Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health through Research
BEYOND THE HIPAA PRIVACY RULE
Enhancing Privacy, Improving Health Through Research
Sharyl J. Nass, Laura A. Levit, and Lawrence O. Gostin, Editors
Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule
Board on Health Sciences Policy
Board on Health Care Services
INSTITUTE OF MEDICINE OF THE NATIONAL ACADEMIES
THE NATIONAL ACADEMIES PRESS
Washington, D.C.
www.nap.edu
THE NATIONAL ACADEMIES PRESS
500 Fifth Street, N.W. Washington, DC 20001
NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.
The project is sponsored by the National Institutes of Health and the National Cancer Institute, the Robert Wood Johnson Foundation, American Cancer Society, American Heart Association/American Stroke Association, American Society for Clinical Oncology, Burroughs Wellcome Fund, and C-Change. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the author(s) and do not necessarily reflect the views of the organizations or agencies that provided support for the project.
Library of Congress Cataloging-in-Publication Data
Beyond the HIPAA privacy rule : enhancing privacy, improving health through research / Committee on Health Research and the Privacy of Health Information, the HIPAA Privacy Rule ; Sharyl J. Nass, Laura A. Levit, and Lawrence O. Gostin, editors.
p. ; cm.
Includes bibliographical references and index.
ISBN 978-0-309-12499-7 (pbk.)
1. United States. Health Insurance Portability and Accountability Act of 1996. 2. Medical records—Access control—United States 3. Health—Research—United States 4. Privacy, Right of—United States. I. Nass, Sharyl J. II. Levit, Laura A. III. Gostin, Lawrence O. (Lawrence Ogalthorpe) IV. Institute of Medicine (U.S.). Committee on Health Research and the Privacy of Health Information, the HIPAA Privacy Rule.
[DNLM: 1. United States. Health Insurance Portability and Accountability Act of 1996. 2. Medical Records--legislation & jurisprudence—United States—Guideline. 3. Privacy—legislation & jurisprudence--United States--Guideline. 4. Confidentiality—legislation & jurisprudence--United States--Guideline. 5. Research—methods—United States—Guideline. WX 173 B573 2009]
R864.B49 2009
651.5’04261—dc22
2009003375
Additional copies of this report are available from the
National Academies Press,
500 Fifth Street, N.W., Lockbox 285, Washington, DC 20055; (800) 624-6242 or (202) 334-3313 (in the Washington metropolitan area); Internet, http://www.nap.edu.
For more information about the Institute of Medicine, visit the IOM home page at: www.iom.edu.
Copyright 2009 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America
Suggested citation: IOM (Institute of Medicine). 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press.
“Knowing is not enough; we must apply.
Willing is not enough; we must do.”
—Goethe
INSTITUTE OF MEDICINE OF THE NATIONAL ACADEMIES
Advising the Nation. Improving Health.
THE NATIONAL ACADEMIES
Advisers to the Nation on Science, Engineering, and Medicine
The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Charles M. Vest is president of the National Academy of Engineering.
The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. Charles M. Vest are chair and vice chair, respectively, of the National Research Council.
www.national-academies.org
COMMITTEE ON HEALTH RESEARCH AND THE PRIVACY OF HEALTH INFORMATION: THE HIPAA PRIVACY RULE
LAWRENCE O. GOSTIN (Chair), Professor of Law, Georgetown University Law Center, Washington, DC
PAUL APPELBAUM, Professor of Psychiatry, Medicine, and Law, Director, Division of Psychiatry, Law, and Ethics, Columbia University Psychiatric Institute, New York, NY
ELIZABETH BEATTIE, Professor, School of Nursing, Faculty of Health Sciences, The Queensland University of Technology, Queensland, Australia
MARC BOUTIN, Vice President of Policy, Development, and Advocacy, National Health Council, Washington, DC
THOMAS W. CROGHAN, Senior Fellow, Mathematica Policy Research, Inc., Washington, DC
STANLEY W. CROSLEY, Chief Privacy Officer, Eli Lilly and Company, Law Division, Indianapolis, IN
SANDRA J. HORNING, Professor of Medicine/Oncology, Stanford School of Medicine, Palo Alto, CA
JAMES S. JACKSON, Director, Institute for Social Research, University of Michigan–Ann Arbor
MARY BETH JOUBLANC, Chief Privacy Officer, State of Arizona, Arizona Government Technology Agency, Phoenix, AZ
BERNARD LO, Professor of Medicine, Director, Program in Medical Ethics, University of California–San Francisco
ANDREW F. NELSON, Executive Director, HealthPartners Research Foundation, Minneapolis, MN
MARC ROTENBERG, President, Electronic Privacy Information Center, Washington, DC
WENDY VISSCHER, Director, Office of Research Protection, RTI International, Research Triangle Park, NC
FRED WRIGHT, Associate Chief of Staff for Research, VA Connecticut Healthcare System, New Haven, CT
CLYDE W. YANCY, Medical Director, Baylor Heart and Vascular Institute, Baylor University Medical Center, Dallas, TX
Consultants
SARAH M. GREENE, Group Health Center for Health Studies, Seattle, WA
DAVID HELMS, President and CEO, AcademyHealth, Washington, DC
ROBERTA NESS, University of Pittsburgh, Pittsburgh, PA
JOY PRITTS, Health Policy Institute, Georgetown University, Washington, DC
ED WAGNER, Director of the W.A. MacColl Institute for Healthcare Innovation, Center for Health Studies, Group Health Cooperative of Puget Sound, Seattle, WA
ALAN WESTIN, Privacy Consulting Group, Teaneck, NJ
Study Staff
SHARYL NASS, Study Director and Senior Program Officer
LAURA LEVIT, Associate Program Officer (Christine Mirzayan Science and Technology Policy Graduate Fellow, December 2006 to March 2007)
CATHERINE REYES, Christine Mirzayan Science and Technology Policy Graduate Fellow (September 2006 to November 2006)
MARY ANN PRYOR, Senior Program Assistant (until August 2007)
MICHAEL PARK, Senior Program Assistant (from September 2007)
ROGER HERDMAN, Director, Board on Health Care Services
ANDREW POPE, Director, Board on Health Sciences Policy
JULIE WILTSHIRE, Financial Associate (until July 2007)
PATRICK BURKE, Financial Associate (from July 2007)
Reviewers
This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making its published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of this report:
CLARA D. BLOOMFIELD, Distinguished University Professor, The Ohio State University Comprehensive Cancer Center and James Cancer Hospital and Solove Research Institute, Columbus
ALEXANDER M. CAPRON, Professor of Law and Medicine, Gould School of Law, University of Southern California, Los Angeles
ANN CAVOUKIAN, Information and Privacy Commissioner of Ontario, Office of the Information and Privacy Commissioner, Canada
DEBORAH COLLYAR, President, PAIR: Patient Advocates in Research, Danville, CA
EDWARD GOLDMAN, Associate Vice President and Deputy General Counsel, University of Michigan Health System, Ann Arbor
EMMETT B. KEELER, Senior Mathematician, Pardee RAND Graduate School, University of California–Los Angeles School of Public Health, Los Angeles
BETSY KOHLER, Executive Director, North American Association of Central Cancer Registries, Springfield, IL
MELISSA L. MARKEY, Associate, Hall, Render, Killian, Heath & Lyman, P.L.L.C., Troy, MI
DEVON McGRAW, Director, Health Privacy Project, Center for Democracy & Technology, Washington, DC
LYNNE WARNER STEVENSON, Director, Cardiomyopathy and Heart Failure Program, Brigham and Women’s Hospital, Cardiovascular Division, Boston, MA
MARCY WILDER, Partner, Hogan & Hartson, L.L.P., Washington, DC
Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations nor did they see the final draft of the report before its release. The review of this report was overseen by Neal A. Vanselow, M.D., Chancellor Emeritus and Professor Emeritus of Medicine at the Tulane University Medical Center, and Bradford H. Gray, Ph.D., Editor, The Milbank Quarterly, and Principal Research Associate, The Urban Institute. Appointed by the National Research Council and the Institute of Medicine, they were responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the authoring committee and the institution.
Acknowledgments
The Committee is grateful to many individuals who provided valuable input and information for the study, either through formal presentations or through informal communications with study staff and Committee members. Contributors to the study include: Joan E. Bailey-Wilson (National Institutes of Health), Mark Barnes (Huron Consulting Group), Marianna Bledsoe (National Institutes of Health, Office of Science Policy), Stefan Brands (Credentica), Suanna Bruinooge (American Society of Clinical Oncology), Robert Califf (Duke Translational Medicine Institute), Fred H. Cate (Indiana University School of Law), Janlori Goldman (Columbia University, Mailman School of Public Health), Elizabeth Goss (American Society of Clinical Oncology), Sarah Greene (HMO Research Network), Christina Heide (Department of Health and Human Services, Office for Civil Rights), David Helms (AcademyHealth), James Hodge (Johns Hopkins Bloomberg School of Public Health), Judd Hollander (Society for Academic Emergency Medicine), Holly Howe (North American Association of Central Cancer Registries), International Pharmaceutical Privacy Consortium, Katherine Kahn (University of California, Los Angeles), Murat Kantarcioglu (University of Texas at Dallas), Anthony Knettel (Association of Academic Health Centers), Elizabeth Mayer-Davis (University of South Carolina), Roberta Ness (University of Pittsburgh), Rachel Nosowsky (Miller, Canfield, Paddock and Stone, PLC), Ann O’Mara (National Cancer Institute, Community Clinical Oncology Program), John Pandiani (The Bristol Observatory), Wendy Patterson (National Cancer Institute), Deborah Peel (Patient Privacy Rights), Joy Pritts (Georgetown Health Policy Institute), John Ring (American Heart Association), Kristin Rosati (Coppersmith Gordon Schermer &
Brokelman, PLC), Mark Rothstein (University of Louisville), Elaine Rubin (Association of Academic Health Centers), Richard Schilsky (University of Chicago), Frank L. Silver (Registry of the Canadian Stroke Network), Lana Skirboll (National Institutes of Health, Office of Science Policy), Penelope Solis (American Heart Association), Ed Wagner (HMO Research Network), Alan Westin (Privacy Consulting Group), Marcy Wilder (Hogan & Hartson, L.L.P.), and Marsha Young (Booz Allen Hamilton).
Contents
Summary
Overview of Conclusions and Recommendations
  Definitions
  Definition of Privacy and Why Privacy Is Important
  Definition of Health Research and Why Health Research Is Important
  The HIPAA Privacy Rule
  The Committee’s Charge and the Overarching Goals of the Recommendations
  Improve the Privacy and Data Security of Health Information
  Improve the Effectiveness of Health Research
  Improve the Application of Privacy Protections for Health Research
  The Committee’s Recommendations
  I. Develop a New Approach to Protecting Privacy in All Health Research
  II. Revise the Privacy Rule and Associated Guidance
  III. Implement Changes Necessary for Both Policy Options Above
1 Introduction
  Brief History of HIPAA and the Privacy Rule
  Privacy and Health Research
  Privacy Concerns
  The Concerns of Health Researchers
  Origins of the Study
  Committee Appointment and Charge
  Methods
  The Committee’s Conclusions and Recommendations
  Framework of the Report
  References
2 The Value and Importance of Health Information Privacy
  Concepts and Value of Privacy
  Definitions
  The Importance of Privacy
  Public Views of Health Information Privacy
  Historical Development of Legal Protections of Health Information Privacy
  Principles of Fair Information Practice
  Security of Health Data
  The HIPAA Security Rule and Its Limitations
  Potential Technical Approaches to Health Data Privacy and Security
  Conclusions and Recommendations
  References
3 The Value, Importance, and Oversight of Health Research
  Concepts and Value of Health Research
  Definitions
  The Importance of Health Research
  Public Perceptions of Health Research
  Oversight of Health Research
  Historical Development of Federal Protections of Health Information in Research
  Overview of the Common Rule
  FDA Protection of Human Research Subjects
  Distinguishing Health Research from Practice
  Public Health Practice Versus Public Health Research
  Quality Improvement Versus Health Research
  The Importance of Effective Communication with the Public
  Disseminating Health Research Results
  Research Registries
  Informing the Public About the Methods and Value of Research
  Conclusions and Recommendations
  References
4 HIPAA, the Privacy Rule, and Its Application to Health Research
  Overview of HIPAA
  Portability and Tax Provisions
  Administrative Simplification Provisions
  Development of the Privacy Rule Regulations
  Overview of the HIPAA Privacy Rule
  Entities Subject to the Privacy Rule
  Type of Information Protected
  Restrictions on Use and Disclosure
  Individual Rights
  HIPAA and Research
  Research Uses and Disclosures with Individual Authorization
  Research Uses and Disclosures Without Individual Authorization
  Linking Data from Multiple Sources
  Genetic Information and the Privacy Rule
  Accounting of Research Disclosures
  Enforcement of the Privacy Rule
  Relationship Between HIPAA and Other Laws
  Federal Research Statutes
  General Federal Laws
  State Laws
  Conclusions and Recommendations
  References
5 Effect of the HIPAA Privacy Rule on Health Research
  Overview of Survey Results
  Association of American Medical Colleges Survey
  National Cancer Advisory Board Survey
  AHRQ Survey
  National Survey of Epidemiologists
  HMO Research Network Survey
  AcademyHealth Survey
  American Heart Association/American College of Cardiology Survey
  North American Association of Central Cancer Registries
  American Society of Clinical Oncology Interviews
  Association of Academic Health Centers Focus Groups
  Selection Bias
  General Studies of Consent and Selection Bias
  HIPAA Authorization and Selection Bias
  Efficiency of Research
  Cost and Time
  Recruitment
  IRB and Privacy Board Oversight
  Business Associate Agreements
  International Collaboration
  Abandoned Studies
  Deidentified Information
  Access to Deidentified Data
  Quality of Deidentified Data
  Authorization Process
  Concerns About Potential Legal Consequences
  Potential Ways to Reduce Interpretive and Variability Among IRBs, Privacy Boards, and Covered Entities
  Conclusions and Recommendations
  References
6 A New Framework for Protecting Privacy in Health Research
  Review of the Limitations of the Privacy Rule
  Improve the Privacy and Data Security of Health Information
  Improve the Effectiveness of Health Research
  Improve the Application of Privacy Protections for Health Research
  The New Framework
  Examples of Informative Models
  The Committee’s Recommendation
  The Role of Informed Consent in the New Framework
  The New Framework Addresses the Overarching Goals
  Improving the Privacy and Data Security of Health Information
  Improving the Effectiveness of Health Research
  Improving the Application of Privacy Protections for Health Research
  Relevance of the Recommendation to Other Federal Actions
  Conclusions and Recommendations
  References
Appendixes
  A Previous Recommendations to the Department of Health and Human Services
  B Commissioned Survey Methodology
  C Committee Member and Staff Biographies
Abbreviations and Acronyms
Glossary