Commentary
Ethical Issues in the Use of Computerized Databases for Epidemiologic and Other Health Research

Wilfreda E Thurston, Michael M Burgess and Carol E Adair

Abstract

Computerization of databases has increased apprehension about loss of privacy. The intent of this paper is to facilitate health research that gives proper respect to ethical principles, thereby increasing public comfort and reducing demands for restrictive legislation concerning access to databases. We review how computerization has increased the saliency of concerns and discuss examples of the application of ethical analysis in published database research. Extreme positions notwithstanding, there is general agreement among researchers that research curiosity and the convenience of database research cannot justify the suspension of moral concerns about privacy and confidentiality. Public and professional concerns may affect policy development; therefore, the methods of ensuring privacy and protecting confidentiality must be routinely described in research proposals and published reports along with the benefits of the research. An important issue requiring further attention is that the moral responsibility to respect privacy increases with the sensitivity of information.

Key words: computers; databases; epidemiology; ethics; guidelines; health care research; linkage; public policy

Introduction

In this paper we address the principles of ethical research as they can be applied to research using computerized databases. A database, computerized or not, is a collection of information on individuals. Our belief is that restrictive legislation concerning access to databases¹ should be avoided by respecting the public's apprehension that an individual's privacy has been diminished by technology.² Neither personal knowledge of misuse of data, demographic variables nor exposure to media accounts explains the public's concerns.³ Computerization merely increases the salience of some historic concerns.⁴ However, the nature of the response of health researchers to these concerns may have a major impact on policy development around database research.

Principles of Ethical Research and Computerization

The first principle to be assessed in any research with human subjects is that of non-maleficence: avoiding harm to the subjects caused by the research process, the intervention or procedures being evaluated or used in the study, or by the uses made of the data. Health information that is not secured and is put to another use can affect employment status and benefits.⁵ Computerization has raised new security issues, including the ability to transport large quantities of data without being physically close to it and to alter records invisibly.⁶ The speed and storage capacity of computers have resulted in policies to protect privacy.⁷

A duty to maintain confidentiality and to respect privacy, another ethical principle, exists as a result of the nature of the relationship within which information is disclosed. That duty may be stronger when the nature of the information itself-for instance, sensitive diagnoses-establishes some reasonable expectation of confidentiality. A "gradual erosion of the concept of confidentiality of medical records" has been attributed to technological advances.⁸

Fidelity to the therapeutic or other relationships within which information is disclosed is an implicit commitment that the nature of that relationship will be respected. Patients share information in the belief that it is related to their health care, for direct clinical and billing purposes. Clinicians can be encouraged to add information to a file in the interest of future research, regardless of its clinical significance. It is relatively easy to add variables to a longitudinal database; storage room is not an issue, and a few fields will not substantially increase data entry time. Patient privacy and trust, however, may be compromised if patients are not aware that the relationship in which information is gathered has varied.

The possibility of linking databases when a common identifier does not exist is another reason to add fields. Improving linkage capability may mean including "complete name, maiden name, address, complete date, place of birth, and sex." ⁹ Some health researchers want access to the following types of records: medical, school, social agency, federal agency, credit, employment, census, social security and internal revenue "when the appropriate provisions for confidentiality are met."¹⁰ Concern about ethical principles increases because a range of information not originally intended to be associated with an individual becomes available, and the individuals involved may not have known that others would have access to this aggregate of information.

Finally, when control of the use of personal information is lost, there is a loss of autonomy or rational self-direction, such that personal values may be compromised. Diagnostic information, for example, is sensitive, and its disclosure might be limited to clinicians or a select group of acquaintances. The principle of autonomy must also be respected with regard to choice of a social community or a social identity,¹¹ such as a risk group.

Other Moral Concerns

Three other moral concerns-informed consent, public good and the least harm principle-arise with respect to balancing the principles already mentioned. Informed consent is a directive that balances autonomy with risk of harm to achieve some good. In research, the good may be non-personal, whereas the risks are borne personally. If valid informed consent is given to inclusion in a research database, then there is no infringement of autonomy. Individual consent for use of data is not always required by policy¹² if protection of individual confidentiality is ensured. Kluge,¹³ however, took the extreme position that using patient data in a study without informed consent is electronic assault. A more moderate position balances issues of anonymity and consent with notions of probability and magnitude of harms. Recent proposals for a code of ethics for health information professionals¹⁴ and Canadian research guidelines provide caution without much guidance for database research.¹⁵

The accomplishment of a very important public good (e.g. control of an epidemic) may justify some infringement of confidentiality, autonomy or fidelity. However, when some moral harm must be done to achieve a greater moral good, the least harm principle specifies that only the least harm necessary to accomplish the good is justified. Of two possible methods to accomplish a research goal, the one that causes least moral harm must be selected. Balancing the protection of individuals' autonomy with the benefits of research to the community may be difficult.^10,14,15 Historically, however, the automatic setting aside of social interests in favour of the individual has been infrequent and usually prescribed by legislation.⁸

Cost and convenience become morally relevant when it is prohibitively expensive to achieve a moral good while offering full protection of confidentiality, autonomy or fidelity. The principle of least harm requires that, if the justification for moral harm is a greater moral good, the moral harm must be the least necessary to achieve the moral good. For example, there is less loss of confidentiality if the people who abstract the data from the health record for research would see that information anyway.

Application of Ethical Analysis in Published Studies

We selected several examples of published studies of database research to illustrate the application of principles of ethical research. The analysis and discussion rely entirely on the information contained in the published articles.

Example 1: Linkage of Government Health Records and a Disease Registry

Our first example involves five papers from the Journal of Acquired Immune Deficiency Syndromes. The first¹⁶ describes the creation of a longitudinal database of AIDS patients in New York and California using Medicaid records, an AIDS registry and death certificates. The new database covered several years and contained the following: one record for each case, demographic and Medicaid data, health care utilization and expenditure data, and ICD-CM (International Classification of Diseases, Clinical Modification) codes.

Because people could use more than one Medicaid number, cases were linked using Medicaid number, social security number, birth date and name. Different diagnostic algorithms for AIDS were created for California and New York. The percentage of people identified by the algorithms and in the registry ranged from 25% to 80%, depending on sex and age. As well, proxy measures were used to create risk group designations: drug users, hemophiliacs, recipients of blood products, children, other females (not previously included) and other males. The last category was assumed to "loosely approximate the homosexual male risk group."¹⁶ The database was then used to study Medicaid eligibility patterns, some features of the epidemic in Medicaid users, lifetime Medicaid utilization and expenditures, and a survival-based severity index.^17-20 Ethics and security were not mentioned in the papers, but several ethical concerns arose in our minds upon reading.

When AIDS diagnosis, types of treatments and secondary infections of specified individuals are disclosed for research purposes without the consent of the individuals, their autonomy is limited. The principle of non-maleficence may have been breached since there is some risk of prejudicial treatment with the creation of a list of identifiable, living persons with AIDS. Some individuals were not registered on the AIDS registry, perhaps because they or their physicians decided that this would be unwise. The database identified many of these cases as instances of AIDS as well as some cases with a false positive diagnosis. Furthermore, since patients disclosed information that they believed was necessary to receive medical treatment through Medicaid, the fidelity of that clinical relationship may have been breached. These issues would not have arisen if all individuals in the database had given informed consent to be involved. There is no evidence in the article that this was the case, and, given the size and nature of the population, we assume that this was not possible.

Alternatively, the study might still reasonably have been approved by a human subjects review committee under two conditions: (1) all individuals in the new database freely consented to being in the source databases for research purposes and (2) security measures minimized the risk due to inadvertent or malicious disclosure. If access by researchers had been achieved without names or contact numbers, then there would have been considerable reduction of risk of harm and violation of privacy and autonomy. It is clear, however, that this study used names as part of the unique identifiers. It might also be established that the benefits of doing the study were moral benefits that could not be achieved without suspension of the duty of confidentiality.

We propose four possible moral benefits of the study. The most direct moral benefit would be decreased suffering if resources for persons with AIDS who were receiving Medicaid became more readily available. Less directly and more controversially, if AIDS therapies are disproportionately expensive and thus fewer resources are made available for them, then reallocation of resources to persons with other diseases may lead to decreased suffering for those persons, with possible detrimental effects on the subjects whose privacy was compromised. Other much less direct benefits are reduced prejudice toward persons with AIDS and decreased suffering through the prevention of AIDS.

The first benefit provides the strongest justification for the study. Nevertheless, the benefit of ensuring the future adequacy of resources for treatment of AIDS justifies the violation of the usual duties of confidentiality only if there is no other less ethically offensive method to achieve the moral good. In this case, the study design was not essential to ensuring the adequacy of future resources. Cost and convenience cannot stand alone as justification for suspension of moral concerns; thus, if no argument can be made for the moral importance of the specific information obtained, then the study design cannot be justified on the grounds that other designs may have been more expensive and less convenient.

Example 2: Linkage of Government Health Records

The second example also involved linkage of two government health records, in a Canadian pilot study to establish the feasibility of the process for studying other diseases.²¹ Manitoba's hospital separation files and files of claims made by physicians were linked using the unique personal identification number (PIN) assigned to each resident of the province. All cases of acute myocardial infarction (AMI) were identified, and AMI-related conditions and medical procedures were separated and analyzed.

It is unlikely that patients knew about the research or consented to be in the study, so the fidelity of the clinical relationship and patients' autonomy may have been jeopardized. Furthermore, since the PIN was used, information was traceable back to individuals. However, if the names and addresses were removed from the database after linkage, tracing would require some effort or expertise, or access to the master list. In other words, confidentiality may have been protected and the potential for inadvertent harm to subjects reduced to an acceptable level.

The information gathered in this study was of a less sensitive nature than in the previous example, and therefore the potential for harm to subjects was less. A large sample was needed, and a design involving consent would have been very costly and would have resulted in a loss of precision, since some potential subjects or their relatives could not have been traced. Therefore, the public good was served by examining the equity and value of treatments; for instance, the findings that women received fewer tests, were less likely to be hospitalized and more likely to die in hospital suggested that changes in health care delivery were desirable and would benefit some of the research population.

Example 3: Program Evaluation

More comprehensive information on subjects may enhance the evaluation of community-based health promotion interventions. The demand that programs be tested for effectiveness has increased, but it is very costly to enrol enough individuals in community studies to ensure sufficient follow-up and power to detect clinically significant differences between groups. An alternative design is to assess changes at the group or community level.

Researchers linked live birth certificates for 1988 and 1989 with Medicaid newborn hospital claims to identify Medicaid births and evaluate the impact of maternity care co-ordination on birth outcomes.²² The baby's Medicaid identification number was used to extract all health care claims beginning within 60 days of birth. The mother's name and date of birth were matched with claims paid for maternity care co-ordination, with the public health department client information system and with records of the Special Supplementary Food Program for Women and Children. The resulting sample was 15,526 women who received maternity care co-ordination and 34,463 controls.

A significant impact was found on improving birth outcomes for women on Medicaid and lowering the number of babies with very low birth weight. Prenatal care from public health departments was better than that from other services. The moral good of this study lies in its potential impact on policies regarding delivery of prenatal care to poor women. A large sample was needed to detect the small but clinically significant differences in low birth weight outcomes that were achieved. A prospective randomized trial would have allowed for informed consent and autonomy of mothers, but it would have cost much more. The research design avoided conflicts in fidelity since neither participants nor health care providers knew of the study. The record departments compromised the privacy of patients, but the study seemed the best way to achieve the moral value of justice and beneficence to the population. Some of the subjects who continued on Medicaid may have benefited.

Example 4: Use of Records on Deceased Subjects

Studies using record linkage may be the best way to achieve the moral good when contact is not possible. A study linked all death records for women aged 10-49 with live birth records, to identify women who had died within one year of giving birth.²³ The mother's social security number and name, and the baby's name and date of birth were used, all of which (save the social security number) are available to the public. Since the mother was dead, the privacy of the social security number is not as important. Medical records for mother and baby and autopsy reports on mothers were reviewed to identify maternal deaths. Identification of maternal deaths was increased by 100%, which has major implications for policies on perinatal care and provides a more accurate assessment of success in reaching goals for reduced maternal mortality.

The moral benefit of this study, although indirect, is the accumulation of important evidence supporting changes in health care policy and funding. The group studied could not benefit from the research. It would have been costly and very inconvenient for the researchers to contact the families of the deceased women in order to seek permission to review their medical records; furthermore, each family may have been unnecessarily upset by the reminder of the woman's (and possibly child's) death. An alternative design, a large prospective study, would also have been much more costly and intrusive and would have taken several years.

Example 5: Reporting of Sensitive Information

Ethical research ought to maintain confidentiality, particularly when breaches are in no way important to the research findings or to achieving social good. It is unusual to see this practice overlooked, but a report on a study that linked death certificates with AIDS as the cause of death to a cancer registry in order to study the impact of AIDS on "cancer registration"²⁴ contains one table in which all 20 cases of AIDS identified in the study are listed with their sex, age of death, risk group, year of cancer diagnosis, type of cancer, and whether cancer was on the death certificate and AIDS was on the medical record.

This appears to us to be a potential breach of confidentiality. We see no need to present these details to support the study's findings. Furthermore, with so few cases, the families could have been contacted for consent or the same results could have been achieved by contacting a group of living patients, obtaining their consent and getting data on cancer diagnosis, retrospectively and prospectively. This seems to be an example of violating the principle of confidentiality even if there is no evidence that any other harm befell an individual. Such extreme and unusual cases tend to receive undue attention when detected and cause alarm in the general public.

Public Concerns and Policy Development

The public's role in policy development is significant because of the dependence on voluntary provision of information by individuals.²⁵ In Britain, the United States and West Germany, policy development around technology has been characterized as conflictual. Fears of loss of privacy, the potential for increased power of the state, misuse of personal information and reduced human dignity have been raised as issues. By contrast, the Swedish response was described as "consensual, anticipatory, and open."⁷

Canadian studies indicate that the potential for a conflictual discourse on database research exists but is avoidable. The largest group of people in one survey² was knowledgeable about computers and well educated, with a higher proportion of women, Quebec residents and white collar workers. They were extremely fearful of intrusions into privacy and tended to believe that current controls were inadequate and that informed consent and regulation needed to be increased. Another study³ found that most people tended to weigh the benefits of data collection and the presence of mechanisms for data control in deciding whether a threat to privacy was acceptable. These pragmatists became unconcerned when they believed fair practices were followed and would not seek government regulation. Thus, if health researchers follow ethical practices and are seen by the public to be doing so, demands for legislative restriction may be fewer²⁶ and the role of health data in serving the public good²⁷ may be emphasized.

Conclusions

We have discussed the ethics of database research and how computerization has increased public concern about some issues. Although there are some extreme positions taken on the subject of individual rights versus public benefit, we find general agreement that research curiosity and the convenience of database research cannot justify the suspension of moral concerns about privacy and confidentiality that affect us all as patients and citizens. Our literature review, however, suggested that more attention must be given to all of the ethical issues raised by database research since we feel that the extent to which ethically relevant details are discussed may be interpreted as a reflection of the level of concern about these issues among authors and/or editors.

In order to avoid public demands for restrictive regulation of databases and research, we believe that epidemiologists and health researchers must maintain the public's trust by providing a description of the ethical component of the research design (e.g. how confidentiality was protected or access to data without consent was justified) in proposals and published reports. The benefits of research must be highlighted, and methods of protecting confidentiality and ensuring privacy must be routinely described in research proposals and published reports. An important issue that has received little attention to date is that the moral responsibility to respect privacy increases with the sensitivity of the information.

References

1. Bang O. EC proposal for directive can destroy the possibilities of cancer research. Eur J Cancer 1992;6/7:1012-13.

2. Graves F, Porteous N, Beauchamp P. Privacy revealed: the Canadian privacy survey. Ottawa: Ekos Research Associates Inc., 1993.

3. Louis Harris and Associates, Westin AF. The Equifax Canada report on consumers and privacy in the information age. New York: Louis Harris and Associates, Inc., 1992.

4. Soskolne CL. Epidemiology: questions of science, ethics, morality, and law [commentary]. Am J Epidemiol 1989;129(1):1-18.

5. Pedersen R. Inside information. Occup Health Safety Magazine 1994;17(4):6.

6. Krever H. Report of the Commission of Inquiry into the Confidentiality of Health Information, Volumes I, II, and III. Toronto (Ont): JC Thatcher, Queen's Printer, 1980.

7. Bennett C. Regulating privacy: data protection and public policy in Europe and the United States. Ithica (NY): Cornell University Press, 1992.

8. Martin BA, Eastwood MR. The confidentiality of medical records: the right to privacy versus the public interest. Can J Psychiatry 1980;25(6):492-5.

9. Neutel CI, Johansen HL, Walop W. "New data from old": epidemiology and record linkage. Prog Food Nutr Sci 1991;15:85-116.

10. Robins LN. Consequences of the recommendations of the privacy protection study commission for longitudinal studies. In: Tancredi L, ed. Ethical issues in epidemiological research. New Brunswick (NJ): Rutgers University Press, 1986:99-113.

11. Mosco V. Dinosaurs alive: toward a political economy of information. Can J Inf Sci 1992;1:49.

12. Canadian Health Record Association. Guidelines to the code of practice. Oshawa (Ont): Canadian College of Health Record Administrators, 1980.

13. Kluge EHW. Medical informatics and education: the profession as gatekeeper. Methods Inf Med 1989;196-201.

14. Kluge EHW. Fostering a security culture: a model code of ethics for health information professionals. Int J Med Inf 1998;105-10.

15. Medical Research Council of Canada, Natural Sciences and Engineering Research Council of Canada, Social Sciences and Humanities Research Council of Canada. Tri-council policy statement: ethical conduct for research involving humans. Ottawa: Public Works and Government Services Canada, 1998; Cat No MR21-18/1998E.

16. Keyes M, Andrews R, Mason M-L. A methodology for building an AIDS research file using Medicaid claims and administrative data bases. J Acquir Immune Defic Syndr 1991;4(10):1015-24.

17. Fanning TR, Cosler LE, Gallagher P, Chiarella J, Howell EM. The epidemiology of AIDS in the New York and California Medicaid programs. J Acquir Immune Defic Syndr 1991;4(10):1025-35.

18. Ellwood MR, Fanning TR, Dodds S. Medicaid eligibility patterns for persons with AIDS in California and New York, 1982-1987. J Acquir Immune Defic Syndr 1991;4(10):1036-45.

19. Andrews RM, Keyes MA, Fanning TR, Kizer KW. Lifetime Medicaid service utilization and expenditures for AIDS in New York and California. J Acquir Immune Defic Syndr 1991;4(10):1046-58.

20. Turner BJ, Markson LE, McKee L, Houchens R, Fanning T. The AIDS-defining diagnosis and subsequent complications: a survival-based severity index. J Acquir Immune Defic Syndr 1991;4(10):1059-71.

21. Johansen H, Paddon P, Chagani K, Hamilton D, Kiss L, Krawchuk S. Acute myocardial infarction: a feasibility study using record-linkage of routinely collected health information to create a two-year patient profile, Manitoba, 1984-85 and 1985-86. Health Rep 1990;2(4):305-22.

22. Buescher PA, Roth MS, Williams D, Goforth CM. An evaluation of the impact of maternity care coordination on Medicaid birth outcomes in North Carolina. Am J Public Health 1991;81(12):1625-9.

23. Dye TD, Gordon H, Held B, Tolliver N, Holmes AP. Retrospective maternal mortality case ascertainment in west Virginia, 1985 to 1989. Am J Obs Gynecol 1992;167(1):72.

24. Franceschi S, Levi F, Rolland Portal I, La Vecchia C. Linkage of death certification of AIDS and cancer registration in Vaud, Switzerland. Eur J Cancer 1992;28A(8/9):1487-90.

25. Feinleib M. The epidemiologist's responsibilities to study participants. J Clin Epidemiol 1991;44(Suppl 1):73S-79S.

26. Stott J. Surveillance by data base a danger to privacy. Calgary Herald 1992 Nov 15:7.

27. Knox EG. Confidential medical records and epidemiological research: wrongheaded European directive on the way [editorial]. BMJ 1992;304:727-8.

Wilfreda E Thurston and Carol E Adair, Department of Community Health Sciences, Faculty of Medicine, University of Calgary, Calgary, Alberta

Michael M Burgess, Centre for Applied Ethics, University of British Columbia, Vancouver, British Columbia

Correspondence: Dr WE Thurston, Associate Professor, Department of Community Health Sciences, Faculty of Medicine, University of Calgary, 3330 Hospital Drive NW, Calgary, Alberta   T2N 4N1; Fax: (403) 270-7307; E-mail: thurston@ucalgary.ca

[Previous][Table of Contents] [Next]