3 Privacy and Security Considerations for Clinical Research

Technology and the Internet are connecting patients, physicians, advanced practice professionals, and therapeutic treatments like never before. With the increasing availability of internet-connected devices and wearable tech, individuals can monitor their own health status and share it with their health care team. Through social media and social-enabled services, individuals can share their own health updates and experiences with traditional or alternative treatment methods (not a HIPAA violation). A hot topic for Institutional Review Boards (IRBs) these days is simply understanding the role of social media and technology; with this understanding, the IRB should establish guidelines for researchers.

There are three key privacy and security considerations when establishing guidelines for the use of technology in research:

  1. Patient Recruitment – Does the primary investigator (PI) propose recruiting patients through a general social media channel advertisement, such as Facebook or Twitter, or through a patient community such as 23andMe or PatientsLikeMe? Regardless of the manner in which a patient is recruited, informed consent for research must still be obtained. The use of apps for recruitment and data collection is likely to explode in the near future thanks to Apple’s recent release of ResearchKit as part of iOS. Apple’s terms of service for ResearchKit require that users seek Institutional Review Board approval as appropriate, but Apple’s lawyers appear to be keeping the company’s liability as small as possible by not requiring proof of IRB approval as a condition of ResearchKit use.
  2. Secure Data Collection/Storage – While the closed garden of iOS offers some security for any apps released through ResearchKit, IRBs should seek approval from their organization’s Chief Information Security Officer for any research proposal that involves extensive data collection and storage outside the organization’s internal network. If patients are submitting diary data through a mobile app, that app needs to encrypt the data and meet the same safeguards as any other manner in which protected health information (PHI) is handled, even though the diary data would not be part of the patient’s overall medical record. A PI should be required to describe how they will store the collected information (hint: the only acceptable answer should be on the secured internal network, not a cloud storage service or a personal storage device such as a flash drive). A recent example of what is at stake is the HIPAA violation and $4.3 million fine for New York-Presbyterian and Columbia after a physician attempted to deactivate a computer from the network and accidentally published the PHI of 6,800 individuals.
  3. Publication Implications – If a researcher is primarily recruiting patients from a small online community, even de-identified information credited to that community ipso facto identifies possible study participants. Subjects recruited online through forums and social media may be presenting a fictional persona, creating invalid data for the researcher. Finally, the IRB should question whether the researcher is acting honestly and not simply using social media as a data collection front for fabricating data. IRBs should be following watchdog groups such as Retraction Watch, which can identify questionable research methods and individuals in the research community.