Submission on the consultation document Draft Data Protection Guidelines on research in the Health Sector
The Data Protection Commissioner’s consultation document Draft Data Protection Guidelines on research in the Health Sector is welcome. The document outlines an approach, to fulfil data protection legislation requirements for the processing of “sensitive” personal health information that “should be systematically built into health facility procedures so that the patient fully understands what further use is planned for their personal information and the safeguards that will be put in place.” “Permissible and desired uses of patient data” need to be set down clearly supported by a patient information leaflet. At the earliest opportunity the patient should be invited to provide explicit informed consent to such use of their patient data.
Under the guideline the conduct of independent clinical audit, and the development and maintenance of population based databases and registries designed to promote health nationally require that patients’ provide explicit opt-in consent to such use of their patient data. This requirement for explicit opt-in consent is likely to have far reaching consequences. It is an issue that needs to be addressed by the HSE nationally.
A number of published studies demonstrate the difficulties and the costs involved in seeking explicit opt-in consent to the use of personal health information for research purposes or to develop and maintain a population based longitudinal disease register[i].
There are major differences in the approach being advocated by the Data Protection Commissioner and the methodology employed in much of the published literature that reports on the issue of seeking informed consent. Under the guidelines explicit consent will be sought from the patient before the patient data of potential interest will be generated, the patient being invited to provide consent “at the earliest opportunity” following contact with the health facility. Thus the entire population of patients will be invited to provide consent, rather that the subgroup of specific interest. This gets around the reported difficulty of clinical staff being loathe to approach recently diagnosed or ill patients for consent.[ii] Under the approach advocated by the guidelines consent might be sought and documented by administrative staff. This removes the workload involved from busy clinical staff, clinician lack of time being the reason cited in many studies for the failure to approach many potential participants for consent[iii]. The use of administrative staff would also serve to distance the seeking of consent from the patient from the delivery of patient treatment. A different approach is advocated for ill emergency patients.
There is evidence that when consent is sought from patients, for such uses of their patient data, that consent is usually freely provided[iv]. The main obstacle to consent is a failure to approach the patient to seek consent in the first instance. The need for patients’ to take specific action also limits the provision of consent[v]. There will be a need for the data controller, in this instance the HSE, to require the complete documentation of each patient’s direction with respect to the use of their data. This will be essential also if the Health Information and Quality Authority is to be enabled to carry out its mandate to monitor and assure quality in the Irish health services.
The document explains that under the Data Protection Directive the provision of explicit consent justifies the processing of sensitive health data. The concept of explicit consent is explained in the document. The best practice approach is for the data controller to set out clearly to the patient, at the earliest opportunity, “the specific purposes for which patient identifiable information may be accessed for purposes unrelated to the patient’s treatment.” For example such specific purposes might include the potential use of patient data for clinical audit or for a disease register. The potential (“permissible and desired”) uses of patient data should be comprehensively stated, with “an appropriate consent supported by an informative patient leaflet”. (page 6) This information leaflet should state what type of use will be made of the data, the safeguards for patient confidentiality and whether the patient might be contacted directly for information on their condition. (page 7) Opt-in consent is required. (page 7) The option to revoke consent at any time must be clear. The context of seeking consent should not be directly linked to the patient’s treatment. (page 7)
It is envisaged that further consent from the patient would be required for specific research and in relation to new patient diagnoses. (page 7) The data controller will be responsible for a robust administrative system to effect patient decisions on consent. “Comprehensive security and access controls in relation to the storage of manual and electronic data are key requirements” to ensure that patient personal data is only use for the specified purpose(s) supplied.
An opportunity presents with the newly established Irish National Perinatal Epidemiology Centre’s initiative to implement a national maternity chart to pilot implementation of the Data Protection Commissioner’s Data Protection Guidelines on research in the Health Sector. An approach might be to identify to the patient at the first antenatal booking visit the proposed use of patients’ data for epidemiological monitoring of perinatal outcomes in the republic of Ireland, for the surveillance of congenital anomalies, and for clinical audit purposes. Explicit consent might be sought and recorded on the national maternity chart. An information leaflet to support the process would need to be developed.
There is much merit in the clarity of the guideline. The costs involved in its implementation should be documented. The success rate in the completion and documentation of each patient’s direction needs to be monitored. The option of opt- out consent should be held in reserve and not ruled out as the practical implementation of the guidelines has yet to be tested and opt-out consent has proved successful and acceptable in a number of jurisdictions.[vi] In addition there is evidence that the public viewpoint supports the use of personal health information for the greater good.[vii]
References
1. Tu J, Willison D, Silver F, Fang J, Richards J, Laupacis A, et al. Impracticability of informed consent in the registry of the Canadian Stroke Network. N Engl J Med 2004;350(14):1414-21.
2. Busby A, Ritvanen A, Dolk H, Armstrong N, De Walle H, Riano-Galan I, et al. Survey of informed consent for registration of congenital anomalies in Europe. BMJ 2005;331(7509):140-141.
3. McKinney PA, Jones S, Parslow R, Davey N, Darowski M, Chaudhry B, et al. A feasibility study of signed consent for the collection of patient identifiable information for a national paediatric clinical audit database. BMJ 2005;330(7496):877-879.
4. Nicoll A, Lynn R, Rahi J, Verity C, Haines L. Public health outputs from the British Paediatric Surveillance Unit and similar clinician based systems. Journal of the Royal Society of Medicine 2000;93:580-585.
5. Korkeila K, Suominen S, Ahvenainen J, Ojanlatva A, Rautava P, Helenius H, et al. Non-response and related factors in a nation-wide health survey. Eur J Epidemiol 2001;17(11):991-9.
6. Adams T, Budden M, Hoare C, Sanderson H. Lessons from the central Hampshire electronic health record pilot project: issues of data protection and consent. BMJ 2004;328(7444):871-874.
7. Ford H. The effect of consent guidelines on a multiple sclerosis register. Multiple Sclerosis 2006;12(1):104-7.
8. Littenberg B, MacLean CD. Passive Consent for Clinical Research in the Age of HIPAA. Journal of General Internal Medicine 2006;21(3):207-211.
9. Williamson O, Cameron P, McNeil J. Medical registry governance and patient privacy. MJA 2004;181(3):125-6.
10. Barrett G, Cassell J, Peacock J, Coleman M. National survey of British public's views on use of identifiable medical data by the National Cancer Registry. BMJ 2006;332:1068-72.
[i]Canadian Stroke Network co-ordinators spent 40 minutes on consent related issues for each patient and it was estimated that approximately 25% (Can$500,000) of the Can$2 million budget for the project was spent on consent related issues [1]. Eurocat is the network of 43 population-based registries in 20 countries in Europe, set up for the epidemiologic surveillance of congenital anomalies. It covers 29% of the European birth population, more than 1.5 million births per year. A 2003 Eurocat survey on the issue of informed consent for registration found that in one country the register gives administrative support to treating physicians to facilitate looking for consent and this assistance takes 1-3 hours per case. The registers requiring informed consent have difficulty persuading clinicians to take on this additional workload. The co-ordination required to avoid approaching parents more than once, places added difficulties on the treating physicians [2].
[ii] In the Canadian Stroke project where informed consent was sought, researchers found it difficult to approach patients’ families if the patient was dying or had recently died. In the same study, cognitive impairment of the patient was a factor reducing likelihood of consent as results indicated that contacting a surrogate for consent may not be possible [1].
[iii] In the England and Wales PICANet (Paediatric Intensive Care Audit Network) study, lack of staff time and possibly familiarity with the study protocol appears to have had a very large impact on the consent rates [3]. There was a high level of acceptability of the register as 99.5% of those actually approached gave consent. However, because of the practical difficulties of approaching all those eligible, only 43% of all potential candidates were recruited, resulting in an unacceptably incomplete register. In addition to this, two intensive care units of the seven who initially planned to take part were not included in the analysis at all. This was because they were unable to start the study or follow the protocol due to lack of resources. Workload appeared to be an enrolment issue for a retinopathy of prematurity study also [4].
[iv] In the Canadian Stroke Network registry project 81% of those actually approached consented and 19% refused [1]. In the paediatric intensive care audit network (PICANet) informed consent feasibility study, of the 422 admissions, 239 parents/guardians were not approached for signature. Of those approached for signature only one refused, a 99.5% consent rate [3]. The Royal College of Paediatrics and Child Health (RCPCH)’s Research Unit and the Surveillance Unit of the Royal College of Ophthalmologists performed a combined surveillance and research study that required informed parental consent. Of 180 cases identified for the study, 3 cases refused consent and 112 consents were obtained. Parents of the other identified cases were not approached for consent. Therefore of those where a choice was made by parent(s), 97.4% consented and 2.6% refused. The authors’ opinion was that consent was not so much a function of choice by parents, but a function of the time and effort health care staff can use to seek informed consent [4]. Recruitment took over a year and consent was at 62% three months after recruitment closed.
[v] In a Finnish study looking at factors affecting response to a national psychosocial health baseline survey, the response rate was 40% [5]. Of those that responded early, 94.5% consented to use of medical register based follow-up, whereas 90.9% of those that responded late consented. As there is a statistically significant difference between the consent rates in these two groups, the authors concluded that asking for consent was a factor related to late response and therefore to non-response.
[vi] In the central Hampshire electronic health record pilot project 80,000 households comprising 225,000 residents were sent leaflets [6]. Of those, 6 people asked for their records to be excluded. Eight asked to view their record before making a decision. Of these 8, four asked for information to be excluded. This gives a refusal rate of 0.004%, and therefore consent rate of almost 100%. In addition there were 82 callers to the helpline. Rates of consent to a community-based multiple sclerosis register were studied by looking for written request to opt-out for an existing register of 820 individuals [7]. Only 34 (4.1%) asked for their information to be removed, giving a opt-out consent rate of 95.9%.
In the Vermont Diabetes Information System, 2.8% opted out, with three patients (0.04%) filing complaints which were dealt with satisfactorily [8]. This gives a passive consent rate of at least 97%. In Australia, the Victorian State Trauma Registry used an opt-out approach and achieved over 99.5% completeness [9]. This approach is in compliance with privacy legislation, but it also achieves high enrolment levels, which helps to maintain the scientific integrity of the register. The Eurocat (European network of congenial anomaly registers) informed consent survey showed that in one register which changed to opt-in, the yearly enrolment fell from 249 to 10 [2]. If there is a similar rate of new cases per year, the register was only about 4% complete. When opt-out was introduced instead, the opt-out rate was 0.1%, so the register rose to about 99.9% complete. Another register in the survey estimated that opt-in resulted in 15-20% loss of cases, though only 0.5% of parents actually refused to consent. Another register reported less than 1% parental refusal for enrolment.
[vii] In Britain a national survey of public views on the use of identifiable medical data by the National Cancer Registry was reported by Barrett et al [10]. The nine questions related to cancer registration were included on the omnibus survey operated by the Office of National Statistics. Of 2955 interviewees, 97% answered all nine registry questions. Respondents were shown to be generally representative to the population. Of those interviewed, 82% had not heard of the Cancer Registry before the study. 95% thought that the information collected was useful; 81% said they would support legislation underpinning cancer registration; 95% did not believe that receiving a letter from the health service offering cancer screening was an invasion of privacy however 16% considered inclusion of name and address on the cancer register an invasion of privacy. Overall the majority of respondents (72%) did not consider the use of postcodes, name and address, or receipt of a letter of invitation to a research study as invasion of privacy. Only 2% saw all three of the scenarios as invasion of privacy. The authors suggest that it is not correct to make the assumption that the public wish for their own health information to be used only in direct health care and that the public have an interest in the wider use of their information for the public good.