Click for next page ( 200


The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 199
5 Effect of the HIPAA Privacy Rule on Health Research Since the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule was implemented by the U.S. Department of Health and Human Services (HHS) in April 2003, health researchers have asserted that the Privacy Rule has had a negative effect on researchers’ abilities to conduct meaningful research. The purpose of this chapter is to review the currently available evidence on the effect of the Privacy Rule on research, including surveys as well as other types of studies to measure impact. The chapter begins with an overview of several surveys that examined health researchers’ personal experiences with and opinions about the Privacy Rule. Many issues identified by survey respondents were also the focus of other types of studies, so the remainder of the chapter consists of a topical review of the available evidence regarding the effect of the Privacy Rule, and its interpretation, on health research. The following issues are reviewed in detail: (1) selection bias, (2) research efficiency, (3) abandoned research, (4) deidentified information, (5) the authorization process, and (6) concerns about potential legal consequences. OVERVIEW OF SURVEY RESULTS As noted in previous chapters (Chapter 1 in particular), the informa- tion gained by opinion surveys has limitations. The potential for bias exists because of the way the questions are worded and framed, and respondents may have self-motivated reasons for responding in a particular fashion. For example, individuals responding to surveys conducted by professional soci- eties may be more likely to have encountered difficulties with the Privacy 

OCR for page 199
00 BEYOND THE HIPAA PRIVACY RULE Rule than those who did not respond. Thus, information gathered from surveys is anecdotal and based on individual’s personal opinions; it does not constitute systematic data on the experience of all researchers. Before discussing the relevant surveys in detail in this chapter, it is also important to recognize the strengths and weaknesses of these survey data. One strength is that multiple surveys addressed similar topics, and many respondents were affiliated with different institutions and different fields of health research. The fact that the respondents to the different surveys reported similar problems with conducting research under the Privacy Rule makes it more likely that results can be generalized and are not specific to a particular institution. Weaknesses include the size and low response rates of some surveys and, in some cases, the lack of a denominator, making it impossible to determine a response rate, which is an important measure to assess the representativeness of the results. Also, three of the surveys discussed below were conducted immediately or shortly after the Privacy Rule was implemented, before covered entities and other stakeholders had adequate time to adapt to the new regulation. However, more recent surveys of researchers’ experiences with the Privacy Rule, two of which were commissioned by the Institute of Medicine (IOM) committee, found that researchers were still reporting negative effects of the Privacy Rule on health research (Box 5-1). Surveys to gauge the impact of the HIPAA Privacy Rule on health research have been undertaken by numerous agencies and organizations with various constituencies, including the Association of American Medical Colleges (NCVHS, 2003), the National Cancer Advisory Board (Ramirez and Niederhuber, 2003), the Agency for Healthcare Research and Quality (Walker, 2005), Epidemiological Societies (Ness, 2007), the HMO Research Network (Greene et al., 2008), AcademyHealth (Helms, 2008), the Ameri- can Heart Association (Ring, 2007), and the North American Associa- tion of Central Cancer Registries (Deapen, 2006). In addition, structured interviews were undertaken by the American Society for Clinical Oncology (ASCO, 2008), and focus groups were organized by the Association of Academic Health Centers (AAHC, 2008). An overview of these projects is provided below (also see Table 5-1). Association of American Medical Colleges Survey In 2003, on the day that covered entities were required to be in compli- ance with the Privacy Rule, the Association of American Medical Colleges (AAMC) launched a survey to examine the Privacy Rule experiences of investigators, Institutional Review Board (IRB) personnel, privacy officials, research administrators, and deans. AAMC then created a database of case reports and research functions affected by the Privacy Rule based on 331 individuals’ responses. After analyzing the database, AAMC concluded that

OCR for page 199
0 EFFECT OF THE HIPAA PRIVACY RULE BOX 5-1 Health Researchers’ Experience with the Privacy Rule: Survey Results in 2003–2004 and 2007–2008 • The Privacy Rule has increased the cost and time it takes to conduct a research project from start to finish (AAMC, NCAB, AHRQ, Ness, Academy- Health, HMORN, AHA/ACC, AAHC) • Institutional differences in interpretation of the Privacy Rule have made con- ducting health research more difficult than in the pre-Privacy Rule era (AAMC, NCAB, AHRQ, Ness, AcademyHealth, HMORN, AAHC) • The Privacy Rule has made recruitment of research participants more dif- ficult and has increased the likelihood of selection bias (AAMC, AHRQ, Ness, AcademyHealth, AHA/ACC, AAHC) • The Privacy Rule has increased research participants’ confusion regarding their rights and protections (NCAB, Ness, HMORN) • The Privacy Rule’s standards for deidentification have not created an effective way for researchers to collect data (AAMC, AHRQ, Ness, AcademyHealth, HMORN, AHA/ACC) • The Privacy Rule has led researchers to abandon studies (AAMC, AHRQ, AcademyHealth, HMORN, ASCO) • The Privacy Rule has created new barriers to the use of patient specimens collected during clinical trials (NCAB, AAHC, ASCO) Survey Institutions: Association of American Medical Colleges (AAMC), National Cancer Advisory Board (NCAB), Agency for Healthcare Research and Quality (AHRQ), HMO Research Network (HMORN), American Heart Association/ American College of Cardiology (AHA/ACC), Association of Academic Health Centers (AAHC), American Society of Clinical Oncology (ASCO). SOURCES: AAHC (2008); ASCO (2008); Greene et al. (2006); Helms (2008); NCVHS (2003); Ness (2007); Ramirez and Niederhuber (2003); Ring (2007); Walker (2005). the Privacy Rule affects many types of health research, including clinical, health services, epidemiological, behavioral, biomedical, health economics, and outcomes research. The most common effects of the Privacy Rule on research reported were that the Privacy Rule: (1) reduced patient recruit- ment, (2) increased the likelihood of selection bias, (3) increased the costs of conducting research by requiring more paperwork and complicating the IRB approval process, (4) increased the number of errors in research when deidentified information was used, (5) made multisite trials more difficult because of variations in IRB interpretation of the Rule, and (6) caused researchers to abandon projects because of the increased number of rules for operating a research study (NCVHS, 2003).

OCR for page 199
0 BEYOND THE HIPAA PRIVACY RULE TABLE 5-1 Summary of Relevant Surveys Response Ratea Survey Year Survey Participants 331 respondentsb Association of 2003 Targeted investigators, institutional American Medical review board (IRB) personnel, Colleges privacy officials, research administrators, and deans National Cancer 2003 Individuals suggested from cancer 39% (89/226) Advisory Board center directors, clinical cooperative group chairs, and principal investigators of Special Programs of Research Excellence Agency for Healthcare 2004 16 health services researchers, and 17 77% (33/43) Research and Quality privacy officers, research compliance officers, and IRB directors National Survey of 2007 Professional members of 13 1,527 respondentsc Epidemiologists epidemiological societies HMO Research 2008 Scientists working in the 15 43% (89/235) Network (HMORN): HMORN research centers survey of investigators HMORN: survey of 2008 IRB administrators at the 15 73% (11/15) IRB administrators HMORN research centers 396 respondentsd AcademyHealth 2007 Professional members of AcademyHealth 656 respondentse American Heart 2007 Professional members of the Association/American American Heart Association and the College of Cardiology American College of Cardiology North American 2006 Membership of the North American 66% (47/77) Association of Central Association of Central Cancer Cancer Registries Registries American Society for 2008 27 compliance officials and 27 respondents Clinical Oncology investigators from 13 institutions (structured interviews) Association of 2007 Researchers and compliance 5 focus groups Academic Health personnel from 5 institutions Centers Total Number of Responses from All Entities 3,211 respondents aWhere the data are available, the response rate includes the number of survey respondents divided by the total number of individuals invited to participate in the survey. bThe total number of individuals invited to complete this survey is unknown. cThe epidemiological societies e-mailed the survey to 10,347 e-mail addresses. However, a substantial number of epidemiologists belong to more than one organization, and as a result it is impossible to calculate a response rate. Also, only those members who had submitted an application to an IRB since the Privacy Rule was implemented met the criteria for inclusion in the analysis. notes continue

OCR for page 199
0 EFFECT OF THE HIPAA PRIVACY RULE TABLE 5-1 Notes continued d All 3,461 AcademyHealth members were invited to participate in the survey, but only members who were principal investigators met the criteria for inclusion in the survey analysis. Calculating a response rate was impossible because the total number of eligible survey partici- pants was unknown. eAll 18,261 professional members of the American Heart Association and the American College of Cardiology were invited to complete this survey. Many of these members are prac- ticing physicians, not researchers, and thus were not the intended audience for the survey. As a result, it was impossible to calculate the total number of eligible individuals invited to participate in the survey, or the response rate. National Cancer Advisory Board Survey The National Cancer Advisory Board (NCAB)1 conducted a survey of health researchers’ experiences with the Privacy Rule in 2003. NCAB requested the names of Privacy Rule experts from cancer center directors, clinical cooperative group chairs, and principal investigators of Special Pro- grams of Research Excellence. A total of 226 experts were identified. These experts were invited to visit a website and submit public comments on the effect of the Privacy Rule on cancer research. NCAB received 89 responses to the survey, for a 39 percent response rate. The survey showed that the majority of respondents believed that: (1) the Privacy Rule increased patient confusion, (2) the Privacy Rule’s complex documentation requirements delayed research, (3) differing interpretations of the Privacy Rule made conducting health research more challenging, and (4) the Privacy Rule cre- ated new barriers to the use of patient specimens collected during clinical trials (Ramirez and Niederhuber, 2003). AHRQ Survey In 2004, the Agency for Healthcare Research and Quality (AHRQ) interviewed 33 senior health care researchers, privacy officers, research compliance officers, and IRB directors representing a variety of health settings in 18 states that covered all regions of the United States. With a 77 percent response rate, 92 percent of respondents reported an impact of the Privacy Rule on health research. Those reporting substantial impact were often involved in multisite studies where follow-up information from many patients was needed from many sources. Many respondents reported 1 NCAB was appointed by the President of the United States to advise the HHS Secretary and the National Cancer Institute Director regarding the activities of the Institute and policies regarding these activities.

OCR for page 199
0 BEYOND THE HIPAA PRIVACY RULE conflicting IRB decisions, difficulties with authorization as well as access to deidentified data, increased cost and time, and lack of participation from small hospitals and provider groups due to lack of resources. More than half of respondents thought that misinterpretations and overly conserva- tive interpretations of the Privacy Rule were the cause of the difficulties (Walker, 2005). National Survey of Epidemiologists The IOM committee commissioned a survey by Roberta Ness at the University of Pittsburgh. In 2007, Dr. Ness conducted a web-based survey of 1,527 epidemiologists who had submitted a new application to an IRB for a research project involving human subjects research since the Privacy Rule was implemented (see Appendix B for methodological details). The survey asked respondents to answer a number of questions on a 5-point Likert scale (1 = none, 5 = a great deal). More than 84 percent of respon- dents ranked the statement “the Privacy Rule made research easier” as a 1 or 2. In contrast, 68 percent of respondents ranked the statement “the degree to which the Rule made research more difficult” as a 4 or 5. Only 11 percent of respondents stated that the Privacy Rule strengthened public trust in research, and 26 percent responded that the Privacy Rule did a great deal to enhance participant confidentiality and privacy (Figure 5-1). This survey also provided respondents with the opportunity to write in comments regarding their experiences conducting research under the Privacy Rule. A total of 427 comments were received; 90 percent were negative, 5 percent were neutral, and 5 percent were positive. The common themes in the comments were: (1) the Privacy Rule added patient burden without enhancing privacy protections, (2) institutions vary greatly in their interpretations of the Privacy Rule, and (3) many government agencies are confused about the demarcation between public health surveillance, which is exempt from the Privacy Rule, and health research. Finally, the survey found that many respondents believed the Privacy Rule added to research costs, caused delays to research projects, and made recruitment of research participants much more difficult (Ness, 2007). HMO Research Network Survey The IOM committee also commissioned data-gathering efforts from the HMO Research Network (HMORN) of investigator and IRB members’ experiences operating under the Privacy Rule (see Appendix B for method- ological details). The HMORN is a consortium of more than 250 scientists who work in 15 research centers based in health care delivery systems. The data collection efforts consisted of a web-based survey of investigators in

OCR for page 199
0 EFFECT OF THE HIPAA PRIVACY RULE 90 80 Has the Privacy Rule: 70 Strengthened public % Reporting 60 trust 50 40 Enhanced confidentiality 30 20 Made research easier 10 Made research harder 0 1–2 3 4– 5 Don't know 1 = none 5 = a great deal FIGURE 5-1 National Survey of Epidemiologists: Scaled perceptions of the impact of the Health Insurance Portability and Accountability Act Privacy Rule. SOURCE: Ness (2007). Figure 5-1.eps the Cancer Research Network (conducted in fall 2007), a follow-up tele- phone survey of those investigators who reported having a study affected by the Privacy Rule, and a mailed survey to IRB administrators at the 15 HMORN sites (conducted in early 2008). The response rate for the inves- tigator survey was 43 percent (235 investigators were invited to participate in the survey, and 89 responses were received). Respondents were mostly doctoral-level scientists, and 72 percent of them had been in research for 10 or more years. Twelve respondents completed telephone interviews. The response rate for the IRB administrator survey was 73 percent (11 of the 15 sites submitted responses). The results of these surveys are consistent with those of previous sur- veys. Respondents reported numerous difficulties with conducting health research since the implementation of the Privacy Rule, including increased time required to conduct research, problems with gaining IRB approval for studies, impediments to multicenter research, confusion over the autho- rization process, and problems with the use of deidentified data. Of the investigators who responded, 74 percent reported having a study affected by the Privacy Rule. Of these respondents, 61 percent reported having a study affected more than once. In addition, 60 percent of the investigators reported difficulty conducting research under the requirements of the Pri- vacy Rule. On the other hand, 59 percent of the investigators reported that the Privacy Rule has strengthened patient privacy. The IRB administrators were more positive than the investigators

OCR for page 199
0 BEYOND THE HIPAA PRIVACY RULE regarding the Privacy Rule. Ninety percent of IRB administrators reported that the Privacy Rule strengthened patient privacy. In addition, 46 percent of IRB administrators said it was easy to work within the privacy regula- tions, as opposed to 36 percent of IRB administrators who said it was not easy to work within the regulations. Nonetheless, 63 percent of IRB admin- istrators reported that the Privacy Rule has made conducting research more difficult. More than 72 percent of IRB administrators reported that the federal government needs to give more guidance to IRBs about interpreting and implementing the Privacy Rule (Greene et al., 2008). AcademyHealth Survey To provide input to the IOM study, AcademyHealth conducted a sur- vey in 2007 of researchers’ experiences operating under the Privacy Rule. AcademyHealth is a professional society for health services researchers and health policy analysts. Its mission is to strengthen the research infra- structure, promote the use of the best available research, and assist health policy and practice leaders in addressing major health care challenges. The organization conducted a web-based survey of principal investigators. All 3,461 AcademyHealth members were invited to participate in the survey by e-mail. A total 696 members responded. Out of this group, 396 mem- bers were principal investigators and met the criteria for inclusion in the survey analysis. In general, 75 percent of the survey respondents reported that their experiences with the Privacy Rule were negative. Only 6 per- cent of respondents reported that their experiences were positive. Nearly half—48 percent—reported that their institution provided support to assist researchers with HIPAA compliance and IRB issues, and 77 percent of the researchers at these institutions indicated that they used these resources. Respondents were also asked whether they believe the Privacy Rule strikes the correct balance between protecting individual privacy and allowing research to be conducted. A majority—63 percent—of the respondents reported that the Privacy Rule provides protection to individuals at the expense of access to research data; 28 percent reported that the Privacy Rule strikes the right balance between these two goods; and only 1 per- cent reported that the Privacy Rule provides access to research data at the expense of privacy protection for individuals (Figure 5-2) (Helms, 2008). American Heart Association/American College of Cardiology Survey The American Heart Association (AHA) and the American College of Cardiology (ACC) also conducted a survey in 2007. The 18,261 profes- sional members of AHA and ACC were invited to complete a question- naire by e-mail, and 656 individuals completed the survey. However, it

OCR for page 199
0 EFFECT OF THE HIPAA PRIVACY RULE Does the Privacy Rule: Allow access to research data at the expense of privacy protections Protect individuals at the expense of access to research data Strike the right balance between privacy and research Unsure 0 10 20 30 40 50 60 70 % Reporting FIGURE 5-2 AcademyHealth Survey: Perspective on the balance of individual protections and research access. Figure 5-2.eps SOURCE: Helms (2008). is important to note that many professional members of AHA and ACC are practicing physicians, not researchers, and thus were not the intended audience for the survey. Of the individuals completing the survey, 61 per- cent reported that they had submitted an IRB application since the Privacy Rule was implemented. In general, the respondents indicated that the Pri- vacy Rule had a negative impact on research and did not improve patient privacy. Only 22 percent of respondents reported that the Privacy Rule increased public trust in research, 44 percent reported that it increased confidentiality, 9 percent reported that it decreased privacy breaches, and 14 percent reported that patients’ privacy was better protected than before the Privacy Rule. Respondents also indicated that the Privacy Rule had a negative impact on research recruitment, the IRB approval process, the cost and time to conduct research, multicenter research, and the use of deidenti- fied information (Ring, 2007). North American Association of Central Cancer Registries In 2006, the North American Association of Central Cancer Registries (NAACCR) conducted a survey of its memberships’ experience operating

OCR for page 199
0 BEYOND THE HIPAA PRIVACY RULE under the Privacy Rule. NAACCR members represent population-based state, regional, and provincial cancer registries in Canada, the United States and its territories. These registries provide cancer incidence data for public health surveillance and research purposes. All 71 members of NAACCR were invited to participate in the survey and 55 responses were received, however, many of the members are not HIPAA covered entities. In general, the respondents indicated that the Privacy Rule has interfered with both basic cancer surveillance and registry-based research (Deapen, 2006). American Society of Clinical Oncology Interviews The American Society of Clinical Oncology (ASCO) gathered quali- tative information through structured interviews in early 2008 with 27 compliance officials and investigators from 13 institutions about their attitudes toward the Privacy Rule. Participants were presented with three research scenarios prior to their interviews: (1) communication with cancer survivors’ family members to request their participation in genetic studies intended to investigate familial cancer syndromes, (2) establishment and use of tissue and data banks that would contain protected health information (PHI), and (3) identification and consent of cancer survivors to participate in long-term survivorship studies. These scenarios were then discussed dur- ing the interviews to explore how the Privacy Rule standards are applied at the different institutions, and to gauge the opinions of the researchers and compliance officers toward the regulation. Unlike some of the surveys, many of the ASCO interview participants indicated that the Privacy Rule had a positive effect on privacy by trigger- ing a reconsideration of how confidential health information is handled in research. However, they also noted that different institutions’ IRBs have very different approaches to complying with the Privacy Rule, and this can impede important research. They identified the authorization process as the most significant challenge to complying with the Privacy Rule, especially for future research projects relying on stored tissue and databases. Com- pliance officers and researchers disagreed on the possibility of obtaining authorization for “future research.” Other problems identified included abandoned studies, a lack of training and useful guidance documents on the requirements of the Privacy Rule, and concerns about the security of research databases (ASCO, 2008). Association of Academic Health Centers Focus Groups The Association of Academic Health Centers (AAHC) organized focus groups in fall 2007 at five institutions to examine researchers’ experiences operating under the HIPAA Privacy Rule. Each focus group included both

OCR for page 199
0 EFFECT OF THE HIPAA PRIVACY RULE researchers and compliance personnel from the institution, and all groups were asked the same set of questions. The focus groups reported problems with the Privacy Rule’s regulation of research similar to those found in the surveys. Major issues identified included overly conservative inter- pretation of the Privacy Rule by institutions, diminished ability to recruit research participants, obstacles in accessing stored tissue and genetic data- sets, increased cost and time to conduct research, and increased complexity in the IRB review procedures. Participants also indicated that some hos- pitals and community physicians were opting out of research, rather than attempting to comply with the Privacy Rule (AAHC, 2008) SELECTION BIAS Selection bias is created when data are more likely to be collected from one subset of the population than from a representative sample of the entire population (see Box 3-8). This can cause a systematic difference between the characteristics of the individuals included in a study and the individuals not included. Selection bias is problematic for research because it can lead to inaccurate results and it reduces the generalizability of research results to the general population, as indicated by the examples described below. The Privacy Rule has the potential to contribute to selection bias because it requires researchers to seek patient authorization to access their health records in most situations (see Chapter 4). Selection bias occurs if the individuals who give permission for researchers to access their medical data differ from the group of individuals who are unwilling to give permission for their health information to be used in research. This section provides a detailed overview of the evidence regarding the Privacy Rule’s impact on selection bias. It starts with a description of relevant survey data from the researcher surveys described above, then provides a summary of several systematic studies that examined the effect of consent and authorization on selection bias. It concludes with a section summarizing several studies that specifically examined the Privacy Rule’s effect on research samples. Two surveys provide evidence that researchers are concerned about the Privacy Rule introducing selection bias into research. In the AHRQ survey, 74 percent of respondents reported that they had experienced problems with sample representation and bias. One of the most commonly cited rea- sons for selection bias was that fewer patients have agreed to participate in research since the Privacy Rule was implemented. Respondents indicated that the complicated and lengthy authorization forms required by the Pri- vacy Rule create an impediment to subject recruitment. Also, 42 percent of respondents reported that many small health care entities and other entities serving disadvantaged populations are not participating in research because of an inability to meet all of the Privacy Rule requirements. This results in

OCR for page 199
 BEYOND THE HIPAA PRIVACY RULE Next, the researchers looked at the authorization forms’ readability using three formulas: the Simple Measure of Gobbledegook (SMOG), the Flesch- Kincaid reading level, and the Flesch Reading Ease Score. Using the SMOG formula to evaluate the authorization forms, the researchers found that the median reading level for the authorization templates was 13th grade (i.e., freshman year in college). All of the forms scored above the eighth-grade reading level. Under the Flesch-Kincaid reading-level formula, the research- ers found that 97 percent of the forms were written above the eighth-grade reading level. Similarly, using the Flesch Reading Ease Score, the researchers found that 86.5 percent of the forms were “difficult” or “very difficult” to read. Only 3 of 111 authorization forms scored at the “standard English” reading level. The authors concluded that these results are problematic for researchers because half of the U.S. adult population reads at or below the eighth-grade level. A large percentage of potential research participants are likely unable to comprehend much of the information contained in authori- zation forms. The authors believe that many institutions view authorization forms as liability protection, rather than as a mechanism to inform research participants about a study (Breese et al., 2004). A similar study was conducted by Nosowsky and Giordano (2006) at the University of Michigan. They analyzed the National Institutes of Health’s model authorization form using Microsoft’s Flesch-Kincaid scale and found that it was written at a 12th-grade reading level. The authors concluded that many research participants cannot understand the forms they are required to sign. Thus, it is not surprising that researchers are reporting that the authorization process is causing confusion for research participants (Nosowsky and Giordano, 2006). Another study that examined whether the Privacy Rule authorization requirement has created a barrier to research was conducted by Shen et al. at Governors State University, University Park, IL. The researchers followed the authorization process in a school-based educational program for child- hood obesity prevention as a case study. The authorization form used in this case study was as simple as possible. Most of the sentences on the form were taken directly out of the Privacy Rule regulation, and any additional sentences were required by the local IRB. However, despite an attempt to simplify the authorization form, only 21 percent of parents granted authori- zation for their children to participate in the school-based obesity program. The researchers concluded that the authorization form was overly complex, making many parents reluctant or unwilling to sign it. The authors noted, however, that the low recruitment rate recorded perhaps could have been more easily solved through better communication about the program with the students’ parents than through modification of the authorization forms (Shen et al., 2006).

OCR for page 199
 EFFECT OF THE HIPAA PRIVACY RULE CONCERNS ABOUT POTENTIAL LEGAL CONSEQUENCES Because many institutions are risk averse, the AcademyHealth survey examined the impact of concerns about the penalty provisions of the Pri- vacy Rule on research. Nineteen percent of the respondents reported that the penalties had no effect on efforts to obtain data from a covered entity, and 24 percent reported that penalties were considered by covered entities but ultimately did not prevent researchers from obtaining data. However, 26 percent of respondents reported that concerns about penalties have impeded access to data—16 percent reported that fear of penalties has pre- vented covered entities from providing data to researchers, and 10 percent reported that covered entities’ concerns about data privacy caused them to forego research activities. Nearly 30 percent of respondents were unsure what impact, if any, penalties have had on efforts to obtain data from covered entities (Helms, 2008). Similar concerns were reported for a study using data from 19 hospitals near the University of Washington, as noted previously. The nine IRBs requiring full review of a study already approved by the IRB of the University cited concerns over the Privacy Rule’s civil and criminal penalties as the main reason for denying expedited review or for not honoring another IRB’s decisions (Lydon-Rochelle and Holt, 2004). Fear of civil suits could also lead IRB and Privacy Board members to be overly conservative in their decisions about research proposals brought before them, and could be a significant deterrent in recruiting qualified volunteers to serve on IRBs and Privacy Boards. Effective oversight of health research depends on the recruitment of qualified and knowledgeable volunteers to serve on IRBs and Privacy Boards, but the growth over the past decade of lawsuits naming individual IRB members as defendants5 has created a chill that threatens the willingness of volunteers to serve on IRBs (Hoffman and Berg, 2005; Icenogle, 2003; IPPC, 2008; Rose and Lodato, 2004; Shaul et al., 2005). Members of IRBs and Privacy Boards are generally indemnified by their institutions, but they are not immune from being named in a suit. There- fore they could still have to devote time and resources to defending themselves for decisions made by an IRB or a Privacy Board on which they served. POTENTIAL WAYS TO REDUCE INTERPRETIVE VARIABILITY AMONG IRBS, PRIVACY BOARDS, AND COVERED ENTITIES HHS intended to allow covered entities, IRBs, and Privacy Boards to have some local control in implementing and interpreting the Privacy Rule as it applies to the use and disclosure of PHI for research. Sensitivity to local 5 For examples of specific cases naming IRB members as individual defendants, see Robertson v. McGee (2001), Guckin v. Nagle (2002), and Scheer v. Burke (2003), available at http:// www.sskrplaw.com/gene/index.html.

OCR for page 199
 BEYOND THE HIPAA PRIVACY RULE issues can be a desirable feature, particularly when institutions serve special populations or under unusual circumstances. However, variations in IRB and Privacy Board oversight may relate less to true local differences in the research environment than to the administrative differences and variability in the skills and resources of IRBs and Privacy Boards (Casarett et al., 2005). There is no required certification process to ensure that IRB/Privacy Board members have sufficient knowledge and understanding of research ethics and regulation, and funding is often through indirect sources, such as grants. Based on the evidence presented in this chapter, it is clear that over- interpretation of the Privacy Rule is common and that the substantial variability in interpretation among covered entities and oversight boards is detrimental to health research. More consistent application of the Privacy Rule would facilitate responsible research and also provide more meaning- ful protection of patient privacy. One potential way to begin to address this issue would be for HHS to regularly identify and disseminate “best practices” for responsible research (IOM, 2000). Guidance materials and models or templates for things such as the authorization form (written at an appropriate reading level), waiver of authorization form, data use agreements, and business associate agreements would make it easier for investigators to appropriately design research projects and put institutions at ease about decisions their IRBs and Privacy Boards make with regard to privacy concerns. This endeavor could perhaps be accomplished as an activity of the National Institutes of Health (NIH) Roadmap,6 under the direction of the Office for Civil Rights. An informative precedent for this activity is the National Practitioner Data Bank Guidebook7 of the Health Resources and Services Administration, established through Title IV of the Healthcare Quality Improvement Act of 1986, Public Law 99–660. That guidebook, which is frequently updated, provides many case examples of what should be done in various situations. Stakeholders—including researchers; research institutions, IRBs, and Privacy Boards; sponsors of research; public health practitioners and agen- cies; patient and consumer organizations; and privacy experts—could have considerable influence on the adoption of best practices once they have been identified and thus could help to make privacy protections and IRB/Privacy Board decisions more uniform. For example, Requests for Proposals and other funding mechanisms could be more instructive on this point. Many 6 The NIH Roadmap was initiated in 2004 as “an integrated vision to deepen our under- standing of biology, stimulate interdisciplinary research teams, and reshape clinical research to accelerate medical discovery and improve people’s health.” See http://nihroadmap.nih. gov/overview.asp (accessed January 13, 2009). 7 See http://www.npdb-hipdb.hrsa.gov/npdbguidebook.html (accessed January 13, 2009).

OCR for page 199
 EFFECT OF THE HIPAA PRIVACY RULE academic researchers depend on their ability to procure funding from a source external to their institutions, and research sponsors also have obliga- tions to protect research participants. As a result, major nonfederal funders could be a powerful force for adherence to ethical guidelines, even in the absence of strong federal regulations and enforcement. Organizations whose primary missions are focused on promoting responsible and ethical research, such as Public Responsibility in Medi- cine and Research (PRIM&R) and the Association for the Accreditation of Human Research Protection Programs (AAHRPP), featured in Boxes 5-2 and 5-3, could contribute much to the dynamic and ongoing process of developing best practices. These organizations educate IRB profession- als, offer voluntary certification programs, and have hosted conferences to address ethical and legal challenges in research, including those related to HIPAA. Increased participation in PRIM&R and AAHRPP could extend understanding of regulatory requirements and foster national discourse about issues of interpretation and application of the Privacy Rule. An important point to remember is that HHS’s policy is to seek compli- ance first, rather than penalties, when a concern is brought to the agency’s attention (see Chapter 5). Institutions might be less inclined to be overly conservative in interpreting the Privacy Rule if this were stated more clearly BOX 5-2 Public Responsibility in Medicine and Research (PRIM&R) The mission of PRIM&R is to promote ethical research in humans and animals. It tracks and provides input to policy initiatives and regulatory changes relating to ethical standards in research and offers educational opportunities in the fields of biomedical and social/behavioral/educational research. PRIM&R also offers two certification programs, one for administrators for animal care and use committees, and one for IRB professionals. The latter is designed specifically for individuals participating in and/or over- seeing the daily operations of IRBs, including IRB administrators, staff, chairs, and institutional officials. Professionals from institutional IRBs, independent IRBs, and industry, as well as other institutions focused on either biomedical or social/ behavioral/educational research, are eligible. Candidates’ IRB experience must be “substantial and ongoing” and must reflect the applicant’s commitment to applied research ethics in human subjects protections. The exam for certification is administered by the Professional Testing Corporation and is offered at least twice yearly at testing sites across the United States and Canada. Certification is valid for 3 years and can be renewed via reexamination or once in a 6-year period with continuing education credits. SOURCE: See http://www.primr.org.

OCR for page 199
 BEYOND THE HIPAA PRIVACY RULE BOX 5-3 Association for the Accreditation of Human Research Protection Programs (AAHRPP) A AHRPP is an independent, nonprofit entity that accredits organiza - tions’ human research protection programs. Its mission is to accredit “high- quality human research protection programs in order to promote excellent, e thically sound research. Through partnership with research organizations, r esearchers, sponsors, and the public, AAHRPP encourages effective, effi- cient, and innovative systems of protection for human research participants.” To earn and maintain accreditation, an organization must provide evidence t hat its practices, policies, and procedures promote ethically sound and sci- entific research every 3 years. AAHRPP provides print, online, and training r esources to guide organizations through the accreditation process and to h elp organizations interpret the required accreditation standards. SOURCE: See http://www.aahrpp.org/www.aspx. in guidance materials. Simple clarification and clear communication of the way HHS will enforce the Privacy Rule and seek penalties would be helpful. In addition, some limited protection against civil suits brought pursu- ant to federal or state law for members of IRBs and Privacy Boards for decisions made within the scope of their responsibilities under the Privacy Rule and the Common Rule could be beneficial. This limited protection should not include protection for willful and wanton misconduct in review- ing the research. Members of IRBs or Privacy Boards who receive limited protection against lawsuits may be less likely to interpret the Privacy Rule too conservatively. A similar provision was incorporated into the Ontario Personal Health Information Protection Act of 2004, under which members of Research Ethics Boards are immune for acts done and omissions made in good faith that are reasonable under the circumstances (see also Chapter 6). This type of immunity for IRB and Privacy Board members would be simi- lar to the precedent of protection for peer review members under state laws and under the Health Care Quality Improvement Act of 1986. Such protections might also facilitate multi-institutional research by reducing the variability among local IRBs and Privacy Boards because they might be more comfortable accepting the decision of a lead IRB/Privacy Board. But even in the absence of this sort of regulatory or statutory

OCR for page 199
 EFFECT OF THE HIPAA PRIVACY RULE change, a clear statement from HHS regarding the acceptability, and thus the limits, of legal consequences of accepting the decision of another IRB or Privacy Board would help to facilitate multi-institutional research. CONCLUSIONS AND RECOMMENDATIONS The evidence presented in this chapter demonstrates that implementa- tion and interpretation of the Privacy Rule has had a significant effect on how health research is conducted in the United States. Although the Pri- vacy Rule may have extended regulatory protections of privacy in health research that were desirable, the numerous studies reviewed here indicate that it has also had an unintended negative effect on health research, often due to variations in how covered entities, IRBs, and Privacy Boards inter- pret the complex regulations. Nonetheless, even if the effect on research has been negative, carefully considering the effect on privacy of any changes to the Privacy Rule as well as the effect on research is important. Many problems identified in this chapter could potentially be improved by HHS without changing the Privacy Rule itself. More consistent application of the Privacy Rule would facilitate responsible research and provide more meaningful protection of patient privacy. Thus, the committee recommends that HHS regularly convene consensus development conferences in collaboration with health research stakeholders to collect and evaluate current practices in privacy protec- tion in order to identify and disseminate best practices for responsible research. Stakeholders can then enable and encourage researchers to use these best practices in designing and conducting research involving the use of PHI. Current guidance from HHS addresses only what is permissible under the HIPAA Privacy Rule; the guidance does not identify best practices. A dynamic, ongoing process for the identification and dissemination of best practices in privacy protection for various types of health research by HHS would facilitate reviews by IRBs and Privacy Boards and would lead to more consistent and appropriate decisions. Guidance materials with best practices and models or templates for things such as the authorization form, waiver of authorization form, data use agreements, and business associate agreements would make it easier for investigators to appropriately design research projects and put institutions at ease about decisions their IRBs and Privacy Boards make with regard to privacy concerns. Such guidance mate- rials should be written as clearly and simply as possible, using an inclusive, dynamic, and transparent development process, and should override all prior guidance documents. Stakeholders—including researchers; research institutions, IRBs, and Privacy Boards; sponsors of research; public health practitioners and agen-

OCR for page 199
0 BEYOND THE HIPAA PRIVACY RULE cies; patient and consumer organizations; and privacy experts—could have considerable influence on the adoption of best practices once they have been identified and thus could help to make privacy protections and IRB/Privacy Board decisions more uniform. Organizations whose primary missions are focused on promoting responsible and ethical research, such as PRIM&R and AAHRPP, can contribute much to the process. Another potential way to reduce inconsistency and overly conservative interpretation would be to provide some limited legal protection for IRB and Privacy Board members, who may be fearful of lawsuits pertaining to IRB/Privacy Board decisions. The committee recommends that HHS—or, as necessary, Congress—provide reasonable protection against civil suits brought pursuant to federal or state law for members of IRBs and Privacy Boards for decisions made within the scope of their responsibilities under the HIPAA Privacy Rule and the Common Rule. The limitation on liability should not include protection for willful and wanton misconduct in review- ing the research, but should instead be for good-faith decisions, backed by minutes or other evidence, in responsibly applying the legal requirements under the HIPAA Privacy Rule or the Common Rule. Recommendations put forth in previous chapters should also help to reduce variability and overinpretation of the regulations. These include facilitating greater use of data with direct identifiers removed and facili- tating appropriate IRB and Privacy Board oversight of identification and recruitment of potential research participants (see Chapter 4). Clarifying the distinction between “research” and “practice” to ensure appropriate ethical oversight of the use of protected health information would also help IRBs and Privacy Boards make decisions that adequately protect patient privacy and facilitate responsible research (see Chapter 3). However, as indicated in Chapter 6, the committee believes that ideally, a bolder approach should be taken, with HHS developing a new approach to protecting privacy in health research that emphasizes privacy, security, accountability, and transparency and that is applicable to all health research in the United States. REFERENCES AAHC (Association of Academic Health Centers). 2008. HIPAA creating barriers to research and discovery: HIPAA problems widespread and unresolved since 00. http://www. aahcdc.org/policy/reddot/AAHC_HIPAA_Creating_Barriers.pdf (accessed September 2, 2008). Al-Shahi, R., C. Vousden, and C. Warlow. 2005. Bias from requiring explicit consent from all participants in observational research: Prospective, population based study. British Medical Journal 331:942–945.

OCR for page 199
 EFFECT OF THE HIPAA PRIVACY RULE Armstrong, D., E. Kline-Rogers, S. M. Jani, E. B. Goldman, J. Fang, D. Mukherjee, B. K. Nallamothu, and K. A. Eagle. 2005. Potential impact of the HIPAA Privacy Rule on data collection in a registry of patients with acute coronary syndrome. Archives of Internal Medicine 165(10):1125–1129. ASCO (American Society of Clinical Oncology). 2008. The impact of the Privacy Rule on cancer research: Variations in attitudes and application of regulatory standards. Alexandria, VA: ASCO. Beebe, T., N. Talley, M. Camilleri, S. M. Jenkins, K. J. Anderson, and G. R. Locke. 2007. The HIPAA authorization form and effects on survey response rate, nonresponse bias, and data quality. Medical Care 45(10):959–965. Breese, P., W. Burman, C. Rietmeijer, and D. Lezotte. 2004. The Health Insurance Portability and Accountability Act and the informed consent process. Annals of Internal Medicine 141:897–898. Casarett, D., J. Karlawish, E. Andrews, and A. Caplan. 2005. Bioethical issues in pharmaco- epidemiological research. In Pharmacoepidemiology, 4th ed, edited by B. L. Strom. West Sussex, England: John Wiley & Sons, Ltd. Pp. 417–432. Clause, S. L., D. M. Triller, C. P. H. Bornhorst, R. A. Hamilton, and L. E. Cosler. 2004. Con- forming to HIPAA regulations and compilation of research data. American Journal of Health-System Pharmacy 61(10):1025–1031. Deapen, D. 2006. Negative impact of HIPAA on population-based cancer registry research: A brief survey. Springfield, IL: North American Association of Central Cancer Registries. Dunlop, A., T. Graham, Z. Leroy, K. Glanz, and B. Dunlop. 2007. The impact of HIPAA authorization on willingness to participate in clinical research. Annals of Epidemiology 17(11):899–905. Friedman, D. S. 2006. HIPAA and research: How have the first two years gone? American Journal of Ophthalmology 141(3):543–546. Greene, S. M., A. M. Geiger, E. L. Harris, A. Altschuler, L. Nekhlyudov, M. B. Barton, S. J. Rolnick, J. G. Elmore, and S. Fletcher. 2006. Impact of IRB requirements on a multicenter survey of prophylactic mastectomy outcomes. Annals of Epidemiology 16:275–278. Greene, S. M., S. Bennett, B. Kirlin, K. R. Oliver, R. Pardee, and E. Wagner. 2008. Impact of the HIPAA Privacy Rule in the HMO Research Network. Seattle, WA: Group Health Cooperative Center for Health Studies. Harris, M. A., and A. R. Levy. 2008. Personal privacy and public health: Potential impacts of privacy legislation on health research in Canada. Canadian Journal of Public Health 99(4):293–296. Helms, D. 2008 (February 14). PowerPoint presentation to the Institute of Medicine Com- mittee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on the AcademyHealth survey results. Hoffman, S., and J. W. Berg. 2005. The suitability of IRB liability. Case Legal Studies Research Paper No. 0-. February. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=671004 (accessed September 2, 2008). Howe, H. L., A. J. Lake, and T. Shen. 2006. Method to assess identifiability in electronic data files. American Journal of Epidemiology 165(5):597–601. Icenogle, D. L. 2003. IRBs, conflict and liability: Will we see IRBs in court? Or is it when? Clinical Medicine & Research 1(1):63–68. IOM (Institute of Medicine). 2000. Protecting data privacy in health services research. Wash- ington, DC: National Academy Press. IOM. 2002. Responsible research: A systems approach to protecting research participants. Washington, DC: The National Academies Press.

OCR for page 199
 BEYOND THE HIPAA PRIVACY RULE IPPC (International Pharmaceutical Privacy Consortium). 2008 (March 30). Comments to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on the impact of the HIPAA Privacy Rule on pharmaceutical research. Kaiser, J. 2006. Rule to protect records may doom long-term heart study. Science 311:1547–1548. Kolata, G. 2007. States and V.A. at odds on cancer data. The New York Times, October 10. Kompanje, E. J. O., and A. I. R. Maas. 2006. Is the Glasgow coma scale score protected health information? The effect of new United States regulations (HIPAA) on completion of screening logs in emergency research trials. Intensive Care Medicine 32:313–314. Lydon-Rochelle, M., and V. L. Holt. 2004. HIPAA transition: Challenges of a multisite medical records validation study of maternally linked birth records. Maternal & Child Health Journal 8(1):35–38. McCarthy, D. B., D. Shatin, C. R. Drinkard, J. H. Kleinman, and J. S. Gardner. 1999. Medical records and privacy: Empirical effects of legislation. Health Services Research 34(1):417–425. National Committee on Vital and Health Statistics, Subcommittee on Privacy and Confiden- tiality. Susan Ehringhaus’s testimony on behalf of the Association of American Medical Colleges. November 19, 2003. Ness, R. 2005. A year is a terrible thing to waste: Early experience with HIPAA. Annals of Epidemiology 15(2):85–86. Ness, R. 2007. Influence of the HIPAA Privacy Rule on health research. JAMA 298(18):2164–2170. Newgard, C. D., S. H. Hui, P. Stamps-White, R. J. Lewis, C. D. Newgard, S.-H. J. Hui, P. Stamps-White, and R. J. Lewis. 2005. Institutional variability in a minimal risk, population-based study: Recognizing policy barriers to health services research. Health Services Research 40(4):1247–1258. Nosowsky, R., and T. J. Giordano. 2006. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule: Implications for clinical research. Annual Review of Medicine 57(1):575–590. O’Herrin, J. K., N. Fost, and K. A. Kudsk. 2004. Health Insurance Portability and Account- ability Act (HIPAA) regulations: Effect on medical record research. Annals of Surgery 239(6):772–778. Ramirez, A. G., and J. E. Niederhuber. 2003 (November 5). Letter to the Honorable Tommy G. Thompson, Secretary of the Department of Health and Human Services. Ring, J. 2007 (October 1–2). PowerPoint presentation to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on the American Heart Association survey results. Rose, B. S., and V. Lodato. 2004. The role of class actions in litigation involving human research subjects. BNA Class Action Litigation Report, March 12. Russell, S. 2004a. Dispute on medical record access settled: Cancer researchers wanted UC data on new cases quicker. San Francisco Chronicle, December 7, B1. Russell, S. 2004b. Medical privacy law said to be chilling cancer studies: Scientists fight for fast access to patient files. San Francisco Chronicle, September 26, A4. Shaffer, D. 2006. Privacy laws jeopardize heart study: Researchers have put a well-known stroke and heart disease study on hold. Star Tribune, February 12. Shalowitz, D., and D. Wendler. 2006. Informed consent for research and authorization under the Health Insurance Portability and Accountability Act Privacy Rule: An integrated approach. Annals of Internal Medicine 144(9):685–688. Shaul, R. Z., S. Birenbaum, and M. Evans. 2005. Legal liability in research: Early lessons from North America. BMC Medical Ethics 6(4):1–4.

OCR for page 199
 EFFECT OF THE HIPAA PRIVACY RULE Shen, J. J., L. F. Samson, E. L. Washington, P. Johnson, C. Edwards, A. Malone, J. J. Shen, L. F. Samson, E. L. Washington, P. Johnson, C. Edwards, and A. Malone. 2006. Barriers of HIPAA regulation to implementation of health services research. Journal of Medical Systems 30(1):65–69. Trevena, L., L. Irwig, and A. Barratt. 2006. Impact of privacy legislation on the number and characteristics of people who are recruited for research: A randomized controlled trial. Journal of Medical Ethics 32:473–477. Tu, J. V., D. J. Willison, F. L. Silver, J. Fang, J. A. Richards, A. Laupacis, and M. K. Kapral. 2004. Impracticability of informed consent in the registry of the Canadian stroke net- work. New England Journal of Medicine 350(14):1414–1421. Walker, D. K. 2005. Impact of the HIPAA Privacy Rule on health services research. Philadelphia, PA: Abt Associates, Inc. Ward, H. J. T., S. N. Cousens, B. Smith-Bathgate, M. Leitch, D. Everington, R. G. Will, and P. G. Smith. 2007. Obstacles to conducting epidemiological research in the UK general population. British Medical Journal 329:277–279. Williams, B. A., J. J. Irrgant, M. T. Bottegal, K. A. Francis, and M. T. Vogt. 2007. A post hoc analysis of research study staffing: Budgetary effects of the Health Insurance Portability and Accountability Act (HIPAA) on research staff workload during a prospective, randomized clinical trial. Anesthesiology 107(5):860–861. Wolf, M. S., and C. L. Bennett. 2006. Local perspective of the impact of the HIPAA Privacy Rule on research. Cancer 106(2):474–479. Woolf, S. H., S. F. Rothemich, R. E. Johnson, and D. W. Marsland. 2000. Selection bias from requiring patients to give consent to examine data for health services research. Archives of Family Medicine 9:1111–1118.

OCR for page 199