Privacy

My last post was on confidentiality so I thought I’d write about privacy in this post. First of all, “privacyandconfidentiality” are not one word. Privacy and confidentiality are two different things. Unfortunately, most IRBs and investigators treat it as one thing and, when they address it at all, usually only address how data is being protected from disclosure. Also, because HIPPA is called the “Privacy Rule”, many IRBs and investigators feel that they are addressing privacy if they are complying with HIPPA.

Privacy means having control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others, while confidentiality refers to the methods used to ensure that information obtained by researchers about their subjects is not improperly divulged. So, we invade someone’s privacy when we access them or their information without appropriate authorization. The problem is that privacy is a very ambiguous term, so it is often hard to determine when we’ve invaded privacy. The federal regulations [45 CFR 46.102(f)] give us some guidance on this. They define “private information” as “…behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record).” Based on this, it is the context and the person’s reasonable expectation that determines privacy.

Some examples might help clarify when privacy might be considered to be invaded. One common procedure for recruiting subjects that meet certain enrollment criteria is for the investigator to access records, such as medical records or school records), select individuals who meet the criteria and contact them to recruit them for the research. Often subjects, when contacted in this manner, ask “How did you get my name?” indicating that the investigator has invaded their privacy. They provided the information in the record with a reasonable expectation that the information would be used for the purposes for which it had been given and not for research purposes. If, however, they had been informed when they gave the information that it might be used for research purposes, then they would not have a reasonable expectation of privacy.

Another recruitment procedure is to go up to people in a certain location and ask them to participate. Whether this constitutes an invasion of privacy depends on the circumstances. Going up to people in a mall or on the street is not a problem because their presence in that setting is not private. However, going up to people in an emergency room waiting area, at their hospital bed or in a public restroom would be an invasion of privacy. In these contexts, people have a reasonable expectation of privacy.

This brings up another issue related to privacy. When is behavior “public behavior”? In our society, not all behavior which occurs in public is “public behavior” and we can invade people’s privacy even when they are in public. For example, if you were walking down a street talking with a friend, you would naturally assume that the people around you could overhear your conversation. The fact that they overhear your conversation is not an invasion of privacy. However, if you turned around and a researcher was following you and writing down everything you said, you would feel that your privacy was invaded. While we expect people to casually overhear us, we don’t expect to be systematically recorded. This is similar to investigators studying online chatroom behavior who say that it is public behavior since anyone can access the chatroom. However, participants in a chatroom don’t reasonably expect that their conversations are going to be systematically recorded and analyzed. I would say that such research could be considered an invasion of privacy.

Of course, all of this depends on the nature of the research and the sensitivity of the information. There are many innocuous research studies where most people could care less whether the investigator has appropriate authorization to access them or their information.

So, protection of privacy is an important ethical issue in human subjects research, but privacy issues are more complicated than they seem. Investigators need to carefully consider the privacy interests of their subjects and IRBs need to ensure that the research adequately protects those privacy issues.

Confidentiality

Confidentiality is a crucial topic in human subjects research. However, this is an area where some IRBs have gone overboard in applying the principle. Confidentiality is not some absolute principle that must be guaranteed in all research. Rather, confidentiality protection is based on risk. The degree of confidentiality protection is directly related to the harm that could befall subjects if the information is inappropriately divulged. The regulations make this clear when they say, in the criteria for IRB approval (Section 111, #7), that "When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data." Also, in the required elements of informed consent (#5) the regulations say that researchers must include "A statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained," So, the regulations don't require confidentiality for all information in all research, only when it is appropriate. When is it appropriate? When the information, if it became know to others outside the research, could put the subjects at risk of harm. IRBs need to weigh the risk of harm from the information when deciding on appropriate confidentiality.

For some research there is no way that any of the information from could possible harm the subjects, even if it were to be divulged (such as innocuous surveys). For other research, the subjects expect or give permission for their identities to be divulged (such as some oral history research). In these cases, it is inappropriate for the IRB to require extensive confidentiality procedures. Some IRBs have even required anonymizing oral history narratives where the subjects want to have their story identified.

In other research, especially much biomedical research and some sensitive social science research, the information “could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, or reputation” as the regulations state in the exemption categories. In these cases, the IRB must carefully weigh appropriate confidentiality procedures to protect subjects. Here too, however, if subjects fully understand the consequences and agree to have their information identified, then IRBs should not impose severe confidentiality requirements.

On a related note, the risk when investigators gather sensitive information is not that the investigators have the information (the subjects have agreed to that), but that the information is inappropriately divulged. Therefore, even when extremely sensitive information is gathered in a study, if the confidentiality procedures are adequate to reasonably ensure that the information will not be inappropriately divulged, the research may still be no more than minimal risk. Some IRBs, when they see sensitive information gathered in study, immediately classify the research as more than minimal risk. This is inappropriate.

IRB Expertise

One of the major criticisms of IRBs that are raised by unhappy with IRB review is the expertise of the IRB. IRB expertise is a crucial element in effective IRB review of research. The regulations, at §46.107(a) state: "Each IRB shall have at least five members, with varying backgrounds to promote complete and adequate review of research activities commonly conducted by the institution. The IRB shall be sufficiently qualified through the experience and expertise of its members, and the diversity of the members, including consideration of race, gender, and cultural backgrounds and sensitivity to such issues as community attitudes, to promote respect for its advice and counsel in safeguarding the rights and welfare of human subjects. In addition to possessing the professional competence necessary to review specific research activities, the IRB shall be able to ascertain the acceptability of proposed research in terms of institutional commitments and regulations, applicable law, and standards of professional conduct and practice. The IRB shall therefore include persons knowledgeable in these areas." Therefore, an IRB that reviews a research study without the necessary expertise is not in compliance with the regulations. If it does not have that expertise on its membership, then it must use consultants to advice it.

The reason that the regulations, and best practice, requires appropriate expertise is that one cannot evaluate the risk in a research project unless one has expertise in that research area. The reviewers need to know the scientific background of the research and be knowledgeable about common practice and experience in the field.

When I was at the medical college, the IRB, which was primarily made up of health care professionals, received a qualitative, social science project to review. The IRB promptly disapproved it because it wasn't "science" in the view of the IRB members. I told them that they didn't have the necessary expertise to even review the project and had the research sent out to consultants with expertise in qualitative research. The IRB, after taking into account the reviews by the consultants, ultimately approved the project. This is an appropriate action by an Institutional Official. I did not overrule the decision by the IRB, but I made sure that the research was approved appropriately.

The same thing can happen when a social/behavioral IRB is made up of quantitative researchers, such as psychologists and sociologist and reviews an anthropology or oral history study.

It is the responsibility of the Chair and the IRB staff to determine whether the reviewers have the necessary expertise to review the research. If not, then they have to call on consultants to assist in the review. Researchers have the right under the regulations to have their research reviewed with the appropriate expertise and it is the Institutional Official's responsibility to ensure that the review is appropriate to the research.

Some IRB critics say that research should only be reviewed by people from the same field or let "ethnographers review ethnographers and experimental psychologists review experimental psychologists", as Zach Schrag has said. So, what's wrong with that? First of all, as noted above, the regulations require IRB members "with varying backgrounds". In addition, at §46.107(b), the regulations state "No IRB may consist entirely of members of one profession." Why? Because when IRBs are homogeneous they can become "blinded by the science". I have seen this happen many times on IRBs. The scientific members are focusing on the importance of the research and then a member from outside the field says, "Why is that so important? What about the impact on the subjects?". At that point, they other members say, "Oh, yeah. We forgot about that." Diversity of opinion helps ensure that all of the aspects of the research is taken into account.

Also, one aspect of human nature is that the more familiar we are about something, the more likely we are to underestimate the risks involved. It is very important to have input from people with diverse backgrounds to evaluate risk in research.

The strength of the IRB process is that it is a group decision-making process. I strongly believe that when a diverse group of people who understand the issues can come to a consensus, that is a close to a truly objective decision as is possible. After almost 30 years working with many IRBs, I have great faith in the system.