Clinical Research Ethics: Protecting Patient Rights and Privacy

August 15, 2023

Clinical Research Ethics: Protecting Patient Rights and Privacy

“Whatsoever things I see or hear, in my attendance in the sick or even apart there from, which on no account one must spread abroad, I will keep to myself holding such things as sacred secrets “.

Hippocratic Oath, 4th century, B.C, E.

With growing complexities of today’s digital era, protection of individual privacy is one of the greatest challenges in research. Privacy applies to person having control over extent, timing and circumstances of sharing oneself. It means keeping the medical records restricted from public interest because it protects patient’s identity. While Confidentiality is protecting individual’s data. It refers to an individual’s right to have personal and datable medical information which remains private between the subject and the researcher. It is the extension of privacy.

Privacy and confidentiality are considered an essential element in research for gaining and sustaining trust between patient and researcher. Violating a patient’s confidentiality can have a legal and ethical consequence for the healthcare provider according to the Health Insurance Portability and Accountability Act (HIPAA).

For example, withholding information about a patient’ condition could be unethical because it could harm the patient. The opposite can be harmful as well. A health care practitioner can be suspended for posting information about cases in social media without their consent.

In limited circumstances, personal information may be disclosed in the public interest without an individual’s consent when the benefit to society outweighs the individual’s interest in keeping the information confidential.

Privacy and confidentiality-A Right.

They are so many rights which the patient has and can duly exercise them whenever they require:

Right to Appropriate Medical care and Humane treatment
Right to Information
Right to Choose Health care Provider and Facility.
Right to Medical Records, Right to Privacy and Confidentiality.

Exceptions include:

If the physical or mental conditions is in question and the court orders the patient to surrender himself to a physical and mental examination.
When the public health or safety demands.
When the patient himself gives up his rights in writing
It can be disclosed to the legal guardian of the patients where the patients is not of legal age or mentally in captivated.

Benefits of maintaining confidentiality include:

It establishes the trust between the participants and the researcher.
It reduced worry on the part of individual, gives control and promotes autonomy.
It maintains the participants dignity.
The participants feel respected

Federal Regulation, Guidance and Protections

The Belmont Report (1979)

The Belmont Report, written by the National commission for the Protection of Human subjects of Biomedical and Behavioural Research, is the most ethical statement guiding human research in the United States and is the basis for U.S federal research protections. The reports set out three fundamental ethical principles: Respect for person, Beneficence, and Justice. Individual privacy and autonomy are described in the report as to honour these ethical principles.

Code of federal regulation Title 45 part 46-The Common Rule

Title 45, Part 46 of the code of Federal Regulation also know as Common rule, defines human subjects as living individuals about whom a researcher obtains:

Data through interaction with the individual.
Identifiable private information.

The common rule is that these data need to be protected.

Food and Drug administration-21 CFR

The Food and Drug administration requires statement in the Informed consent form.

that describes the extent to which confidentiality can identify the participants in the research will be maintained.
that inform the participants that the FDA may view the research records.

Certificates of Confidentiality (CoC)

Issued by National Institute of Health (NIH), USA allow the researcher to refuse to disclose identifying information on research participants in any civil, criminal, administrative, legislative, or other proceedings, whether at the federal, state, or local level, unless the participants consent.

HIPAA Privacy Rule

HIPPA was introduced in 1996 with the underlying goal of increasing access to healthcare across the USA. The HIPAA Privacy rue was foremost in and entered through works of Department of Health and Human services (HHS). This created a system where digital transmission were created more safely and prevents major privacy complication.

HIPAA Privacy rule took effect on April 14,2003. This safeguards all information pertaining to an individual’s health that a covered entity or its business associate might hold, whether verbal, electronic, or paper. All the regulatory data falls under PHI (Public Health Information). Healthcare providers are responsible for protecting your privacy. Hence, they must acquire your consent before disclosing any PHI to provide treatment, manage payment and handle operations.

Disclosing PHI under public health authorities

The HIPAA Privacy rule allows a covered healthcare institution to disclose Protected Health Information for research under following conditions:

If research participants provide a written authorisation
If the privacy officer has granted a Waiver of authorisation requirement.
If PIH has been de-identified.
If the researcher uses limited data set and a Data use agreement.
If legal permission to disclose the PHI was ongoing, or originated before HIPAA went onto effect, and has been grandfathered by the HIPAA transition provisions.
For research on a decedent’ information if the researcher provides the required documentation.

For record reviews Preparatory to research, the researcher should provide the required documentation to the Privacy officer.

When researchers need to review medical records in preparation for research, he or she is allowed to identify, but not contact, potential study participants under the Preparatory to Research provision. During this review, a covered entity including PHI must receive the proper documentation from the researcher and it is reported and reviewed by IRB.

Recruiting the appropriate participants is critical during trial. Individual needs to be interviewed to determine who among them is eligible to be in the study. The physician should contact a potential patient first to get permission to be contacted by the researcher. If the nature of the study makes this very difficult, A researcher must provide reasons to the privacy officer and obtain waiver for recruitment

Subsequent authorisation must be obtained from the participant in written before a covered entity researcher disclose the participant’s PHI for the clinical trial itself, unless permitted by the HIPAA Privacy rule.

In cases, when it is difficult for researcher to obtain written authorisation from research participants, HIPAA contains criteria for the Waiver by the Privacy officer. In such cases researcher can disclose any of that information to other researcher and he or she becomes responsible for keeping an Account of Disclosures for PHI.

In cases of HIV/AIDS information, the disclosure and the use of HIV test data should be directed to Privacy officer and it is mandatory to report positive HIV test data to state health department. And state would report it to Centre for Disease and Prevention (CDC)

In cases of Diseased information, it is still protected under the HIPAA policy and doesn’t require IRB approval

To disclose PHI of diseased persons for research, covered entities are not required to obtain an Authorisation, A Waiver, from the personal representative.

The HIPAA Privacy rule permits the sharing of PHI for public health purpose without individual Authorisation if the PHI is provided to a legally authorised Public Health Authority for the purpose of preventing and Controlling disease, injury and disability.

Data storage devices

HIPAA required researchers to use secure procedures for all computer based storage (servers, laptops and handheld computers) through security procedures(encryption, password protection) whenever conducting research.

Fines Imposed for violation of HIPAA

Violations of the HIPAA Privacy policy can result in both Civil and criminal penalties including fines and possible time in jail. It allows fine of up to 100$ per person for each violation of the law, to a limit of 25,000$ per year for violation of a single standard per calendar year.

IRB’s role in Protecting Privacy.

IRBs and privacy boards, which may/may not be separate entities, depending on the institution, are designed to protect the privacy of participants and to maintain confidentiality of data.

Informed consent-

It plays a critical role in addressing issues related to Privacy, Confidentiality, and reporting illegal or dangerous activities to authorities. Federal require investigator to inform research subjects about how confidentially and privacy will be protected. And under what circumstances they are obligated to breach it to protect people from imminent harm or if required by the law.

Data protection: Protecting data is key to reducing risk.

Certain research conducted that is not a covered entity may not fall under HIPAA rule must be protected. It is important to develop data protection plan which includes

Identifying who has access to the data
Who is maintaining the confidentiality of the data
Describing the measures to protect physical security and software security of the data.
Ensuring the authentication and authorisation for those who have access to medical data.
A contingency plan for dealing with breach of confidentiality

A breach of confidentiality should be reported to IRB and Privacy officer.

Conclusion

The right of research participants to privacy and to have PIH kept confidential is both respected and expected today. Researchers and IRB members needs to recognise the threat to privacy the participants face, and use of appropriate strategies to promote confidentiality. Consistent Vigilance is required to improve health and welfare of society.

References