Research using electronic health records: Balancing confidentiality and public good

Negotiating the tension between releasing patient information for research and protecting privacy and confidentiality is the subject of considerable debate and has recently been identified as a top priority for primary care patient safety research.^1–5

Electronic health records are widespread in primary care; personal health information may be accessible to a multitude of providers often including administrative staff, healthcare assistants, and external providers. Much electronic health information is encoded using the READ or SNOMED CT coding systems. De-identified coded data are routinely extracted for quality assurance and funding purposes. Electronic health records are a valuable resource for research to ensure the safety and quality of healthcare: the coded data may be used in research linking large datasets of anonymised health information (Big Data projects) and in real-world trials, and the un-coded data (including the free-text of the daily record) may be used in research using emergent data mining software to identify targeted information or in records review projects where researchers scroll through the records.

Patients have a right to health information privacy that stems from the principle of autonomy and concerns the right of an individual to control information about her- or himself. Most democratic countries have laws protecting patients’ right to health information privacy, with consent the usual protection. When asked, most people approve the use of their health information in research.^6,7 However, time and cost constraints mean it is usually not feasible to ask.

The right to privacy is important but never absolute; there are many exceptions when doctors are legally permitted to share patient information without consent, usually in the best interests of the patient or public. There is considerable international variation in the laws, policies and protocols that govern health information and who has access to what.^8–12 In New Zealand, for example, auditors of the National Cervical Screening Programme may access patients’ primary care records without consent.¹³ In the European Union, the recently introduced General Data Protection Regulation gives consumers more control over how their personal information is used (patients can opt-out of sharing identifiable but not anonymised health information for research) and imposes on general practitioners (GPs) increased responsibility to communicate how health information may be used and to demonstrate compliance with data protection processes.¹⁴

Doctors receive private information in the course of a confidential relationship and make an implicit promise to protect the information and use it only to serve the interests of the patient. While the law might permit or even oblige doctors to share patient information, doctors have an enduring ethical duty to protect the information they have been entrusted with. Patients need to trust their practitioner if they are to disclose sensitive information and receive appropriate care.

But confidentiality is not the only important ethical duty: doctors also have a duty to provide safe and effective healthcare. Research is essential to safe and effective healthcare. Doctors also have a duty, then, to support research that seeks to build the evidence base. The duty to share information to support safe and effective healthcare may be as important as the duty to protect confidentiality.¹⁵

We conducted a retrospective records review study in general practice to identify and describe patient harms: the SHARP study (Safety, Harms And Risk reduction Project).¹⁶ Eight GP reviewers reviewed three years of de-identified electronic health records from 9000 randomly selected patients. The focus of the study was on harm, not error, defined as the physical or emotional negative consequences arising from healthcare.¹⁷ Data included the free-text daily record, prescriptions, test results, and letters from specialists and hospital admissions. Name recognition software was used to strip names and addresses from extracted records. De-identified data were allocated to reviewers living and working in geographical locations remote from study practices. Reviewers accessed the data via a secure password protected website. Consent to participation was sought not from individual patients, but from general practices. Ethical approval was provided by the University of Otago Human Ethics Committee (HD14/32). The study was approved by the Minister of Health as a protected Quality Assurance Activity (2015/23), barring the use of research data in civil liability proceedings and providing legal immunity to both general practices and researchers.¹⁸

We randomly selected 72 practices nationally and invited the 62 eligible practices to participate.¹⁹ Forty-five practices agreed (73%). The most common reasons for non-participation were commitment to confidentiality, concern about secondary use of data for financial gain, and fear of accountability repercussions. Data de-identification and security processes minimised the risks and legal protections barred misuse and secondary use of data, but GPs had no way of checking and had to decide on trust. We found GPs were more likely to trust (and to participate) if they had pre-existing relationships with or deemed the researchers trustworthy.

We found that electronic GP records were a rich source of data for studying the epidemiology of patient harms and identifying lessons to improve the patient safety. The data de-identification processes worked most of the time but were not perfect: occasionally the name of a practice, clinician, or patient remained in the extracted data. The name recognition software was more likely to fail when a name was uncommon or had atypical spelling. Deductive identification (where the free-text holds clues to the person, place or provider) was also sometimes possible even though we allocated data to reviewers geographically remote from the data source. Deductive identification is perhaps not unexpected in a country of only 4.5 million people. No identifiable data were ever passed on or misused. SHARP reviewers were all experienced GPs well versed in acting according to professional obligations. It was not possible for reviewers to contact and inform patients who had been identified because reviewers did not have contact details and also could not identify the patient’s practice or doctor. Participating practices had been informed during the consent process that despite our best efforts ‘some potentially identifying data are nevertheless likely to appear from time to time (eg in hospital discharge summaries)’.

Research using electronic health records often depends upon trust: doctors will only consent to research if they trust the researchers and the research. Research ethics committees have a role in ensuring the potential benefits of a project justify the risks. Good research practices including reliable data anonymisation and security processes are important. Researchers also need to maintain strong communication links with both the public and clinicians. Many patients lack awareness and understanding about the potential uses of health information, the protections in place, and how sharing information can benefit themselves and others.²⁰ Researchers can help to increase public understanding about the potential benefits of research and the potential dangers in not learning from the data by engaging in public education and debate.

Doctors and practices have a responsibility to communicate to enable patients to understand what information is being collected, how it will be stored and protected, how it may be used, and their rights including when and how they can opt-out. Communication with patients could be through information on practice websites, information provided on enrolment, personal communication, and clearly visible signage in practice waiting rooms. Practices could choose to give patients the opportunity to provide broad agreement to the use of their information in research, for example on enrolment. Any consent should be meaningful: informed, freely given, and a clear indication of agreement rather than implied through inaction or a pre-ticked box. Practices could offer some sort of formal data use agreement whereby patients can select the types of information (de-identified, encoded) they are willing to share with whom and for what purpose. Ideally such agreements would include the ability for patients to change their selection at any time. The opportunity to opt-out affords patients some control over the use of their information, but it risks introducing selection bias into research. It may be necessary for some practices, for example practices dealing with especially sensitive sexual or mental health information, to always require explicit patient consent to research projects.

Electronic health records are a rich source of data for research to improve patient care. Individual patient consent to research using electronic health data is usually not feasible. Research using personal health information without consent risks damaging the doctor-patient relationship. The risks may be minimised and managed through rigorous data anonymisation and security processes; clear communication to patients about the potential uses of health information, the protections in place, and the potential benefits of sharing information for research; and through developing mutual understanding and trust between GPs and researchers. Our experience emphasises the importance of on-going software improvements and supporting the professionalism of researchers.

Authors declare there are none.