Research Ethics Tutorial

• Personal health information is written or oral “identifying information” collected about an individual. It is information about an individual’s health or health care history in relation to:
• The individual’s physical or mental condition, including family medical history;
• The provision of health care to the individual;
• Long-term health care services;
• The Individual’s health care number;
• Blood or body-part donations;
• Payment or eligibility for health care: and
• The identity of a health care provider or a substitute decision maker for the individual.

Physicians who are affiliated with Windsor Regional Hospital and maintain their own patient records for healthcare purposes (i.e. records which are not included in the health records of Windsor Regional Hospital), are also considered to be HICs.

HIC’s are permitted to authorize designated agents to act on behalf of the HIC in relation to the HIC’s activities, including the collection, use and disclosure of PHI..

PHIPA assumes that PHI is in the custody of the HIC. The HIC may permit its agents to collect, use or disclose, retain or dispose of PHI on the HIC’s behalf. An agent of the HIC is someone authorized to act on behalf of the HIC (e.g. residents and trainees, hospital employees, volunteers and others); and perform activities for the purposes of the HIC (generally health-care purposes).

Agents are not HICs in and of themselves. Agents may be internal or external to the HIC. The HIC has a responsibility to ensure that its agents are informed of the provisions of PHIPA and that they comply with them..

PHIPA also applies to all researchers who obtain PHI from any HIC.

Research is defined in PHIPA in substantially the same way as it is defined in the Tri-Council Policy Statement, i.e. “a systematic investigation designed to develop or establish principles, facts or generalizable knowledge, or any combination of these, and includes the development, testing and evaluation of research”.

In general terms PHIPA requires an individual’s consent to the collection, use or disclosure of PHI. To be valid, the consent must be knowledgeable, it must relate to the information provided, and it must not be obtained through deception or coercion.

PHIPA specifically allows for either express or implied consent, requiring express consent in certain defined circumstances.

Express consent is consent obtained specifically and directly from the individual or his or her authorized legal guardian.

Implied consent is consent which may be assumed to have been given, if it is reasonable, under all of the circumstances to assume that it has been given. PHIPA expressly provides that a HIC which receives PHI about an individual from the individual or from another HIC for the purposes of providing health care to the individual, is entitled to assume that it has the individual’s implied consent to collect, use or disclose the information for the purposes of providing health care (not research) to the individual, unless the HIC that receives the PHI is aware that the individual has expressly withheld or withdrawn the consent.

PHIPA specifically provides [Section 18(3)] that consent must be express and not implied, if a HIC is disclosing PHI to:

A person who is not a HIC (e.g. a researcher or a research assistant) OR

For a purpose other than providing health care or assisting in providing health care. (e.g. research)

Most, but not all, of the research conducted at Windsor Regional Hospital will entail obtaining express consent from the participants in the research. Most of the research will have undergone a research review by the Research Ethics Board, and the consent form (and process for obtaining it), will have been approved by the Research Ethics Board.

IF A RESEARCHER HAS REB APPROVAL FOR HIS RESEARCH AND HE OBTAINS EXPRESS CONSENT FROM ALL PATIENTS TO CONDUCT THE RESEARCH, DOES HE HAVE TO DO ANYTHING MORE TO COMPLY WITH PHIPA?

Generally, if the researcher has REB approval and provides for express consent, the requirements of PHIPA will have been met.

MY RESEARCH WOULD BE IMPOSSIBLE TO CONDUCT IF I HAD TO OBTAIN EXPRESS CONSENT FROM EVERY INDIVIDUAL THAT I NEED PHI FROM. DOES THAT MEAN THAT I CAN’T CONDUCT MY RESEARCH?

Some research, particularly large epidemiological studies, would not be possible to conduct, if express consent to the use and disclosure of personal health information had to be obtained from every individual involved.

PHIPA expressly recognizes this reality, and provides for the possibility of a waiver of express consent for research purposes, provided that certain criteria apply, and specific requirements are met.

A HIC cannot use or disclose personal health information for research purposes, without express consent of the individual, unless the provisions of Section 44 of PHIPA are complied with.

The Act requires that the HIC obtain from the researcher a written application, a research plan that has been approved by the Research Ethics Board, and a copy of the Research Ethics Board approval.

• The name, affiliation, roles and qualifications of everyone working on the research and accessing PHI
• Adequate justification for disclosing PHI to these persons
• The nature of the research
• The particular research objectives and related research questions
• The duration of the research
• The anticipated public and scientific benefit of the research
• The required PHI
• The sources of the PHI
• The use of PHI, including details on information linkage (if any)
• Adequate justification for using the PHI
• Adequate justification for linking the PHI
• Adequate consent process/form OR adequate justification for proceeding without consent
• The reasonably foreseeable harms and benefits of the information use
• Adequate explanation of how foreseeable harms will be addressed
• Adequate privacy and security safeguards
• How long the information will remain identifiable and why
• How and when the information will be destroyed or returned to source
• Details on research funding
• Details on whether the researcher has applied for other REB approval and its response or the status of the application
• Details on the researcher’s conflicts of interest

1. Whether the research purposes cannot be achieved without the information;
2. Whether it is impracticable to obtain consent;
3. What safeguards for protection of the information are in place and whether the information will be used in a manner that will ensure its confidentiality; and
4. Whether the public interest in conducting the research exceeds the public interest in protecting the privacy of the individuals.

• Comply with the approved research plan, including any conditions imposed by the REB, 
• Implement the safeguards for protecting the information outlined in your plan,
• Use PHI only for the purposes described in your research plan,
• Not publish PHI in a way that could reasonably allow others to identify the individual whose information was used in the research,
• Only disclose the information when required by law,
• Not contact individuals whose information is used in the research unless they have given consent to the disclosing HIC to be contacted by you (even if the PHI you hold is stolen, lost or accessed by unauthorized individuals), Note: The HIC which collects the information would obtain consent,
• Comply with the terms and conditions of the written agreement that you enter into with the disclosing HIC, and
• Provide written notice of any breach of the written agreement or any of these duties to the disclosing HIC.

If you work under a research plan approved outside of Ontario, you must follow the same requirements that researchers whose plans are approved in Ontario must follow.

Researchers may use or disclose PHI originating outside of Ontario for research purposes without consent if a REB (or other body Outside of Ontario responsible for approved research) has approved the research.

Does a Medical Student or Resident in the Hospital have to obtain REB approval to access hospital health records for research purposes?

Yes. The Medical Student/Resident is considered to be an agent of the HIC. If the Medical Student/Resident wishes to access hospital health records for research purposes, this would be considered a use of the PHI by the HIC for non-health care purposes. The Medical Student/Resident is required to obtain REB approval before proceeding with the research, and if express consent of the patients is not contemplated, the criteria for granting a waiver must be met.

If the Medical Student/Resident develops a research study and creates a database of PHI obtained through the review of patient health records, is the Medical Student/Resident permitted to take the database when he/she leaves the hospital?

No. If PHI is collected from within the hospital, in other words it is PHI in the custody of the hospital as HIC, then the PHI must stay within the hospital and it does not belong to the Medical Student/Registry or any other agent of the hospital.

The research question: Are patients with elevated serum bilirubin more likely to be taking triglyceride lowering drugs?

The researcher is designing a study to address the above question, and will submit it to the REB for review and approval. In the proposed study, the researcher plans to as Laboratory Services in the Hospital to flag all abnormal serum bilirubins in adult patients and then plans to go through the patients’ charts to find out whether the patients are taking specific medications. For those patients with abnormal test results, the researcher will ask the attending physician to contact their patient, asking the patients’ permission for the researcher to contact them. Does Lab Services have the right to disclose this information to the researcher?

Yes. Prior to the Lab disclosing the PHI to the researcher, the Lab must be assured that the researcher has obtained REB and Health Records approval and if express consent of the patients is not contemplated, the criteria for granting a waiver must be met.

The researcher now has a list from Lab Services of patients with abnormal serum bilirubins, and a list of 50 attending physicians (also HIC’s). Twenty of the attending physicians will only participate in the study if the researcher does all the contact work, citing lack of time and resources to do it themselves.

Is it acceptable for the researcher to then propose to the physician that the researcher pay for someone to contact the patient on the physician’s behalf?

What if the physician doesn’t want to be involved with this at all? Let’s say they do not want to give their patients the opportunity to be asked if they are interested in participating. Assuming this is really “important research”, what are the researcher’s options?

The physician (or his/her agent) must obtain the individual’s express consent before the researcher can contact the individual, however, the physician may appoint someone to act as their agent to contact the patient. The physician could approve the researcher to contact the patient on his/her behalf as an authorized agent. However, best practice (see CIHR Privacy Best Practices Guideline) would caution the physician with respect to the patient’s expectations with respect to access, undue influence, etc.

The REB would need to approve the research plan which details who is contacting the patient, the telephone or contact script to be used, etc.

It would be more appropriate to offer to compensate the physician for his/her staff’s time spent contacting the patients. For the person to be the authorized agent of the physician, she/he should be paid and supervised by the physician, not by the researcher. 

• Can the existing information be used for research purposes? Yes
• Should patients give express consent for the use of their information from this point forward? Yes
• Patients are not being contacted, but their anonymized data are being used. Can the REBs provide a waiver of consent in this case? Yes