The Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics was convened on Wednesday, January 28 in the Hubert Humphrey Building in Washington, D.C. The meeting was open to the public. Present:
Robert M. Gellman, J.D., Chair
Kathleen Frawley, J.D., M.S.
Kathleen
Fyffe
Richard Harding, M.D.
M. Elizabeth Ward, M.N.
George
H. Van Amburg
Don E. Detmer, M.D., NCVHS Chair
Marjorie Greenberg, NCHS, Executive Secretary
John P. Fanning,
J.D., HHS
Nelson Berry, HCFA
Judith Galloway, HHS
Harvey
Schwartz, Ph.D., AHCPR
Lynnette Araki, NCHS
Jackie Adler, NCHS
Stephanie Mounts, NCHS
Nelson Berry, HCFA
Mark Epstein, NAHDO
Chuck Meyer, HBO & Co.
Al Zarate,
NCHS
Joe Posic, CDC
Easley Hoy, Bureau of Census
Robert
Borger, Natl. Wholesale Druggists' Assn.
Roberta Dean, (same)
Susan
Mize, MIE
Susan Panny, M.D., MD Dept. Health and Mental Hygiene
George
Folup, M.D., Merck-Medco Managed Care
Kathleen Weis, Dr. P.H., (same)
Scott Melville, Cephalon, Inc.
Denis Melamed, HCPA
Coreen
McCabe, Assn. of Amer. Med. Colleges
Deanna Mool, IL Dept. of Public
Health
Peggy Schnoor, NIH
Carl Graziano, CAP
D. Boswell
Chris Bergoter, AAHP
Michael Weiner, Johns Hopkins Univ.
Krista
Robinson, FDS
Gail Horlick, CDC
Mike Tate, American Dental Assn.
Michael Langan, NORD
Kepa Zubeldia, Envoy
Gary Persinger,
PhRMA
Mary Ellen Bliss, AARP
Sara Froelich, Glaxo Wellcome
Kenneth
Seymens, Stanford University
Helen Mayhew, HCFA
Yolanda Esparza,
JustUs Communications
Lois Schlar, HCFA
Samantha Silva,
Healthcare Leadership Council
JoAnne Sylvester, Amer. College of
Surgeons
Diane Schneidman, (same)
Michael Fitzmaurice, AHCPR
Mary Moien
Elizabeth Andrews, Glaxo Wellcome
Gwen Moulton,
BNA
R. Suzman, NIH
Susan Abernathy, CDC
Jim Walsh, Amer.
Psychiatric Assn.
Rosanna Coffey, Medstat
Peter Cleary,
Americans for Tax Reform
Rosemarie Clive, Amer. College of Surgeons
Brenda Edwards, Ph.D., Natl. Cancer Institute
Marilyn Whitney,
Covington & Burling
Roerta Dean, NWDA
James Hurly,
Georgetown Univ. Law Center
Deborah Tress, CDC
Lois Alexander,
Amer Stat. Assn.
Marcel Salive, FDA
Mary Lercher, CDC
Grace
D., Eli Lilly
Gracie White, NCHS
Gary Friend, IMS America
Jan
Lovorn, ASTM
Sara Radcliffe, SmithKline Beechum
Diane Schneidman
(Note: A full transcript of the meeting is available on the NCVHS web site.)
The purpose of these two days of discussion was to shed light on issues that are critical to privacy legislation but have not received much attention: the identifiability of data, and health and medical registries. Each day, the Subcommittee met with about 10 invited experts for brief presentations and a roundtable discussion.
On day one, the Subcommittee heard about information activities in the federal, state and private sectors, with a focus on various ways of protecting data. Dr. David Korn emphasized the benefits derived from medical research using linked records and the need for a free flow of information for this purpose. The Subcommittee then was briefed by Latanya Sweeney about her research showing that current technology makes it possible to identify many records that were heretofore considered non- identifiable.
The discussion focused on issues raised by the legitimate need for information and the increasing threats to privacy. There were cautions against putting too much burden on IRBs, and talk of the possible need for a new paradigm of oversight. One panelist noted that confidentiality and security policies need to interlock on a sliding scale, so that when there are fewer technical protections there will be more confidentiality restrictions. Mr. Gellman noted that there is no longer a clear distinction between "identifiable" and "non-identifiable" data; rather, the focus should be on how to get data users to refrain from doing what Ms. Sweeney has shown to be possible. It was noted that a reduction in the broad availability of public record data would help.
The presenters in day two described uses of registries with clear social value, primarily for public health and research. They include registries created by statute, by physicians, by federal agencies, by pharmaceutical companies, and by patients and their families. These registries are operated by federal and state bodies, companies, and voluntary organizations. The group was unable to identify principles by which "good" registries could be distinguished from "bad" ones. They responded favorably to the definition put forward by the CDC representative, which Mr. Gellman thought might be augmented with language on purpose and procedure. It was agreed that most exceptions pertain to research and public health, but the group was unable to specify what would characterize legitimate activities that fall outside those categories.
Mr. Gellman explained that in these two days of discussions, the Subcommittee hopes to shed light on two issues that are critical to privacy legislation but have not received much attention. The first day's topic concerns the identifiability of data. The second day's topic is health and medical registries. He thanked the invited guests for coming and staff for organizing the meeting, and asked all present to introduce themselves.
As an introduction to the day's discussion, Mr. Gellman reviewed four bills that address the question of identifiability: S-1368 (Leahy), HR-52 (Condit), HR-1851 (McDermott), and S-1404 (Brownback, Federal Statistical System Act).
Dr. Zarate described some of the ways that NCHS protects its data. Consent is required for the use of identifiable information, so data are only used for the purposes people were initially informed about. The interagency Confidentiality and Data Access Group, a subgroup of the Federal Committee on Statistical Methodology, has formulated a checklist that he called a start toward treating all survey data in the same way. There is also a disclosure review board. At Dr. Harding's request, he said the Subcommittee would be supplied with any products of the interagency group that are in the public domain. Asked about abuses, he said he knows of none, but they could happen unbeknownst to NCHS. The Center is considering a remote access system by which people could use data without seeing it.
Ms. Sweeney observed that the protections that have worked in the past no longer work, because of current technology, the heightened demand for information, and the increased ease of getting and sharing it. Ms. Mulligan noted the wealth of data in private and non-federal government sectors. Dr. Korn argued for specificity in the approach to this issue rather than thinking of information as "a single huge cosmic thing," which only confuses the issue. He asked if the abuses under consideration are hypothetical or known, and the group discussed actual issues now being addressed in Illinois, New York and Mississippi.
Census surveys are done under Title XIII, two sections of which talk about confidentiality. The Census Bureau uses the Disclosure Board mentioned above, which Mr. Hoy chairs. A major priority is keeping public confidence, to ensure continued participation in surveys and censuses. Mr. Hoy described the Disclosure Board operations and the public use files and 5 percent sample called the PALMS file. The Bureau has two research data centers where researchers come and become special sworn employees. No data are permitted to leave the premises. It is developing new constraints for use in the data and dissemination system (DADS) for 2000 data, through which users will be allowed to define the tables. They also are considering whether any traditional data disclosure activities need to be discontinued in view of new capabilities for identifying people.
Mr. Hoy said sparsity of data (small cell sizes) is a particular concern because this makes it easier to identify people. One approach is to swap data for unique records. The Census Bureau also is looking at mean or median cell sizes to address this. He noted that the protective "noise" the Bureau introduces into data makes the data less valid. Dr. Korn observed that techniques such as data swapping reduce the data's usefulness for research.
VHI is a contractor to the State of Virginia. Many protections are imposed by statute, prohibiting the release of any medical data that could be used to identify patients. VHI licenses data, a practice that establishes additional controls. All linkages for public health purposes are done by them, and they produce many customized reports. VHI is organized as a public-private partnership, with a board that is representative of people involved in state information policy. As a private organization, it is not subject to FOIA.
This Commission was established in 1993 to develop information systems on physician charges. The data augment hospital discharge data. The Commission uses an encrypted identifier provided by the payer. (Thus they cannot link records across payers.) A privacy panel they convened offered recommendations on re-releasing information, but as the Commission is still working on quality it has not yet released any data.
Ms. Sweeney pointed out that state databases such as these are more vulnerable than the federal ones described above. One reason is that there are more elements, which makes it easier to identify people. Mr. Steffen said that a review of 20 years of use of Maryland hospital data revealed no known instances of harm.
In response to a question from Mr. Friend, the panelists reviewed the technical approaches they use to protect data. Dr. Zarate said NCHS may test a software called Argus.
Ms. Mulligan cited a Federal Trade Commission report on the Individual Reference Services Group. The FTC had a series of hearings on data collection, focusing on the Internet. She stressed that the increased ability to use and manipulate data is a serious issue.
A former medical researcher, Dr. Korn emphasized the social benefits derived from research using linked and identifiable records. He noted Secretary Shalala's statement that there is no absolute right to individual privacy, adding that the task is to balance privacy with other public benefits. He stressed that the delivery of health care and medical research depend on identifiable records and, even more important, the ability to link records. He illustrated this with descriptions of medical research into the nature of disease that would not have been possible without such linkages. He urged a policy of minimal interference with the free flow of information in the medical system, a system that depends on that free flow. Protections and restrictions should be imposed for other uses, such as law enforcement.
Mr. Gellman cited a useful paper by Dr. Korn for the National Bioethics Advisory Commission, "Contributions of the Human Tissue Archive to the Advancement of Medical Knowledge and the Public Health."
Mr. Friend said IMS, which handles pharmaceutical industry transactions, generally does not need or want to know the individual identities of the 72 billion records it processes a month. It gets full consent for those uses for which identity is needed. He cited four components for preserving privacy: tools of anonymization, aggregation, addressing who can use the data, and specifying the circumstances under which the data can be disclosed. IMS protects itself and the people whose records it processes by avoiding identifiable data. When they do research for people, they use all four means of protection.
Despite these precautions, IMS is now realizing that the data they handle can be misused by others to identify people. The question is how to protect privacy without "seeking the holy grail, which is anonymity" or non-identifiability. Mr. Friend described the technical and procedural measures his company uses to protect privacy, including contracts with employees and customers.
Dr. Steffen noted that the public sector has an important role to play in collecting health care information, given the money that can be made in the private sector by selling data and the extent to which we now simply rely on the honor and ethics of people in that sector.
Ms. Sweeney is a computer scientist. She stressed the impossibility of guaranteeing anonymity, given the capacities of current and emerging technology. The only recourse is to guard against inappropriate linkages, and in this regard technology can provide solutions.
The threats to privacy come from linking data in a given database to information that is publicly available outside that database. In many cases, people may think a record is not identifiable when in fact it is. She has demonstrated this for the Massachusetts legislature by taking the Cambridge voter registration list and using a few other variables to identify people and get access to their hospital records. She noted that 37 states collect extensive hospital discharge data, and 17 also collect ambulatory data. The general problem is that data that are collected for one purpose are then used for another. She added that the problem will be exacerbated by the pressure insurance companies are now putting on hospitals to release data on doctors' notes. States will soon be under similar pressures for more information.
Ms. Sweeney has developed a "scrub system" that reduces but does not eliminate identifiable information on the record. She noted that it is the accretion of details that lead to identification. The Social Security Administration and Census Bureau use a sampling fraction to produce a public use file, but that cannot be used for medical research. She noted that in general, federal-level guidelines are not appropriate at the state level. Her techniques are effective in specific contexts, and no single solution will work in every context. For example, she said encryption is "not the magic pill": it is effective in some contexts, but not in others. Other techniques include generalization and suppression.
Her approach, Data Flier, uses a process called K-anonymity to determine what "quasi-identifiers" could be linked to other data to identify people. She stressed that the thrust of her research is a challenge to policy makers to be specific about protections, looking at which fields are needed and which can be distorted. These protections can prevent linkage to known external databases, and should be bounded by contractual arrangements. She stressed that the focus is "not what data you get, but what form you get it in." These factors -- what can be generalized, what suppressed, and so on -- must be negotiated between the database steward and the prospective user. She suggested that IRBs may need to rethink their ways of making decisions.
She also challenged epidemiologists, noting that while this type of research has social value and deserves exceptions, sometimes epidemiologists get more data than they need. Dr. Wetterhall stressed the importance of context in determining the level of identifiability. Richard Sussman of the NIH Aging Institute suggested more attention to "retributions" for misuse of data, noting that researchers are seldom punished for such offenses.
The afternoon was dedicated to considering how to deal with the situation outlined by the morning's speakers. Mr. Gellman suggested consideration of IRBs, contracts, statutes, stiffer penalties, and where the burden of responsibility should rest. He also noted that the issue of risk needs to be factored into the discussion. The group discussed what might be gained from access to medical records, and by whom.
Dr. Korn reiterated the point that this is a "lumpy" problem, not a homogeneous one, because of the variety among databases and uses of data. Thus, the means of protecting data need to reflect that variety. With respect to medical research, he advocated an emphasis on confidentiality assurance rather than figuring out reasonable identifiability. He also cautioned against putting too much burden on IRBs, which are composed of volunteers who are themselves researchers. A "totally new paradigm of oversight" may be in order.
Ms. Breitenstein noted that confidentiality and security policies need to interlock on a sliding scale, so that when there are fewer technical protections there will be more confidentiality restrictions. This dynamic relationship should be reflected in legislative language. She urged that the burden be shared by those who originally disclose the data and those who use the data. She also called for systemic checks and balances. While agreeing about not overburdening IRBs, she noted the need for "some choke point" that retains accountability. Making IRBs the universal choke point, she asserted, would be a great advance over the current situation, in which "the vast majority of data usage never has any involvement with an IRB."
Ms. Sweeney observed that the point is to have an overall review process of some sort; it needn't be an IRB. She noted that national statistical offices commonly have review panels that serve this function. Dr. Steffen said Maryland regards a review panel as a critical part of data release.
Mr. Gellman shifted the discussion to contracts. Mr. Friend described IMS practices for both employees and customers, and Mr. Hoy and a HCFA representative described the agreements used by their agencies when releasing identifiable data. Ms. Sweeney noted that very few IRBs require any type of contract. However, Dr. Korn stressed that academic institutions take their data protection responsibilities seriously, and many are tightening up their practices. He stressed the need for a single standard establishing the same stringent process of securing data for management research as for medical research.
Dr. Detmer raised the possibility of putting everyone under contract rather than using IRBs for QA work, for example. He noted that as society moves into the information age we must find a way to operationalize the general view of privacy as an intrinsic value. In the policy arena, it will be more practical to focus on security and confidentiality than on absolute privacy. Several participants noted the limitations of contracts: stemming, for example, from the complexity of data sharing, the time-limited nature of contracts, and the need for enforcement and oversight.
Mr. Friend said the solution seems to be to electronically "white out" some data and combine this practice with a legal mechanism that prohibits "reverse engineering" to identify people. Mr. Gellman noted that the foregoing discussion suggests that there is no longer a clear distinction between "identifiable" and "non-identifiable" data; rather, the focus should be on how to get data users to refrain from doing what Ms. Sweeney has shown to be possible. He added that there would still be security measures, but different data would be handled differently.
Dr. Korn urged the Committee and Department to codify a set of standards rather than simply putting the onus on IRBs to work out means of protecting data.
Mr. Gellman noted the problems caused by the broad availability of public record data, particularly at the state level, and asked if reducing this availability for linking would reduce the problem of identifiability. Ms. Sweeney observed that the proliferation of public information can reach a "point of no return" beyond which it is no longer possible to keep personal data private, and reducing the amount of public information would indeed help.
Mr. Gellman said that the questions underlying the day's discussion are what defines a registry and how those operating in the public interest can be distinguished from those that are not. Other questions concern who is entitled to open a registry and collect health data, and under what terms the data should be collected, stored and used. Proposed privacy legislation has made no effort to address these questions, even to the limited extent that questions about identifiable records have been addressed. Some registries were established by statutes which regulate the disclosure of information. An additional question is whether registries need to be regulated any further. Following introductions, he invited the roundtable participants to talk about what they do.
Dr. Edwards referred people to the NCI Web site for more information. She described the Institute's surveillance program, at the center of which is SEER -- Surveillance, Epidemiology and End Result. Cancer registries are built from state- based and regional registries. The SEER program releases aggregate data on CD- ROM public use files, and they want to make the data more available for analysis by more people. They do not collect personal identifiers, but use a study or case I.D. Dr. Edwards said that as they move to finer levels of detail, they have concerns about how much information should go on the public use file. They also are paying attention to who is using the information, and how.
Management of state registry data is within the state purview. They do maintain identified data in order to avoid counting people more than once, as data are collected on each incidence. The SEER program has quality control activities including field studies in which records are audited. Linkages of data across states is negotiated by the states involved.
The SEER data include information on the cancer, the stage, treatment, and ultimately the patient's survival status. There is no consent issue because data reporting is required by statute. The registry has collected cumulative data since the early 1970s. The information is used to track the national cancer burden. NCI also does special studies using sampling.
For a variety of reasons, including cost, not all states are part of the SEER program. (Dr. Wetterhall of CDC explained that CDC supports 45 states, the District of Columbia and three territories in another cancer registry that they hope will encompass all states.) The principal users of the data are health professionals and health researchers. Patient advocates and businesses trying to gauge the market also use the data. Nine of the SEER program's ten contracts are with universities, and the tenth is a department of health. Many have their own IRBs. Cancer registries build on the hospital-based registry. The North American Association of Central Cancer Registries started in the late 1980s.
Dr. Detmer told of an experience as a physician in which he and colleagues used a cancer registry to aid in clinical decision making with a rare case. He noted that registries such as this and one used to evaluate heart valve replacement work have demonstrated the capacity to help clinicians.
Mr. Van Amburg has operated several registries for the State of Michigan, including its cancer registry. He noted that most state registries that are not SEER- supported are passive registries. The active process is much more expensive and gives better results. The Michigan cancer registry collects and retains identifiable data, in order to eliminate duplicate reporting. Registries, he noted, are not useful in the early stages of development; it took Michigan's registry about ten years to show trends. Another State registry is the End-Stage Renal Disease Registry, which was just defunded after 20 years of operation.
The registries are intended for public health surveillance and for health and health services research. They are strict about not using them for anything else, to protect the data. Michigan has four types or levels of access, the highest of which requires review by a "pretty tough" technical scientific advisory committee. All applications are first reviewed by an IRB. For authorized research, patients' names are released if the physician raises no objections.
Mr. Van Amburg called special attention to new problems for confidentiality and privacy caused by geographic information systems and the mapping of data. He noted that large cell size can be a problem, by identifying populations with a shared risk factor or condition.
Ms. Platner, a cancer survivor and a civil rights lawyer, characterized herself as both a research advocate and a privacy advocate. She described the successful effort to prevent passage of a Massachusetts bill that would have required written informed consent at diagnosis as a precondition for sending information to the cancer registry. The issue raised issues about the notion of consent, procedures for patient contact, and particularly the need to educate people about the existence of the cancer registry. New patient contact procedures have been developed which circumvent physicians as gatekeepers. Many advocates are concerned about the lack of educated consumers on IRBs, and there is interest in trying to establish statewide IRBs.
Ms. Clive directs the activities of the cancer department for the College of Surgeons, which supports the Commission on Cancer. A certified tumor registrar herself, she called attention to the existence of "a whole work force of professionals" in this area whose training includes data management and disclosure and confidentiality issues. The National Cancer Registrars Association has an accreditation exam, and registrars must maintain continuing education.
She stressed the pivotal role of facility-based registries in the infrastructure for cancer surveillance, research, clinical decision making and QA. Some 1,500 facilities in the U.S. are accredited by the College of Surgeons. Confidentiality mechanisms are an integral part of the certification process. It is important that communication between registries and physicians and among registries continue.
Dr. Edwards affirmed that cancer registration is "a discipline and a practice" with a body of literature and ongoing professional development.
NORD is a federation of 140 patient advocacy groups for people with rare, usually genetic diseases. A common goal is to promote greater medical research. The organizations are governed by patients, and their databases are mailing lists or membership lists that also could be viewed as a registry of patients and families with certain hereditary diseases. The groups have careful processes for reviewing the frequent requests for these lists. It is NORD policy not to release the names of patients. When research requests (often seeking patients for clinical trials) are deemed valid, the request is passed on to the community and people are invited to contact the investigator. Generally, many people respond to these invitations, out of a desire to further understanding of the diseases.
The organizations in NORD have been very involved in looking at issues of clinical trials, and worked to get an orphan drug act turned into law. They also want patients to be aware of clinical trials, and succeeded in working with NIH on a rare disease clinical disease research database, providing a central place for patients to get that information.
A major concern of people in these organizations is the loss of health insurance or discrimination at work because of knowledge of their genetic mutation. Mr. Langan stressed that people trust NORD and therefore voluntarily add their names to its lists. He noted that some "supposedly" patient organizations sell their mailing lists. He encouraged more data gathering at the national and federal level on rare diseases, because advocacy efforts are difficult without adequate information about the number of people in the country with a given condition.
In regard to privacy and confidentiality, he urged that the focus of this discussion be widened from state and federal agencies to the conduct of the private sector. He noted that there is nothing in the law to prevent employers from getting lists of employees' prescriptions, and he called for national legislation to protect privacy.
MIN is a system for sharing reported data on in-born errors in metabolism. NIH supported the development of the registry and database for its first four years, starting in 1989. It is a resource for research, used primarily by professionals. An advisory board of national and international experts sets policy for who uses the data and how the data are submitted. It is a volunteer register. The Network has three initiatives: a case register for 13 selected metabolic genetic disorders, a physician directory of 200 disorders (representing about 85 percent of the cases seen in clinics), and a listing of more than 100 worldwide genetic metabolic patient registries and databases.
Anyone who submits cases to the Network may make an inquiry of it. Requests for data are forwarded to the physician who submitted the relevant case. MIN releases aggregate statistics from the database. One means of case identification is the 88 percent of state newborn screening programs who have agreed to submit information. Dr. Panny said that MIN was subjected to careful scrutiny as to how privacy would be protected before the state newborn screening directors agreed to submit information. She added that in Maryland, physicians would need informed consent from patients before submitting information to the MIN.
The main purpose of the database is to do annual tracking. This has revealed that in the last two years, patients are being lost due to HMO systems where they are no longer being seen by a metabolic genetic specialist. Ms. Mise said it is difficult to get some HMOs to help the Network and provide information for annual tracking. Dr. Detmer expressed alarm about this HMO data issue and the evidence of a quality of care problem. Ms. Mise and Mr. Langan described research by Dr. Jess Tanney to "quantify and qualify what is happening to patients being lost to HMOs."
In discussion, Ms. Mize agreed that people on the MIN database can be identified. She said the scientific advisors are concerned that access to the database be confined to professionals.
Mr. Gellman observed that the participants represent registries created by statute, by parents or patients, and (in the case of MIN) by physicians. Ms. Mize said the Network grew out of a recommendation by a congressional commission on orphan or rare diseases. To another question, she said that a patient with one of the diseases might be listed in eight or nine different databases in the country. Both she and Mr. Langan said their organizations have not defined their lists as registries, but they may qualify as such. Dr. Wetterhall commented that he regards self-referral by patients and families as a legitimate source of information for registries. Both the NORD and MIN information systems include diagnosis confirmation.
Dr. Panny observed that a registry is simply "a list of identifiable entities collected for a common purpose." With genetic disorders, the area she works on, there is a "constant problem of N" because of the rarity of the disorders. Moreover, information about an individual represents information about the person's blood relations. While confidentiality is important to people in this area, discrimination is of even greater concern. "As long as there is a profit motive, ... we have a problem."
Maryland has several administrative and clinical databases, including a newborn screening database. It uses a broad, simple type of informed consent and has videos to inform people with low literacy. Every baby's medical chart indicates whether or not consent was given, and almost everyone gives consent. Children with rare diseases receive long-term case management and many free services. The State has extensive medical records on the children, on paper and/or microfiche. The databases are used for many things "that our patients heartily support," such as improving services and putting them in touch with researchers doing studies.
Another clinical database contains information on every patient seen in the genetics outreach clinic -- some 8,000 a year. This database keeps track of services provided and is used to refine the delivery system. Maryland's birth defect reporting and information service keeps track of 12 birth defects specified by WHO. It is a passive reporting system. Maryland's Advisory Committee on Heredity and Congenital Disorders is the oldest in the country.
Dr. Panny said she links the databases to improve ascertainment and case finding. She also participates in various types of collaborative research, including research using extra coded blood spots. Summary aggregate data are published in the medical literature. They do not provide public use tapes. However, under certain circumstances and with IRB approval, they do release patient information and patient samples to researchers.
Dr. Andrews chairs the epidemiology program for her company. It does observational research to identify unmet medical need and conducts structured studies looking at drug safety and outcomes. Several activities involve registries, one of which is for spontaneous adverse experience reporting. Dr. Andrews noted that the FDA encourages the establishment of these registries.
She described in some detail the registry work involved in looking at the safety of medicines used during pregnancy. For this purpose, they have prospective exposure registries that follow pregnancies. Physicians who call to ask about a pregnant patient and a given medication are asked for permission to follow that patient to determine results. The information is analyzed in collaboration with an advisory group which oversees each of the registries and establishes the confidentiality protections. The data are summarized in reports and aggregate data are presented without identifiers. Company staff sign confidentiality agreements.
Dr. Roht said his company operates in much the same way as Glaxo-Wellcome. He noted that many clinical questions (e.g., drug interactions, long-term use, effect on pregnancy) cannot be answered until after a drug is released, so registries are essential. Pharmaceutical companies' attention to confidentiality comes not only from ethical policies and good business practices but from the fact that this is "a very, very highly regulated industry." One source of concern is the rapid proliferation of databases which makes it more difficult to get information. Noting that many pharmaceutical companies are global, he described the extensive efforts in Europe to develop data privacy regulations, and the worldwide effort at harmonization. His company presents its registry information in scientific journals and professional meetings. It does reveal the information to marketing groups.
Dr. Salive is Chief of the Epidemiology Branch of FDA's Center for Biologics, working on post-approval evaluation of drug safety. He described FDA's post-approval adverse event surveillance system, MedWatch, which covers "virtually all the products regulated by FDA" except vaccines, which are covered by the Vaccine Adverse Event Reporting System (VAERS). The latter, a joint project with CDC's national immunization program, is an exposure registry rather than an outcome registry. It was established by legislation, while MedWatch evolved out of FDA's public health responsibility. VAERS has stringent privacy provisions and has patient identifiers because of the need for rapid follow-up. (This applies to other FDA registries as well.) The negotiated data elements for adverse reporting globally are published in the January 15, 1998 Federal Register. Both VAERS and Med Watch data are publicly available under FOIA.
Other FDA registries include pregnancy registries for vaccines and implantable devices registries. FDA regulates blood banks and blood components, and is now considering a xenotransplant registry.
Mr. Gellman noted that in the pharmaceutical area, another kind of registry, and one whose use is not regulated, grows out of calls to companies' 800 numbers. Both Dr. Andrews and Dr. Roht said their companies keep their marketing and research arenas separate.
Mr. Langan called attention to another activity of pharmaceutical companies, related to indigent care or patient assistance for people unable to pay for medications. An 800 number is used for this purpose, to which consumers voluntarily submit information on themselves. This can be done in the public interest, and NORD administers 10 medical assistance programs on behalf of pharmaceutical companies, with standards that dictate that the information will not be used for any other purpose or by any other source. He expressed concern about the contrasting situation in which firms exist solely for this purpose and the fate of the information provided by consumers is uncertain. Mr. Gellman observed that this illustrates the difficulty of drawing clear lines between worthwhile and inappropriate activities.
Dr. Wetterhall presented a broad view of how registries fit into the CDC mission of identifying problems, identifying causes, developing interventions, and implementing programs. Health information systems underpin all of those activities, and CDC supports many of them, following the principle of form following function. He asserted that a registry can be defined (see below), with distinguishing characteristics that include a focus on a particular disease or condition, an ongoing process, and a follow- up component. There is often an ascertainment component, as well.
CDC supports registry efforts on immunization, cancer, birth defects, and environmental exposure. Their operation and maintenance is generally a local function, which is where responsibility for public health protection resides. The federal role is financial support, technical assistance, and model legislation to promote standardization across states.
He then described immunization registries, which were created to remedy the fact that despite the effectiveness of vaccines, children were not being vaccinated because of a lack of information. The registry is still in the formative stage; the goal is to enable physicians all over the country to dial into a database and determine the immunization status of their patients. Current issues include consent (approached differently by different states), disclosure, and how to include people. A major barrier is getting the private sector to submit records.
This registry has an emphasis on immediate treatment and thus a short cycle, and it needs nearly universal participation to be effective. A particular challenge is finding a mechanism for having information shared across state lines in real time.
Dr. Detmer commented on the gap between what is actually done in health care and what could be done. He asserted that achieving excellent care involves a greater commitment to using information, with attendant privacy protections and public education. He noted the potential for using registries as a tool of quality assurance.
Mr. Gellman observed that past expectations that a database will help solve a given problem have not been borne out in cases such as welfare (using social security numbers), skipped fathers, and federal debt collection. The question remains whether a given database will yield the desired results. Dr. Wetterhall agreed, noting that the examples of failed "solutions" in public health are legion. He teaches his students the tenet of "how little information can you get away with?" Mr. Berry observed that the lack of a commitment to data quality is another problem.
Dr. Schwartz characterized the issue as a fear that knowledge about what works will not be translated into practice. In this vein, Dr. Panny described her approach to using her data, which starts with understanding how good the data are and the limits of their uses. She knows it is possible to get a lot done without data that are "100 percent academically perfect," while some people are paralyzed by the lack of perfection in their data. There is a dynamic tension between getting enough information and getting the perfect information. Dr. Detmer hailed this approach to data as a means to ends, and said he'd like to see more action and not just measurement.
Mr. Langan commented that the day's presenters have all described worthwhile uses of information, and the Subcommittee has not heard about "the bad players" -- those who use information in a way that hurts people.
Ms. Sweeney offered the following observations about the day's presentations:
Overall, Ms. Sweeney stressed the need to be aware of both the good and bad potential outcomes from the use of technology, rather than being blinded either by privacy issues or the promise of technology.
In an effort to move the discussion toward common principles, Mr. Gellman observed that proposed bills would affect existing registries in different and fairly arbitrary ways. He pressed them to identify meaningful distinctions that could be used to preserve good registries and keep out the bad ones. He invited comments on a few of the eight principles of fair information practices. The first is openness, which Dr. Panny said was fine as long broad information about what would happen to the information would suffice.
Mr. Gellman noted that all of the fair information practices are the law in Europe. He asked about people's experience with overseas affiliates, and some participants described the greater caution of European practices. It was noted that most European countries have the benefit of state-financed health care, resulting in centralized data and citizen confidence that they can divulge information about themselves without the risk of losing health insurance. Mr. Langan said patient groups in Europe are only now coming together, and they have rich data to share because of people's willingness to provide it.
Asked about the second principle, individual right of access to records, participants said they were comfortable with the broad principle but concerned about how it would be implemented. Randomized, double-blind clinical trials were noted as one issue. The third principle is collection limitation, and the fourth is data quality. Dr. Harding stressed that data sources should be given incentives to increase data accuracy and quality, rather than being driven by the threat of punishment, which could just result in garbage. Mr. Langan noted that notions of data quality vary with the context, citing Dr. Panny's views about "good enough" data.
Dr. Detmer asked what various states are doing with respect to registries. Ms. Platner described "an agonizing struggle" in Massachusetts to match different privacy levels to different needs. Gail Horlick of the National Immunization Program described her survey of all 50 states in regard to their immunization registry legislation, noting the tremendous variability.
Returning to the overarching question, Mr. Gellman proposed the idea of a description of registries that is combined with procedures for research, requiring either consent or IRB approval. The participants commented that some uses of registry data are for public health and some are for research, both of which would need exceptions. The group briefly discussed the notion of newspaper research as legitimate research.
Dr. Andrews asserted that there are activities other than public health and research, and she also expressed concern about swamping the IRB mechanism. Mr. Gellman again asked the group how to characterize the activities that are neither public health nor health research. At his request, Dr. Wetterhall shared CDC's definition of a registry: "an organized system for the collection, storage, retrieval, analysis, and dissemination of information on individuals who have either a particular disease, a condition that predisposes the occurrence of a health-related event, or prior exposure to substances or circumstances known or suspected to cause adverse health effects."
Mr. Gellman said this goes part way toward the needed definition, but it may need some language on purpose and procedure. In conclusion, he observed that as with the previous day's topic, the group had not reached conclusions but had learned more about the issues involved. He urged the people who deal with registries to spend time thinking about the issues raised in this discussion. He then adjourned the meeting.
I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.
/s/
Kathleen A. Frawley 10/3/98
_______________________________________________________
Chair Date