Protecting Privacy and Confidentiality

1
Protecting Privacy and Confidentiality

• Ethics in Mental Health Research

2
American Love of Privacy

• Court cases involving right to privacy address a
  wide range of behaviors (Alderman Kennedy,
  1997)
• strip searching, drug testing, contraception,
  abortion, forced C-sections, press coverage of
  deaths and adoptions, voyeurism, sex tapes,
  workplace monitoring and psychological profiling
• Privacy laws protect health records, financial
  records, communication, and other acts
• What is privacy?

3
Defining Privacy and Confidentiality

• Privacy can be defined in terms of having
  control over the extent, timing, and
  circumstances of sharing oneself (physically,
  behaviorally, or intellectually) with others.
  Confidentiality pertains to the treatment of
  information that an individual has disclosed in a
  relationship of trust and with the expectation
  that it will not be divulged to others in ways
  that are inconsistent with the understanding of
  the original disclosure without permission. (IRB
  Guidebook, ch. 3, section 4, intro)

4
Is Privacy a Universal Value?

• In certain cultures privacy is less emphasized
  (e.g., Sri Lanka and China)
• Decreased emphasis on individual and autonomy is
  typically accompanied by decreased emphasis on
  privacy
• But often privacy is witnessed in at least
  certain spheres (e.g., touching skin)

5
Why is Privacy an Ethical Issue?

• Privacy is related to
• Autonomy or self-determination insofar as it
  pertains to our control over self-disclosure
• Nonmaleficence insofar as some violations harm
  people (e.g., sexual practices, HIV status,
  criminal record)
• Beneficence insofar as it enables intimacy or
  greater self-disclosure based on trust

6
Is Privacy an Absolute Value?

• Recall story of HG Wells, The Invisible Man.
• Absolute privacy would allow us to avoid
  accountability for actions while, ironically,
  forcing isolation upon us
• Why, e.g., can psychiatric records not be
  absolutely private?
• 3rd party payers benefits of research
  verification mitigating factors claims drug
  interactions
• Laws and ethical systems treat privacy as a good
  to be balanced duties vary with the sphere of
  privacy (sexual vs. financial) and need to know
  (e.g. HIV positive or taxes trump marketing needs)

7
Threats to Privacy in Research Data Gathering

• Location during interviews/observations
• Identifiers on envelopes
• Amount of info given (names, zip codes)
• Interviewer / interpreter behavior (must maintain
  confidentiality)
• Info about 3rd parties (e.g., parents, partners)

8
Threats to Privacy in Research Data Transfer and
Storage

• Identifiers not eliminated
• Code sheets left unsecured
• Security breaches (shared password, hackers)
• Carelessness (leaving data unlock or lying around)

9
Threats to Privacy Data Analysis and
Dissemination

• Too much info published (combined variables yield
  identification)
• Sharing more info than needed (e.g., failing to
  remove identifiers from existing data)

10
Confidentiality Protection Strategies

• Anonymity
• De-identification (e.g., stripping data of
  HIPAAs 18 safe harbor variables)
• Coding secure separation of code sheets codes
  generated safely, e.g., sealed envelope strategy
  using removable cover sheets, entering data and
  destroying immediately
• Protecting data with identifiers using security
  passwords, firewalls, audit trails, encryption
  during backup and transmission, physical
  security, quantity of info limited by need to
  know

11
Institutional Responsibilities

• Individual researchers typically CANNOT protect
  privacy alone
• Institutions need to
• Educate
• Develop clear policies
• Provide needed technology
• Provide review, monitoring, sanctions
• Provide examples of best practices

12
Certificates of Confidentiality

• Researchers can use a Certificate to avoid
  compelled "involuntary disclosure" (e.g.,
  subpoenas) of names and other identifying
  information about any individual who participates
  as a research subject (i.e., about whom the
  investigator maintains identifying information)
  during any time the Certificate is in effect. It
  does not protect against voluntary disclosures by
  the researcher, but those disclosures must be
  specified in the informed consent form
  (http//grants1.nih.gov/grants/policy/coc/faqs.htm
  )

13
Waiving consent Common Rule

• 116 (c) An IRB may waive the requirement to
  obtain informed consent provided the IRB finds
  and documents that
• (1) the research or demonstration project is to
  be conducted by or subject to the approval of
  state or local government officials and is
  designed to study, evaluate, or otherwise
  examine (i) public benefit or service programs
  and
• (2) the research could not practicably be carried
  out without the waiver or alteration.

14
Waiving consent Common Rule

• Or (d) if
• (1) the research involves no more than minimal
  risk to the subjects (2) the waiver or
  alteration will not adversely affect the rights
  and welfare of the subjects (3) the research
  could not practicably be carried out without the
  waiver or alteration and (4) whenever
  appropriate, the subjects will be provided with
  additional pertinent information after
  participation.