Max Researcher is conducting an NIH-funded study regarding how exercise and the environment are associated with asthma control. The IRB approved protocol involves recruiting participants using an iPhone application that can be downloaded by anyone with an iPhone interested in participating. Upon installing the application, participants are asked to install a tracking application on their iPhone that regularly sends data from third party activity trackers (e.g., FitBit) to a research database where the activity data can be merged with data from the participants’ electronic health records. There are no advance agreements between the research team and providers.
Using the application, participants complete an electronic consent form and agree to be contacted for research purposes. Participants have the option to complete HIPAA authorization for release of electronic medical records for the research project, which participants can send to healthcare providers directly so that the research team can manage data requests. The application also includes a secure email messaging system that allows participants to request electronic copies of their medical records from their physicians so that they may relay the records to the research information system. Providers that do not have Patient-facing Personal Health Records incorporated into their EHRs receiving the authorizations and request messages are unsure of how to verify that the requests are truly coming from their patients.
Questions:
- What is the best system to verify the identity of the research participant in the EHR and iPhone application?
- Are there different considerations for different options for patients to enable transfer of data from providers to researchers?
- Alternatives include working directly with healthcare providers to initiate contact with patients to ensure identities are managed reliably, what are the implications of this topology for the third-party applications and researchers?
- More generally, is “access to research” a right that should be protected? Is it ethical to limit access to iPhone users, or to patients that are served in healthcare systems with pro-active research programs?
| |
Description | Transferring data from electronic medical records to be merged with Patient Generated Health Data in research databases. |
Primary actor/participant | Researcher, Providers, & Participants, third party activity tracking services for PGHD |
Support actor/participant | EHR Vendors |
Preconditions | - All data collection, access procedures, and data uses have been approved by the IRB
- Consent has been obtained from participants
|
Postconditions | - Ethical best practices are observed for managing data
- Identities are accurately and securly linked
|
Data Elements Considered | Activity tracking and geocoded data, complete EHR records |
Purpose of the Data Collection | Research, healthcare |
Purpose of Data Use | Understanding Asthma Risk Factors |
Terms of Transfer to the source data holders | Healthcare, terms of PGHD use, informed consent |
Terms of Transfer to Researchers | IRB approval, informed consent |
