Uncorrected machine-read (OCR) text of the first 10 and last 10 pages of this chapter. Because the material is uncorrected, treat it as a useful but insufficient proxy for the authoritative book pages.
4 HIPAA, the Privacy Rule, and Its Application to Health Research
This chapter provides an overview of the development of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and describes how it applies to health research. A section at the end of the chapter also describes the relationships between HIPAA and other federal and state laws. Because a great deal of health research in the United States is also subject to the Common Rule (described in Chapter 3), disparities between these two federal rules are also noted where relevant throughout the chapter.
OVERVIEW OF HIPAA
HIPAA was passed on August 21, 1996. It was intended to make health care delivery more efficient and to increase the number of Americans with health insurance coverage. These objectives were pursued through three main provisions of the Act: (1) the portability provisions, (2) the tax provisions, and (3) the administrative simplification provisions.
Portability and Tax Provisions
The portability provisions of HIPAA aimed to prevent individuals from losing health care coverage due to a preexisting condition when changing to a new employer’s health plan. The portability provisions also aimed to reduce the number of unemployed or self-employed individuals without health insurance by making it easier for individuals to purchase health insurance without their employer.
BEYOND THE HIPAA PRIVACY RULE
Similarly, the tax provisions of HIPAA were also intended to make it easier for individuals to maintain health insurance. The tax provisions pursued this goal by modifying existing tax laws to make health insurance more affordable. HIPAA does not regulate the price of health insurance, but rather, it relies on tax breaks and other tax incentives to reduce health care costs (Chaikind et al., 2005).
Administrative Simplification Provisions
The administrative simplification provisions of HIPAA instructed the Secretary of the U.S. Department of Health and Human Services (HHS) to issue several regulations concerning the electronic transmission of health information. These provisions were included in the final version of HIPAA because health plans had requested federal legislation in this area from Congress. The use of electronic health information was expanding in the early 1990s, and the health care industry was unable to standardize the process and use of electronic health information without federal action.[1]
The security standards are one set of regulations mandated by the administrative simplification provisions of HIPAA. The Act instructed the Secretary of HHS to develop nationwide security standards and safeguards for the use of electronic health care information. The resulting HHS regulations spell out specific administrative, technical, and physical security procedures that health care plans, providers, and clearinghouses must incorporate into their operations to prevent unauthorized access, use, and disclosure of protected health information (CMS, 2005). HHS published the final HIPAA Security Rule in the Federal Register on February 20, 2003. Health plans and providers were required to be in compliance with these measures by April 2004 (see Box 2-2).
The administrative simplification provisions of HIPAA also directed the Secretary to develop standards for unique health identifiers for patients, employers, health plans, and providers. Unique health identifiers are national numbers that could be used to identify the individual or organization in standard health transactions. The Centers for Medicare & Medicaid Services (CMS) has issued standards for the unique health identifiers for employers and providers, and unique health identifiers for health plans are under development. However, Congress has prevented CMS from implementing a standard for the unique health identifier for patients by inserting language into the annual appropriations bill every year since HIPAA was enacted (Chaikind et al., 2005).
Finally, the administrative simplification provisions of HIPAA mandated the creation of privacy standards for the protection of personally identifiable medical information. Although privacy protections were not a primary objective of the Act, Congress recognized that advances in electronic technology could erode the privacy of health information, and included the privacy provision in HIPAA (IOM, 2006). In accordance with the administrative simplification provisions, HHS developed the Privacy Rule, which constitutes a broad-ranging federal health privacy regulation (see Table 4-1). Incorporating many of the basic fair information practices,[2] the Privacy Rule generally restricts the use or disclosure of protected health information, except as permitted by the individual or as authorized or required by the Privacy Rule. Its provisions also impose on covered entities affirmative requirements to safeguard the information in their possession. The Privacy Rule gives individuals certain rights with respect to their health information (reviewed by Pritts, 2008).
[1] Personal communication, M. Wilder, Hogan and Hartson, March 17, 2007.
DEVELOPMENT OF THE PRIVACY RULE REGULATIONS
Congress did not include detailed privacy requirements in HIPAA. The terms of HIPAA required the Secretary of HHS to submit detailed recommendations to Congress by August 1997 on ways to protect the privacy of personally identifiable health information. These recommendations were to include suggestions on ways to protect individuals’ rights concerning their personally identifiable health information, procedures for exercising such rights, and the uses and disclosures of information that should be authorized or required under HIPAA.[3] If Congress did not enact privacy legislation within 3 years of the passage of HIPAA, the Act required the Secretary of HHS to issue privacy regulations for the protection of personally identifiable health information within 42 months of HIPAA’s enactment.[4]
In response to this mandate, HHS submitted recommendations for protecting the privacy of personally identifiable health information to Congress in September 1997. In these recommendations, Secretary Shalala advocated for the passage of federal privacy legislation, rather than relying on HHS to pass a set of privacy regulations. Shalala’s report stated, “This report recommends that Congress enact national standards that provide fundamental privacy rights for patients and define responsibilities for those who service them” (Shalala, 1997).
Although numerous bills that attempted to address health information privacy were introduced, Congress was unable to finalize privacy legislation on the time schedule mandated in HIPAA. During the 1999 congressional session alone, eight such bills were introduced. However, none of these bills was passed. As a result, Congress passed the responsibility of creating health privacy protections to HHS.
[2] U.S. Secretary of Health and Human Services, Recommendations on the Confidentiality of Individually-Identifiable Health Information to the Committees on Labor and Human Resources (September 11, 1997), and Standards for Privacy of Individually Identifiable Health Information: Proposed Rule, 64 Fed. Reg. 59918, 59923 (1999).
[3] Health Insurance Portability and Accountability Act, 45 C.F.R. § 264(a)–(b) (2006).
[4] See 45 C.F.R. § 264(c)(1) (2006).
TABLE 4-1 Timeline of the HIPAA Privacy Rule
August 1996: Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton
September 1997: Donna Shalala, Secretary of the Department of Health and Human Services (HHS), made recommendations to Congress on the privacy standards mandated in HIPAA
September 1999: Congress failed to enact federal privacy legislation within the 3-year time limit set by HIPAA
November 1999: HHS issued a proposed version of the privacy regulation for public comment
December 2000: HHS published the original Privacy Rule, titled Standards for Privacy of Individually Identifiable Health Information
March 2002: HHS published a proposed modification to the Privacy Rule and accepted additional public comments
August 2002: HHS published the Final Privacy Rule
April 2003: Covered entities were required to be in compliance with the Privacy Rule (except small health plans)
    The Association of American Medical Colleges launched a survey examining how research has been affected by the Privacy Rule and proposed recommendations for changes to the Privacy Rule
    In South Carolina Medical Association v. Tommy Thompson, plaintiffs lost constitutional challenge to HIPAA
March 2004: The National Committee on Vital and Health Statistics sent a letter to HHS giving detailed recommendations on ways to improve the Privacy Rule’s application to research
April 2004: Small health plans were required to be in compliance with the Privacy Rule
September 2004: The Secretary’s Advisory Committee on Human Research Protections sent a letter to the Secretary of HHS with recommendations for changes to the Privacy Rule as applied to research
March 2005: In Citizens for Health v. Michael O. Leavitt, plaintiffs unsuccessfully challenged the Privacy Rule as being invalid
Over the course of developing the current Privacy Rule, HHS went through four iterations of the Rule. HHS followed Secretary Shalala’s 1997 recommendations to Congress in shaping the regulations (Redhead, 2001). First, HHS issued a proposed version of the Privacy Rule for public comment on November 3, 1999, that drew more than 50,000 comments (Stevens, 2000). Based on these comments, HHS issued the second version of the Privacy Rule, titled Standards for Privacy of Individually Identifiable Health Information, in December 2000.[5] Before this version of the Privacy Rule could take effect, the Secretary of HHS was inundated with unsolicited public comments and criticism regarding the Privacy Rule. Health care insurers and providers were concerned that the Privacy Rule would make health care industry operations less efficient. They were particularly concerned about the requirement that they obtain authorization prior to making any routine disclosure of personally identifiable health information for health care operations, treatment, or payment. The comments received also suggested that this version of the Privacy Rule would prevent pharmacists from filling prescriptions and searching for potential drug interactions before patients arrived at pharmacies; interfere with providing emergency medicine in situations where it would be impossible to obtain patient authorization before treatment; and delay the scheduling and preparation of hospital procedures until the doctor could obtain patient authorization.[6]
In March 2002, HHS, under the Bush Administration, published a proposed modification to the Privacy Rule, which reopened the rule-making process and created a new period for submitting public comments. This version of the Privacy Rule drew more than 24,000 comments. Incorporating the suggestions collected through the second notice of proposed rule-making period, HHS issued the final version of the Privacy Rule on August 14, 2002.[7] This is the current, effective, and codified version of the Privacy Rule (45 C.F.R. parts 160 and 164). Most health care providers and health plans were required to be in compliance with this version of the Privacy Rule by April 14, 2003. Small health plans were given until April 14, 2004, to be in compliance.
OVERVIEW OF THE HIPAA PRIVACY RULE
Entities Subject to the Privacy Rule
The Privacy Rule applies to “covered entities,”[9] which are individuals or organizations that electronically transmit health information in the course of normal health care practices. Covered entities include health care providers, health plans, and health care clearinghouses. Health plans are entities that provide or pay the cost of medical care, such as private health insurers or managed care organizations, and governmental payors and health programs such as Medicaid, Medicare, or Veterans Affairs. Health care clearinghouses generally refer to billing services, and health care providers include hospitals, doctors, and other health care professionals and facilities that provide treatment (Table 4-2).
[5] Standards for Privacy of Individually Identifiable Health Information: Final Rule, 65 Fed. Reg. 82461 (2000).
[6] Standards for Privacy of Individually Identifiable Health Information: Final Rule, 67 Fed. Reg. 53181, 53209 (2002).
[7] See 67 Fed. Reg. 53181 (2002).
[8] Some material in this section is adapted from a background paper by Pritts (2008).
[9] See 45 C.F.R. § 160.103 (2006).
If an entity that meets one of the categories of a covered entity also performs functions unrelated to health care, it can become a hybrid entity by designating in writing its “health care components.”[10] Only these health care components are then bound by the Privacy Rule. For example, if a university includes an academic medical center with a hospital, the entire university will be classified as a covered entity unless the university elects to be a hybrid entity by designating only the hospital as the health care component. By doing this, only the hospital has to comply with the Privacy Rule. The classification of researchers within a hybrid entity depends on the nature of the work performed (e.g., whether the researchers are within the health care component, providing health care, or conducting electronic transactions) (HHS, 2004c).
Type of Information Protected
The Privacy Rule protects all personally identifiable health information, known as protected health information (PHI), created or received by a covered entity. Personally identifiable health information is defined as information, including demographic information, that “relates to past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care for the individual” that either identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.[11]
The Privacy Rule does not protect personally identifiable health information that is held or maintained by an organization other than a covered entity (HHS, 2004c). It also does not apply to information that has been deidentified in accordance with the Privacy Rule[12] (see later section on Deidentified Information).
[10] See 45 C.F.R. § 164.105(a)(2)(iii)(c) (2006).
[11] See 45 C.F.R. § 160.103 (2006).
[12] See 45 C.F.R. § 164.502(d) (2006).
TABLE 4-2 The Uneven Application of the HIPAA Privacy Rule: Examples of HIPAA Covered Entities and Non-Covered Entities
Covered Entities
• Health maintenance organizations (HMOs)
• Group health plans
• Medicare and Medicaid programs
• Veterans health care program
• Civilian Health and Medical Program of the Uniformed Services
• Indian Health Service program under the Indian Health Care Improvement Act
• Pharmacies
• Researchers who are employed by a covered entity
• Some universities (or parts of universities, such as health centers)
• A public health clinic that is part of a public health agency
Non-Covered Entities
• Independent consent management companies
• Contract research organizations
• Research foundations
• Data warehousing/data management companies
• Student health services (if they do not bill for services)
• Pharmaceutical companies
• Researchers who are not employed by a covered entity
• Some universities (or parts of universities)
• A public health agency that does not perform activities subject to the provisions of the Privacy Rule
Restrictions on Use and Disclosure
Covered entities may not use or disclose PHI except as permitted or required by the Privacy Rule.[13] A covered entity may disclose PHI without the individual’s permission for treatment, payment, and health care operations purposes. For other uses and disclosures, the Privacy Rule generally requires the individual’s written permission, which is an “authorization” that must meet specific content requirements. The Privacy Rule then establishes a number of exceptions to this general rule, allowing covered entities to use and disclose PHI without the individual’s authorization in certain situations. For example, the Privacy Rule permits the disclosure of PHI without the individual’s authorization in the following circumstances:
• To business associates[14]
• For public health purposes as required by state and federal law[15]
• To public agencies for health oversight activities, such as audits; inspections; civil, criminal, or administrative proceedings; and other activities necessary for the oversight of the health care system[16]
• To law enforcement officials[17]
• For judicial and administrative proceedings, if the request for information is made through a court order[18]
• For research[19]
Most of these permitted uses and disclosures are subject to detailed conditions. For example, the Privacy Rule allows covered entities to disclose PHI without individual authorization to their “business associates,” which are defined as persons or entities that perform, on behalf of the covered entity, certain functions or services[20] that require the use or disclosure of PHI, provided adequate safeguards are in place.[21] As a general rule, these safeguards take the form of a business associate agreement whereby the business associate agrees not to use or disclose the PHI it receives except as permitted by the agreement or by law (Box 4-1).
In the case of public health practice, the Privacy Rule notes that there is a legitimate need for public health authorities and others working to ensure the health and safety of the public to have access to PHI. As a result, the Privacy Rule permits, but does not require,[22] covered entities to disclose PHI without authorization for specified public health purposes (Box 4-2). Disclosures for research are discussed in detail in subsequent sections of this chapter.
[13] See 45 C.F.R. § 164.502(a) (2006). A covered entity is required to make a reasonable effort to use and disclose only the minimum amount of PHI needed for the intended purpose. See 45 C.F.R. § 164.502(b) (2006).
[14] See 45 C.F.R. § 164.506(e) (2006).
[15] See 45 C.F.R. § 164.510(b) (2006).
Individual Rights
The Privacy Rule also confers rights on individuals with respect to their PHI (reviewed by Pritts, 2008). Under the Privacy Rule, individuals have the right to[23]:
• Receive a notice of privacy practices from a health care provider or a health plan that must, among other things, inform patients of the anticipated uses and disclosures of their health information that may be made without the patients’ consent or authorization.[24]
• See and obtain a copy of their own health information.[25]
• Request an amendment of information that is incomplete or inaccurate.[26]
• Obtain an accounting of certain disclosures that the covered entity made of their PHI over the past 6 years.[27]
[16] See 45 C.F.R. § 164.510(c) (2006).
[17] See 45 C.F.R. § 164.510(f) (2006).
[18] See 45 C.F.R. § 164.510(d) (2006).
[19] See 45 C.F.R. § 164.512 (2006).
[20] Some common functions that business associates perform for covered entities include recruiting subjects, data analysis, processing, or administration; utilization review; quality assurance; and practice management.
[21] See 45 C.F.R. § 164.502(e) (2006).
[22] Only states have the authority to require mandatory public health reporting.
[23] See 45 C.F.R. § 164.520 (2006).
BOX 4-1
Business Associate Agreements
A covered entity must obtain assurances in writing that the business associate will: (1) use the information only for the purposes for which it was engaged by the covered entity; (2) safeguard the information from misuses; and (3) help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Business associate agreements must include:
• A description of the permitted and required uses of the PHI by the business associate.
• A statement that the business associate will not use or disclose the PHI other than as permitted or required by the contract, or as required by law.
• A statement that the business associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by the contract.
SOURCE: 45 C.F.R. § 160.103 (2006).
BOX 4-2
The HIPAA Privacy Rule and Public Health Practice
The Privacy Rule defines public authorities as any “federal, tribal, or local agency or person or entity acting under a grant of authority or contract with the agency, including state and local health departments, the Food and Drug Administration (FDA), the Centers for Disease Control and Prevention, and the Occupational Safety and Health Administration.”
A covered entity can release PHI to a public health authority, without authorization or waiver of authorization, in the following circumstances:
• Monitoring health threats and diseases
• Child abuse or neglect
• Products regulated by the FDA
• Persons at risk of contracting or spreading a disease
• Workplace surveillance
State laws may also permit or require the release of PHI for activities other than those listed above.
SOURCES: 45 C.F.R. § 164.501 (2006); 45 C.F.R. 164.512(b)(i)–(v) (2006); 45 C.F.R. 160.203(c) (2006).
HIPAA AND RESEARCH
Although health research was not a focus of HIPAA, Congress recognized the important role that health records play in conducting health research and wanted to ensure that privacy protections would not impede researchers’ continued access to such data. This is reflected in two House Reports on HIPAA with identical language, stating:
“The conferees recognize that certain uses of individually identifiable information are appropriate, and do not compromise the privacy of an individual. Examples of such use of information include . . . the transfer of information from a health plan to an organization for the sole purpose of conducting health care-related research. As health plans and providers continue to focus on outcomes research and innovation, it is important that the exchange and aggregated use of health care data be allowed” (U.S. Congress, 1996a,b).
In creating the current research provisions of the Privacy Rule, HHS considered several options. One option considered was exempting PHI used in research from the regulations, but HHS rejected this option, noting some reported shortcomings of the protection of the privacy and confidentiality of health information in research (reviewed by Pritts, 2008).[28] A U.S. General Accounting Office report prepared in anticipation of federal health privacy legislation noted that confidentiality protections were not a major thrust of the Common Rule, and oversight boards tended to give confidentiality less attention than other research risks because they had the flexibility to decide when it was appropriate to review confidentiality protection issues (GAO, 1999). The report noted that although “[t]he actual number of instances in which patient privacy is breached is not fully known . . . in an NIH [National Institutes of Health] sponsored study, IRB [Institutional Review Board] chairs reported that complaints about the lack of privacy and confidentiality were among the most common complaints made by research subjects.” In addition, the compliance staff of the HHS Office for Protection from Research Risks (now Office of Human Research Protections) related that they had investigated several allegations involving human subjects protection violations resulting from a breach of confidentiality over the past several years and that the complaints related to (1) research subject to IRB review and (2) research outside federal protection (GAO, 1999).
[24] See 45 C.F.R. § 164.520 (2006).
[25] See 45 C.F.R. § 164.524 (2006).
[26] See 45 C.F.R. § 164.526 (2006).
[27] See 45 C.F.R. § 164.528 (2006).
[28] U.S. Secretary of Health and Human Services, Recommendations on the Confidentiality of Individually-Identifiable Health Information to the Committees on Labor and Human Resources (September 11, 1997) (hereinafter “Secretary Recommendations”); 64 Fed. Reg. 59918, 59968 (1999); 65 Fed. Reg. 82461, 82691 (2000).
HHS also considered requiring researchers to obtain individual authorization in all situations where a covered entity might want to disclose PHI for research. But this option would have made many research projects nearly impossible to carry out. Instead, HHS created the current system, which attempted to protect individual privacy while still allowing researchers access to data.
In proposing the Privacy Rule, HHS acknowledged that ideally, it would have preferred to directly regulate researchers by extending the protections of the Common Rule to nonfederally funded research and imposing additional criteria for the waiver of authorization in research.[29] However, HHS recognized that it did not have the authority to do so, and therefore, it attempted to protect the health information released to researchers indirectly (but within the scope of its limited authority) by imposing disclosure restrictions on covered entities.
The following sections provide a detailed overview of the Privacy Rule provisions regulating research, along with comparisons to the provisions of the Common Rule (see Chapter 3 for a general overview of the Common Rule).
Research Uses and Disclosures with Individual Authorization
Individuals may voluntarily authorize the use and disclosure of their PHI for essentially any reason, including for research purposes. To be valid under the Privacy Rule, an authorization must be “specific and meaningful”[30]—that is, it must provide a clear description of the information to be used or disclosed. The authorization must also be written in plain language, and contain core elements (e.g., signature of the individual, description of purpose of requested use or disclosure) and statements addressing the individual’s right to revoke authorization, as well as
[29] See Secretary Recommendations (1997) and 64 Fed. Reg. 59918, 59968 (1999).
[30] See 45 C.F.R. § 164.508(c)(1)(i) (2006).
[Uncorrected text resumes at page 188]
or (6) provides greater privacy protection for the individual with respect to any other matter.
The third exception to the general preemption rule is in the public health arena. State laws that are contrary to the Privacy Rule—but provide for the reporting of disease or injury, child abuse, birth, or death, or for conducting public health surveillance, investigation, and intervention—are not preempted by the Privacy Rule. States are permitted to set their own rules regarding what type of information can be collected by public health agents and how that information is used (HHS, 2004c).
Applying this preemption rule and determining what privacy laws must be followed in any given state can be a difficult task for covered entities. All states provide some protection for the privacy of health information. However, they differ greatly in what type of protection they provide, and thus, interact differently with the federal Privacy Rule. To successfully conduct a preemption analysis, a covered entity must become familiar with both the state laws and the Privacy Rule, interpret how the state and federal regulations interact with each other, and correctly determine the situations in which the Privacy Rule preempts state law. Many of the provisions in the Privacy Rule do not have directly corresponding provisions in state laws. This makes comparing the two sets of rules a technical and tedious task. One of the main impediments to a covered entity complying with the Privacy Rule is likely the lack of understanding of what the Privacy Rule actually requires in each state (Pritts, 2002).
CONCLUSIONS AND RECOMMENDATIONS
The HIPAA Privacy Rule was written to provide consistent standards in the United States for the use and disclosure of PHI by covered entities, including the use and disclosure of such information for research purposes. In its current state, however, the HIPAA Privacy Rule is difficult to reconcile with other federal regulations, including HHS regulations for the protection of human subjects (the Common Rule), FDA regulations pertaining to human subjects,[81] and other applicable federal or state laws.
Inconsistencies, for example, in federal regulations and their interpretations governing the deidentification of personal health information, obtaining individuals’ consent for future research, and the recruitment of research volunteers make it challenging for health researchers seeking to comply with all these regulations to undertake important research activities. In addition, there is substantial variation in the way in which institutions interpret and apply the Privacy Rule (see also Chapter 5).
Additional guidance from HHS, along with some changes in interpretation by HHS, would reduce misunderstandings of the Privacy Rule provisions by covered entities, IRBs, and Privacy Boards and help to harmonize federal regulations governing health research, which would in turn reduce complexity for researchers and covered entities, and thereby help to ensure consistent and appropriate privacy protections for patients. Thus, HHS should develop revised and expanded guidance materials for the Privacy Rule.
[81] See 21 C.F.R. parts 50 and 56 (2008).
For example, HHS should develop guidance to clearly state that future research with repositories can go forward under the Privacy Rule with IRB/Privacy Board oversight. Many institutions create and maintain databases with patient health information as well as repositories with biological materials collected from patients, and use them for many types of health research, including studies to understand diseases or to compare patient outcomes following different treatments. Once created, these collections offer a cost-effective resource for rapidly addressing new research questions as technologies and knowledge advance. Collecting the samples and data necessary to address each new research question as it arises could take years, or even decades, at great expense. Thus, the pace and efficiency of medical progress is significantly enhanced by using established resources whenever feasible. Under the Common Rule, it is permissible to obtain patient consent for future research, with IRB oversight, as long as such future uses are described in sufficient detail to allow an informed consent.
However, the provisions of the Privacy Rule, as interpreted by HHS, have made it more difficult to effectively use these valuable resources for research. As a result, patients must be recontacted to obtain individual authorization for any additional studies undertaken with the data and samples collected unless the researchers obtain a waiver or alteration of authorization from an IRB or a Privacy Board. Recontacting patients for additional authorization is not only impractical, but even in those instances when it is possible, it can be intrusive and burdensome for patients and their families. The committee believes that authorization for future use of these databases and biospecimen banks should be appropriate for protecting privacy as long as there is an IRB or a Privacy Board overseeing the research. Thus, HHS should eliminate the discordance between the Privacy Rule and the Common Rule through guidance explicitly stating that future research may go forward if the authorization describes the types or categories of research that may be conducted with the PHI stored in the biospecimen bank and if an IRB or a Privacy Board determines that the proposed new research is not incompatible with the initial consent and authorization, and poses no greater than minimal risk.
Because science is evolving very quickly, one cannot adequately anticipate what knowledge will be gained in the future, and significant opportunities for beneficial research could be lost without some alterations to the way in which this portion of the Privacy Rule is interpreted. Databanks and biospecimen banks created and maintained with federal funds in particular should be used for multiple studies as often as feasible, given the high cost of such activities and the high value of investigating and comparing multiple scientific questions from the same pool of data.
Additional guidance from HHS is also needed to clarify the circumstances under which DNA samples or sequences are considered PHI. The research community remains uncertain about whether genetic information accompanying biospecimens is protected under HIPAA because the list of HIPAA identifiers includes “biometric identifiers” and “unique identifying characteristics.”82 Although genetic information does not itself identify an individual, a person’s genetic code could be construed as a unique identifier in that it could be used to match a sequence in another biospecimen bank or databank that does include identifiers. As genetic information becomes more prevalent in research and health care, concerns regarding genetic privacy and discrimination are likely to intensify. Thus, the establishment of consistent standards for use and protection of genetic information is important. The committee advocates a focus on strong security measures, with the goal of realizing the full potential of personalized medicine. In addition, unauthorized reidentification of individuals from DNA sequences, by anyone, should be strictly prohibited.
The committee also recommends that HHS issue guidance to clearly indicate that when researchers seek to store data and materials collected in conjunction with a clinical trial, a single authorization form with two signature lines is permissible if the text clearly delineates the two activities and states that the participant is not required to sign the portion authorizing the contribution of PHI to the repository. Informed consent and authorization are essential for the protection of individuals who volunteer to participate in clinical trials. Thus, it is imperative that the informed consent and authorization documents are easily understood and meaningful to the individuals involved. Ideally, all relevant information should be integrated into one simple document, but the HIPAA Privacy Rule’s complex provisions have generated misperceptions about restrictions on individuals’ ability to provide compound authorization for the related activities of clinical trial participation and biospecimen donation, and some institutions require two complete authorization forms with all the attendant language rather than two signature lines on the same form. Such misperceptions can diminish the informed nature of consent and authorization because they can lead to patient confusion and misunderstanding.
HHS should also simplify the procedures for the identification and recruitment of potential research participants and harmonize them with the Common Rule. The provisions regarding these activities that are preparatory to research are complex, confusing, and actually provide less privacy protection than the Common Rule. The committee believes that IRBs and Privacy Boards can protect research participants, including their privacy and confidentiality interests, and thus recommends that IRB/Privacy Board approval (as required under the Common Rule) should be required for all researchers (internal and external to the covered entity) prior to contacting potential subjects. When making a decision about whether to approve research projects, the IRB or Privacy Board should review and consider the investigator’s plans for contacting patients, and also ensure that the information will be used only for research projects approved by the IRB or Privacy Board and not be disclosed to anyone else.

82 See 45 C.F.R. § 164.514 (2006).
HHS should also take steps to facilitate greater use of data with direct identifiers removed. Because the Privacy Rule and the Common Rule define personally identifiable information and deidentification differently, there is a discrepancy between what research is exempt from the Common Rule and what research is exempt from the Privacy Rule. This discrepancy can give rise to situations in which research with anonymized data that are exempt from IRB oversight under the Common Rule may still require a decision by an IRB or a Privacy Board to determine if a waiver of individuals’ authorization for the use of their information for research purposes is appropriate under the Privacy Rule.
Also, there appears to be a great deal of confusion about how to meet conditions of data use agreements for limited datasets, which have been stripped of the 16 most direct identifiers and can be used and disclosed for research without obtaining individuals’ authorization or an IRB/Privacy Board waiver of authorization. HHS could help to ameliorate this situation by issuing clear guidance on how to set up and comply with data use agreements more efficiently and effectively.
New tools are also needed to facilitate important health research by allowing new hypotheses to be tested with existing data. One major challenge of using data from which direct identifiers have been removed is that a patient’s health information is rarely stored in one single location, and data from multiple sources cannot be linked to generate a more complete record of a patient’s health history without a unique identifier. As a result, these datasets often are of minimal value to researchers and are not frequently used. A trusted intermediary that could link data from different sources and then provide more complete and useful deidentified datasets to researchers would facilitate the greater use of health data for research and lead to more meaningful study results while also increasing patient privacy protections and allaying concerns of covered entities. Thus, HHS should develop a mechanism for linking data from multiple sources so that more useful datasets can be made available for research in a manner that protects privacy, confidentiality, and security. Similar efforts have been initiated by AHRQ for the purpose of monitoring health care quality.
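One way the trusted-intermediary linkage described above could work in practice, as an added illustration that is not part of the report and not any existing HHS or AHRQ mechanism: the intermediary alone holds the identifiers and a secret key, matches records across sources with a keyed hash of normalized identifiers, and releases only the merged clinical fields under fresh random study IDs. The two sample sources, their field names, and the HMAC-based matching are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records from two hypothetical sources (not real data).
# Each source holds direct identifiers plus its own clinical fields; on its
# own, neither can be linked to the other once identifiers are stripped.
HOSPITAL_RECORDS: List[Dict] = [
    {"name": "Ana Perez", "dob": "1970-03-02", "ssn": "111-22-3333",
     "diagnosis": "type 2 diabetes", "admit_year": 2006},
    {"name": "Ben Lee", "dob": "1965-11-15", "ssn": "222-33-4444",
     "diagnosis": "hypertension", "admit_year": 2007},
]
PHARMACY_RECORDS: List[Dict] = [
    {"name": "ana perez ", "dob": "1970-03-02", "ssn": "111223333",
     "drug": "metformin"},
    {"name": "Cara Diaz", "dob": "1980-01-09", "ssn": "333-44-5555",
     "drug": "lisinopril"},
]

# Direct identifiers that never leave the intermediary (hypothetical subset).
DIRECT_IDENTIFIERS = {"name", "dob", "ssn"}


def normalize(record: Dict) -> str:
    """Canonical identifier string so the same person from two sources,
    with differing case, whitespace or SSN punctuation, matches."""
    name = " ".join(record["name"].lower().split())
    ssn = record["ssn"].replace("-", "")
    return "|".join([name, record["dob"], ssn])


class TrustedIntermediary:
    """Honest-broker role: links identified records, releases deidentified ones."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Secret key held only by the intermediary; a plain hash of the
        # identifiers would be trivially reversible by dictionary lookup.
        self._key = key if key is not None else secrets.token_bytes(32)

    def link_token(self, record: Dict) -> str:
        """Keyed hash used only internally to join records across sources."""
        msg = normalize(record).encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def link_and_deidentify(self, *sources: Iterable[Dict]) -> List[Dict]:
        """Merge clinical fields per person, then drop identifiers and tokens."""
        merged: Dict[str, Dict] = {}
        for source in sources:
            for rec in source:
                entry = merged.setdefault(self.link_token(rec), {})
                entry.update({k: v for k, v in rec.items()
                              if k not in DIRECT_IDENTIFIERS})
        # Released records carry a fresh random study ID rather than the HMAC
        # token, so a released dataset cannot be re-linked to a later release.
        return [{"study_id": secrets.token_hex(8), **fields}
                for fields in merged.values()]


if __name__ == "__main__":
    broker = TrustedIntermediary()
    for row in broker.link_and_deidentify(HOSPITAL_RECORDS, PHARMACY_RECORDS):
        print(row)
```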
The committee also concluded that for some provisions of the Privacy Rule the burdens are heavy and the privacy protections are small. Reconsideration of such provisions may be necessary if society is to derive maximal benefits from health research. In particular, the required accounting of disclosures entails a heavy administrative burden on health systems and health services research that achieves little in terms of protecting privacy. The committee recommends that the Privacy Rule permit medical facilities to inform patients in advance that PHI might be used for health research (with IRB/Privacy Board oversight) or for public health purposes, and the Privacy Rule should be altered to exempt these activities from AOD requirements.
Robust safeguards are already in place to protect the privacy of PHI disclosures in health research via IRBs and Privacy Boards. As the health care system moves toward broader implementation of electronic health records, however, automatic tracking of audit trails will be important to incorporate. Technology advances will likely make automatic AOD tracking feasible, affordable, and widely available in the future. Until then, the committee recommends that disclosures of PHI made for health research and public health purposes be exempted from the HIPAA Privacy Rule’s AOD requirement. However, in the interest of transparency, institutions should maintain a list, accessible to the public, of all studies approved by their IRB or Privacy Board.
HHS should also simplify the criteria that IRBs and Privacy Boards use in making determinations for when they can waive the requirements to obtain authorization from each patient whose PHI will be used for a research study. If the current criteria for waiver of authorization are to be retained, a clear and reasonable definition of impracticability from HHS, along with specific case examples of what should or should not be considered impracticable or of minimal risk, could reduce variability and overly conservative interpretations among IRBs and Privacy Boards.
Case examples should help delineate what IRBs and Privacy Boards should do to facilitate research, rather than just defining what is permissible. For example, it is appropriate to allow use of registries, clinical databases, and biospecimen banks for justifiable scientific inquiries. HHS should clearly state that IRBs and Privacy Boards should not impede research that is permissible under the Privacy Rule without a compelling concern (for example, if participant solicitation plans are inappropriate or if the principal investigator is unqualified).
Simplification or clarification of the waiver criteria would be especially helpful for multi-institutional studies, which fall under the jurisdiction of multiple IRBs or Privacy Boards, and for smaller or community-based institutions that do not have internal counsel or regulatory affairs specialists, and are thus more likely to opt out of research that requires decisions about authorizations. With better guidance, all covered entities would have more confidence in their decisions, and might be more willing to rely on a lead IRB/Privacy Board decision in the case of multi-institutional studies.