1 SEPTEMBER 1997
Amended 19 August 1998
Table of Contents
A. Definitions
B. Rationale
II. Major Contributions of Pharmacoepidemiology to the Public’s Health
A. Appropriate Use of Drugs
B. Birth Defects
C. Reye’s Syndrome
D. Vaginal Cancer in Young Women
E. Endometrial Cancer
F. Heart Disease
III. Methods And their Related Data Privacy Issues
A. Record-linkage
B. Case Control Studies
C. Prospective Surveillance (Cohort) Studies
A. Professional codes
B. Institutional Review Boards (IRBs)
C. Different types of consent
D. Technological safeguards
E. Secondary use of data
F. Databases that do not contain potentially identifiable records
G. Cross-national transfer of data
H. Patient access to inspect and amend their medical records
I. Penalties for inappropriate disclosures
V. Summary
Appendices
Appendix 1: Principles for protecting data privacy
Appendix 2: Acknowledgments
Addendum 1 - Genetic Information - 8/19/98
Addendum 2 - Pregnancy Registry - 8/19/98
Protection of the privacy of personal health records is an issue of concern to most people, including those who conduct research to benefit the public’s health. The International Society for Pharmacoepidemiology (ISPE) embraces the principle of protecting the confidentiality of individually identifiable medical information while preserving justified research access to such information in the interest of the public’s health.
Epidemiology studies populations to understand the extent, natural course, and burden of diseases. This information provides background for the safe and effective use of medicines. Pharmacoepidemiology1 is an observational, non-experimental science. In contrast to clinical trials, which are experimental, an epidemiologic observational study observes patients in the real world of clinical medicine, and the patient is at no medical risk from being part of the study. It is the science of pharmacoepidemiology that is used to evaluate the risks and benefits of medications in large numbers of patients in the real world setting. While patients are at no increased medical risk from being included in an observational pharmacoepidemiologic study, they could potentially be at risk of inappropriate disclosure of sensitive medical information if that information is not carefully safeguarded.
Pharmacoepidemiologic studies have had a major impact on the public’s health in general and on our understanding of the risks and benefits of medications in particular. For example, such studies documented the risk of aspirin and Reye’s Syndrome in children and the risk of vaginal cancer in daughters of women who took diethylstilbestrol (DES) while pregnant. Pharmacoepidemiologic studies will continue to be important in the future. ISPE urges that any new laws or changes in existing laws aimed at further protecting data privacy be formulated with an acknowledgment of the value to society of pharmacoepidemiologic research.
To balance the individual privacy interests with society's need for sound information on medical and public health issues, we should build on current laws and ethical guidelines, including the use of Institutional Review Boards (IRBs), Ethics Committees, or their equivalent, that have served well in the past. Among our specific recommendations are the following:
We support legislation to prevent the inappropriate disclosure of personally identifying health information. Additional privacy safeguards may become necessary to address the technologic changes in the way health information is shared among physicians, other providers, payers, and other third parties. However, additional data privacy laws should not unduly restrict research that may protect the public’s interests and inadvertently reduce availability of important data resources for pharmacoepidemiologic research.
1 The document was endorsed by the International Society for Pharmacoeconomics and Outcomes Research April 17, 1998. The scope of the entire document is intended to cover pharmacoepidemiology, pharmacoeconomics, and outcomes research.
Protection of the privacy of personal records is an important issue. Privacy is increasingly felt to be threatened by two forces: the growth of information technology, making transmission and manipulation of large amounts of data possible; and the increasing demand for information in decision making. A common response to these changes is the consideration of new legislation to address public concern and to control access to and use of information. It will be important for legislators to acknowledge the changing information environment and assure adequate safeguards over personal health information without compromising the conduct of valuable health research.
Epidemiology is a public health research discipline which has the ultimate aim of improving the health of the population. Epidemiology is the study of the distribution and determinants of health-related conditions in specified populations and the application of this research to better the public health. Pharmacoepidemiology2 is the specialized application of this approach to the risks and benefits of the use of medicines.
Pharmacoepidemiologic evaluations, if done properly, lead to safer use of medicines. This research may lead, at one extreme, to removal of a drug from the market if the documented safety risks outweigh the medicine’s therapeutic value, or, at the other extreme, may prevent a useful and safe drug from being inappropriately restricted or even removed from the market. It is therefore in the public's benefit that this type of research be conducted. In the creation of new legislation, a balance needs to be achieved between protection of privacy when individual medical records are used for such research, and the generation of new knowledge that is critical for improving public health. As pharmacoepidemiologists, we submit that the balance between individual privacy and public health concerns can be achieved.
The International Society for Pharmacoepidemiology (ISPE)3 embraces the principle of protecting the confidentiality of individually identifiable medical information while preserving justified research access to such information in the interest of the public’s health. ISPE urges that any new laws aimed at further protecting data privacy should be formulated with the awareness of the value to society of epidemiologic research.
To balance the individual privacy interests with society's need for sound information on medical and public health issues, legislators should build on current laws and ethical guidelines that have served society well.
In this document, ISPE provides a description of the discipline of pharmacoepidemiology, examples of its contributions to the public’s health, some of the unique issues surrounding data privacy encountered in conducting pharmacoepidemiology research, and some suggestions for public policy.
2 The document was endorsed by the International Society for Pharmacoeconomics and Outcomes Research April 17, 1998. The scope of the entire document is intended to cover pharmacoepidemiology, pharmacoeconomics, and outcomes research.
Epidemiology is the study of the distribution and determinants of health and disease in populations. Pharmacoepidemiology is a subspecialty of epidemiology that applies epidemiologic techniques to the study of medications. This scientific discipline uses data on populations to understand the extent, natural course, and burden of diseases, which provides background for the development of medicines and for their safe and effective use. Pharmacoepidemiologic research examines the population and the diseases the medications are used to treat, and the problems and benefits the medications may cause. Such research is critical for assuring that medicines meet health needs and are used safely and optimally.
Pharmacoepidemiology is mainly an observational, non-experimental science which differs from the other common form of medical research, clinical trials. In clinical trials, each patient is assigned to receive a new treatment, an existing accepted treatment, or a placebo. Were it not for the clinical trial, the patient’s physician might have chosen any of these treatments or other treatments for the patient. In contrast, in an observational study, the patient receives the treatment a physician chooses in the real world of clinical medicine, without influence of the research effort. Therefore, a patient is at no medical risk from being part of an observational study since the treatment and follow-up received by the patient are not changed in the slightest by the study design itself. While clinical trials are important to test the safety and efficacy of a new medication in an experimental environment, it is also crucial to see how the drug functions in the real world. Pharmacoepidemiology is the science used to evaluate the risks and benefits of a medication in routine medical practice.
In both clinical trials and observational studies, harm could potentially result from inappropriate disclosure of private information. These risks need to be minimized through appropriate controls on data use and data users.
The protection of patient privacy has been a long-standing concern of pharmacoepidemiologists and has been safeguarded by law in some countries. Most studies that use potentially identifiable information are reviewed in advance by ethics review boards, usually called Institutional Review Boards (IRBs), sometimes known as Research Ethics Boards. IRBs are carefully constituted, certified and continually monitored. They operate independently of the researcher and represent the interest of the patients. IRBs evaluate research in the context of the local setting. Their main function is to evaluate research proposals to protect study participants from unwarranted medical and privacy risks. Among the important functions of IRBs is the careful review of the type of patient informed consent needed within the context of each study they evaluate.
Other existing privacy protection practices routinely include the careful handling and storage of data by trained and authorized individuals, and strict controls over the access to and use of any data that could be used to identify individual patients.
ISPE shares the concern that current mechanisms for safeguarding privacy must be evaluated and updated to be sensitive to the concerns of individuals to protect the privacy of their medical information and to meet the new demands of the evolving information technology age.
Pharmacoepidemiologic studies have had a major impact on the public’s health in general and on our understanding of the risks and benefits of medications in particular. Numerous studies have identified previously unrecognized hazards of medicines, while others have refuted what proved to be false allegations about medication-induced diseases. Selected examples of the impact of pharmacoepidemiologic research are provided below.
Pharmacoepidemiologists are concerned not only with adverse effects, but also with appropriate uses of drugs. For example, underuse of medication may lead to avoidable morbidity and mortality. A recent study documented the underuse of beta blockers following heart attacks in the elderly and the serious consequences of that underuse. That study relied on large linked databases in New Jersey, and showed that many physicians ignored the advice of the national cardiology consensus committees that urged the use of these drugs after heart attacks for appropriate patients. This new study showed that only 21% of eligible patients received beta-blockers, and that this underuse led to a 43% excess mortality over 2 years and a 20% increase in cardiovascular hospitalization. This finding is likely to lead to changes in medical practice that will reduce hospitalizations and save lives.1
The well known epidemic of phocomelia (abnormal or missing limbs) and other malformations due to the use of thalidomide during pregnancy2 has led to many improvements in the drug regulatory process. However, the safety of medication use during pregnancy has continued to be a major concern. Epidemiologic studies identified increased risks for spina bifida among the offspring of women treated with the antiepileptic medication valproic acid3 as well as the adverse effects of the anti-acne medication Accutane.4 Other epidemiologic studies demonstrated that folic acid supplementation in early pregnancy appreciably reduced the risk of spina bifida,5 leading to public policy actions recommending the consumption of adequate folic acid among women of childbearing age and mandating fortification of certain foodstuffs with folic acid. Epidemiologic studies also were critical in refuting allegations that various birth defects were caused by drugs commonly used in pregnancy, such as the antinausea drug Bendectin6 7 and spermicidal contraceptives. 8 9
This rare but often fatal condition in young children was shown by epidemiologic studies to be strongly associated with use of aspirin,10 leading to cautions by the Centers for Disease Control and Prevention (CDC) and professional pediatric societies against the use of aspirin in children. As a consequence, many national regulatory authorities mandated changes in labeling of aspirin products to warn physicians and parents. The actions led to decreased aspirin use in children, and that, in turn, led to a dramatic decline in Reye’s Syndrome incidence.
It was through epidemiologic studies that researchers demonstrated a strong association between diethylstilbestrol (DES) use during pregnancy and the development of vaginal cancer in adolescence and early adult life among females who were exposed in-utero. This finding not only identified an unacceptably large risk of DES, but it also was the first to show that drugs taken in pregnancy could, decades later, lead to cancer in exposed children.11 12
A number of epidemiologic studies showed that estrogen replacement therapy without the addition of progesterone substantially increased the risk of endometrial (uterine) cancer. This finding was of critical importance from a scientific and public health perspective. It resulted in a change in the patterns of use of these drugs, so that the risk will be reduced in the millions of women who now take them.13
Epidemiologic studies were the first to show that aspirin can reduce the risk of heart attacks in men,14an association that was confirmed only decades later in large scale clinical trials.15 This finding has become incorporated into routine medical practice on a world-wide basis.1617 Similarly, epidemiologic studies also revealed that higher-dose oral contraceptives increased the risk of venous thromboembolic disease in women,18a finding that contributed to the development of the currently available lower-dose oralcontraceptives.
The primary methods of pharmacoepidemiologic research involve collection of observational data from existing medical records, secondary data sources, and/or directly from patients. The approaches may include using record-linkage and the conduct of case-control and prospective cohort studies. Each of these approaches raises unique issues relating to data privacy.
1. Description
Record linkage may be defined as the procedure of combining large datasets so that records about the same individual will be united into one record. It joins in a single record information from multiple different sources which relate to the same individual or event.
It is important to distinguish between administrative and statistical use of these data. In administrative use (for example, in billing for services) the identification of the individual is of paramount importance: if the name and address and/or other identification are lost, the record becomes useless because the person cannot be identified or contacted. In contrast, epidemiologic research uses linked records statistically, so the identity of the individual is unnecessary to the interpretation of the study. The identity is important only during the linkage process; once the study database is complete, all identifiers can be removed from the study files. The linked data do not need to include identifying information about individuals, such as name or unique identifiers such as Social Security number. Rather, pharmacoepidemiologists are looking for patterns in the health experience of groups so that associations between medicines and potential side effects can be studied. The technology of data linkage and encryption of identifying variables has made it possible to encrypt the dataset in such a way that the researcher is unable to identify any individual subject.
For epidemiologic research, the process of record linkage takes a subset of information from each of two or more databases to create a new database. Sources of health-related databases may be computerized medical records, hospital discharge summaries, pharmacies’ dispensing records, health insurance records, records of Health Maintenance Organizations (HMOs), vital statistics, etc. The simplest use of databases is to monitor drug use, diseases, and frequency of hospitalizations in a specific population. A more complicated research effort, for example, links medical or hospital records of individuals who have used certain medicines. This yields a great deal more information on whether a given drug is safe to use or whether there are problems which need to be explored further. Research that utilizes record-linkage databases frequently requires the inclusion of a large sample in the study and requires the follow-up of patients for many years through the databases. Depending on the problem studied, data on as few as several hundred and as many as several million patients need to be included in a study.
Retaining within the database a code that allows the ability to re-link under predefined conditions to identifiable data sources is often useful for the following three purposes: 1) to perform quality assurance functions (e.g., to verify the accuracy of the linkage process, to identify duplicate records, to validate the accuracy of computer-recorded data against original records, and to verify the presence of consent records if required), 2) to enrich a study database (e.g., to add data on clinical events or other relevant data not recorded in the computer record), and 3) to address unforeseen needs at a later date (e.g., to follow-up the same cohort of patients to evaluate safety questions that might extend beyond the duration of the original study).
2. Data Privacy Issues
While it is not necessary for researchers to be able to identify patients in the analysis of the resulting linked dataset, occasionally it is necessary to update records on this dataset at a later date, as described above. For example, it may be necessary to obtain further information on potential late onset adverse reactions, such as cancer. There are several ways of dealing with this. Using the same program, the data could again be extracted from the updated datasets. Alternately, authorized or legally appointed third-party data custodians, or the original holder of the data, could keep a coded list that identifies individual patients in a confidential place with controlled access. Any use of the list would either be described and approved as part of original research protocol or evaluated as a new research project with a review of the appropriate safeguards.
A related issue is whether existing databases can be used for secondary analysis, i.e., a use not originally planned when the data were collected without specific informed consent. Ideally, researchers would inform each subject in a study and obtain informed consent. This is hardly feasible when using linked records, especially if the data were collected years in the past and the numbers of subjects are large (e.g., 10,000 or 100,000 or even larger). In some studies, the study design requires complete capture of the experience of a large population. If the study excluded those persons who could not be located and did not provide consent, the study results might produce erroneous findings. As a result, the requirement for individual consent would preclude the conduct of many important epidemiologic studies. Moreover, this type of study imposes no medical risk to the patients. In contrast, in these studies, contacting an individual for consent would compromise patient confidentiality, since obtaining consent would require access to name, address, or telephone number.
For research studies based on linked data, investigators and other researchers generally have no interest in the patients’ identities. They must, however, have assurance that records of the same person can be joined, and the assurance that those records are protected at the source with suitable safeguards. For such secondary data analyses, IRBs review the importance of the research and the adequacy of privacy protections, and determine whether a secondary analysis without specific informed consent is appropriate.
1. Description
Case-control studies are one of the two major designs in pharmacoepidemiology. In case control studies, patients (cases) are identified who are affected with a specific condition that might be a medication side effect (e.g., Reye’s Syndrome). Subjects without that disease (controls) are also identified. By comparing differences in medication exposures and other circumstances between cases and controls, researchers can estimate whether the medication was associated with the adverse event. This type of design is especially useful for rare adverse events.
Most case-control studies require access to confidential information, since such data are critical to identify and recruit potential subjects, and to learn from their medical records or directly from the patient about the medicines they have taken and other relevant exposure history. As typical examples, studies of infants with birth defects, children with Reye’s syndrome, or adults with various cancers require direct interviews about a wide range of exposures. This is particularly important for drug exposures that are unlikely to be recorded in any medical record, such as over-the-counter drugs, vitamins, and certain other medications. In addition, critical information on smoking, alcohol consumption, and other health habits that can affect the risks of medications is usually available only through direct interviews.
2. Data Privacy Issues
To be sure that all potentially eligible subjects are identified, researchers may need access to identifiable patient information that may include hospital admission and discharge lists, medical records, and clinic logs. Once the researchers have determined which subjects are eligible, they contact them to invite them to participate in the study. Researchers need access to very limited information to identify potential subjects and describe possible differences between participants and non-participants. IRBs review the procedures for these studies to determine the need for access to the confidential information, the effect on privacy of the individuals whose records will be reviewed, and the mechanisms for assuring appropriate access to and use of personal data. For reasons related to research validity, subjects need to be followed up with a high degree of fidelity. In these types of studies, assigning responsibility for contacting subjects to health care providers places an inordinate burden on them and may result in accrual rates which do not meet the needs for scientific rigor and validity. Again, IRBs review procedures for each such study to determine if the research design needs outweigh the risks to the patients from loss of privacy, and the IRBs review the safeguards to be used in the conduct of the research. After eligible patients have been identified and contacted, they retain the right to decline participation. Current procedures mandated by IRBs and by researchers themselves have proved highly effective in protecting confidentiality.
1. Description
In prospective cohort studies, data on drug exposure, risk factors, and outcomes are gathered prospectively; i.e., subjects are enrolled and followed over time according to their exposure to a drug at the beginning of the study. These studies will reflect general clinical practice, since they are conducted in a non-interfering, wholly observational fashion. Medication use is determined by the physician, and no additional physician visits or laboratory measurements beyond usual clinical practices are required; nor does the study interfere in any way with the physicians’ normal clinical decisions.
A prospective cohort study may continue for many years to estimate the increased risk, if any, of a disease among patients who start taking a new drug in comparison with those who take other therapies. Patients taking the medication of interest are identified. Data on these patients may be collected directly from the patients or their friends/relatives or from the patients’ health care providers. Data may also be collected solely from the patients’ medical records.
2. Data Privacy Issues
Most prospective studies receive IRB review and approval. In many studies, the patients provide some form of consent to the use of their identifiable health data for research purposes. Again, IRBs review procedures for each such study to determine whether the study can be accomplished without access to confidential data, whether the benefits outweigh the risks to the individual from loss of privacy, and whether there are appropriate safeguards for data confidentiality and security. An example of a type of study that has been considered not to require patient informed consent follows.
A long-standing important type of prospective study is the Prescription-Event Monitoring program at the University of Southampton in the UK, in which patients on specific medications are identified from the government Prescription Pricing Authority that pays for dispensed medications. Follow-up is conducted on this registered cohort by a mailed form that requests information from the medication prescribers on all adverse events that occurred during a designated period following the prescription. Since this kind of study usually captures data from more than 10,000 patients, such surveillance would not be possible if patient informed consent were required. Since this approach is a directed monitoring of new or suspected high risk drugs, it is a very important source of information for enhancing drug safety. Such studies may be considered essential public health surveillance that cannot be conducted in any other fashion. The potential value to the public’s health of such research has generally been considered to outweigh the possible privacy intrusion, in the existing setting that assures excellent controls over the privacy of patient data.
Historically, such studies have been considered to fall below the level of minimal risk required for full IRB review (the studies were based on existing chart information, no direct identifiers were collected and retained, and linkage back to private information was only possible through the treating physician). Local circumstances, through laws and/or codes of practice, may continue to exempt specific public health research studies from IRB review. It may now be desirable for IRBs to review other studies not specifically exempted and weigh the importance of gathering the information for the overall benefit to society, the appropriateness (or inappropriateness) of requiring consent, and the procedures that are in place to safeguard patient privacy.
The protection of the individual patient’s right to confidentiality should be a paramount concern in the design and conduct of a pharmacoepidemiologic study, and should be addressed as an integral part of the study protocol. Specific recommendations to protect patient confidentiality while preserving important research access to medical information are detailed below:
The Guidelines for Good Epidemiology Practices for Drug, Device, and Vaccine Research were developed by ISPE to assure proper study conduct.19 These guidelines could be refined to provide additional guidance to researchers regarding data privacy protections. ISPE will continue to produce professional codes of conduct as needed and as technological advances in research methodology lead to substantial revisions in working practices. The development of such codes of conduct will have an educational and promotional influence over members of the discipline, since the codes will outline clearly what is to be achieved and what is to be avoided.
Recommendation
Studies should, in their design, address issues concerning data privacy and contain measures to protect the confidentiality of the individuals’ records. The existing Guidelines for Good Epidemiology Practices should be enhanced to include specific recommendations for protecting the confidentiality of individuals’ records.
ISPE and other professional associations should continue to produce codes of conduct for research and encourage adherence to those codes. Though codes from different disciplines will tailor specific recommendations to the characteristics of the individual disciplines, they should all be based on universal principles. Basic principles have recently been outlined in a report to the US Secretary of Health and Human Services entitled Privacy and Health Research. ISPE adopts these principles, which are given in Appendix I.
Protection of the research subjects from potential adverse effects of research is a main concern of an IRB. In addition to physical and emotional safety, the IRB serves to ensure protection of the patient’s data confidentiality. Currently there are different requirements in various countries regarding the use of review boards for the public and the private sector.
Recommendation
All pharmacoepidemiologic studies that use personally identifiable data should be subject to ethics review board approval before study commences. The IRB mechanism has been and should continue to be the keystone for protecting patient confidentiality by evaluating the use of potentially identifiable data and considering such use in the light of privacy and confidentiality concerns. ISPE also recommends that the same IRB mechanisms for protecting data confidentiality be available to both the public and private sector. ISPE recognizes the need for active, competent, and objective IRBs in this field.
Several studies have shown that the large majority of people will consent to the use of their records for research if they understand the reason for the studies. Since observational studies do not have the same impact on individuals’ medical risk as clinical trials do, the consent needed should be commensurate with this lower risk as well as with the different circumstances of an observational study.
Recommendation
Reliance on ethics review boards, such as Institutional Review Boards (IRBs), has been and should continue to be the primary method for protecting subjects’ privacy. IRBs may waive a requirement for written informed consent when a study is conducted in the interest of the public's health, direct harm to the individual is extremely unlikely, and individually identifiable data are not made public. Legislation should protect and strengthen IRBs’ ability to waive individual informed consent under these circumstances.
For studies based on linking datasets to produce a new dataset with linked records, technological safeguards can virtually guarantee protection from unauthorized release of identifying information.
Recommendation
The use of sophisticated information technology should be encouraged to assure, where appropriate, that no identifying information remains on the datasets used for analysis by researchers. Access to identifying information before, during, and after the process of linking potentially identifiable data files to create a research dataset should be limited to a very few authorized and legally responsible individuals with an obligation to assure confidentiality. ISPE encourages the development of technologies to assure the appropriate safeguards.
Frequently data are used for scientific analyses although they were originally collected for other purposes. The use of administrative datasets collected primarily for financial purposes is one of the major advances in pharmacoepidemiology. Thus insurance databases are recognized as an important resource of data which can be used to address public health issues.
Recommendation
The secondary use of datasets for purposes other than those for which they were originally collected should be allowed for scientific and statistical analyses in the interest of pubic health, with the appropriate safeguards.
Many databases have been created as secondary data sources and have been stripped of all codes that could be used to link records back to the original source to identify the patient. Important research databases, including many available publicly (e.g., through the US National Center for Health Statistics), have been "anonymized." Studies that use these databases pose no risk to the patients, and fall well below the criteria of minimal risk that necessitates IRB consideration.
Recommendation
ISPE concurs with most of the currently proposed legislation: Research using completely anonymized databases should not require IRB approval and specific patient authorization for each use of the data.
On occasion, datasets need to be transferred across national borders. Restrictions against such transfer of information have been addressed in some international laws, such as the European Union Data Privacy Directive (Article 25), which permits cross-national data transfer only if the receiving country outside the European Union ensures an "adequate level of protection." An exemption provides that this requirement may be waived if the person responsible for the data ensures adequate protection of data privacy.
Recommendation
The cross-national transfer of data should be permitted under the condition that either a comparable legal level of data protection exists in the recipient country or special provisions are made by the person responsible for the data to ensure the same level of data privacy as exists in the country from which the data are transferred.
Various proposals would grant specific rights to individuals to obtain access to their medical records and have those records amended under certain circumstances. Such rights are important as they apply to the patients’ medical chart because of the implications of accurate health information for the patients’ subsequent medical care. Observational data abstracted from those records and stored in research databases have little or no potential impact on the patients’ future medical care. Although the researcher may welcome improvements in the accuracy of the data, allowing access by patients to all research databases in which their data might reside would present logistical challenges.
Recommendation
ISPE supports legislative proposals that specify individuals’ rights of access to inspect and amend their primary medical records.
Recognizing the importance of privacy protection, ISPE believes that investigators should be subject to legal penalties for committing willful breaches in confidentiality and to penalties when damage ensues from a breach of confidentiality.
Recommendation
Unauthorized access to or dissemination of personally identifiable medical information should be subject to legal penalties sufficient to act as a deterrent.
Current well-established and generally-accepted mechanisms for conducting pharmacoepidemiologic studies, strengthened by appropriate formalized protections of patient confidentiality (e.g., through codes of conduct, expansion of the functions and scope of IRBs, and legal penalties for breaches of confidentiality), can support future research that will be of great benefit to the public health without putting patients at risk from inappropriate disclosure of personal medical information. Pharmacoepidemiologists agree with legislation to prevent the inappropriate disclosure of personally identifying health information. Additional privacy safeguards may become necessary to address the technologic changes in the way health information is shared among physicians, other providers, payers, and other third parties. However, additional data privacy laws should not unduly restrict research that may protect the public’s interests. ISPE hopes that new legislation does not inadvertently reduce availability of important data resources for pharmacoepidemiologic research.
1Soumerai SB, McLaughlin TJ, Spiegelman D, Hertzmark E, Thibault G, Goldman L. Adverse outcomes of underuse of beta-blockers in elderly survivors of 1975 acute myocardial infarction. JAMA.277(2):115-21, 1997, Jan 8.
2Lenz W, Knapp K. Thalidomide embryopathy Arch Environ Health 5:100-105, 1962.
3Robert E., Francannet C, Robert JM, Registries of malformations in the Rhone-Alps/Auvergne region. Value and limits of monitoring teratogenesis. 11 years' experience (1976-1986)]. Journal de Gynecologie, Obstetrique et Biologie de la Reproduction. 17(5):601-7, 1988.
4Lammer EJ, Chen DT, Hoar RM, Agnish ND, Benke PJ, Braun JT, Curry CJ, Fernhoff PM, Grix AW Jr., Lott IT, et al. Retinoic acid embryopathy. N Engl J Med. 313(14):837-41, 1985 Oct 3.
5Werler MM, Shapiro S, Mitchell AA. Periconceptional folic acid exposure and risk of occurrent neural tube defects. JAMA. 269(10):1257-61, 1993.
6McKeigue PM, Lamm SH, Linn S, Kutcher JS. Bendectin and birth defects: I. A meta-analysis of the epidemiologic studies. Teratology. 50(1):27-37, 1994 Jul.
7Holmes LB. Teratogen update: Bendectin. Teratology. 27(2):277-81, 1983 Apr.
8Louik C, Mitchell AA, Werler M, Hanson J, Shapiro S. Maternal exposure to spermicides in relation to certain birth defects. N Engl J Med 1987;317:474-478.
9Warburton D, Neugut RH, Lustenberger A, Nicholas AG, Kline J. Lack of association between spermicide use and trisomy. N Engl J Med. 317:478-482, 1987.
10Hurwitz ES, Barrett MJ, Bregman D, Gunn WJ, Pinsky P, Schonberger LB, Drage JS, Kaslow RA, Burlington DB, Quinnan GV, et al. Public Health Service study of Reye's syndrome and medications. Report of the main study [published erratum appears in JAMA. 257(24):3366, 1987 Jun26.]. JAMA. 257(14):1905-11, 1987 Aprn 10.
11Herbst AL, Robboy SJ, Scully RE, Poskanzer DC. Clear-cell adenomcarcinoma of the vagina and cervix in girls: An analysis of 170 registry cases Am J Obstet Gynecol 119:713-724, 1974.
12Herbst AL, Poskanzer DC, Robboy SJ, Friedlander L, Scully RE. Prenatal exposure to stilbestrol A prospective comparison of exposed female offspring with unexposed controls N Engl J Med 292:334-339, 1975.
13Smith DC, Prentice R, Thompson DJ, Herrmann WL. Association of Exogenous Estrogen and Endometrial Carcinoma. N Engl J Med 293:1164-1167, 1975.
14Anonymous (Boston Collaborative Drug Surveillance Program). Regular aspirin intake and acute myocardial infarction. Brit Med J. 1(905):440-443, 1974.
15Anonymous. Final report on the aspirin component of the ongoing Physicians' Health Study. Steering Committee of the Physicians' Health Study Research Group Randomized Controlled Trial. New England Journal of Medicine. 321(3):129-35, 1989 Jul 20.
16Manson JE, Tosteson H, Ridker PM, Satterfield S, Herbert P, O'Conner GT, Buring JE, Hennekens CH. Primary prevention of myocardial infarction. N Engl J Med. 326:1406-1416, 1992.
17Koenig W, Loewel H, Lewis M, Hoermann A. Long-term survival after myocardial infarction: relationship with thrombolysis and discharge medication. Eur Heart. 17:1199-1206, 1996.
18Inman WHW, Vessey MP, Weterholm B, Engleland A. Thromboembolic disease and the steroidal content of oral contraceptives. A report to the committee on safety drugs. Brit Med J. 203-209, 1970.
19Anonymous (ISPE). Guidelines for good epidemiology practices for drug, device, and vaccine research in the United States. Pharmacoepidemiology and Drug Safety. 5:333-338, 1996. Web address: http://www.hsph.harvard.edu/Organizations/DDIL/gep.html
These principles are taken from a report prepared at the request of the US Secretary of Health and Human Services. The report was delivered in May, 1997 by Dr. William W. Lowrance as background for public policy discussions relating to US and international data privacy legislation, policy and practice. ISPE endorses these principles, and insofar as they do not conform with the existing legal situation in different countries, ISPE encourages the revision of existing laws.
"The following principles are recommended for organizations that conduct, sponsor, or regulate health research involving personally identifiable data. They can be transposed into professional guidelines, standard operating principles, regulations, or laws. Criteria and procedures should be established that are specific to the context.
Reference: Privacy and Health Research: A Report to the US Secretary of Health and Human Services from William W. Lowrance. May, 1997. (Web site: http://aspe.os.dhhs.gov/datacncl/PHR.htm)
This document was developed with participation of many ISPE members from government, academic and industry settings, and from a variety of geographic locations. This version of the document is intended as an international document. Additional versions may be tailored by the ad hoc committees to meet local circumstances (e.g., to reference specific legislation).
The following individuals contributed to the development of this document.
Members of the Ad Hoc Committee on Data Privacy in the US and Canada:
Elizabeth Andrews, Chair
Jerry Avorn
Wanju Dai
Stanley Edlavitch
Lourdes Frau
Vincent Guinee
James Kotsanos
Allen Mitchell
Ineke Neutel
Lewis Roht
Brian Strom
Alexander Walker
Robert Wise
Donald Willison
Members of the Ad Hoc Committee on Data Privacy in the European Union:
Annekarin Bertelsmann, Chair
Joanna Haas
Michael Lewis
Gottfried Kreutz
Nicholas Moore
Susanne Perez Gutthann
Public Policy and Ethics Committee:
Ronald Mann, Chair
Background
The growth in the field of genetics has been enormous over the last decade, with the Human Genome Project making great strides in mapping, characterizing, and understanding the genome. The development of new medicines will benefit from this research in a series of ways. Better understanding of the genetic mechanisms of disease initiation will identify targets for medicines that may prevent or treat disease. Of equal importance will be the discovery of genetically mediated risk factors for responsiveness to therapies. Genetic tests may, in the future, help identify subgroups of the population who are most likely to respond favorably to a particular therapy or who are most likely to experience certain adverse reactions. Such knowledge will lead to more selective drug development and testing. Epidemiologists will be involved in association studies to better describe and quantify links between genetic information and clinical disease in populations. Moreover, pharmacoepidemiologists will evaluate the extent to which information obtained through small intensive genetic association studies may be generalized to broader, more heterogeneous populations. Epidemiologic studies of drug safety will continue to be important; some such studies will also evaluate genetic predictors of toxicity.
Public sensitivity about genetic information is currently high, with important concerns over employment and insurance discrimination. This sensitivity has led to suggestions that genetic information should be treated separately from other medical information and that privacy standards for genetic information should be higher. Others have asserted that genetic information should be considered a part of the medical records and treated with no additional protections.
Information that might be considered "genetic" has variety of forms, including information that relates to a person’s genetic predisposition to disease, such as results of specific genetic tests, or family history of diseases with known patterns of inheritance. Other "non-genetic" information about predisposition to disease is a routine component of medical records. For example, patient stature, blood pressure measurement, and family history of heart disease represent important risk factors to guide the appropriate preventive, diagnostic and treatment services for patients at risk for cardiovascular disease. With rare exceptions, the development of disease is not predicted absolutely by a genetic test; results of other physiologic and laboratory tests are often equally or more predictive of clinical disease.
Genetic information also includes diagnoses of heritable medical conditions. Medical diagnoses are a necessary part of a patient’s medical record. Concerns that employers or insurers may deny employment or health care benefits based on a diagnosis or a future probability of a diagnosis, are not unique to diseases of clear genetic origin.
Any distinction between genetic and other measures is arbitrary. Segregating clinical from genetic information would likely be counterproductive both to the provision of medical care and to clinical and epidemiologic research.
Recommendation
ISPE considers genetic information to be an integral part of individuals’ health records. All medical information should be held to the same high standards of confidentiality.
Background
Traditionally, it has usually been assumed that it would be unethical to conduct experiments (clinical trials) to learn whether medicines given during pregnancy to treat a woman’s illness may harm the fetus. However, both intended and unintended pregnancies do occur during drug exposures. Unintended drug exposures in pregnancy can occur when a woman does not realize that she is pregnant, even during the period of organogenesis. Intended pregnancy exposures to drugs occur when there is a need to maintain life-long drug therapy by the mother, such as in the case of epilepsy, and there is thus no other option but to become pregnant while taking a medication. A future possibility could be direct therapy of the developing fetus, whose safety and efficacy may require systematic evaluation.
An essential way to directly evaluate the risks of such exposures in humans is through observational (i.e., nonexperimental) studies. One very important observational approach is the pregnancy registry, which is established to collect information from voluntary reporters who identify pregnancies that occur during drug treatment. Registries serve a vital purpose in protecting the public by providing information about risks and safety of in utero drug exposures. The critical value in such registries comes from their ability to follow up with reporters to gather subsequent information on pregnancy outcomes. Obviously, clear patient identifying information is crucial for continued communication with reporters, some of whom may be providing key information about several patients.
The purposes of pregnancy registries in monitoring drug exposures in utero are similar to those of other pharmacovigilance efforts designed to monitor adverse events associated with drug use. Pharmacovigilance is mandated by law in many countries to monitor drugs, especially the newest products, to discover any possible hints of unanticipated hazards as early as possible and to systematically evaluate such signals. Such efforts are implemented to collect voluntary adverse event reports associated with medical products, and pharmacovigilance therefore is an essential tool to protect public health. As in all pharmacovigilance activities, pregnancy registries require neither IRB approval nor individual patient informed consent, but the same stringent rules to protect patient’s confidentiality in data collection, processing, and transferring should also be followed in dealing with pregnancy registry reports.
Pregnancy registries differ from other pharmacovigilance approaches in one area. In most pharmacovigilance efforts, the event associated with a drug exposure (e.g., heart attack) is known to the reporter, and typically prompts the report itself. In pregnancy registries, on the other hand, the reported event is the pregnancy exposure; to learn about the outcome of that pregnancy (i.e., the potential effects of that drug on the fetus) requires that registry staff be able to follow up on the pregnant patient to identify the outcome.
Recommendation
Protection of the public health requires pregnancy registries and follow-up of in utero drug exposures. With the same diligence to protect personal information as in all aspects of pharmacovigilance, the acknowledged value of pregnancy registries to the public health outweighs their limited intrusion into patient privacy.
3The International Society for Pharmacoepidemiology (ISPE) is a non-profit international professional membership organization dedicated to promoting pharmacoepidemiology, the science which applies epidemiologic approaches to studying the use, effectiveness, value and safety of pharmaceuticals. ISPE is firmly committed to providing an unbiased scientific forum to the views of all parties with interests in drug development, drug delivery, drug use, drug costs, and drug effects. The organization includes more than 1100 members from 45 countries. The largest proportion of the membership represents academic institutions (40.8%), followed by industry (35.6%), government agencies (11.0%) and professionals working in clinical practice and consulting (12.6%).
Last updated: 17 April 1998
