Join the 200th Anniversary Celebration
Advanced Search

Correspondence

Privacy and Medical-Records Research

N Engl J Med 1998; 338:1076-1078April 9, 1998

Article

To the Editor:

In his Sounding Board article (Nov. 13 issue),1 Melton ignores the very reasons he lists for why many people support legislation that requires specific consent on the part of patients for access to medical records by medical researchers. Even more disturbing is his incorrect assertion that there is an absence of documented abuses related to approved research projects. Abuses of genetic testing have been amply documented.2

Researchers, members of institutional review boards (IRBs), and health advocacy groups have acknowledged the fact that we can no longer guarantee privacy and confidentiality in an age of electronic medical records.3 The logistic hurdles associated with medical- and research-record gatekeeping make errors inevitable. Because of this reality, it is more important than ever to ensure the use of informed-consent procedures that convey this potential loss of privacy as one of the risks of research. And because the misuse of genetic information could be especially damaging, we need public policies that specifically address genetics research.

Although there are greater costs associated with recontacting individual subjects and gaining renewed consent for any additional research uses of tissue samples or medical records, this is a price we must be willing to pay. Much valuable research will still be able to go forward, and society will not be harmed in any meaningful fashion.

As we move to create better public policies in this area, we must retain our tradition of protecting human subjects and their right to consent or to refuse to consent before any use is made of their medical information for research. As a staff lawyer with the Office for Protection from Research Risks recently stated: “If there's any possible way that you can go back to one identifiable human being, then you have to provide the twin protection of Institutional Review Board review and informed consent. . . . It may be difficult in the context of tissue banking, but at the moment, that is the standard.” 4

As long as we have no national health plan with guaranteed access to health and medical care, and thus the release of research-related information can result in the loss of access to services, the need to guarantee confidentiality will remain essential.

Judy Norsigian
Sally Whelan
Boston Women's Health Book Collective, Somerville, MA 02144

Paul Billings, M.D., Ph.D.
Council for Responsible Genetics, Cambridge, MA 02140

4 References

  1. 1

    Melton LJ III. The threat to medical-records research. N Engl J Med 1997;337:1466-1470
    Full Text | Web of Science | Medline

  2. 2

    Billings PR, Kohn MA, deCuevas M, Beckwith J, Alper JS, Natowicz MR. Discrimination as a consequence of genetic testing. Am J Hum Genet 1992;50:476-482
    Web of Science | Medline

  3. 3

    National Action Plan on Breast Cancer Tissue Banking Working Group. Model consent forms & related information on tissue banking from routine biopsies. Boston: Public Responsibility in Medicine and Research, December 1997.

  4. 4

    Einhorn-Russell M. Presentation at the PRIM&R Conference on Ethical Research in an Ethical Society: Principles, Practicalities and Politics, Boston, December 8–9, 1997.

To the Editor:

In the belief that society can only benefit from epidemiologic studies, Melton proposes that IRBs make all decisions concerning the release of medical records to researchers. He assumes these boards will do little or nothing to impede the kinds of studies that have become possible, or soon will, as a result of the computerization of medical records and the creation of a national system of electronically linked records.

Others are less sanguine than he. The Privacy Commissioner of Canada has written in his recent annual report: “Easy as it is to rationalize data gathering as beneficial for the individual and society, the information might not be used for benevolent purposes. The collection of medical data can slide imperceptibly from health care to medical supervision to lifestyle surveillance and, ultimately, to a more generalized form of surveillance by the state.” 1 By Melton's own account, Mayo's patients are concerned about such dangers and about the migration of their records without their knowledge.

As Edgar and Rothman have noted, the current IRB system is not well designed to protect patients' rights and patients' interests.2 In a recent report to the Department of Health and Human Services, Lowrance questions whether IRBs are “able and willing” to “become more deeply engaged with the privacy and confidentiality aspects of subject protection than they have been.” 3 In recent years, a number of commentators have argued that the IRB system needs restructuring, a view with which I concur.2,4

Some of the issues raised by Melton, including those pertaining to making medical records anonymous, are discussed more fully in a group of papers from a 1997 symposium on medical-record confidentiality and data collection.5 Much more reflection and debate are needed if we are to design satisfactory policies with respect to the handling of personal medical information.

Beverly Woodward, Ph.D.
Brandeis University, Waltham, MA 02254

5 References

  1. 1

    Phillips B. Privacy Commissioner of Canada, 1996–97 annual report. Ottawa: Privacy Commissioner of Canada, 1997. (Or see http://infoweb.magi.com/uprivcan/annrep/english/table.html).

  2. 2

    Edgar H, Rothman DJ. The institutional review board and beyond: future challenges to the ethics of human experimentation. Milbank Q 1995;73:489-506
    CrossRef | Web of Science | Medline

  3. 3

    Lowrance WW. Privacy and health research: a report to the U.S. Secretary of Health and Human Services. Washington, D.C.: Department of Health and Human Services, May 1997.

  4. 4

    Katz J. Do we need another advisory commission on human experimentation? Hastings Cent Rep 1995;25:29-31
    CrossRef | Web of Science | Medline

  5. 5

    Symposium: medical confidentiality & researchJ Law Med Ethics 1997;25:

To the Editor:

Melton states that the Rochester Epidemiology Project, begun 30 years ago, was possible because state law allowed researchers access to medical records. Not so. Melton's quotation of the law supporting his assertion actually comes from a 1992 statute.1 Thirty years ago, Minnesota statutes were silent on the confidentiality of patients' records, but in 1976, a new state law granted that patients of health care facilities “shall be assured confidential treatment of their personal and medical records, and may approve or refuse their release to any individual outside the facility.” 2 Melton's article fails to clarify under what statutory authority this sharing of identified patient records in the Rochester Project occurred.

Melton also neglects to mention that because of lobbying by the Mayo Clinic in 1996 and 1997, the new consent requirement pertains only to records generated on or after January 1, 1997, and only to releases to external researchers.3

In addition, Mayo supported the full release of medical records to external researchers without consent after “reasonable efforts” had been made to obtain consent. The final language of the 1997 law authorizes the release of records without the patient's consent if the patient has not responded within 60 days after the second request for authorization is mailed.4 Therefore, because of Mayo's lobbying efforts, many medical records in Minnesota can be used by researchers without the patients' consent.

It is not comforting to patients that a physician would advocate either “constructed consent” (majority-conferred obligation) or decisions by IRBs as methods to bypass the patients' concern about privacy.

Twila Brase, R.N., P.H.N.
Citizens for Choice in Health Care, St. Paul, MN 55104

4 References

  1. 1

    1992 Minnesota Statutes, Chapter 144.335, p. 1159. St. Paul: State of Minnesota, 1992.

  2. 2

    1976 Minnesota Statutes, Chapter 144.651, No. 15, p. 2158. St. Paul: State of Minnesota, 1976.

  3. 3

    1997 Minnesota Statutes, Chapter 144.335. St. Paul: State of Minnesota, 1997.

  4. 4

    1997 Laws of Minnesota, Chapter 144.335, p. 3199. St. Paul: State of Minnesota, 1997.

To the Editor:

Melton describes an environment at the Mayo Clinic in which there has been a long tradition of researchers' using patients' records in an open manner. But until recently, there existed natural limits that protected patients' privacy; technology now erodes these limits at an alarming rate. For example, the physical labor previously involved in manually reviewing records provided an economic boundary that restricted the dissemination of person-specific data. Researchers were once physically limited to the records facility itself to gather needed information, but in a globally networked society it is possible for a researcher located anywhere in the world to gain immediate electronic access to patients' files. Today's technology does pose unparalleled threats to patients' privacy, but today's technology also offers solutions.

Many details about our lives are documented on computers, and when this information is linked together, the resulting profiles can identify individual persons as accurately as fingerprints, even when the information contains no explicit identifiers such as name and address.1,2 The increase in the availability of detailed data, as well as inexpensive technology to process it, is having a dramatic impact on research. Having more clinical information available will probably lead to more epidemiologic studies, especially since it can help ensure the validity and generalizability of specific studies. Most likely this will result in a dramatic increase in the number of records released.

A Harris–Equifax poll3 implies that the public would be willing to share information for research, provided researchers and others could not identify any person included in the released data. Melton seems intent on complete access to identifiable information. But he could have conducted his hip-fracture study without identifiable data. All he needed was age, sex, diagnosis (i.e., hip fracture), and date of diagnosis for each stratum. Generalization, suppression, and anonymous linking are among the various computational techniques currently available.1,4 These techniques are intended to release the minimal data needed in the most general format possible, ensuring confidentiality, on the one hand, and usefulness, on the other. In cases in which identifying information is required, these techniques reduce unnecessary risk.

Fear and concern about privacy in the computer age are justified, but the options are not limited to past practices; a new spectrum of solutions is emerging. If researchers want patients to release sensitive data, they should be willing to use technology that ensures patients' privacy within the released data.

Latanya Sweeney, S.M.
Massachusetts Institute of Technology, Cambridge, MA 02139

4 References

  1. 1

    Sweeney L. Weaving technology and policy together to maintain confidentiality. J Law Med Ethics 1997;25:
    CrossRef | Web of Science | Medline

  2. 2

    A guide to state-level ambulatory care data collection activities. Falls Church, Va.: National Association of Health Data Organizations, 1996.

  3. 3

    Louis Harris and Associates. The Equifax-Harris consumer privacy survey. Atlanta: Equifax, 1994.

  4. 4

    Sweeney L. Datafly: a system for providing anonymity in medical data. In: Lin T, Qian S, eds. Database security XI: status and prospects. New York: IFIP/IEEE/Chapman & Hall, 1998:356-81.

Author/Editor Response

Dr. Melton replies:

To the Editor: Norsigian and colleagues distort my attempt to report on testimony to the National Committee on Vital and Health Statistics indicating that there were no documented abuses specifically related to approved research projects involving medical-records review,1 the topic of my article. There is legitimate widespread concern about possible abuses of genetic information by insurers and employers, as emphasized by our focus group, whose members also worried about encroaching governmental surveillance and recognized greater risks associated with electronic data. However, informed consent does not solve any of these problems, and my recommendation was that regulations be focused more directly on the potential abuses of medical data.

As Brase points out, there were no restrictions on the release of medical data 30 years ago, although data for the Rochester Epidemiology Project were obtained under custodial agreements with the other providers. When restrictions were imposed, Minnesota legislators provided the exception for epidemiologic studies that I described. The new Minnesota law governing the external release of medical data took effect on January 1, 1997. “External” release was subsequently clarified to be consistent with Minnesota law relating to private data generally. At the Mayo Clinic, however, research access to medical records is denied even within the institution when patients have refused the research authorization.

Investigators in epidemiologic studies would have no interest in patients' identities were it not for the need to link events with their outcomes and to distinguish unique patients cared for by multiple providers. It is obvious that even a patient with a discrete event like hip fracture might be seen at an emergency room, a hospital, an extended care facility, and an outpatient clinic, all of which might report data on the same patient independently. Sweeney's comments in this regard indicate little experience in the conduct of such studies, where these problems have been amply documented.

Ultimately, it seems futile to debate these issues philosophically. In my opinion, the issue is not whether privacy is intruded upon or whether research is hampered but, instead, whether patients are being helped or harmed. It is naive to believe that no unintended adverse consequences will attend more restricted access to medical records for research, and it is irresponsible to ignore them as Norsigian and her colleagues do. Although the issues are complicated, there needs to be a balancing of the concern for privacy with patients' need for accurate data on outcomes and with society's need for information about the causes of disease and the effectiveness of medical care.

L. Joseph Melton, III, M.D.
Mayo Clinic and Foundation, Rochester, MN 55905

1 References

  1. 1

    Health privacy and confidentiality recommendations. Washington, D.C.: National Committee on Vital and Health Statistics, June 25, 1997.

Citing Articles (1)

Citing Articles

  1. 1

    Matthew K. Wynia, Steven S. Coughlin, Sheri Alpert, Deborah S. Cummins, Linda L. Emanuel. (2001) Shared Expectations for Protection of Identifiable Health Care Information. Report of a National Consensus Process. Journal of General Internal Medicine 16:2, 100-111
    CrossRef

My Account
My Alerts
My Saved Items
My CME Exams
Article Category
Research
Reviews
Clinical Cases
Perspective
Commentary
Other
Browse all articles
Multimedia
Videos in Clinical Medicine
Images in Clinical Medicine
Interactive Medical Cases
Weekly Audio Summaries
Browse all multimedia
This Week
Last Week
Browse full index
Selected Specialties
Cardiology
Endocrinology
Gastroenterology
Genetics
Hematology/Oncology
Infectious Disease
Nephrology
Neurology/Neurosurgery
Obstetrics/Gynecology
Pediatrics
Primary Care/Hospitalist
Pulmonary/Critical Care
Surgery
Browse all Specialties & Topics
Featured Topics
Clinical Practice Center
Health Policy and Reform
Author Center
Submit a Manuscript or Letter
Track a Manuscript
Help