Belmont Report:  Ethical Principles and Guidance for the Protection of Human Subjects of Research.  Federal Register 79-12065. (1979)
  3. 45 Code of Federal Regulations 46.111
  4. National Consumer Health Privacy Survey, (2005)  available at http://www.chcf.org/topics/view.cfm?itemID=115694
  5. Health Information Technology for Economic and Clinical Health Act (2009)
  6. 45CFR46.116(d)
  7. 45CFR164.512

Return to case description

Return to IRB cases main page