Almost every paper or book on research ethics includes a cautionary reference to atrocities committed in the name of science or abuses resulting from a researcher’s crass objectification of research subjects.
RESEARCH ETHICS
Almost
every paper or book on research ethics includes a cautionary reference to
atrocities committed in the name of science or abuses resulting from a
researcher’s crass objectification of research subjects. Lurking in the
background of the calls for more laws protecting human subjects are memories of
the abuses at Auschwitz and in the Tuskegee and Willowbrook studies.
Contemporary research ethics is grounded in the desire to protect the individual
from unknown and at some level unknowable risks. Both the Declaration of
Helsinki38 and the ‘Common Rule’39 (which forms the basis
for laws protecting human subjects in the United States) reflect a
philosophical framework that prioritizes individual autonomy, well-being and
just distribution of burdens and benefits in the conduct of research, as well
as the subject’s beneficence and contribution to benefit others.
Under
the Common Rule, there are two different types of protection for research
participants:
·
review of specific research protocols by an Institutional
Review Board (IRB) to identify the risks to participants presented by the
specific research protocol and
·
consent of each research participant which is informed by
disclosure of the risks and benefits of the research.
The
two protections become co-mingled because US regulations assign the IRB two
different tasks. In addi-tion to identifying and weighing the risks presented
by the protocol and deciding whether it can go forward or needs modification, the
IRB also reviews the forms and documents used to inform the subject and to
obtain consent, and under certain
limited circum-stances, is authorized to waive the consent require-ment with
respect to a given research protocol. All things considered, this approach has
been quite effec-tive in protecting human participants from risk in research
that involves intervention or manipulation of health care, such as clinical
trials and other experi-mentation.
As
clinical interventions become more complex and involve newer scientific
approaches, it is increasingly clear that competent and independent IRB
analysis and review are indispensable for identifying and eval-uating the
desirability of subjecting individuals to the known and unknown risks of a
researcher’s proposed protocol.
With
respect to research using medical archives, however, the research risks are
essentially the same in every study: all of the risks stem from the privacy
interests of a data subject and the potential damage from potential non-research misuses of personal
infor-mation in our society. The risk to the data subject from the research,
therefore, is a direct function of the arrangements for data security and the
potential for breaches of the security arrangements or dishonest behaviour by a
researcher in using or disclosing information for non-research purposes.
Assuming that the researcher is obliged to use information only for research
and to maintain adequate security to protect it from further disclosure or
unauthorized use, none of the privacy risks stems from any specific research
protocol itself. Rather, to the extent that different data analyses appear to
involve more or less risk, the differences can be traced to social values and
attitudes towards the subject matter
of the investigation.
For
example most people would say that research relating to HIV or genetics
involves greater privacy risk than research on the common cold. This perceived
difference in the risk of the research
is an illu-sion. Assume that a single database, maintained under tight security
arrangements, is made available to two different researchers under
confidentiality agreements that bind the two investigators to the same
obligations regarding use and protection of the data. One is study-ing HIV
infection, and the other is studying staphy-lococcus infection. The privacy
risks in both cases are the same; they stem from the adequacy of data security
arrangements and the obligations imposed on the investigators. The appearance
of differential risk stems from the current cultural perceptions of HIV and
that people or institutions – other than the researcher – might misuse the
information to embarrass or harm the data subject if they were to gain access to the information. Similarly, test
results from the various breast cancer genes only appear to be more sensi-tive
than information about a family history of breast cancer. In fact, both could
be misused in precisely the same way if
they were to fall into the wrong hands. The fact that there are persons in our
society who, if unchecked, might discriminate against indi-viduals in violation
of the law, or misuse information to disadvantage or harm a data subject, does
not vary based on the subject matter of the research. Rather, the perceived
differences among data projects reflect differences in the potential for
social, psychological or financial damage
to the data subject in our soci-ety, assuming that there is a negligent or
intentional failure of data security arrangements.
Unlike
the approach IRBs take in interventional research involving physical
manipulation or interven-tion in the subject’s care, nothing in the research
design in a data-analysis project can control, eliminate or mitigate these
societal risks. In a data study, one cannot modify the dosing, the subject
selection crite-ria or the laboratory tests used to monitor the effect of the
research manipulation on the individual. The events to be examined in the
research have already occurred. The epidemiologic or outcomes researcher is an
active observer of natural processes that have been recorded in the history of
an individual’s health care and health benefit interactions. An epidemio-logic
study, by definition, seldom can be shown to have a potential benefit to the individuals
who are the data subjects. Rather, because the observed events and
interventions have already occurred in the natu-ral course of events, the
benefit of the research is to the
public health in general or to succeeding genera-tions that may benefit from
innovations that may be developed. Accordingly, when, as is required by the
Common Rule, the Review Board attempts to deter-mine whether the ‘[r]isks to
subjects are reasonable in relation to anticipated benefits, if any, to
subjects, and the importance of the knowledge that may reason-ably be expected
to result from the research’, the Review Board is not being asked to weigh the
risks the protocol poses to an individual in relation to the importance of the
knowledge to be gained. Rather, the Review Board is being asked to consider the
poten-tial sociopsychological damage to an individual in our society based on
the fact that he or she evidences the character under investigation, assuming that there is a breach of data security that results in a disclosure of data
outside the research context where the data are used for an impermissible
purpose.
As
a result, the ‘weighing’ question posed to the Review Board with respect to
archival research misses the mark entirely. It largely becomes a philosophical
question about the importance of the knowledge that might be gained in
comparison with the IRB’s beliefs about how badly US society discriminates or
misuses the particular characteristics that are under study. By comparison, for
interventional research, the Review Board evaluates the risk of the research
protocol and proposes modifications to minimize the risk posed by the research.
The Board evaluates the research risk
in relation to benefits to the participant and the impor-tance of the potential
knowledge. The risk equation does not
include consideration of the possibility that a negligent or intentional action
that is not a part of the research
protocol – for example an auto accident on the way to the clinical trial site –
could result in the death or serious bodily harm of a participant.
The
critical problem is that as formulated, the Common Rule’s risk equation – when
applied in review of a data-only project – is almost certain to devolve into a
referendum on the value of the researcher’s hypothesis. In fact, the vast
majority of IRBs appear to avoid such tangled debates by estab-lishing
procedures under which most data-only studies fall into the category posing
‘minimal risk’ to data subjects. The categories of studies eligible for
expe-dited review under the Common Rule are specified in a guidance document
promulgated by the Office for Human Research Protections.43 Under
this guidance, where there is a risk of discrimination based on disclo-sure of
the subject’s responses or data, the research is not eligible for expedited review unless ‘reasonable and
appropriate protections will be implemented’.44
The
Department’s introduction of ‘reasonable and appropriate protections’ in
evaluating the risks inher-ent in data-only studies hints at the underlying
issue that, in our view, should be of
concern in any Board Review of a data study: does the study design
appro-priately limit use and disclosure of personal iden-tifying information?
And, does the researcher have adequate arrangements for data security? However,
as currently formulated, this decision is made only in considering whether or
not to have a full Board review of a
study. The review itself is still premised on a risk-value enquiry that does
not address the real questions about the risk posed by the research, i.e. the
risk that identifying data might be used or disclosed for non-research
purposes.
The
concept of consent is critical in interventional research because the physical
risks and rigors of the research will directly affect the individual and his or
her health and well-being. The informed consent process helps to minimize the
potential for coercion and for ensuring that the individual maintains control
over what is done to him or her in the research proto-col. In effect, it is a
recognition of the value our society places on an individual’s physical
integrity and autonomy. A properly informed individual may decide to accept
fairly significant risks. However, only in rare circumstances where the risk is
judged to be minimal would our values and our current laws permit a researcher
or Board to decide to subject others to physical risks without their knowledge;
never would we expect an IRB to permit experimentation on human beings against
their will.
In
the context of archival research, where the researcher will access only
information in existing records, the role of informed consent is conceptu-ally
different from consent to physical participation. As discussed above, assuming
adequate data secu-rity arrangements and protection of direct identi-fiers, the
research itself does not pose a risk to the data subject. Epidemiologic and
outcomes research is concerned not with a specific individual but with
populations.
At
best, therefore, any ‘informed consent’ discus-sion with individual data
subjects is little more than an explanation of the researcher’s hypotheses and
research interests and his or her promises and arrange-ments regarding the
safeguarding of data. Because epidemiologic researchers are concerned with
popu-lations and not individuals, both of these discussions could be addressed
in a more general manner, such as a researcher’s data practices, and more
effective communication to the public regarding research topics and how data archives
are used in investigating them. A discussion between a researcher and an
individ-ual data subject may elicit sympathy or the ‘benefi-cence’ of the data
subject and a motivation to permit the records to be used. However, to the
extent that the data subject dislikes the topic or the philosophi-cal
underpinnings of the research question, consent is little more than an
invitation for the data subject to exert control over the researcher’s inquiry
by deny-ing access to data.46 If this very natural exercise of power
can be expected to occur fairly systematically (e.g. those who favour the
researcher’s point of view or value the subject matter consent to use of their
records and those who do not, decline to consent), then the records sample
available for analysis of any kind is systematically biased and may not meet
the criteria to be considered a valid sample for conducting the research.
Suppose
that the discussion of the research topic is more neutral to minimize adverse
selection and the informed consent documents seek merely to inform the
individual of the risks. As discussed above, the risks to the individual from
data-only studies are from the potential misuses of information by non-researchers who obtain it through
illegal or negligent activities. As such, the risk statement is a statement
about the society in which we live and not about the research, per se. In fact, a full statement of the
‘risks’ might very well detail the various possible illegal acts that could
cause damage to the individual’s reputation, employment, insurability and so
on. But these are not research risks. The individual has little or no way of
estimating or evaluating the probability of these occurrences. Arguably, this
is what the Review Board should have done in evaluating the researcher’s data
security arrangements. The prudent individual, when confronted with a catalogue
of abuses that might occur if the
information found its way outside the research lab, would be hard pressed to
find a reason why he or she should
authorize the information to go to the laboratory in the first place.
As
a practical matter, in institutions where data-only studies are subject to the
Common Rule, it is widely understood that the rule ‘works’ only because these
studies typically are considered to be eligible for expe-dited review, and the
IRB’s reviewer decides to waive the requirement for obtaining the consent of
data subjects. Any additional requirement that threatens to disrupt this
accommodation, either by requiring the Board to debate and review the relative
merits of the research question and society’s potential for discrim-ination and
privacy invasion, can do little more than increase the probability that the
existing regulatory scheme may threaten the viability of valid epidemio-logic
and outcomes research.
Since
the promulgation of the HIPAA medical privacy regulations, a very troubling
phenomenon has started occurring at several clinical research sites in the
United States. In part because of a fusion and confu-sion of the HIPAA
authorization requirements and the Common Rule’s informed consent requirements,
some IRB administrators and/or privacy officers advising IRBs at clinical
research sites are prohibiting the inclusion of provisions in the informed
consent that govern future use of the research data created in a clinical
trial.
Under
the Common Rule, the consent signed by the individual is the vehicle for
informing the indi-vidual of the potential physical and personal risks of the
research as well as of the potential uses and disclosures of the data. It is
important to note that in a research institution acting in accord with best
research practices, the data are not the same as the clinical record of care
rendered to the clinical trial participant. With respect to the research site,
the data are extracted from the more comprehensive record of care at the site
and are disclosed to the researcher and/or research sponsor. Typically, direct
personal identifiers and contact information are not furnished to the
researcher/sponsor, although best clinical prac-tices necessitate some sort of
code number or other arrangement under which the specific research partic-ipant
can be linked to the data, such as for follow-up on adverse findings or other
matters of concern to the individual and/or to the integrity of the research,
and of course, medical device serial numbers must be included in data reports.
The informed consent traditionally has provided both for the disclosure by the
research site to the researcher/sponsor and the purposes or uses of the data by
the researcher/sponsor, including any limitations on future use or publication
of the data.
Where
an IRB chooses to prohibit or limit the researcher’s ability to obtain informed
consent to future research use of the data created from an indi-vidual’s
participation in the clinical trial, we think this is in part due to two
problematic developments. First, there is great confusion surrounding a new
prohibi-tion under the HIPAA medical privacy regulation.47 HIPAA
prohibits providers (and health plans) from obtaining blanket authorizations to
research use of medical records or the conditioning of treatment or health
benefits on the signing of such authorizations. This formerly occurred with
some regularity as part of the consent to admission for treatment in some
medical facilities. Second, we think that this is further evidence of the same
troubling phenomenon we have seen with respect to the criteria for waiver of
consent for epidemiologic and outcomes research using medi-cal archives. In
effect, there is an increasing tendency of some IRBs to substitute an in loco parentis deci-sion by the IRB
regarding the ‘societal risk/value’ of the researcher’s use of the data for the
individual’s role in giving consent to use of the data from the clinical trial.
Although
this result is not required by law, no law prohibits it either. The IRB has
broad discretion under the Common Rule to determine what is to be included in
the informed consent protocol. However, over time, this type of decision by
IRBs could significantly increase the cost of research in the United States, as
it could preclude the otherwise secure and confidential use of the research
database by the researcher for purposes of formulating future hypotheses,
looking back for evidence of unexpected adverse events, looking for new
correlates or patterns in the data that were not part of the initial research
protocol and other valid epidemiologic and outcomes hypotheses. Given the cost
of obtaining clinical trial data, such a practice, over time, would likely make
facilities whose IRBs elect to impose such limitations on the use of research
data undesirable, unaffordable sites for clinical trials.
Ironically,
some of the privacy officers advising IRBs have urged them to instead inform
researchers that they should rely on one of the mandatory asser-tions in the
HIPAA authorization for research – that information disclosed under a HIPAA
authorization may be redisclosed by the recipient and that it is not subject to
the protections of the HIPAA rule. This is not a solution at all for
researcher, who wishes to review a clinical database for evidence of untoward
effects or anomalies that may have been undetected in the original analysis.
Related Topics
TH 2019 - 2025 pharmacy180.com; Developed by Therithal info.