International Journal of Cardiology 177 (2014) 510–511
Contents lists available at ScienceDirect
International Journal of Cardiology journal homepage: www.elsevier.com/locate/ijcard
Letter to the Editor
The challenge of performing effective medical research in the era of healthcare data protection☆ Giuseppe Rosano a,b, Francesco Pelliccia c,⁎, Carlo Gaudio c,d, Andrew J. Coats e,f a
IRCCS San Raffaele Pisana, Rome, Italy Cardiovascular and Cell Sciences Research Institute, St. George's, University of London, London, UK Department ‘Attilio Reale’, Sapienza University, Rome, Italy d Eleonora Lorillard Spencer Cenci Foundation, Rome, Italy e Monash University, Australia f University of Warwick, UK b c
a r t i c l e
i n f o
Article history: Received 9 August 2014 Accepted 14 August 2014 Available online 23 August 2014 Keywords: Data masking Information privacy Systems development
Scientific research is invaluable for improving diagnostic and therapeutic management of our patients, and to this end the use of individual patient records is crucial. Using electronic health records, cardiovascular investigators have been able to develop important prognostic and other clinical scoring systems, such as those for individuals at risk of coronary artery disease (i.e., Framingham score, the EUROScore) or those for patients with atrial fibrillation (i.e., CHA2DS2-VASc, HAS-BLED). In addition, electronic health records help to improve the design of newer pharmacological studies as they allow timely recognition of serious adverse events of marketed drugs [1]. With the widespread availability of health informatic tools, there is an increasing demand for electronic medical records also by healthcare providers in order to improve quality of care and reduce costs [2]. Despite the many advantages that patient records might offer to medical care and research, the explosion of digital medical data collection is increasingly been paralleled by a rise in privacy concerns. This serious issue has been recently addressed by American and European regulatory organizations which have tightened laws to enforce data protection. The U.S. Congress has enacted amendments to existing Health Insurance Portability and Accountability Act (HIPAA) rules that might limit the use of health data for medical studies. HIPAA, which has been designed to give patients more control over their personal ☆ Authorship: All authors had access to and participated in writing this manuscript. ⁎ Corresponding author at: Via Tommaso Inghirami 85, 00179 Rome, Italy. Tel.: +39 348 3392006; fax: +39 06 330 62516. E-mail address: [email protected] (F. Pelliccia).
http://dx.doi.org/10.1016/j.ijcard.2014.08.077 0167-5273/© 2014 Elsevier Ireland Ltd. All rights reserved.
medical information [3], now explicitly outlines how and in what circumstances medical records can be given to third parties and it carries the provision of stiff penalties for violations [4]. According to HIPAA, the use of protected health information requires consent by each individual whose data are included, unless the consent requirement is waived by an Institutional Review Board which can determine whether or not the research “poses no more than a minimal risk to the privacy of individuals” and could not practicably be conducted if individuals' consent was required [4]. In Europe, new legislation is going to soon jeopardize most epidemiological and medical investigations [5]. The European Union first planned to reform European data protection laws in January 2012. To this end, the European Commission proposed that new data protection rules would replace the former 1995 Data Protection Directive 95/46/EC [6]. The original draft regulation admitted that access to patient data is of utmost importance for medical research and ruled out the strictest requirements being applied to scientific activities. One year later, however, the Civil Liberties, Justice and Home Affairs (LIBE) Committee made amendments to Articles 81 and 83 of the original draft that might substantially limit the exemptions and could therefore prevent the use of medical data unless specific consent has been given. Member states are allowed to make exceptions only in cases of scientific research “of an exceptionally high public interest” [7]. Updates of American and European legislations on data protection can have serious consequences on medical research activities. While HIPAA was intended to protect patient privacy [3], it has a significant impact on medical and health studies involving collection of data from a variety of healthcare organizations. Indeed, some researchers now believe that HIPAA creates significant barriers for them to conduct research, without meaningfully increasing privacy protection for the patient [4]. Because HIPAA guidelines are so stringent, many healthcare organizations may opt not to provide data for medical research at all. Similarly, the data protection rules being proposed by the European Union, that likely will be finalized by the newly elected European parliament in 2015, are said to make conducting research using data in the European Union “impractical” [8]. The problems posed by new legislations at both sides of the Atlantic must be faced and possibly solved to prevent medical research to be halted. The 111th Congress has set aside substantial resources for effectiveness research—1.1 billion dollars in the American Recovery and
G. Rosano et al. / International Journal of Cardiology 177 (2014) 510–511
Reinvestment Act of 2009 and about 500 million dollars/year for the Patient-Centered Outcomes Research Institute under the Patient Protection and Affordable Care Act of 2010. These incentives have prompted many healthcare providers to make heavy economic investments for adopting electronic health care systems which can become unavailable in the near future to clinical investigators [9]. Similarly, in Europe, medical research would soon be interrupted without access to individual data [10], thus posing a significant risk to economic investments in scientific infrastructures, registries, cohort studies and biologic banks. These investments have been done because millions of Europeans have already given their own consent to the use of personal medical data for research purposes. As a matter of fact, the majority of patients in Western countries are generally more interested in the quality of their health care than to healthcare data protection and are increasingly involved in electronic tracking and messaging. It has been estimated that up to 75% of Americans would like to communicate with their physicians via e-mail and 60% would like to track their medical records electronically [11]. All these observations support the search for effective strategies for balancing collection and management of medical records and privacy protection. In this respect, modern technology might offer possible solutions to the problem [12]. Development of an electronic healthcare privacy protection tool can address the concerns. At present, various data masking algorithms, i.e. data swapping, noise-based perturbation, microaggregation, generalization and suppression, are being proposed in protecting patient privacy [13]. These novel informatic approaches satisfy HIPAA compliance requirements, while providing full access to data to both healthcare organizations and clinical investigators. Apart from technological solutions, however, a balance between the fundamental right of data protection and the need for medical research has to be reached. To this end, a paradigm shift from the previous era of individuals working alone on resolving problem situations to the newer era of collaborative problem solving is mandatory. In fact, a definitive solution to the challenge of performing effective medical research in the era of healthcare data protection might originate only if all stakeholders — patients, providers, government, and researchers — look at health information from a common perspective [14]. Indeed, patients have the right to be aware of the potential use of their own medical records, but nevertheless should consider information-based research as a valuable resource. On the other hand, medical researchers should recognize the vulnerability of the data and therefore encourage privacy and security controls that provide meaningful safeguards [15]. This paradigm shift should eventually lead both patients and investigators to consider the use of medical records not as a potential threat to individual's autonomy but rather as a fundamental source for providing the best clinical research and care.
511
Conflict of interest for all authors None.
References [1] Pelliccia F, Rosano G. Medical research could soon be jeopardized by new European Union data protection regulations. Eur Heart J 2014;35:1497–503. [2] Berkman ND, Lohr KN, Ansari M, et al. Grading the strength of a body of evidence when assessing health care interventions for the Effective Health Care Program of the Agency for Healthcare Research and Quality: an update. Methods guide for comparative effectiveness reviews (prepared by the RTI-UNC Evidence-based Practice Center under contract no. 290-2007-10056-I). AHRQ Publication No. 13(14)EHC130-EFRockville, MD: Agency for Healthcare Research and Quality; November 2013 [www.effectivehealthcare.ahrq.gov/reports/final.cfm]. [3] Kulynych J, Korn D. The new HIPAA (Health Insurance Portability and Accountability Act of 1996) Medical Privacy Rule: help or hindrance for clinical research? Circulation 2003;108:912–4. [4] Nass S, Levit L, Gostin L, editors. Beyond the HIPAA privacy rule: enhancing privacy, improving health through research. Washington (DC): National Academies Press; 2009. [5] Ploem MC, Essink-Bot ML, Stronks K. Proposed EU data protection regulation is a threat to medical research. BMJ 2013;346:f3534. [6] European Commission. Proposal for a regulation of the European parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). COM(2012) 11 final; 2012 [http://ec.europa.eu/justice/data-protection/document/ review2012/com2012_11_en.pdf]. [7] European Parliament. Draft report on the proposal for a regulation of the European parliament and of the council on the protection of individual with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). COM(2012)0011-C7-0025/2012-2012/0011(COD); 2012 [www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+ A7-2013-0402+0+DOC+PDF+V0//EN]. [8] Stenbeck M, Allebeck P. Do the planned changes to European data protection threaten or facilitate important health research? Eur J Public Health 2011;21:682–3. [9] Sibona C, Walczak S, Brickey J, Parthasarathy M. Patient perceptions of electronic medical records: physician satisfaction, portability, security and quality. Int J Health Care Technol Manag 2011;12:62–84. [10] Hakulinen T, Arbyn M, Brewster DH, et al. Harmonization may be counterproductive — at least for parts of Europe where public health research operates effectively. Eur J Public Health 2011;21:686–7. [11] Kaelber DC, Jha AK, Johnston D, Middleton B, Bates DW. A research agenda for personal health records (PHRs). J Am Med Inform Assoc 2008;15:729–36. [12] Motiwalla L, Li XB. Developing privacy solutions for sharing and analyzing healthcare data. Int J Bus Inf Syst 2013;13(2). [13] Gkoulalas-Divanis A, Loukides G, Sun J. Publishing data from electronic health records while preserving privacy: a survey of algorithms. J Biomed Inform 2014; 50C:4–19. [14] Peddicord D, Waldo AB, Boutin M, Grande T, Gutierrez Jr L. A proposal to protect privacy of health information while accelerating comparative effectiveness research. Health Aff (Millwood) 2010;29:2082–90. [15] Brown I, Brown L, Korff D. Using patient data for research without consent. Law Innov Technol 2010;2:219–58.
Contents lists available at ScienceDirect
International Journal of Cardiology journal homepage: www.elsevier.com/locate/ijcard
Letter to the Editor
The challenge of performing effective medical research in the era of healthcare data protection☆ Giuseppe Rosano a,b, Francesco Pelliccia c,⁎, Carlo Gaudio c,d, Andrew J. Coats e,f a
IRCCS San Raffaele Pisana, Rome, Italy Cardiovascular and Cell Sciences Research Institute, St. George's, University of London, London, UK Department ‘Attilio Reale’, Sapienza University, Rome, Italy d Eleonora Lorillard Spencer Cenci Foundation, Rome, Italy e Monash University, Australia f University of Warwick, UK b c
a r t i c l e
i n f o
Article history: Received 9 August 2014 Accepted 14 August 2014 Available online 23 August 2014 Keywords: Data masking Information privacy Systems development
Scientific research is invaluable for improving diagnostic and therapeutic management of our patients, and to this end the use of individual patient records is crucial. Using electronic health records, cardiovascular investigators have been able to develop important prognostic and other clinical scoring systems, such as those for individuals at risk of coronary artery disease (i.e., Framingham score, the EUROScore) or those for patients with atrial fibrillation (i.e., CHA2DS2-VASc, HAS-BLED). In addition, electronic health records help to improve the design of newer pharmacological studies as they allow timely recognition of serious adverse events of marketed drugs [1]. With the widespread availability of health informatic tools, there is an increasing demand for electronic medical records also by healthcare providers in order to improve quality of care and reduce costs [2]. Despite the many advantages that patient records might offer to medical care and research, the explosion of digital medical data collection is increasingly been paralleled by a rise in privacy concerns. This serious issue has been recently addressed by American and European regulatory organizations which have tightened laws to enforce data protection. The U.S. Congress has enacted amendments to existing Health Insurance Portability and Accountability Act (HIPAA) rules that might limit the use of health data for medical studies. HIPAA, which has been designed to give patients more control over their personal ☆ Authorship: All authors had access to and participated in writing this manuscript. ⁎ Corresponding author at: Via Tommaso Inghirami 85, 00179 Rome, Italy. Tel.: +39 348 3392006; fax: +39 06 330 62516. E-mail address: [email protected] (F. Pelliccia).
http://dx.doi.org/10.1016/j.ijcard.2014.08.077 0167-5273/© 2014 Elsevier Ireland Ltd. All rights reserved.
medical information [3], now explicitly outlines how and in what circumstances medical records can be given to third parties and it carries the provision of stiff penalties for violations [4]. According to HIPAA, the use of protected health information requires consent by each individual whose data are included, unless the consent requirement is waived by an Institutional Review Board which can determine whether or not the research “poses no more than a minimal risk to the privacy of individuals” and could not practicably be conducted if individuals' consent was required [4]. In Europe, new legislation is going to soon jeopardize most epidemiological and medical investigations [5]. The European Union first planned to reform European data protection laws in January 2012. To this end, the European Commission proposed that new data protection rules would replace the former 1995 Data Protection Directive 95/46/EC [6]. The original draft regulation admitted that access to patient data is of utmost importance for medical research and ruled out the strictest requirements being applied to scientific activities. One year later, however, the Civil Liberties, Justice and Home Affairs (LIBE) Committee made amendments to Articles 81 and 83 of the original draft that might substantially limit the exemptions and could therefore prevent the use of medical data unless specific consent has been given. Member states are allowed to make exceptions only in cases of scientific research “of an exceptionally high public interest” [7]. Updates of American and European legislations on data protection can have serious consequences on medical research activities. While HIPAA was intended to protect patient privacy [3], it has a significant impact on medical and health studies involving collection of data from a variety of healthcare organizations. Indeed, some researchers now believe that HIPAA creates significant barriers for them to conduct research, without meaningfully increasing privacy protection for the patient [4]. Because HIPAA guidelines are so stringent, many healthcare organizations may opt not to provide data for medical research at all. Similarly, the data protection rules being proposed by the European Union, that likely will be finalized by the newly elected European parliament in 2015, are said to make conducting research using data in the European Union “impractical” [8]. The problems posed by new legislations at both sides of the Atlantic must be faced and possibly solved to prevent medical research to be halted. The 111th Congress has set aside substantial resources for effectiveness research—1.1 billion dollars in the American Recovery and
G. Rosano et al. / International Journal of Cardiology 177 (2014) 510–511
Reinvestment Act of 2009 and about 500 million dollars/year for the Patient-Centered Outcomes Research Institute under the Patient Protection and Affordable Care Act of 2010. These incentives have prompted many healthcare providers to make heavy economic investments for adopting electronic health care systems which can become unavailable in the near future to clinical investigators [9]. Similarly, in Europe, medical research would soon be interrupted without access to individual data [10], thus posing a significant risk to economic investments in scientific infrastructures, registries, cohort studies and biologic banks. These investments have been done because millions of Europeans have already given their own consent to the use of personal medical data for research purposes. As a matter of fact, the majority of patients in Western countries are generally more interested in the quality of their health care than to healthcare data protection and are increasingly involved in electronic tracking and messaging. It has been estimated that up to 75% of Americans would like to communicate with their physicians via e-mail and 60% would like to track their medical records electronically [11]. All these observations support the search for effective strategies for balancing collection and management of medical records and privacy protection. In this respect, modern technology might offer possible solutions to the problem [12]. Development of an electronic healthcare privacy protection tool can address the concerns. At present, various data masking algorithms, i.e. data swapping, noise-based perturbation, microaggregation, generalization and suppression, are being proposed in protecting patient privacy [13]. These novel informatic approaches satisfy HIPAA compliance requirements, while providing full access to data to both healthcare organizations and clinical investigators. Apart from technological solutions, however, a balance between the fundamental right of data protection and the need for medical research has to be reached. To this end, a paradigm shift from the previous era of individuals working alone on resolving problem situations to the newer era of collaborative problem solving is mandatory. In fact, a definitive solution to the challenge of performing effective medical research in the era of healthcare data protection might originate only if all stakeholders — patients, providers, government, and researchers — look at health information from a common perspective [14]. Indeed, patients have the right to be aware of the potential use of their own medical records, but nevertheless should consider information-based research as a valuable resource. On the other hand, medical researchers should recognize the vulnerability of the data and therefore encourage privacy and security controls that provide meaningful safeguards [15]. This paradigm shift should eventually lead both patients and investigators to consider the use of medical records not as a potential threat to individual's autonomy but rather as a fundamental source for providing the best clinical research and care.
511
Conflict of interest for all authors None.
References [1] Pelliccia F, Rosano G. Medical research could soon be jeopardized by new European Union data protection regulations. Eur Heart J 2014;35:1497–503. [2] Berkman ND, Lohr KN, Ansari M, et al. Grading the strength of a body of evidence when assessing health care interventions for the Effective Health Care Program of the Agency for Healthcare Research and Quality: an update. Methods guide for comparative effectiveness reviews (prepared by the RTI-UNC Evidence-based Practice Center under contract no. 290-2007-10056-I). AHRQ Publication No. 13(14)EHC130-EFRockville, MD: Agency for Healthcare Research and Quality; November 2013 [www.effectivehealthcare.ahrq.gov/reports/final.cfm]. [3] Kulynych J, Korn D. The new HIPAA (Health Insurance Portability and Accountability Act of 1996) Medical Privacy Rule: help or hindrance for clinical research? Circulation 2003;108:912–4. [4] Nass S, Levit L, Gostin L, editors. Beyond the HIPAA privacy rule: enhancing privacy, improving health through research. Washington (DC): National Academies Press; 2009. [5] Ploem MC, Essink-Bot ML, Stronks K. Proposed EU data protection regulation is a threat to medical research. BMJ 2013;346:f3534. [6] European Commission. Proposal for a regulation of the European parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). COM(2012) 11 final; 2012 [http://ec.europa.eu/justice/data-protection/document/ review2012/com2012_11_en.pdf]. [7] European Parliament. Draft report on the proposal for a regulation of the European parliament and of the council on the protection of individual with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). COM(2012)0011-C7-0025/2012-2012/0011(COD); 2012 [www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+ A7-2013-0402+0+DOC+PDF+V0//EN]. [8] Stenbeck M, Allebeck P. Do the planned changes to European data protection threaten or facilitate important health research? Eur J Public Health 2011;21:682–3. [9] Sibona C, Walczak S, Brickey J, Parthasarathy M. Patient perceptions of electronic medical records: physician satisfaction, portability, security and quality. Int J Health Care Technol Manag 2011;12:62–84. [10] Hakulinen T, Arbyn M, Brewster DH, et al. Harmonization may be counterproductive — at least for parts of Europe where public health research operates effectively. Eur J Public Health 2011;21:686–7. [11] Kaelber DC, Jha AK, Johnston D, Middleton B, Bates DW. A research agenda for personal health records (PHRs). J Am Med Inform Assoc 2008;15:729–36. [12] Motiwalla L, Li XB. Developing privacy solutions for sharing and analyzing healthcare data. Int J Bus Inf Syst 2013;13(2). [13] Gkoulalas-Divanis A, Loukides G, Sun J. Publishing data from electronic health records while preserving privacy: a survey of algorithms. J Biomed Inform 2014; 50C:4–19. [14] Peddicord D, Waldo AB, Boutin M, Grande T, Gutierrez Jr L. A proposal to protect privacy of health information while accelerating comparative effectiveness research. Health Aff (Millwood) 2010;29:2082–90. [15] Brown I, Brown L, Korff D. Using patient data for research without consent. Law Innov Technol 2010;2:219–58.
