Is deidentification sufficient to protect health privacy in research?
- Am J Bioeth
Author/s: -Rothstein, MA
Journal: Am J Bioeth
Pages: 3 - 11
The revolution in health information technology has enabled the compilation and use of large data sets of health records for genomic and other research. Extensive collections of health records, especially those linked with biological specimens, are also extremely valuable for outcomes research, quality assurance, public health surveillance, and other beneficial purposes. The manipulation of large quantities of health information, however, creates substantial challenges for protecting the privacy of patients and research subjects. The strategy of choice for many health care providers and research institutions in dealing with this challenge has been to deidentify individual health information.
Under the current regulatory framework in the United States, studies involving deidentified health records are exempt from regulations governing research with human subjects (45 C.F.R. § 46.101(b)(4)). Similarly, deidentified health records are outside the definition of “protected health information” (45 C.F.R. § 164.514(a)) and therefore are exempt from federal privacy protections. Determining whether legal requirements for privacy protection have been satisfied for deidentified health information usually involves narrowly evaluating the technical standards used in deidentification. There is usually little or no consideration by institutional review boards and regulators of the broader issues of the risks to privacy raised by the research and whether reasonable measures have been taken to reduce the risk.
This article considers the effects on privacy and related interests of creating, using, and disclosing deidentified health information in research without the knowledge, consent, or authorization of the individual. It also evaluates other potential harms from the nonconsensual use of deidentified health information in research, including undermining of trust in research. Many of the same issues apply to the use of deidentified biological specimens in research, and the article addresses these issues as well.
The article concludes that the use of deidentified health information and biological specimens in research creates a range of privacy and other risks to individuals and groups. The current regulatory system, under which privacy protections are afforded identifiable information but no protections apply to deidentified information, needs to be revised. A range of options should be considered to extend some level of protection to deidentified information without unduly burdening research.