September 2008: The differences between protecting privacy and maintaining confidentiality

advertisement
New York University Langone Medical Center
Institutional Review Board
Continuing Education
September 2008
Regulatory Criteria #2
The differences between protecting privacy
AND maintaining confidentiality
Privacy
• Having control over the extent, timing, and circumstances of sharing one’s self
(physically, behaviorally, or intellectually) with others.
• Having control over how others may have access to one’s self.
Confidentiality
• Pertains to the treatment of information that an individual has disclosed in a
relationship of trust with the expectation that it will not be divulged to others in
ways that are inconsistent with the understanding of the original disclosure
without permission.
• Information given about oneself or identifiable information via an agreement and
in a trusting relationship.
• Agreement about maintenance and who has access to identifiable data
Differences between the two:
Privacy is the control a person has over one self and who may access information about
him/her or about how to access them directly. Example in a violation of privacy: A
researcher receives a batch of patient names from a Primary Care Physician to contact for
a research study. The patients do not have a relationship with the researcher. The
researcher calls the patients. In the first phone call regarding the study, the patient states
to the researcher “My phone number is unlisted. How did you get this phone number?”
The patient’s privacy has been violated because the information was not publicly
available nor did the patient grant permission for this researcher to contact him/her.
Confidentiality is when there is a relationship and an exchange of information is
completed under the influence of trust plus an agreement of on who may have access to
this information. Confidentiality is breached when information is accessed by individuals
who had not been named in the agreement to have access. For example, a consent form
for a multi-center study states that the researcher team will be the only individuals to
have access to the data collected in the proposed research study and the data will be
coded with a unique identifier that links the data back to the individual subjects. Only the
local research team will have access to the linkage. The researchers later share the
linkage information with a Co- Investigator at another site. Confidentiality has been
breached because the subject were not told that the research team at another site would
have access to their data and names. Regulations
In order to approve human subjects research, the IRB shall determine that where
appropriate, there are adequate provisions to protect the privacy of subjects and to
maintain confidentiality of data. 45 CFR 46.111(a)(7); 21 CFR 56.111(a)(7). In a
protocol, privacy is typically addressed in the recruitment of subjects section while
confidentiality is addressed in the section discussing how data collected in the research
will be kept confidential (see Section H of the Consent Form template).
Important Points for IRB Review of Provisions for Privacy and Confidentiality
• The IRB must decide on a protocol-by-protocol basis whether there are adequate
provisions to protect the privacy of subjects AND to maintain the confidentiality
of the identifiable data at each segment of the research…recruitment to
maintenance of the data.
• The committee must consider the sensitivity of the information collected and the
protections offered the subjects.
• Especially in social/behavioral research the primary risk to subjects is often an
invasion of privacy or a breach of confidentiality.
• During the informed consent process, subjects must be informed of the
precautions that will be taken to protect the confidentiality of the data and be
informed of the parties who will or may have access (e.g., research team, FDA,
OHRP). This will allow subjects to decide about the adequacy of the protections
and the acceptability of the possible release of private information to the
interested parties.
References:
IRB 201 Presentation by Jeffrey Cooper, M.D., M.M.M., 2004 and the Institutional
Review Board: Management and Function, Amdur and Bankert, 2002 from the
University of California at Irvine
Office for Human Research Protection - IRB Guidebook
http://www.hhs.gov/ohrp/irb/irb_guidebook.htm
Download