Privacy & Confidentiality
Kaiser Permanente Northern California’s (KPNC’s) Institutional Review Board (IRB)
The role of the IRB is to assure protection of the rights, safety, privacy, and dignity of all human research subjects. Federal regulations require an IRB to review and monitor all research that involves Kaiser Foundation Health Plan members and patients, their medical records, and biological specimens.
IRB approval must be obtained for all research proposals and protocols, including but not limited to, consent forms, telephone scripts, patient contact letters and recruitment materials, questionnaires, and mail surveys. The IRB reviews such materials to ensure that patients’ rights are protected and also for appropriateness, clarity, and accuracy.
The KPNC IRB is divided into two panels, each of which meets one day per month. The Health Services Panel primarily reviews epidemiologic, behavioral, and health services research. The Biomedical Panel primarily reviews research studies involving investigational drugs, devices, biologics, and experimental clinical procedures.
Using patient health information
Under certain conditions, researchers may lawfully include patient health data from medical and other clinical records in research databases without receiving individual permission.
For the Research Program, this is not relevant for those participating in the survey or future DNA sampling, because they will be giving their consent when they volunteer for these parts of the study.
However, in setting up the databases for the Research Program, some member health data from existing sources, including patient medical records, will be included in the new databases without asking for individual consent, and we think it’s important to explain this practice.
Consent and HIPAA authorization requirements
Medical research that involves patients generally requires written consent. Sometimes consent may be required but not written, such as with phone survey studies. Also, when researchers are studying health data only, with no direct contact with participants, the law sometimes allows researchers to use that information without asking for individual permission.
Privacy laws
The Health Information Portability and Accountability Act (HIPAA) is a Federal law that protects patient privacy and requires researchers to get patient permission before using medical record data in studies.
One situation in which researchers are permitted to use individually-identifiable health information in research studies without patient permission is if they apply to and receive a waiver from their Institutional Review Board (IRB). Institutional Review Boards are the federally mandated entities that oversee patient protection in medical research. Participant confidentiality is one of the issues they consider.
To be granted a waiver, the IRB must be satisfied that the following three criteria are met:
- There is minimal risk to the privacy of the individual.
- The research could not practically be conducted without the waiver.
- The research could not practically be done without access to and use of the protected health information.
Institutional Review Board approval
The IRB's review of the Research Program included reviewing and approving the request by researchers to include medical information from the electronic medical record and other sources in the new, coded databases. Changes to IRB-approved studies cannot be made until they have been reviewed and approved by the IRB.
Asking for your permission
When we receive IRB approval and conduct research without asking members for individual permission, it’s not that researchers don’t want to take the time to ask. Instead, our dilemma is that for some kinds of low-risk studies, if we ask and people say "no", it will affect our research results and they won’t reflect the real rates of occurrences of the diseases we are studying. In addition, when research involves records of hundreds of thousands of people, it may not be feasible in terms of costs to contact everyone. However, no genetic research will be done without written informed consent from the individual.
Linking databases together
Typically, after researchers develop their research questions, they obtain relevant information from multiple databases which they link together using a coded identification number. The research is focused on the data, not on individual patients, and identifying information (other than the identification number) is not included in the research database.
How we protect patient information
Privacy protection is an essential component of this research. No results from the RPGEH will be placed in your medical record or shared with Kaiser Foundation Health Plan. We will also take the following IRB-approved steps to protect your privacy and keep this information confidential.
- All RPGEH information will be kept in a computer databank that is only for research. The computer system that holds the entire databank, including the genetic records, is located in a locked and physically secure facility. The data can never be placed on a laptop computer or portable storage device that could leave this secure environment.
- The computer system has electronic security measures to prevent attacks on the databank. The databank is protected by a “firewall” against entry by unapproved users (commonly called “hackers”).
- Access to the databank is limited to authorized Kaiser Permanente Division of Research staff. All Division of Research staff have signed agreements pledging not to link participant data with any identifying information or reveal any participant data.
- Within the RPGEH databank, we will label your DNA samples, genetic information, survey answers, and medical record data with a unique study ID number only. Your study ID number will not be the same as your other personal numbers like your phone number, social security number, or medical record number. When scientists need to connect genetic information to survey or medical record data, they will do this with a code. Use of this code is limited to a very small number of Kaiser Permanente Division of Research scientists and staff members.
- Outside researchers working with Kaiser Permanente scientists will not be given data that includes individual identifiers.
Certificate of Confidentiality
To help us protect your privacy, we have applied for a Certificate of Confidentiality from the National Institutes of Health. Certificates of Confidentiality are granted under a federal law, Section 301(d) of the Public Health Service Act. Under the laws establishing the Certificate, researchers cannot be forced to disclose information that may identify you, even by a court subpoena, in any federal, state, or local civil, criminal, administrative, legislative or other proceeding. The researchers will use the Certificate to resist any demands for information that would identify you, except as explained below.
The certificate permits child abuse reporting as authorized by law. Also, the Certificate cannot be used to resist a demand for information from personnel of the United States government that is being used for auditing or evaluation of federally funded projects or for information that must be disclosed in order to meet the requirements of the Food and Drug Administration. You should understand that a Certificate of Confidentiality does not prevent you or a member of your family from voluntarily releasing information about you or your involvement in this research.
The content of this Web site has been reviewed and approved by the KPNC IRB.