Introduction: Variation across research ethics boards (REBs) in conditions placed on access to medical records for research purposes raises concerns around negative impacts on research quality and on human subject protection, including privacy.
Aim: To study variation in REB consent requirements for retrospective chart review and who may have access to the medical record for data abstraction.
Methods: Thirty 90-min face-to-face interviews were conducted with REB chairs and administrators affiliated with faculties of medicine in Canadian universities, using structured questions around a case study with open-ended responses. Interviews were recorded, transcribed and coded manually.
Results: Fourteen sites (47%) required individual patient consent for the study to proceed as proposed. Three (10%) indicated that their response would depend on how potentially identifying variables would be managed. Eleven sites (38%) did not require consent. Two (7%) suggested a notification and opt-out process. Most stated that consent would be required if identifiable information was being abstracted from the record. Among those not requiring consent, there was substantial variation in recognising that the abstracted information could potentially indirectly re-identify individuals. Concern over access to medical records by an outside individual was also associated with requirement for consent. Eighteen sites (60%) required full committee review. Sixteen (53%) allowed an external research assistant to abstract information from the health record.
Conclusions: Large variation was found across sites in the requirement for consent for research involving access to medical records. REBs need training in best practices for protecting privacy and confidentiality in health research. A forum for REB chairs to confidentially share concerns and decisions about specific studies could also reduce variation in decisions.
Statistics from Altmetric.com
Much health research is heavily dependent on access to information from medical records. In the past, access to these records without consent was common, and abstraction of data from medical records was routinely carried out by trained research assistants. Although new privacy laws allow access to personal information for health research without consent in certain circumstances, these laws provide little guidance for research ethics boards (REBs) and data holders as to the circumstances under which this may occur. Nor is there clear guidance in this matter in leading standards for research ethics, such as the Tri-Council Policy Statement (TCPS) in Canada.1 Lack of clear guidance raises concern over possible variation across REBs and data holders in conditions placed on access to this information and negative impacts on both research quality2–5 and protection of human subjects.6 7 We believe the issues addressed here are similar in most Western jurisdictions and therefore apply also to institutional review boards (USA), research ethics committees (Great Britain) and institutional ethics committees (GCP guidelines7a).
There is growing interest in studying the decision-making process among ethics boards8–10 and a recognition of the need for more consistent frameworks for the governance of research using potentially identifiable data.11 We are aware of little previous research in REB decisions regarding privacy and access to medical records for research. A 1999 report of the US General Accounting Office remarked that oversight of privacy protections in research was limited. It found that many institutional review boards did not even consider confidentiality if the study was eligible for expedited review or exemption from consent requirement and that they relied on institutional policies to address this.12 However, the privacy regulatory environment in Canada and the USA has changed substantially since publication of this report, and we were interested in examining this issue in the Canadian context. Specifically, we conducted a study to examine REB approaches to privacy, confidentiality and security-related issues in observational health research involving both retrospective chart record review and prospective collection of data for registries and biobanks. In this paper, we report on that part of the study that examines variation in consent requirements for retrospective chart review and who may have access to the medical records for data abstraction.
In Canada, all research involving humans is subject to review by an REB. REBs operate under the guidance of the TCPS, a document produced jointly in 1998 by the three primary public granting agencies: the Canadian Institutes of Health Research, the Social Sciences and Humanities Research Council and the National Science and Engineering Research Council.1 The historical context of research governance in Canada may be found elsewhere.13
The TCPS stipulates that REBs are to consist of at least five members. Two must have expertise in the research areas reviewed by the REB, one must be knowledgeable in bioethics, one knowledgeable in law (for biomedical research), and one community member with no affiliation with the institution. These requirements are similar to those for institutional review boards in the USA.14
The TCPS adopts a proportionate approach to research review based on the degree of invasiveness of the research. This approach allows expedited review by the chair or designated member or subcommittee of the REB for studies posing minimal risk, again similar to the law governing institutional review boards in the USA. As there is no central REB in Canada, and as each local REB is responsible for approving research within its institution, the TCPS recognises that ethics review of multi-centred research may result in different conclusions (Section 1.G). This study examines the reasons for and implications of such different conclusions on issues around the use of personal health information and respect for privacy.
The sampling frame for this study consisted of all REBs that review biomedical research conducted by researchers in faculties of medicine in Canadian universities. A list held by the National Council on Ethics in Human Research was updated, and contacts were verified through telephone calls to the REB offices. Invitations were sent out to all REBs on the list. Because of a high response rate, we subsequently excluded specialty REBs that review protocols for selected types of research or populations. Before invoking this exclusion criterion, some specialty REBs were included in the sample.
We conducted thirty 90-min face-to-face interviews with REB chairs and/or administrators. We also invited the chair to present our invitation to their REB meeting and invite other REB members to the interview.
Interviews were structured around four scenarios involving diagnosis or treatment of diabetes. The scenarios were developed in consultation with a diabetologist who is active in clinical research. We asked structured questions with open-ended responses. Although fictional, the scenarios were based on actual real-world protocols. We deliberately incorporated into the protocol aspects that should raise questions, such as the collection of enough data to potentially re-identify individuals. We encouraged interviewees to explain the rationale behind their responses. Interviews were transcribed and sent to respondents, to review for accuracy and to seek clarification where responses were unclear.
We report here only on the portion of the interviews related to the scenario involving retrospective medical-record review. The complete scenario is presented in the appendix. Briefly, researchers wished to screen the medical records of family doctors for women receiving prenatal visits to determine the rate at which they are being tested for gestational diabetes. Although no directly identifying data were to be abstracted from the medical record, the combination of data abstracted from the medical records—specifically birth date, full postal code and ethnic origin—raised the potential to indirectly re-identify individuals. This issue of indirect identifiability was not explicitly pointed out in the scenario, as one goal of the scenario was to determine if interviewees would identify this.
For the retrospective record review scenario, we focused on the following questions:
Was individual patient consent required to conduct this research? Why or why not?
What kind of review would this protocol receive? (Full REB vs review by a sub-committee or individual)
Were there restrictions on who was permitted to identify health records for review and who could abstract data from the records?
Interviews were recorded and transcribed. Transcript review moved through several iterations. In stage 1, transcripts from the first 11 interviews were entered into an analytical table so that the responses across sites to each question were juxtaposed. This table was reviewed by the entire team (co-investigators and staff), and suggested themes were identified at a 1-day retreat. At this time, a coding and categorising scheme was developed for the responses. In stage 2, the two interviewers and a doctoral student reviewed transcripts, coded responses to questions, and summarised the rationale for the response.
Occasionally, it was difficult to identify a final response. As there was more than one person coding the interviews, we developed the following quality-control system. A subset of interviews was identified, in which the responses were difficult to categorise. Responses to these questions were independently coded by the principal investigator, the two research staff and the doctoral student. Answers and rationales were then compared, and a single response agreed upon. For the remaining sections, ambiguous responses were reviewed in the weekly operations meeting, and a response category agreed upon. In a few remaining cases, participant responses remained unclear or qualified to the extent that they were not readily classifiable, and the participant did not answer our requests for clarification.
Of 34 REB chairs approached, 30 (88%) agreed to be interviewed. Fourteen of the 30 REBs (47%) were university-based, and 16 (53%) were hospital-based. Six of the 16 hospital-based REBs were specialised (eg, geriatric, cardiac). Although all provinces with a medical school were represented in the sample, owing to the size of the provinces, 19 of the 30 interviews (63%) were with representatives of REBs based in Ontario or Quebec. The median number of interviewees per interview was two (minimum one, in 13 cases, and maximum six, in two cases). In the following paragraphs, when discussing the responses provided, we will refer to “the site”, rather than “the REB”, as responses were provided by a subsample of the REB. We do not distinguish among respondents when there was more than one interviewee.
Is consent required to conduct this research?
Fourteen of the 30 sites (47%) indicated that individual patient consent would be required for this study to proceed as proposed in the scenario. In addition, three indicated that their response would depend on how certain potentially identifying variables would be managed. They indicated that they would first question whether the investigators really needed the full postal code and precise date of birth. If so, consent would be required. Functionally, then, 17 of the 30 sites (57%) required consent under the circumstances proposed in the protocol.
Eleven sites (37%) indicated that consent was not required. Two suggested that a notification and opt-out process would be acceptable. One site (3%) indicated that this proposal was more like quality assurance than research. Given this rationale, responses from this site were dropped from the remainder of the analyses.
Rationales for responses regarding need for consent
Most sites cited multiple reasons for their decisions (summarised in table 1).
Sites requiring consent (n = 14)
All 14 sites that required consent raised the principle of respect for persons. Five of these also cited legislative requirements. Two indicated that their REBs had a general policy requiring consent in such circumstances. Another three felt consent was feasible, so should be sought.
Ten of the 14 sites (71%) indicated that data collected from the health record allowed potential re-identification of individuals, and that this was the chief reason consent was required. Particular variables raised were: ethnic origin, date of birth, and postal code of mother.
All 14 sites requiring consent were concerned about an outside person having access to the billing or the health records. For seven (50%), outsider access to identifiable records was either the reason for requiring consent or an important factor. Several also pointed out that the issue was not just the identifiability of information abstracted from the chart but also the fact that researchers would be going through the record itself, which, by nature, is identifying. This is exemplified in one encounter:
…as soon as there’s any suggestion about the researchers having identifiable information, then the default position is consent would be required; and simply receiving the chart, knowing there’s a name on the chart, and opening up to access the non-identifiable elements, … that would require consent to even access that. (Site 15, lines 122–126)
Sites replying “It depends” (n = 3)
For these, the decision whether or not consent would be required hinged entirely on the potential for indirectly identifying individuals from the combination of full postal code with ethnic origin or date of birth. If the investigators insisted that they needed this information, then consent would be required. If they could make do with truncated postal code or age/age category, consent would not be required, as it would be much more difficult to identify individuals. None of these sites raised the issue of an outside person accessing the records in their decision-making regarding consent requirement.
Sites not requiring consent (n = 10)
Seven (70%) cited the minimal risk nature of the research as their chief rationale for not requiring consent. These were deemed minimal risk because either (a) lack of direct contact with the individuals whose records were being reviewed or (b) anonymity of the data being extracted from the health record. Four said that their general policy is to not require consent for research involving retrospective chart review.
Two (20% of those not requiring consent) indicated that their provincial body that regulates doctors specifically permitted release of personal information without consent for research purposes if they reasonably believe that the researcher will protect the patient’s identity. One of these commented regarding provincial legislation:
There’s an enormous amount of discretion and interpretation there. … We need to take account of the practicality there; we need to take account of the balancing [of] the public interest in the research against the public interest in the protection of privacy. So it’s phrased in very broad sort of wording. (Site 17, lines 135–139)
Another site simply indicated that obtaining consent was not feasible.
Identifiability was deemed a relevant consideration by six of the 10 sites not requiring consent. These seven indicated that consent would be required if the data being abstracted were identifiable. In this case, however, they judged that the abstracted data were anonymous, making consent unnecessary. They did not raise as factors in their decision-making the potential for indirectly re-identifying individuals through combinations of date of birth, ethnic origin, postal code and sex. The remaining 4/10 (40%) indicated that identifiability was not a relevant consideration when determining the need for individual patient consent. None of the 10 mentioned access to records by an outside research assistant when citing the rationale for their decision.
Sites replying “Notification and opt-out” (n = 2)
Little rationale was offered by the two sites that suggested notification and opt-out. One simply cited precedent and the other no rationale for its decision.
Full versus expedited review: analysis by consent requirement (table 2)
We anticipated that there may be a relationship between requirement of individual consent and the nature of the review required. In examining this relationship, we combined the responses of (a) sites requiring consent and those answering “it depends” and (b) sites not requiring consent and those requiring notification and opt-out because, functionally, they were equivalent.
Sites requiring consent and those answering “It depends” (n = 17)
Twelve (71%) indicated that the protocol would be reviewed by the full REB. Of these, nine (75%) specifically cited privacy issues.
… would be full committee review because this has got many difficult issues about confidentiality that no Chairman would want to stick his neck out over on his own. (Site 16, lines 49–51)
Three of these nine (33%) explicitly identified that it was because an outside person would have access to the data and not because of the data themselves.
Three sites would provide some sort of expedited review, all citing that this is “minimal risk” research.
I think that it would be perfectly appropriate to do an expedited review of this in that it constitutes some minimal risks, so…the risks are information, privacy will be at risk. (Site 14, lines 11–14)
For this particular site, privacy risks were explicitly deemed to be “minimal risk”.
Sites not requiring consent or requiring notification and opt-out (n = 12)
These were evenly split between full committee review and some form of expedited review. Three of the six sites requiring full REB review specifically cited privacy issues. Three of the six that would provide expedited review cited minimal risk of the research and one because the information is not personally identifying (table 2).
Who may screen health records for review? Who may abstract data from the records?
Responses to this question were categorised into three chief groups: (1) Must be a healthcare professional within the practice; (2) may include office staff; (3) external research assistant allowed. Each represents a widening circle of individuals, so that response 2 encompasses response 1, and response 3 encompasses responses 1 and 2. There was one exception to this, where the respondent identified that an outside research assistant could have access but not the office secretary.
The focal issue for the purposes of this scenario is whether an outsider would be allowed to either identify records for abstracting or abstract data from the charts. Sixteen sites (55%) allowed both (table 3). Two allowed an outsider to abstract from charts but not screen them. One allowed an outsider to abstract data but was unclear as to who would be allowed to screen. Sites requiring consent or replying “it depends” were less likely (9/17 (53%)) to allow an external research assistant to abstract information from the health record than sites not requiring consent or requiring notice with opt-out (10/12 (83%)).
Whether or not they required individual consent to conduct the study, several sites placed similar conditions on access by an external individual:
a specific confidentiality agreement must be in place (mentioned in five sites requiring consent and six not requiring)
the external research assistant must have specific training in confidentiality (four sites requiring consent/three not requiring)
the name of the external research assistant must be provided to the REB (two sites requiring consent/one site not requiring)
the doctor must remain responsible and accountable (one site requiring consent/one site not requiring)
the patients must be informed that an outside individual is reviewing their records for a research study (one site requiring consent)
At the end of the interview, participants were given the opportunity to raise additional challenges they face regarding privacy, confidentiality and security when reviewing similar proposals. Nine sites (31%) expressed a desire for greater guidance in how they should interpret the laws and the TCPS in these matters. In particular, they wanted national guidelines where there were currently “gaps”. Specifics mentioned included:
the maximum duration of retention of data/samples;
the interface between law and the TCPS;
how to distinguish between quality improvement activities and research.
Seven sites expressed the need for better education of REB members and researchers in these matters. A commonly cited request was for more detail in the TCPS and review templates for research involving access to charts.
DISCUSSION AND CONCLUSIONS
We found substantial variation across sites in opinion as to the need for individual consent for research involving access to medical records. Variation in requirements across REBs has been observed in other contexts.10 15–18 Variation itself is not necessarily negative. One REB may identify important concerns that were missed by another REB. In this case, some of the differences in the consent requirement were from differences in values as to the importance of individual autonomy (ie, privacy concerns) versus public benefit that would accrue from the research, in the light of a judgement that the research posed minimal risk. Unjustifiable variation, though, should be minimised, as variation introduces both uneven protection of human subjects (including individual autonomy) and challenges to scientific validity.
Most sites indicated that, in principle, consent is required if identifiable information is being abstracted from the records. However, there seemed to be considerable lack of recognition, particularly among the sites not requiring consent, that, together, the data elements collected raised a high probability of indirectly being able to re-identify individuals. In part, this may reflect a lack of specific training in these issues. One site explicitly acknowledged the privacy risk but minimised it, citing a high level of trust that, although they could, researchers will not attempt to re-identify these individuals. Other sites were not so explicit in stating this but did so indirectly, by virtue of their policies that research involving medical-record review did not require consent because of minimal risk.
Some of the differences in approach across sites—in need for consent, expedited versus full review, and who may screen and abstract data—may reflect ambiguity in the relevant sections of the TCPS on ethical conduct for research involving humans. For example, article 3.4 of the TCPS states that the “REB may [our emphasis] also require that a researcher’s access to secondary use of data involving identifying information be dependent on: (a) the informed consent of those who contributed data or of authorized third parties; …”19 Although some of that ambiguity may be intentional—for example, to provide decision latitude for REBs—our sense is that REBs are seeking greater clarity.
Also, both information privacy and healthcare fall primarily under provincial jurisdiction. This may contribute to the inconsistency in decisions across the country. However, Canadian provincial privacy laws are generally based on the same fair information principles established in 1981 by the Organisation for Economic Cooperation and Development, which have been refined and enhanced by the Canadian Standards Association.20 21 The greater problem may be that, like the TCPS, our privacy laws generally offer such broad concessions for non-consensual use of personal information for health research that they offer little to no guidance for REBs.22 Indeed, in many interviews, respondents expressed the need for greater guidance to reconcile the laws and the TCPS. The Canadian Institutes of Health Research (CIHR) have recently promulgated best practices for protection of privacy in health research.23 These guidelines were intended to augment the TCPS. If widely adopted, they may have a harmonising effect on the operational interpretation of the laws across the country.
Our findings differ substantially from the US General Accounting Office report which stated that the ethics boards it surveyed uniformly were in the habit of waiving consent requirements for this kind of research.12 This may simply be a function of changing times. In the years that have elapsed since this report, many jurisdictions in Canada, the USA and Europe have introduced or updated their privacy laws to be consistent with the fair information principles agreed upon by the Organisation for Economic Cooperation and Development,30 and to address particular needs around health information privacy.
Our findings may also reflect an initial cautious response to new legislation, because of uncertainty as to how to interpret the law. This has been observed in the USA, where the initial response to the regulations to the Health Information Portability and Accountability Act was toward unnecessarily complex consent forms.24
Some of the ambiguous responses that we encountered are probably a product of having artificial scenarios for the interviewees to consider. When encountering an actual case, a decision must be made. With the hypothetical, one has more opportunity to “fence sit”. It is also possible that responses included some “social desirability” bias, wherein some respondents may have provided answers that were more stringent than those actually taken in real cases under similar conditions.
Interviewees were asked to represent the position of their REB, and not their own individual response. Where there was more than one interviewee, the opening responses often were not identical, although convergence of opinion was usually achieved during the discussion. Also, in general, the more people participating in the interview, the richer the discussion became. So, we cannot be certain that the responses always represented the REB’s position, as opposed to the chair’s opinion.
Interviewees reported on their response to the scenario as presented. We did not systematically ask whether the consent requirement would change if the concerns they raised about the protocol (eg, the collection of date of birth as opposed to age) were addressed. This may have reduced the apparent split in opinion as to the need for consent.
Decisions in response to the scenarios were made by particular individuals at a particular point in time. People’s opinions change depending on many factors, including changes to policies and personal experience issues that may have arisen in protocols they may have reviewed recently. The absence of a full committee review of the scenarios has the potential to amplify this limitation.
We attempted to corroborate the responses we received through review of written REB policies in these matters. However, we found that most REBs did not have written policies. Several indicated that they were in the process of developing such policies.
Respondents expressed the strong need for training of REB members in privacy and confidentiality in health research. The CIHR privacy best practices document mentioned above is a helpful first step in this regard, but the knowledge-transfer literature suggests that more active outreach strategies such as case-based workshops are needed for effective uptake.25 Educational efforts should not be limited to REBs but extended to practising researchers and the graduate curricula of future researchers.
Some issues are highly technical and fall outside the scope of expertise that one might expect to exist in most REBs and by most researchers. Examples include: verification of disclosure control safeguards embedded in the electronic health record, security measures for data repositories (beyond the basics, such as locked files and passwords), and statistical techniques to minimise the risk of re-identification.26 In such circumstances, relevant external expertise should be available to REBs. In the long run, there is a need for capacity building in these areas, to facilitate secure access to these data.
A factor strongly associated with responses requiring individual consent was that an outside research employee was to be sent in to abstract data from the health records. Some respondents expressed concern over the credentials of this individual. The CIHR best practices document does not speak directly to the question of who may access medical records for identifying target records and abstraction of data. It recommends that the number of research staff with access to directly identifying information be limited on a “need-to-know” basis. It further recommends that research staff have appropriate training in confidentiality and security, and that they become “deemed employees” subject to confidentiality agreements.27 In future revisions of that document, the CIHR should consider addressing the question of minimum qualifications of research staff external to the care providers. It is worth noting also that the general public is more comfortable with a trained research assistant abstracting data from their health record than the doctor’s secretary or receptionist.28
A certain amount of variation in REB requirements in multicentred studies could be resolved if there were some formal structure for REBs to share with one another, in confidence, their concerns and potential solutions around specific studies that they are reviewing in common. The need for a forum or a national database of REB decisions was identified in the 2000 McDonald report for the Law Commission of Canada.29 Currently, there may be informal one-on-one discussions between individual REBs over specific protocols on an ad hoc basis. At the other extreme, there are also general electronic forums for REB members that are accessible by subscription but remain “semi-public”. Although not a panacea, a much more restrictive and secure discussion forum where concerns are discussed among REB chairs reviewing a specific protocol could go a long way toward resolving differences and would, in itself, be educational.
Finally, in shining the spotlight on REBs, the individual researcher is not absolved from responsibility in this matter. When conducting research involving abstraction of data from medical records, researchers should anticipate questions such as:
Why should this research be exempt from individual consent?
Do I really need potentially identifying data such as full date of birth, full postal code and other potentially re-identifying information or can I make do with age or age category and similar less identifying data?
What safeguards will be in place with regard to people, processes and data?
What are the potential privacy-related harms that may emerge from the results of the study?
Having first consulted the relevant guidelines and legal authorities, researchers should be prepared to present to the REB options for conducting the research with justification for their chosen approach. This, too, could go a long way in averting differences in opinion across reviews.
We thank Ms Anita Diloreto for her assistance in manuscript preparation. We also thank members of the project advisory committee for their thoughtful comments and feedback throughout the study: Richard Carpentier (National Council on Ethics in Human Research); Sheila Chapman (Canadian Institutes of Health Research); Debra Grant (Office of the Information and Privacy Commissioner of Ontario); Ross Hodgins (Health Canada); Susan Hoddinott (University of Western Ontario) and Ray Saginur (University of Ottawa) (representing the Canadian Association of Research Ethics Boards); Joan Roch (Canadian Institute for Health Information); Valerie Steeves (University of Ottawa).
Research scenario: retrospective chart review
What proportion of pregnant women in family doctors’ practices receive a glucose challenge test and/or glucose tolerance test for gestational diabetes between weeks 24 and 28 in their pregnancy, as recommended by current practice guidelines?
Among those women with a positive glucose tolerance test, what percentage receive follow-up testing for diabetes within 6 months of delivery?
Summary of research methods
A. The study will be carried out in 50 family practices in the vicinity of your institution.
B. The records of all women who have delivered in the past 2 years will be identified through a review of the electronic billing records to identify those with a diagnostic code indicating a prenatal visit. This information is available through the doctor’s in-house computerised billing records which are submitted electronically to the public insurer. This will be done in one of two ways:
Where possible, the family doctor’s office staff will screen the billing submissions to identify women with prenatal visits and pull their charts.
A pilot survey revealed that 30% of the doctors who were willing to participate felt their office staff were too busy to help prepare a list or pull charts, even if paid to do this off-hours. In this case, the project research assistant would both identify the target patients and pull the charts.
C. Data will be abstracted and entered directly into a portable computer. This will be done in the doctor’s office outside of any care-giving area. This may include the basement, the filing room, or even the back-room closet.
D. The research assistant will screen the pulled charts for lab reports indicating a glucose challenge and/or tolerance test between weeks 24 and 28 of gestation. Among those with a positive tolerance test, the research assistant will scan for further tests up to 6 months after delivery.
E. In addition to recording the presence and the values of glucose tolerance tests, the following patient information will be abstracted from the charts: family/personal history of diabetes; ethnic origin; height, weight; postal code; parity; mother’s date of birth. Directly identifying information will not be extracted (name, address, telephone number, health card number.)
F. The following data will be gathered during brief interviews with each doctor: physician study code, gender, date of birth, location where doctor received medical training and family medicine residency.
G. Each abstracted record will be given a unique study ID by the research assistant, who will create a record that links each study ID with a corresponding woman’s chart. This linking file will remain in a separate file.
H. On completion of the chart reviews at a site, information will be up-loaded to a computer in the office of the principal investigator, an academic family doctor, who will be responsible for data analysis.
Funding: This research was funded by a grant from the Canadian Institutes of Health Research (grant number MOP-577484).
Competing interests: At the time of the study, KMW and MDC served on research ethics boards that participated in the study. In neither of these two cases did they attend the interview or attempt to coach or influence the response of the interviewee(s).
If you wish to reuse any or all of this article please use the link below which will take you to the Copyright Clearance Center’s RightsLink service. You will be able to get a quick price and instant permission to reuse the content in many different ways.