Research Ethics

RESEARCH ETHICS

ROOTS IN INTERVENTION AND MANIPULATION

Almost every paper or book on research ethics includes a cautionary reference to atrocities committed in the name of science or abuses resulting from a researcher’s crass objectification of research subjects. Lurking in the background of the calls for more laws protecting human subjects are memories of the abuses at Auschwitz and in the Tuskegee and Willowbrook studies. Contemporary research ethics is grounded in the desire to protect the individual from unknown and at some level unknowable risks. Both the Declaration of Helsinki³⁸ and the ‘Common Rule’³⁹ (which forms the basis for laws protecting human subjects in the United States) reflect a philosophical framework that prioritizes individual autonomy, well-being and just distribution of burdens and benefits in the conduct of research, as well as the subject’s beneficence and contribution to benefit others.

Under the Common Rule, there are two different types of protection for research participants:

·    review of specific research protocols by an Institutional Review Board (IRB) to identify the risks to participants presented by the specific research protocol and

·    consent of each research participant which is informed by disclosure of the risks and benefits of the research.

The two protections become co-mingled because US regulations assign the IRB two different tasks. In addi-tion to identifying and weighing the risks presented by the protocol and deciding whether it can go forward or needs modification, the IRB also reviews the forms and documents used to inform the subject and to obtain consent, and under certain limited circum-stances, is authorized to waive the consent require-ment with respect to a given research protocol. All things considered, this approach has been quite effec-tive in protecting human participants from risk in research that involves intervention or manipulation of health care, such as clinical trials and other experi-mentation.

REVIEW OF RESEARCH RISK VERSUS NON-RESEARCH RISK

As clinical interventions become more complex and involve newer scientific approaches, it is increasingly clear that competent and independent IRB analysis and review are indispensable for identifying and eval-uating the desirability of subjecting individuals to the known and unknown risks of a researcher’s proposed protocol.

With respect to research using medical archives, however, the research risks are essentially the same in every study: all of the risks stem from the privacy interests of a data subject and the potential damage from potential non-research misuses of personal infor-mation in our society. The risk to the data subject from the research, therefore, is a direct function of the arrangements for data security and the potential for breaches of the security arrangements or dishonest behaviour by a researcher in using or disclosing information for non-research purposes. Assuming that the researcher is obliged to use information only for research and to maintain adequate security to protect it from further disclosure or unauthorized use, none of the privacy risks stems from any specific research protocol itself. Rather, to the extent that different data analyses appear to involve more or less risk, the differences can be traced to social values and attitudes towards the subject matter of the investigation.

For example most people would say that research relating to HIV or genetics involves greater privacy risk than research on the common cold. This perceived difference in the risk of the research is an illu-sion. Assume that a single database, maintained under tight security arrangements, is made available to two different researchers under confidentiality agreements that bind the two investigators to the same obligations regarding use and protection of the data. One is study-ing HIV infection, and the other is studying staphy-lococcus infection. The privacy risks in both cases are the same; they stem from the adequacy of data security arrangements and the obligations imposed on the investigators. The appearance of differential risk stems from the current cultural perceptions of HIV and that people or institutions – other than the researcher – might misuse the information to embarrass or harm the data subject if they were to gain access to the information. Similarly, test results from the various breast cancer genes only appear to be more sensi-tive than information about a family history of breast cancer. In fact, both could be misused in precisely the same way if they were to fall into the wrong hands. The fact that there are persons in our society who, if unchecked, might discriminate against indi-viduals in violation of the law, or misuse information to disadvantage or harm a data subject, does not vary based on the subject matter of the research. Rather, the perceived differences among data projects reflect differences in the potential for social, psychological or financial damage to the data subject in our soci-ety, assuming that there is a negligent or intentional failure of data security arrangements.

Unlike the approach IRBs take in interventional research involving physical manipulation or interven-tion in the subject’s care, nothing in the research design in a data-analysis project can control, eliminate or mitigate these societal risks. In a data study, one cannot modify the dosing, the subject selection crite-ria or the laboratory tests used to monitor the effect of the research manipulation on the individual. The events to be examined in the research have already occurred. The epidemiologic or outcomes researcher is an active observer of natural processes that have been recorded in the history of an individual’s health care and health benefit interactions. An epidemio-logic study, by definition, seldom can be shown to have a potential benefit to the individuals who are the data subjects. Rather, because the observed events and interventions have already occurred in the natu-ral course of events, the benefit of the research is to the public health in general or to succeeding genera-tions that may benefit from innovations that may be developed. Accordingly, when, as is required by the Common Rule, the Review Board attempts to deter-mine whether the ‘[r]isks to subjects are reasonable in relation to anticipated benefits, if any, to subjects, and the importance of the knowledge that may reason-ably be expected to result from the research’, the Review Board is not being asked to weigh the risks the protocol poses to an individual in relation to the importance of the knowledge to be gained. Rather, the Review Board is being asked to consider the poten-tial sociopsychological damage to an individual in our society based on the fact that he or she evidences the character under investigation, assuming that there is a breach of data security that results in a disclosure of data outside the research context where the data are used for an impermissible purpose.

As a result, the ‘weighing’ question posed to the Review Board with respect to archival research misses the mark entirely. It largely becomes a philosophical question about the importance of the knowledge that might be gained in comparison with the IRB’s beliefs about how badly US society discriminates or misuses the particular characteristics that are under study. By comparison, for interventional research, the Review Board evaluates the risk of the research protocol and proposes modifications to minimize the risk posed by the research. The Board evaluates the research risk in relation to benefits to the participant and the impor-tance of the potential knowledge. The risk equation does not include consideration of the possibility that a negligent or intentional action that is not a part of the research protocol – for example an auto accident on the way to the clinical trial site – could result in the death or serious bodily harm of a participant.

The critical problem is that as formulated, the Common Rule’s risk equation – when applied in review of a data-only project – is almost certain to devolve into a referendum on the value of the researcher’s hypothesis. In fact, the vast majority of IRBs appear to avoid such tangled debates by estab-lishing procedures under which most data-only studies fall into the category posing ‘minimal risk’ to data subjects. The categories of studies eligible for expe-dited review under the Common Rule are specified in a guidance document promulgated by the Office for Human Research Protections.⁴³ Under this guidance, where there is a risk of discrimination based on disclo-sure of the subject’s responses or data, the research is not eligible for expedited review unless ‘reasonable and appropriate protections will be implemented’.⁴⁴

The Department’s introduction of ‘reasonable and appropriate protections’ in evaluating the risks inher-ent in data-only studies hints at the underlying issue that, in our view, should be of concern in any Board Review of a data study: does the study design appro-priately limit use and disclosure of personal iden-tifying information? And, does the researcher have adequate arrangements for data security? However, as currently formulated, this decision is made only in considering whether or not to have a full Board review of a study. The review itself is still premised on a risk-value enquiry that does not address the real questions about the risk posed by the research, i.e. the risk that identifying data might be used or disclosed for non-research purposes.

INFORMED CONSENT AND CONTROL

The concept of consent is critical in interventional research because the physical risks and rigors of the research will directly affect the individual and his or her health and well-being. The informed consent process helps to minimize the potential for coercion and for ensuring that the individual maintains control over what is done to him or her in the research proto-col. In effect, it is a recognition of the value our society places on an individual’s physical integrity and autonomy. A properly informed individual may decide to accept fairly significant risks. However, only in rare circumstances where the risk is judged to be minimal would our values and our current laws permit a researcher or Board to decide to subject others to physical risks without their knowledge; never would we expect an IRB to permit experimentation on human beings against their will.

ANOMALY: Consent in Archival Research

In the context of archival research, where the researcher will access only information in existing records, the role of informed consent is conceptu-ally different from consent to physical participation. As discussed above, assuming adequate data secu-rity arrangements and protection of direct identi-fiers, the research itself does not pose a risk to the data subject. Epidemiologic and outcomes research is concerned not with a specific individual but with populations.

At best, therefore, any ‘informed consent’ discus-sion with individual data subjects is little more than an explanation of the researcher’s hypotheses and research interests and his or her promises and arrange-ments regarding the safeguarding of data. Because epidemiologic researchers are concerned with popu-lations and not individuals, both of these discussions could be addressed in a more general manner, such as a researcher’s data practices, and more effective communication to the public regarding research topics and how data archives are used in investigating them. A discussion between a researcher and an individ-ual data subject may elicit sympathy or the ‘benefi-cence’ of the data subject and a motivation to permit the records to be used. However, to the extent that the data subject dislikes the topic or the philosophi-cal underpinnings of the research question, consent is little more than an invitation for the data subject to exert control over the researcher’s inquiry by deny-ing access to data.⁴⁶ If this very natural exercise of power can be expected to occur fairly systematically (e.g. those who favour the researcher’s point of view or value the subject matter consent to use of their records and those who do not, decline to consent), then the records sample available for analysis of any kind is systematically biased and may not meet the criteria to be considered a valid sample for conducting the research.

Suppose that the discussion of the research topic is more neutral to minimize adverse selection and the informed consent documents seek merely to inform the individual of the risks. As discussed above, the risks to the individual from data-only studies are from the potential misuses of information by non-researchers who obtain it through illegal or negligent activities. As such, the risk statement is a statement about the society in which we live and not about the research, per se. In fact, a full statement of the ‘risks’ might very well detail the various possible illegal acts that could cause damage to the individual’s reputation, employment, insurability and so on. But these are not research risks. The individual has little or no way of estimating or evaluating the probability of these occurrences. Arguably, this is what the Review Board should have done in evaluating the researcher’s data security arrangements. The prudent individual, when confronted with a catalogue of abuses that might occur if the information found its way outside the research lab, would be hard pressed to find a reason why he or she should authorize the information to go to the laboratory in the first place.

As a practical matter, in institutions where data-only studies are subject to the Common Rule, it is widely understood that the rule ‘works’ only because these studies typically are considered to be eligible for expe-dited review, and the IRB’s reviewer decides to waive the requirement for obtaining the consent of data subjects. Any additional requirement that threatens to disrupt this accommodation, either by requiring the Board to debate and review the relative merits of the research question and society’s potential for discrim-ination and privacy invasion, can do little more than increase the probability that the existing regulatory scheme may threaten the viability of valid epidemio-logic and outcomes research.

ANOMALY: Consent to Future Use of Research Data

Since the promulgation of the HIPAA medical privacy regulations, a very troubling phenomenon has started occurring at several clinical research sites in the United States. In part because of a fusion and confu-sion of the HIPAA authorization requirements and the Common Rule’s informed consent requirements, some IRB administrators and/or privacy officers advising IRBs at clinical research sites are prohibiting the inclusion of provisions in the informed consent that govern future use of the research data created in a clinical trial.

Under the Common Rule, the consent signed by the individual is the vehicle for informing the indi-vidual of the potential physical and personal risks of the research as well as of the potential uses and disclosures of the data. It is important to note that in a research institution acting in accord with best research practices, the data are not the same as the clinical record of care rendered to the clinical trial participant. With respect to the research site, the data are extracted from the more comprehensive record of care at the site and are disclosed to the researcher and/or research sponsor. Typically, direct personal identifiers and contact information are not furnished to the researcher/sponsor, although best clinical prac-tices necessitate some sort of code number or other arrangement under which the specific research partic-ipant can be linked to the data, such as for follow-up on adverse findings or other matters of concern to the individual and/or to the integrity of the research, and of course, medical device serial numbers must be included in data reports. The informed consent traditionally has provided both for the disclosure by the research site to the researcher/sponsor and the purposes or uses of the data by the researcher/sponsor, including any limitations on future use or publication of the data.

Where an IRB chooses to prohibit or limit the researcher’s ability to obtain informed consent to future research use of the data created from an indi-vidual’s participation in the clinical trial, we think this is in part due to two problematic developments. First, there is great confusion surrounding a new prohibi-tion under the HIPAA medical privacy regulation.⁴⁷ HIPAA prohibits providers (and health plans) from obtaining blanket authorizations to research use of medical records or the conditioning of treatment or health benefits on the signing of such authorizations. This formerly occurred with some regularity as part of the consent to admission for treatment in some medical facilities. Second, we think that this is further evidence of the same troubling phenomenon we have seen with respect to the criteria for waiver of consent for epidemiologic and outcomes research using medi-cal archives. In effect, there is an increasing tendency of some IRBs to substitute an in loco parentis deci-sion by the IRB regarding the ‘societal risk/value’ of the researcher’s use of the data for the individual’s role in giving consent to use of the data from the clinical trial.

Although this result is not required by law, no law prohibits it either. The IRB has broad discretion under the Common Rule to determine what is to be included in the informed consent protocol. However, over time, this type of decision by IRBs could significantly increase the cost of research in the United States, as it could preclude the otherwise secure and confidential use of the research database by the researcher for purposes of formulating future hypotheses, looking back for evidence of unexpected adverse events, looking for new correlates or patterns in the data that were not part of the initial research protocol and other valid epidemiologic and outcomes hypotheses. Given the cost of obtaining clinical trial data, such a practice, over time, would likely make facilities whose IRBs elect to impose such limitations on the use of research data undesirable, unaffordable sites for clinical trials.

Ironically, some of the privacy officers advising IRBs have urged them to instead inform researchers that they should rely on one of the mandatory asser-tions in the HIPAA authorization for research – that information disclosed under a HIPAA authorization may be redisclosed by the recipient and that it is not subject to the protections of the HIPAA rule. This is not a solution at all for researcher, who wishes to review a clinical database for evidence of untoward effects or anomalies that may have been undetected in the original analysis.