Privacy Privacy vs. vs.

ConfidentialityConfidentiality

Presentation for IRB MembersPresentation for IRB Members

What is the difference between Privacy and

Confidentiality?

Privacy is about people.

Confidentiality is about data.

Privacy vs. Privacy vs. ConfidentialityConfidentiality

PrivacyPrivacy

• About peopleAbout people• Sense of being in Sense of being in

control of access control of access that others have to that others have to ourselvesourselves

• a Right to be a Right to be ProtectedProtected

ConfidentialityConfidentiality

• Extension of privacyExtension of privacy• About identifiable dataAbout identifiable data• an Agreement about an Agreement about

maintenance and who maintenance and who has access to has access to identifiable dataidentifiable data

• HIPAA - HIPAA - protects patients protects patients from inappropriate from inappropriate disclosures of "Protected disclosures of "Protected Health Information" (PHI)Health Information" (PHI)

DefinitionsDefinitions

• Privacy Privacy – about people and our sense of – about people and our sense of being in control of others access to being in control of others access to ourselves or to information about ourselves ourselves or to information about ourselves with others.with others.

• Confidentiality Confidentiality – treatment of identifiable, – treatment of identifiable, private information that has been disclosed private information that has been disclosed to others; usually in a relationship of trust to others; usually in a relationship of trust and with the expectation that it will not be and with the expectation that it will not be divulged except in ways that have been divulged except in ways that have been previously agreed upon.previously agreed upon.

Privacy and Confidentiality are Privacy and Confidentiality are supported by two principles of supported by two principles of

the Belmont Reportthe Belmont Report

• Respect for PersonsRespect for Persons– Individuals should be treated as Individuals should be treated as

autonomous agentsautonomous agents– Allows individuals to exercise their Allows individuals to exercise their

autonomy to the fullest extent possible, autonomy to the fullest extent possible, including the right to privacy and the including the right to privacy and the right to have private information right to have private information remain confidential. remain confidential.

• BeneficenceBeneficence– Do not harmDo not harm– Minimize risk and maximize possible Minimize risk and maximize possible

benefitsbenefits

• Maintaining privacy and confidentiality Maintaining privacy and confidentiality helps to protect participants from potential helps to protect participants from potential harms including psychological harm such harms including psychological harm such as embarrassment or distress; social as embarrassment or distress; social harms such as loss of employment or harms such as loss of employment or damage to one‘s financial standing; and damage to one‘s financial standing; and criminal or civil liability. criminal or civil liability.

Per HHS and FDA Per HHS and FDA RegulationsRegulations

In order to approve human subjectsIn order to approve human subjectsresearch, the IRB shall determine thatresearch, the IRB shall determine thatwhere appropriate, there are adequatewhere appropriate, there are adequate

provisions to protect the privacy ofprovisions to protect the privacy ofsubjects and to maintain subjects and to maintain

confidentiality of dataconfidentiality of data..

45 CFR 46.111(a)(7)45 CFR 46.111(a)(7)21 CFR 56.111(a)(7)21 CFR 56.111(a)(7)

When is it appropriate to When is it appropriate to require provisions to protect require provisions to protect

the privacy of the the privacy of the participants?participants?

Consider the following:Consider the following:• Will the participants have an expectation of privacy?Will the participants have an expectation of privacy?

YES YES – adequate provisions for maintaining – adequate provisions for maintaining privacy privacy are requiredare required

NO NO – Provisions not needed– Provisions not needed

• Will participants think that the information sought is Will participants think that the information sought is any of the researcher’s business? If any of the researcher’s business? If NONO, provisions , provisions are required.are required.

• Will participants be comfortable in the research Will participants be comfortable in the research setting? If setting? If NONO, provisions are required., provisions are required.

Privacy Issues Privacy Issues

Consider the following:Consider the following:

• The proposed subject population?The proposed subject population? What are the cultural norms of the proposed What are the cultural norms of the proposed

subject population? subject population? Some cultures are more Some cultures are more private than others. private than others.

What are the ages of the proposed subject What are the ages of the proposed subject population? population? There may be age differences in There may be age differences in privacy preferences (e.g., teenagers less privacy preferences (e.g., teenagers less forthcoming than older adults)forthcoming than older adults)

(continued on next slide)(continued on next slide)

• The proposed recruitment methods: How are The proposed recruitment methods: How are potential participants identified and potential participants identified and contacted?contacted?

Acceptable methods ~Acceptable methods ~ advertisements, notices, and/or mediaadvertisements, notices, and/or media Send introduction letter to colleagues to distribute to Send introduction letter to colleagues to distribute to

eligible individuals – interested individuals contact eligible individuals – interested individuals contact researcherresearcher

Primary care staff contact those patients that qualify to Primary care staff contact those patients that qualify to determine interestdetermine interest

Unacceptable methods ~Unacceptable methods ~ search through medical records for qualified subjects or search through medical records for qualified subjects or

existing database (e.g., registry); then have a researcher existing database (e.g., registry); then have a researcher with no previous contact with potential subject recruit; this with no previous contact with potential subject recruit; this method violates the individuals’ privacymethod violates the individuals’ privacy

recruit subjects immediately prior to sensitive or invasive recruit subjects immediately prior to sensitive or invasive procedure (e.g., in pre-op room)procedure (e.g., in pre-op room)

retain sensitive information obtained at screening without retain sensitive information obtained at screening without the consent of those who either failed to qualify or refused the consent of those who either failed to qualify or refused to participate for possible future studies participation to participate for possible future studies participation

(continued on next slide)(continued on next slide)

• Sensitivity of the information being collected Sensitivity of the information being collected – – greater sensitivity = greater need for greater sensitivity = greater need for privacyprivacy

• Method of data collection (focus group, Method of data collection (focus group, individual interview, covert observation)individual interview, covert observation) Will subjects feel comfortable providing the information in Will subjects feel comfortable providing the information in

this manner?this manner? If passively observing the subject; could the individual have If passively observing the subject; could the individual have

an expectation of privacy (e.g., chat room for breast cancer an expectation of privacy (e.g., chat room for breast cancer patients)? patients)?

Will the researcher collect information about a third party Will the researcher collect information about a third party individual that is consider private (e.g., mental illness, individual that is consider private (e.g., mental illness, substance abuse in family)? If yes, informed consent should substance abuse in family)? If yes, informed consent should be obtained from third party?be obtained from third party?

• Privacy is in the eye of the participant,Privacy is in the eye of the participant, not not the researcher or the IRBthe researcher or the IRB

(continued on next slide)(continued on next slide)

When is it appropriate to When is it appropriate to require provisions to maintain require provisions to maintain the confidentiality of collected the confidentiality of collected

data?data?

• Will confidentiality of identifiable date be offered?Will confidentiality of identifiable date be offered?• Are there legal/ethical requirements (e.g., Are there legal/ethical requirements (e.g.,

HIPAA)?HIPAA)?• Will release of data cause risk of harm?Will release of data cause risk of harm?

YES TO ANYYES TO ANY – adequate provisions for maintaining – adequate provisions for maintaining confidentiality of data are requiredconfidentiality of data are required

NO TO ALLNO TO ALL – Not needed – Not needed

Methods to Maintain Methods to Maintain ConfidentialityConfidentiality

• Restrict access to data (password protect, lock) Restrict access to data (password protect, lock) • If data stored on a computer; maintain on a standalone If data stored on a computer; maintain on a standalone

computer; no network connectioncomputer; no network connection• Use encryption software, if data is accessed it is unable to Use encryption software, if data is accessed it is unable to

be decipheredbe deciphered• Minimize storage of subject identifiable data on a laptop Minimize storage of subject identifiable data on a laptop

computer which can be lost or stolencomputer which can be lost or stolen• Certificates of Confidentiality – protects data from being Certificates of Confidentiality – protects data from being

subpoenaedsubpoenaed• Waiver of Documentation of informed consent - Waiver of Documentation of informed consent - the only the only

record linking the subject and the research would be the consent document record linking the subject and the research would be the consent document and the principal risk would be potential harm resulting from a breach of and the principal risk would be potential harm resulting from a breach of confidentiality (not applicable for research conducted under FDA regulations). confidentiality (not applicable for research conducted under FDA regulations).

Important Points!Important Points!• The IRB must decide on a protocol-by-protocol basis whether there The IRB must decide on a protocol-by-protocol basis whether there

are adequate provisions to protect the privacy of subjects and to are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of the identifiable data at each segment maintain the confidentiality of the identifiable data at each segment of the research…recruitment to maintenance of the data.of the research…recruitment to maintenance of the data.

• The committee must consider the sensitivity of the information The committee must consider the sensitivity of the information collected and the protections offered the subjects.collected and the protections offered the subjects.

• Especially in social/behavioral research the primary risk to subjects Especially in social/behavioral research the primary risk to subjects is often an invasion of privacy or a breach of confidentiality.is often an invasion of privacy or a breach of confidentiality.

• During the informed consent process, subjects must be informed of During the informed consent process, subjects must be informed of the precautions that will be taken to protect the confidentiality of the precautions that will be taken to protect the confidentiality of the data and be informed of the parties who will or may have access the data and be informed of the parties who will or may have access (e.g., research team, FDA, OHRP). This will allow subjects to decide (e.g., research team, FDA, OHRP). This will allow subjects to decide about the adequacy of the protections and the acceptability of the about the adequacy of the protections and the acceptability of the possible release of private information to the interested parties.possible release of private information to the interested parties.

Questions?Questions?

Please contact:Please contact:

Karen AllenKaren Allen

Director of Research Protections Director of Research Protections

@ @ kallen@uci.edu or 949-824-1558 or 949-824-1558

This presentation was adapted from IRB 201 Presentation by Jeffrey Cooper, M.D., This presentation was adapted from IRB 201 Presentation by Jeffrey Cooper, M.D.,

M.M.M., 2004 and the Institutional Review Board: Management and Function, Amdur M.M.M., 2004 and the Institutional Review Board: Management and Function, Amdur

and Bankert, 2002and Bankert, 2002