Bev White, Manager, Research Ethics Research Services, IWK Health Centre Background ◦ Legislation ◦ Guidelines The Act - PHIA Circle of Care Impracticability Legislation Governs the collection, handling, storage of personal information, including research records. ◦ PIPEDA - Personal Information Protection and Electronics Documents Act ◦ Nova Scotia Hospitals Act ◦ PIIDPA - Nova Scotia Personal Information International Disclosure Protection Act ◦ PHIA - Nova Scotia Personal Health Information Act Guidance document ◦ CIHR Best Practices for Protecting Privacy in Health Research (2005) ◦ PHIA Toolkit CIHR Best Practices for Protecting Privacy in Health Research (2005) – 10 Elements: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Determining the research objectives and justifying the data needed to fulfill these objectives Limiting the collection of personal data Determining if consent from individuals is required Managing and documenting consent Informing prospective research participants about the research Recruiting prospective research participants Safeguarding personal data Controlling access and disclosure of personal data Setting reasonable limits on retention of personal data Ensuring accountability and transparency in the management of personal data TCPS2 Chapter 5 – Privacy - A. Key Concepts Privacy - Privacy is respected if an individual has an opportunity to exercise control over personal information -consenting or withholding consent Confidentiality - Obligation to protect information from unauthorized access, use, disclosure, modification, loss or theft. “Essential to the trust relationship between researcher and participant, and to the integrity of the research project.” Security - Measures used to protect information, both administrative & technical Identifiable Information – …may reasonably be expected to identify an individual, alone or in combination with other available information (“Personal Information”) Types of Information: Directly & Indirectly identifying information, Coded information, Anonymized and Anonymous information TCPS2 Chapter 5 – Privacy - B. Ethical Duty of Confidentiality 5.1 Researchers shall …not misuse or wrongfully disclose it. 5.2 Researchers shall describe measures for meeting obligations and explain foreseeable disclosure requirements to the REB; and in the consent (Participant) 5.3 Researchers shall provide details for the full life cycle …its collection, use, dissemination, retention and/or disposal. 5.4 Institutions or organizations share responsibility to establish safeguards. 5.5 Waiver of Consent for secondary use of identifiable information only if the REB is satisfied that: ◦ (a) identifiable information is essential to the research; ◦ (b) is unlikely to adversely affect the welfare ◦ (c) appropriate measures to protect the privacy ◦ (d) comply with any known preferences of the individual ◦ (e) it is impossible or impracticable to seek consent ◦ (f) the researchers have obtained any other necessary permission (custodian/owner) 5.6 If waiver under 5.5 is approved, researchers who propose to contact individuals for additional information shall seek REB approval. 5.7 Data linkage requires REB approval describing the likelihood that identifiable information will be created through the data linkage IWK – SOP (2004) Privacy is a fundamental value perceived by many as essential for protection and promotion of human dignity. When a research participant confides personal information to a researcher, the researcher has a duty to protect the information from reaching others without the participant’s informed consent. Breaches of confidentiality may cause harm to the researcher and to the research community. Provincial Health Information Legislation Personal Information Protection Act Protection of Personal Information in the Private Sector (1994) (January 2004) eHealth Act (2008/09 ) YK BC AB SK April 2011 MB PQ ON Health Information Act (April 2001) PIPEDA Privacy Act Personal Health Information Act NU NWT Federal Health Information Protection Act Personal Health (September 2003) Information Act NL Personal Health Information Act June 1, 2013 NB Personal Health Information Privacy & Access Act Personal Health Information Protection Act (September 2010) (December 1997) (November 2004) Nova Scotia Personal Health Information Act Came into force June 1, 2013 Aims to achieve a balance between an individual’s right to privacy and the benefits of use of personal health information Includes provisions for: • collection, use, disclosure, destruction and disposal of personal health information • consent • information practices • access and correction • complaints • reviews “ …to govern the collection, use, disclosure, retention, disposal and destruction of personal health information in a manner that recognizes both the right of individuals to protect their personal health information and the need of custodians to collect, use and disclose personal health information to provide, support and manage health care.” “Custodians” • Custodians must have “custody or control” of the personal health information PHIA also applies to “agents” of custodians • Example: employees, volunteers, regulated health professionals with privileges, vendors “Custodians” • Custodians shall limit the collection, use and disclosure …to what users “need to know” to do their job • record of user activity • Specific regarding use of Health Card numbers • Retention Schedules • Required reporting of a Breach: to the individual or the Provincial Privacy Officer • Not Researchers! Express consent • oral or written Knowledgeable implied consent • used only within circle of care Without consent • covered in sections 31 (collection), 35 (use) and 38 (disclosure) • custodian may collect, use and disclose without consent, but may also choose to seek consent Nurses Volunteers Physiotherapist (private) Physician (GP) Health Records Dietician Physicians EXPRESS CONSENT EXPRESS CONSENT District Health Authority Lab techs Knowledgeable implied consent Exceptions DHW initiative Patient invokes s. 17 14 • Rules for use of personal health information by custodian for research purposes include: • development of a research plan • Research Ethics Board approval • prior to commencement of research meets conditions of Research Ethics Board • research plan must address consent & specifically where consent is not being sought, an explanation as to why seeking consent is “impracticable” Requirements regarding the use of information for research are new requirements for custodians A custodian may disclose personal health information for research without consent if: • An Research Ethics Board has determined that the consent of the individual is not required; and • The custodian is satisfied that: • the research cannot be conducted without using personal health information; • the personal health information is limited to the information necessary to accomplish the purpose of the research; • the personal health information is in the most de-identified form possible; Continued… • The custodian is satisfied that: • the personal health information will be used in a manner that ensures its confidentiality; • it is impracticable to obtain consent; and • the custodian informs the provincial Review Officer Penalties & Fines Penalty for an individual: up to $10,000 and/or imprisonment for six months, Penalty for a corporation: up to $50,000 Definitions: 52 In Sections 53 to 60, (a) "data matching" means the creation of individual identifying health information …without the consent of the individuals; (b) "impracticable" means a degree of difficulty higher than inconvenience or impracticality but lower than impossibility; (c) "research" means a systematic investigation designed to develop or establish principles, facts or generalizable knowledge,; 53 Planning and management of the health system does not constitute research for the purpose of this Act. 54 The use and disclosure of personal health information by a custodian is limited to the minimum amount of information necessary to accomplish the research purposes for which it is to be used or disclosed. 55 A custodian may use personal health information for research if, before commencing the research, the custodian ◦ ◦ ◦ ◦ (a) prepares a research plan (b) submits the research plan to the REB; (c) receives the approval of the REB; and (d) meets any of the REB. 56 A custodian may disclose personal health information about an individual to a researcher if the researcher ◦ (a) submits to the custodian ◦ (i) an application in writing, ◦ (ii) a research plan that meets the requirements of Section 59, and ◦ (iii) a copy of the submission to and decision of a research ethics board that approves the research plan; and ◦ (b) enters into the agreement required by Section 60. 57 A custodian may disclose personal health information about an individual to a researcher without the consent of the subject individual if ◦ (a) the researcher has met the requirements in Section 55; ◦ (b) a research ethics board agrees consent is not required; ◦ (c) the custodian is satisfied that (i) the research cannot be conducted without using the PHI (ii) the PHI is limited to that necessary, (iii) the PHI is in the most de-identified form possible, (iv) the PHI will be used in a manner that ensures its confidentiality, and (v) it is impracticable to obtain consent; and ◦ (d) the custodian informs the Review Officer. (Provincial) The Research Plan (a) a description of the research proposed to be conducted; (b) a statement regarding the duration of the research; (c) a description of the personal health information required and the potential sources of the information; (d) a description as to how the personal information will be used in the research; (e) where the personal health information will be linked to other information, a description of the other information as well as how the linkage will be conducted; (f) where the researcher is conducting the research on behalf of or with the support of a person or organization, the name of the person or organization; (g) the nature and objectives of the research and the public or scientific benefit anticipated as a result of the research; (h) where consent is not being sought, an explanation as to why seeking consent is impracticable; (i) an explanation as to why the research cannot reasonably be accomplished without the use of personal health information; (j) where there is to be data matching, an explanation of why data matching is required; (k) a description of the reasonably foreseeable risks arising from the use of personal health information and how those risks are to be mitigated; (l) a statement that the personal health information is to be used in the most de-identified form possible for the conduct of the research; (m) a description of all individuals who will have access to the information, and (i) why their access is necessary, (ii) their roles in relation to the research, and (iii) their qualifications; (n) a description of the safeguards that the researcher will impose to protect the confidentiality and security of the personal health information; (o) information as to how and when the personal health information will be destroyed or returned to the custodian; (p) the funding source of the research; (q) whether the researcher has applied for the approval of another research ethics board and, if so, the response to or status of the application; and (r) whether the researcher's interest in the disclosure of the personal health information or the conduct of the research would potentially result in an actual or perceived conflict of interest on the part of the researcher. 60 (1) Where a custodian discloses PHI to a researcher, the researcher shall enter into an agreement: Terms of Access and Disclosure Agreement By signing below, I, [Principal Investigator], certify that the information I have provided on this form is truthful and accurate. I declare that the information requested is the minimum amount of personal health information that is required to be accessed. In exchange for access to the personal health information requested in this application form, I further agree: to comply with any terms and conditions imposed by the REB and/or the IWK Health Centre; to use the information only for the purposes outlined in the REB approved research plan; Terms of Access and Disclosure Agreement Continued: not to publish the information in a form where it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual, except with the individual’s prior express consent; to allow the IWK Health Centre to access or inspect my premises to confirm that I am complying with the terms and conditions of this agreement; to notify the IWK Health Centre immediately in writing if the personal health information is stolen, lost or subject to unauthorized access, use, disclosure, copying or modification; to notify the IWK Health Centre immediately and in writing of any known or suspected breach of the agreement between the custodian and the researcher; and not to attempt to identify or contact the individuals unless the individuals have provided their consent to do so. Terms of Access and Disclosure Agreement Continued: Signed by the Investigator & the Custodian ◦ Delegated to Research Services on behalf of the custodian. REB approval is active and as described above. Data Transfer, Funding and other agreements have had appropriate review of confidentiality related clauses, and are fully executed. Appropriate security measures are in place for data collection, storage & review process. All personnel provided access to Personal Health Information have signed the IWK Confidentiality Pledge. Access to PHI for this project is valid for 12 months. Application must include approved REB application (EAS Form) and Data Collection Form or Specific Field List. Continuing REB approval must be maintained – amended if the study plan or team changes. For Researchers: Foundation principles are not new! Heightened focus on Impracticability Careful consideration of Circle of Care Heightened institution. sensitivity throughout the Nova Scotia Department of Health and Wellness – Presentation for Custodians TCPS 2—2nd edition of Tri-Council Policy Statement: CIHR Ethical Conduct for Research Involving Humans Best Practices for Protecting Privacy in Health Research (September 2005)