National Academies Press: OpenBook

Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research (2009)

Chapter: 5 Effect of the HIPAA Privacy Rule on Health Research

« Previous: 4 HIPAA, the Privacy Rule, and Its Application to Health Research
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 199
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 200
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 201
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 202
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 203
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 204
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 205
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 206
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 207
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 208
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 209
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 210
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 211
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 212
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 213
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 214
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 215
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 216
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 217
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 218
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 219
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 220
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 221
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 222
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 223
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 224
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 225
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 226
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 227
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 228
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 229
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 230
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 231
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 232
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 233
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 234
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 235
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 236
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 237
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 238
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 239
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 240
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 241
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 242
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 243
Suggested Citation:"5 Effect of the HIPAA Privacy Rule on Health Research." Institute of Medicine. 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press. doi: 10.17226/12458.
×
Page 244

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

5 Effect of the HIPAA Privacy Rule on Health Research Since the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule was implemented by the U.S. Department of Health and Human Services (HHS) in April 2003, health researchers have asserted that the Privacy Rule has had a negative effect on researchers’ abilities to conduct meaningful research. The purpose of this chapter is to review the currently available evidence on the effect of the Privacy Rule on research, including surveys as well as other types of studies to measure impact. The chapter begins with an overview of several surveys that examined health researchers’ personal experiences with and opinions about the Privacy Rule. Many issues identified by survey respondents were also the focus of other types of studies, so the remainder of the chapter consists of a topical review of the available evidence regarding the effect of the Privacy Rule, and its interpretation, on health research. The following issues are reviewed in detail: (1) selection bias, (2) research efficiency, (3) abandoned research, (4) deidentified information, (5) the authorization process, and (6) concerns about potential legal consequences. OVERVIEW OF SURVEY RESULTS As noted in previous chapters (Chapter 1 in particular), the informa- tion gained by opinion surveys has limitations. The potential for bias exists because of the way the questions are worded and framed, and respondents may have self-motivated reasons for responding in a particular fashion. For example, individuals responding to surveys conducted by professional soci- eties may be more likely to have encountered difficulties with the Privacy 

00 BEYOND THE HIPAA PRIVACY RULE Rule than those who did not respond. Thus, information gathered from surveys is anecdotal and based on individual’s personal opinions; it does not constitute systematic data on the experience of all researchers. Before discussing the relevant surveys in detail in this chapter, it is also important to recognize the strengths and weaknesses of these survey data. One strength is that multiple surveys addressed similar topics, and many respondents were affiliated with different institutions and different fields of health research. The fact that the respondents to the different surveys reported similar problems with conducting research under the Privacy Rule makes it more likely that results can be generalized and are not specific to a particular institution. Weaknesses include the size and low response rates of some surveys and, in some cases, the lack of a denominator, making it impossible to determine a response rate, which is an important measure to assess the representativeness of the results. Also, three of the surveys discussed below were conducted immediately or shortly after the Privacy Rule was implemented, before covered entities and other stakeholders had adequate time to adapt to the new regulation. However, more recent surveys of researchers’ experiences with the Privacy Rule, two of which were commissioned by the Institute of Medicine (IOM) committee, found that researchers were still reporting negative effects of the Privacy Rule on health research (Box 5-1). Surveys to gauge the impact of the HIPAA Privacy Rule on health research have been undertaken by numerous agencies and organizations with various constituencies, including the Association of American Medical Colleges (NCVHS, 2003), the National Cancer Advisory Board (Ramirez and Niederhuber, 2003), the Agency for Healthcare Research and Quality (Walker, 2005), Epidemiological Societies (Ness, 2007), the HMO Research Network (Greene et al., 2008), AcademyHealth (Helms, 2008), the Ameri- can Heart Association (Ring, 2007), and the North American Associa- tion of Central Cancer Registries (Deapen, 2006). In addition, structured interviews were undertaken by the American Society for Clinical Oncology (ASCO, 2008), and focus groups were organized by the Association of Academic Health Centers (AAHC, 2008). An overview of these projects is provided below (also see Table 5-1). Association of American Medical Colleges Survey In 2003, on the day that covered entities were required to be in compli- ance with the Privacy Rule, the Association of American Medical Colleges (AAMC) launched a survey to examine the Privacy Rule experiences of investigators, Institutional Review Board (IRB) personnel, privacy officials, research administrators, and deans. AAMC then created a database of case reports and research functions affected by the Privacy Rule based on 331 individuals’ responses. After analyzing the database, AAMC concluded that

0 EFFECT OF THE HIPAA PRIVACY RULE BOX 5-1 Health Researchers’ Experience with the Privacy Rule: Survey Results in 2003–2004 and 2007–2008 • The Privacy Rule has increased the cost and time it takes to conduct a research project from start to finish (AAMC, NCAB, AHRQ, Ness, Academy- Health, HMORN, AHA/ACC, AAHC) • Institutional differences in interpretation of the Privacy Rule have made con- ducting health research more difficult than in the pre-Privacy Rule era (AAMC, NCAB, AHRQ, Ness, AcademyHealth, HMORN, AAHC) • The Privacy Rule has made recruitment of research participants more dif- ficult and has increased the likelihood of selection bias (AAMC, AHRQ, Ness, AcademyHealth, AHA/ACC, AAHC) • The Privacy Rule has increased research participants’ confusion regarding their rights and protections (NCAB, Ness, HMORN) • The Privacy Rule’s standards for deidentification have not created an effective way for researchers to collect data (AAMC, AHRQ, Ness, AcademyHealth, HMORN, AHA/ACC) • The Privacy Rule has led researchers to abandon studies (AAMC, AHRQ, AcademyHealth, HMORN, ASCO) • The Privacy Rule has created new barriers to the use of patient specimens collected during clinical trials (NCAB, AAHC, ASCO) Survey Institutions: Association of American Medical Colleges (AAMC), National Cancer Advisory Board (NCAB), Agency for Healthcare Research and Quality (AHRQ), HMO Research Network (HMORN), American Heart Association/ American College of Cardiology (AHA/ACC), Association of Academic Health Centers (AAHC), American Society of Clinical Oncology (ASCO). SOURCES: AAHC (2008); ASCO (2008); Greene et al. (2006); Helms (2008); NCVHS (2003); Ness (2007); Ramirez and Niederhuber (2003); Ring (2007); Walker (2005). the Privacy Rule affects many types of health research, including clinical, health services, epidemiological, behavioral, biomedical, health economics, and outcomes research. The most common effects of the Privacy Rule on research reported were that the Privacy Rule: (1) reduced patient recruit- ment, (2) increased the likelihood of selection bias, (3) increased the costs of conducting research by requiring more paperwork and complicating the IRB approval process, (4) increased the number of errors in research when deidentified information was used, (5) made multisite trials more difficult because of variations in IRB interpretation of the Rule, and (6) caused researchers to abandon projects because of the increased number of rules for operating a research study (NCVHS, 2003).

0 BEYOND THE HIPAA PRIVACY RULE TABLE 5-1 Summary of Relevant Surveys Response Ratea Survey Year Survey Participants 331 respondentsb Association of 2003 Targeted investigators, institutional American Medical review board (IRB) personnel, Colleges privacy officials, research administrators, and deans National Cancer 2003 Individuals suggested from cancer 39% (89/226) Advisory Board center directors, clinical cooperative group chairs, and principal investigators of Special Programs of Research Excellence Agency for Healthcare 2004 16 health services researchers, and 17 77% (33/43) Research and Quality privacy officers, research compliance officers, and IRB directors National Survey of 2007 Professional members of 13 1,527 respondentsc Epidemiologists epidemiological societies HMO Research 2008 Scientists working in the 15 43% (89/235) Network (HMORN): HMORN research centers survey of investigators HMORN: survey of 2008 IRB administrators at the 15 73% (11/15) IRB administrators HMORN research centers 396 respondentsd AcademyHealth 2007 Professional members of AcademyHealth 656 respondentse American Heart 2007 Professional members of the Association/American American Heart Association and the College of Cardiology American College of Cardiology North American 2006 Membership of the North American 66% (47/77) Association of Central Association of Central Cancer Cancer Registries Registries American Society for 2008 27 compliance officials and 27 respondents Clinical Oncology investigators from 13 institutions (structured interviews) Association of 2007 Researchers and compliance 5 focus groups Academic Health personnel from 5 institutions Centers Total Number of Responses from All Entities 3,211 respondents aWhere the data are available, the response rate includes the number of survey respondents divided by the total number of individuals invited to participate in the survey. bThe total number of individuals invited to complete this survey is unknown. cThe epidemiological societies e-mailed the survey to 10,347 e-mail addresses. However, a substantial number of epidemiologists belong to more than one organization, and as a result it is impossible to calculate a response rate. Also, only those members who had submitted an application to an IRB since the Privacy Rule was implemented met the criteria for inclusion in the analysis. notes continue

0 EFFECT OF THE HIPAA PRIVACY RULE TABLE 5-1 Notes continued d All 3,461 AcademyHealth members were invited to participate in the survey, but only members who were principal investigators met the criteria for inclusion in the survey analysis. Calculating a response rate was impossible because the total number of eligible survey partici- pants was unknown. eAll 18,261 professional members of the American Heart Association and the American College of Cardiology were invited to complete this survey. Many of these members are prac- ticing physicians, not researchers, and thus were not the intended audience for the survey. As a result, it was impossible to calculate the total number of eligible individuals invited to participate in the survey, or the response rate. National Cancer Advisory Board Survey The National Cancer Advisory Board (NCAB)1 conducted a survey of health researchers’ experiences with the Privacy Rule in 2003. NCAB requested the names of Privacy Rule experts from cancer center directors, clinical cooperative group chairs, and principal investigators of Special Pro- grams of Research Excellence. A total of 226 experts were identified. These experts were invited to visit a website and submit public comments on the effect of the Privacy Rule on cancer research. NCAB received 89 responses to the survey, for a 39 percent response rate. The survey showed that the majority of respondents believed that: (1) the Privacy Rule increased patient confusion, (2) the Privacy Rule’s complex documentation requirements delayed research, (3) differing interpretations of the Privacy Rule made conducting health research more challenging, and (4) the Privacy Rule cre- ated new barriers to the use of patient specimens collected during clinical trials (Ramirez and Niederhuber, 2003). AHRQ Survey In 2004, the Agency for Healthcare Research and Quality (AHRQ) interviewed 33 senior health care researchers, privacy officers, research compliance officers, and IRB directors representing a variety of health settings in 18 states that covered all regions of the United States. With a 77 percent response rate, 92 percent of respondents reported an impact of the Privacy Rule on health research. Those reporting substantial impact were often involved in multisite studies where follow-up information from many patients was needed from many sources. Many respondents reported 1 NCAB was appointed by the President of the United States to advise the HHS Secretary and the National Cancer Institute Director regarding the activities of the Institute and policies regarding these activities.

0 BEYOND THE HIPAA PRIVACY RULE conflicting IRB decisions, difficulties with authorization as well as access to deidentified data, increased cost and time, and lack of participation from small hospitals and provider groups due to lack of resources. More than half of respondents thought that misinterpretations and overly conserva- tive interpretations of the Privacy Rule were the cause of the difficulties (Walker, 2005). National Survey of Epidemiologists The IOM committee commissioned a survey by Roberta Ness at the University of Pittsburgh. In 2007, Dr. Ness conducted a web-based survey of 1,527 epidemiologists who had submitted a new application to an IRB for a research project involving human subjects research since the Privacy Rule was implemented (see Appendix B for methodological details). The survey asked respondents to answer a number of questions on a 5-point Likert scale (1 = none, 5 = a great deal). More than 84 percent of respon- dents ranked the statement “the Privacy Rule made research easier” as a 1 or 2. In contrast, 68 percent of respondents ranked the statement “the degree to which the Rule made research more difficult” as a 4 or 5. Only 11 percent of respondents stated that the Privacy Rule strengthened public trust in research, and 26 percent responded that the Privacy Rule did a great deal to enhance participant confidentiality and privacy (Figure 5-1). This survey also provided respondents with the opportunity to write in comments regarding their experiences conducting research under the Privacy Rule. A total of 427 comments were received; 90 percent were negative, 5 percent were neutral, and 5 percent were positive. The common themes in the comments were: (1) the Privacy Rule added patient burden without enhancing privacy protections, (2) institutions vary greatly in their interpretations of the Privacy Rule, and (3) many government agencies are confused about the demarcation between public health surveillance, which is exempt from the Privacy Rule, and health research. Finally, the survey found that many respondents believed the Privacy Rule added to research costs, caused delays to research projects, and made recruitment of research participants much more difficult (Ness, 2007). HMO Research Network Survey The IOM committee also commissioned data-gathering efforts from the HMO Research Network (HMORN) of investigator and IRB members’ experiences operating under the Privacy Rule (see Appendix B for method- ological details). The HMORN is a consortium of more than 250 scientists who work in 15 research centers based in health care delivery systems. The data collection efforts consisted of a web-based survey of investigators in

0 EFFECT OF THE HIPAA PRIVACY RULE 90 80 Has the Privacy Rule: 70 Strengthened public % Reporting 60 trust 50 40 Enhanced confidentiality 30 20 Made research easier 10 Made research harder 0 1–2 3 4– 5 Don't know 1 = none 5 = a great deal FIGURE 5-1 National Survey of Epidemiologists: Scaled perceptions of the impact of the Health Insurance Portability and Accountability Act Privacy Rule. SOURCE: Ness (2007). Figure 5-1.eps the Cancer Research Network (conducted in fall 2007), a follow-up tele- phone survey of those investigators who reported having a study affected by the Privacy Rule, and a mailed survey to IRB administrators at the 15 HMORN sites (conducted in early 2008). The response rate for the inves- tigator survey was 43 percent (235 investigators were invited to participate in the survey, and 89 responses were received). Respondents were mostly doctoral-level scientists, and 72 percent of them had been in research for 10 or more years. Twelve respondents completed telephone interviews. The response rate for the IRB administrator survey was 73 percent (11 of the 15 sites submitted responses). The results of these surveys are consistent with those of previous sur- veys. Respondents reported numerous difficulties with conducting health research since the implementation of the Privacy Rule, including increased time required to conduct research, problems with gaining IRB approval for studies, impediments to multicenter research, confusion over the autho- rization process, and problems with the use of deidentified data. Of the investigators who responded, 74 percent reported having a study affected by the Privacy Rule. Of these respondents, 61 percent reported having a study affected more than once. In addition, 60 percent of the investigators reported difficulty conducting research under the requirements of the Pri- vacy Rule. On the other hand, 59 percent of the investigators reported that the Privacy Rule has strengthened patient privacy. The IRB administrators were more positive than the investigators

0 BEYOND THE HIPAA PRIVACY RULE regarding the Privacy Rule. Ninety percent of IRB administrators reported that the Privacy Rule strengthened patient privacy. In addition, 46 percent of IRB administrators said it was easy to work within the privacy regula- tions, as opposed to 36 percent of IRB administrators who said it was not easy to work within the regulations. Nonetheless, 63 percent of IRB admin- istrators reported that the Privacy Rule has made conducting research more difficult. More than 72 percent of IRB administrators reported that the federal government needs to give more guidance to IRBs about interpreting and implementing the Privacy Rule (Greene et al., 2008). AcademyHealth Survey To provide input to the IOM study, AcademyHealth conducted a sur- vey in 2007 of researchers’ experiences operating under the Privacy Rule. AcademyHealth is a professional society for health services researchers and health policy analysts. Its mission is to strengthen the research infra- structure, promote the use of the best available research, and assist health policy and practice leaders in addressing major health care challenges. The organization conducted a web-based survey of principal investigators. All 3,461 AcademyHealth members were invited to participate in the survey by e-mail. A total 696 members responded. Out of this group, 396 mem- bers were principal investigators and met the criteria for inclusion in the survey analysis. In general, 75 percent of the survey respondents reported that their experiences with the Privacy Rule were negative. Only 6 per- cent of respondents reported that their experiences were positive. Nearly half—48 percent—reported that their institution provided support to assist researchers with HIPAA compliance and IRB issues, and 77 percent of the researchers at these institutions indicated that they used these resources. Respondents were also asked whether they believe the Privacy Rule strikes the correct balance between protecting individual privacy and allowing research to be conducted. A majority—63 percent—of the respondents reported that the Privacy Rule provides protection to individuals at the expense of access to research data; 28 percent reported that the Privacy Rule strikes the right balance between these two goods; and only 1 per- cent reported that the Privacy Rule provides access to research data at the expense of privacy protection for individuals (Figure 5-2) (Helms, 2008). American Heart Association/American College of Cardiology Survey The American Heart Association (AHA) and the American College of Cardiology (ACC) also conducted a survey in 2007. The 18,261 profes- sional members of AHA and ACC were invited to complete a question- naire by e-mail, and 656 individuals completed the survey. However, it

0 EFFECT OF THE HIPAA PRIVACY RULE Does the Privacy Rule: Allow access to research data at the expense of privacy protections Protect individuals at the expense of access to research data Strike the right balance between privacy and research Unsure 0 10 20 30 40 50 60 70 % Reporting FIGURE 5-2 AcademyHealth Survey: Perspective on the balance of individual protections and research access. Figure 5-2.eps SOURCE: Helms (2008). is important to note that many professional members of AHA and ACC are practicing physicians, not researchers, and thus were not the intended audience for the survey. Of the individuals completing the survey, 61 per- cent reported that they had submitted an IRB application since the Privacy Rule was implemented. In general, the respondents indicated that the Pri- vacy Rule had a negative impact on research and did not improve patient privacy. Only 22 percent of respondents reported that the Privacy Rule increased public trust in research, 44 percent reported that it increased confidentiality, 9 percent reported that it decreased privacy breaches, and 14 percent reported that patients’ privacy was better protected than before the Privacy Rule. Respondents also indicated that the Privacy Rule had a negative impact on research recruitment, the IRB approval process, the cost and time to conduct research, multicenter research, and the use of deidenti- fied information (Ring, 2007). North American Association of Central Cancer Registries In 2006, the North American Association of Central Cancer Registries (NAACCR) conducted a survey of its memberships’ experience operating

0 BEYOND THE HIPAA PRIVACY RULE under the Privacy Rule. NAACCR members represent population-based state, regional, and provincial cancer registries in Canada, the United States and its territories. These registries provide cancer incidence data for public health surveillance and research purposes. All 71 members of NAACCR were invited to participate in the survey and 55 responses were received, however, many of the members are not HIPAA covered entities. In general, the respondents indicated that the Privacy Rule has interfered with both basic cancer surveillance and registry-based research (Deapen, 2006). American Society of Clinical Oncology Interviews The American Society of Clinical Oncology (ASCO) gathered quali- tative information through structured interviews in early 2008 with 27 compliance officials and investigators from 13 institutions about their attitudes toward the Privacy Rule. Participants were presented with three research scenarios prior to their interviews: (1) communication with cancer survivors’ family members to request their participation in genetic studies intended to investigate familial cancer syndromes, (2) establishment and use of tissue and data banks that would contain protected health information (PHI), and (3) identification and consent of cancer survivors to participate in long-term survivorship studies. These scenarios were then discussed dur- ing the interviews to explore how the Privacy Rule standards are applied at the different institutions, and to gauge the opinions of the researchers and compliance officers toward the regulation. Unlike some of the surveys, many of the ASCO interview participants indicated that the Privacy Rule had a positive effect on privacy by trigger- ing a reconsideration of how confidential health information is handled in research. However, they also noted that different institutions’ IRBs have very different approaches to complying with the Privacy Rule, and this can impede important research. They identified the authorization process as the most significant challenge to complying with the Privacy Rule, especially for future research projects relying on stored tissue and databases. Com- pliance officers and researchers disagreed on the possibility of obtaining authorization for “future research.” Other problems identified included abandoned studies, a lack of training and useful guidance documents on the requirements of the Privacy Rule, and concerns about the security of research databases (ASCO, 2008). Association of Academic Health Centers Focus Groups The Association of Academic Health Centers (AAHC) organized focus groups in fall 2007 at five institutions to examine researchers’ experiences operating under the HIPAA Privacy Rule. Each focus group included both

0 EFFECT OF THE HIPAA PRIVACY RULE researchers and compliance personnel from the institution, and all groups were asked the same set of questions. The focus groups reported problems with the Privacy Rule’s regulation of research similar to those found in the surveys. Major issues identified included overly conservative inter- pretation of the Privacy Rule by institutions, diminished ability to recruit research participants, obstacles in accessing stored tissue and genetic data- sets, increased cost and time to conduct research, and increased complexity in the IRB review procedures. Participants also indicated that some hos- pitals and community physicians were opting out of research, rather than attempting to comply with the Privacy Rule (AAHC, 2008) SELECTION BIAS Selection bias is created when data are more likely to be collected from one subset of the population than from a representative sample of the entire population (see Box 3-8). This can cause a systematic difference between the characteristics of the individuals included in a study and the individuals not included. Selection bias is problematic for research because it can lead to inaccurate results and it reduces the generalizability of research results to the general population, as indicated by the examples described below. The Privacy Rule has the potential to contribute to selection bias because it requires researchers to seek patient authorization to access their health records in most situations (see Chapter 4). Selection bias occurs if the individuals who give permission for researchers to access their medical data differ from the group of individuals who are unwilling to give permission for their health information to be used in research. This section provides a detailed overview of the evidence regarding the Privacy Rule’s impact on selection bias. It starts with a description of relevant survey data from the researcher surveys described above, then provides a summary of several systematic studies that examined the effect of consent and authorization on selection bias. It concludes with a section summarizing several studies that specifically examined the Privacy Rule’s effect on research samples. Two surveys provide evidence that researchers are concerned about the Privacy Rule introducing selection bias into research. In the AHRQ survey, 74 percent of respondents reported that they had experienced problems with sample representation and bias. One of the most commonly cited rea- sons for selection bias was that fewer patients have agreed to participate in research since the Privacy Rule was implemented. Respondents indicated that the complicated and lengthy authorization forms required by the Pri- vacy Rule create an impediment to subject recruitment. Also, 42 percent of respondents reported that many small health care entities and other entities serving disadvantaged populations are not participating in research because of an inability to meet all of the Privacy Rule requirements. This results in

0 BEYOND THE HIPAA PRIVACY RULE the underrepresentation of minority populations in many research studies (Walker, 2005). A survey of NAACCR found similar results, with 36 percent of respon- dents reporting that the Privacy Rule had introduced selection bias into a research project. The response rate for this survey was 66 percent (Deapen, 2006). A new privacy policy of Veterans Affairs has deepened concern about bias in cancer registries (Kolata, 2007; see also Chapter 6). This policy goes beyond the requirements of the Privacy Rule by requiring each state to sign a national directive setting privacy standards for the use of patients’ health information. Some states have refused to sign the direc- tive, asserting that it is not feasible to meet the requirements. As a result, cancer registries will not be representative of the entire U.S. population, and researchers and public health officials will have difficulty interpreting annual cancer statistics published by the National Cancer Institute. General Studies of Consent and Selection Bias Numerous studies have directly examined the effect of consent and autho- rization requirements on selection bias in a systematic manner (Al-Shahi et al., 2005; Harris and Levy, 2008; McCarthy et al., 1999; Trevena et al., 2006; Tu et al., 2004; Ward et al., 2007; Woolf et al., 2000). Woolf and colleagues (2000) at Virginia Commonwealth University studied the effect of requiring patients to give consent on the demographics of research participants at an urban family practice center. Patients were recruited to complete the Health Assessment Survey (HAS). At the end of the HAS, patients were asked to give the researchers permission to contact them by phone or mail, and to review their medical records. Of patients who completed the HAS survey, 67 percent granted researchers consent to complete the follow-up activities, 25 percent actively denied consent, and 8 percent did not answer the question. Patients who gave consent were older, and included fewer women and African Ameri- cans than patients who did not give consent. Patients who actively denied consent were younger, included more women, and were more educated than patients giving consent. Also, patients who gave consent differed in health status from patients who denied consent. The researchers concluded that patients willing to release personal health information for health services research differed on important characteristics from patients denying consent (Woolf et al., 2000). A study conducted by Jack Tu and colleagues (2004) examined the effect of requiring consent on the representativeness of the Registry of the Canadian Stroke Network of the entire population of individuals with stroke. The researchers found that requiring consent before enrollment created a database that was not representative. Patients who agreed to participate in the stroke database were younger, more likely to be alert at

 EFFECT OF THE HIPAA PRIVACY RULE admission to the hospital, more likely to be alive at discharge, and were more likely to speak English or French than those patients who did not agree to participate in the database. In addition, the in-hospital discharge rates differed significantly between enrolled patients (7 percent) and unenrolled patients (22 percent). This dif- ference was likely due to the difficulty in approaching critically ill patients and their family members for recruitment during the ordeal of a stroke. Also, many stroke patients were unable to give or decline to give consent because they were cognitively impaired. The selection bias occurred at hospitals with both high and low participation rates. Based on this study’s results, the Registry of the Canadian Stroke Network switched from a consent-based system to a system that uses deidentified patient data and does not require patient consent, to ensure the universality of the registry (Tu et al., 2004). This change, however, eliminated the possibility of follow- up interviews with patients. In Scotland, a study conducted by Rustam Al-Shahi and colleagues (2005) evaluated the effect of requiring consent on prospective, observa- tional research. The researchers attempted to obtain informed consent to review the medical records and conduct annual follow-up questionnaires of all patients residing in Scotland who presented with intracranial vas- cular malformation between 1999 and 2002. An ethics board gave the researchers permission to collect baseline and follow-up data on those patients who did not give consent. The researchers found that adults who consented to participate in the study differed on important prognostic vari- ables from patients who did not consent. For example, patients who gave consent were significantly less likely to have intracranial hemorrhage, or to be dependent at presentation. During the yearly follow-ups, patients who gave consent were significantly more likely to have received interventional treatment, less likely to have died, and more likely to have had an epileptic seizure than nonconsenters. The researchers concluded that requiring con- sent for observational research produced significant selection bias (Al-Shahi et al., 2005). McCarthy and colleagues (1999) studied a Minnesota law that required patient-informed consent before medical records were permitted to be used by researchers. In this pharmacoepidemiologic study, 73 of 140 potential research participants responded to a request for informed consent, with 26 of the potential research participants authorizing the use of their medi- cal records for the study, and 47 declining. Although it is unclear whether there were important differences between the group of individuals granting informed consent and the group of individuals declining to give informed consent, the authors concluded that the low response rate compromised the generalizability of the study results. In contrast, the researchers achieved a 93 percent recruitment rate for this study in states without a privacy law

 BEYOND THE HIPAA PRIVACY RULE requiring informed consent, where health care providers could grant access to patient medical records based on a general enrollment authorization. The low participation rate in Minnesota was directly attributed to the state privacy law (McCarthy et al., 1999). Similar results were found in the study that examined the effect of the recent Australian privacy legislation on selection bias in health research. Trevena and colleagues (2006) conducted a randomized trial comparing recruitment under an opt-out and an opt-in methodology. In the opt-out condition, potential research participants were informed that their physi- cian was participating in a research study, and if they did not wish to be contacted by the researchers they should inform their physician and their contact information would be withheld. Under the opt-in condition, poten- tial research participants could only be contacted by researchers if they affirmatively gave permission in writing, over the phone, or via e-mail to the researchers. This study found that a smaller percentage of potential research participants participated under the opt-in methodology (47 percent) com- pared to the opt-out methodology (67 percent). Although there was no difference in the age, sex, health status, or socioeconomic status between the opt-in and opt-out populations, individuals in the opt-in group were more likely (75 percent) to prefer an active role in making health care deci- sions than individuals in the opt-out group (45 percent). The researchers concluded that the opt-in method produced a sample of research partici- pants who differed in important behavioral characteristics from the opt-out method participants (Trevena et al., 2006). In a study of the United Kingdom Data Protection Act of 1998, epi- demiological researchers assessed their ability to recruit potential research participants under this Act. The researchers wrote to a number of phy- sicians and recruited them to participate in the study. If the physicians agreed to participate, the researchers requested the physicians to randomly select 20 of their patients and ask them to consent to being contacted by the researchers. Those individuals granting consent to be contacted were then invited by the researchers to participate in the study. Following this methodology, the researchers were only able to obtain consent from 16 percent of the patients approached. They concluded that such a low par- ticipation rate led to selection bias, as well as inadequate statistical power and statistical significance. They documented that health care workers were overrepresented in the resulting study population (Ward et al., 2007). HIPAA Authorization and Selection Bias Several studies have explicitly examined whether the provisions of the Privacy Rule contribute to biased research samples. Armstrong and col- leagues (2005) at the University of Michigan conducted a 6-month follow-

 EFFECT OF THE HIPAA PRIVACY RULE up questionnaire for the Acute Coronary Syndrome Registry. They then compared the percentage of patients who gave consent pre-HIPAA and post-HIPAA for participation in the follow-up survey. In the pre-HIPAA time period, informed consent for the follow-up questionnaire was given over the phone by the patient. In the post-HIPAA era, written informed consent and authorization were required. The percentage of patients con- senting to complete the questionnaire decreased from 96 percent in the pre- HIPAA era to 34 percent in the post-HIPAA era. Patients who gave consent post-HIPAA were more likely to be older, married, and white than those who refused to provide consent or did not respond. Patients who gave con- sent also had lower mortality rates at 6 months than patients who refused consent. The results suggest that implementation of the Privacy Rule led to selection bias in the Registry (Armstrong et al., 2005). Beebe and colleagues (2007) at the Mayo Clinic College of Medicine in Rochester, MN, followed up on the Armstrong study and conducted a randomized clinical trial that examined the effect of the Privacy Rule on response rate and selection bias. In this study, 6,939 research participants were randomly assigned to one of two research conditions: (1) one condi- tion required patients to complete and return a HIPAA authorization form in order to participate in the study, and (2) in the second condition, patients were not required to complete a HIPAA authorization form to participate. The response rates were significantly different between the condition requir- ing an authorization form (38 percent) and the condition not requiring an authorization form (55 percent). However, unlike the studies described above, the researchers did not find that the lower response rate translated into a detectable selection bias (Beebe et al., 2007). The lack of detectable selection bias in this study could be the result of the authorization form used. Beebe and colleagues used a simple one-page authorization form. In the other studies discussed in this section, the autho- rization forms were much longer than one page and were often written in complex language. Simplifying the authorization form likely minimized the effect of requiring patient authorization on potential research participants’ willingness to participate in a study. However, as will be discussed below in the chapter section on the authorization process, a majority of covered entities require lengthy and highly legalistic authorization forms. Another study that examined the effect of the Privacy Rule on selection bias was conducted by Dunlop and colleagues (2007) at Emory University in Atlanta. In this study the researchers investigated the impact of includ- ing an authorization form on the willingness of African Americans to participate in a clinical study of an antihypertensive medication. Research participants were randomly assigned to one of two study conditions in which they received either (1) an informed consent form (informed consent condition), or (2) an informed consent form and an authorization form

 BEYOND THE HIPAA PRIVACY RULE (authorization condition). The researchers recorded the reasons that poten- tial research participants gave for declining to participate in the study. The study found that a smaller percentage of research participants in the authorization condition indicated a willingness to participate in the study than in the informed consent condition (27 percent versus 39 per- cent). This was especially true for individuals over 40 years of age with a high school education or less, and in men. In addition, individuals required to complete an authorization form were more likely to report the following reasons for declining to participate in the study: (1) concerns related to mis- trust or fear of research, researchers, or research institutions, and (2) poor comprehension of forms. The researchers concluded that the Privacy Rule’s authorization requirement acted as a deterrent for African American par- ticipation in research (Dunlop et al., 2007). EFFICIENCY OF RESEARCH Substantial evidence indicates that many institution’s implementation and interpretation of the Privacy Rule have had a detrimental effect on health researchers’ ability to efficiently conduct information-based research. This section reviews the available evidence on the effect of the Privacy Rule, and its interpretation, on the efficiency of research in terms of (1) cost and time, (2) research participant recruitment, (3) IRB oversight of research projects, (4) international collaboration between researchers, and (5) the use of business associate agreements. Cost and Time In the 2000 version of the Privacy Rule, HHS estimated that the Pri- vacy Rule would cost the health care industry more than $17.6 billion to implement.2 The expected costs for research were projected to be more than $40 million the first year, and $585 million over 10 years. The 2002 version of the Privacy Rule reduced the projected costs for implementing the research provisions by $10 million the first year, and $146 million over 10 years.3 HHS stated that it was difficult to conduct a true cost–benefit analysis of the Privacy Rule because the value of protecting health privacy is difficult to quantify.4 However, in implementing the Privacy Rule, the agency clearly decided that the benefits of protecting privacy outweighed the economic costs of the Privacy Rule. The aggregate cost to research has 2 Standards for Privacy of Individually Identifiable Health Information: Final Rule, 67 Fed. Reg. 53,255 (August 24, 2002) (codified at 45 C.F.R. parts 160 and 164). 3 Id. at 53,258. 4 Id. at 53,255.

 EFFECT OF THE HIPAA PRIVACY RULE not been measured or estimated since April 2003, and as outlined below, researchers’ estimates of the increase in cost and time attributable to the Privacy Rule vary widely. In a recent article published in the Annual Review of Medicine, Nosowsky and Giordano (2006) reviewed the existing evidence on the effect of the Privacy Rule on research, and concluded that the costs projected by HHS have more than been realized by covered entities, researchers, and IRBs, although no figures were cited. They attributed the increased research costs to the large amounts of paperwork required by the Privacy Rule, increased staff time, and difficulties in recruiting research participants. They con- cluded that these additional burdens on research have pushed researchers to reformulate and abandon many studies. Furthermore, the authors specu- lated that these changes have increased the need for researchers to obtain additional funding, discouraged investigator-initiated research, and caused many smaller research projects to end (Nosowsky and Giordano, 2006). Many researchers report that the implementation of the Privacy Rule increased the cost of conducting health research and increased the time necessary to conduct a research project from start to finish. The national survey of epidemiologists found that most respondents believe the Privacy Rule increased the cost and time of conducting health research. In this sur- vey, 90 percent of the respondents reported an increase in resource expen- diture, with 40 percent indicating that the Privacy Rule increased research costs a great deal (i.e., 4–5 on the Likert scale). Half of the respondents indicated that the additional time required to comply with the Privacy Rule was great (4–5 on the Likert scale) (Figure 5-3a) (Ness, 2007). In the AHA/ACC survey, 78 percent of respondents reported that the Privacy Rule increased the cost of research, and 79 percent reported that it increased the time to conduct research (Ring, 2007). The AcademyHealth survey results were similar, with 86 percent of respondents reporting that the Privacy Rule increased the time necessary for research, and 8 percent of those reporting that the increase was so great that it led some researchers to forego projects. In terms of cost, 73 percent of respondents reported that the Privacy Rule increased the cost of research (4 percent much more, 24 percent significantly more, and 45 percent some- what more) (Helms, 2008) (Figure 5-3b). In the HMORN survey of investigators, 55 percent of respondents reported that study time lines were negatively affected by the Privacy Rule (Figure 5-4). A third of the investigators indicated that the Privacy Rule delayed their research by 1 to more than 3 months. Also, investigators reported that the Privacy Rule led to a median of 20 additional staff hours required to comply with the requirements of the regulation. Twelve percent of respondents reported that 100 or more staff hours were required. In one extreme case in the structured interview portion of this survey, an inves-

 BEYOND THE HIPAA PRIVACY RULE 60 50 % Reporting 40 Has the Privacy Rule: 30 Added cost to research Delayed time to study 20 completion 10 0 1–2 3 4– 5 Don't know 1 = none 5 = a great deal FIGURE 5-3a National Survey of Epidemiologists: Impact on cost and time to complete research. SOURCE: Ness (2007). Figure 5-3a.eps Little /no effect Has the Privacy Rule Somewhat more affected research: Time Significantly more Cost Much more; project must be forgone 0 10 20 30 40 50 % Reporting FIGURE 5-3b AcademyHealth Survey: Impact on cost and time to complete research. Figure 5-3b.eps SOURCE: Helms (2008). tigator said that compliance with the HIPAA procedures required about 1,000–2,000 additional hours of staff time, and added $100,000–$200,000 in unanticipated costs (Greene et al., 2008). In the NAACCR survey of cancer registries, 68 percent of respondents reported that the Privacy Rule delayed a research project or caused it to take longer than it would have

 EFFECT OF THE HIPAA PRIVACY RULE Has the Privacy Rule added to: The time required to review IRB Yes No The number of iterations of IRB IRB staf f time needed to explain 0 2 4 6 8 10 12 Frequency FIGURE 5-4 HMO Research Network Survey of Institutional Review Board Administrators. Responses to the question: Taken as a whole, do you think the Health Insurance Portability and Accountability Act Privacy Rule has added to. . . . SOURCE: Greene et al. (2008). taken pre-HIPAA. In addition, 5-4.eps of respondents indicated that the Figure 66 percent Privacy Rule had been cited as the reason for actions that interfered with nonresearch operations of the cancer registry, such as basic surveillance (Deapen, 2006). A number of researchers have attempted to quantitatively document the increased time and cost of research attributable to the implementa- tion of the Privacy Rule at their institutions. It is important to note that these studies are site specific and depend on how institutions interpret and implement the Privacy Rule. A recent letter to the editor of Anesthesiology reported on the amount of research staff hours spent per month on recruit- ment and follow-up activities in a randomized clinical trial at the University of Pittsburgh, before and after the Privacy Rule went into effect. Implemen- tation of the Privacy Rule led to a 75-hour increase per month in staff time spent updating work logs, and a 77-hour increase in time spent on HIPAA implementation tasks. According to the authors’ calculations, this was a 70 percent increase in staff hours above the monthly base workload. The authors did not try to determine which aspects of the Privacy Rule were responsible for the recorded increases (Williams et al., 2007). Similarly, the Armstrong study on the Acute Coronary Syndrome Registry documented that the incremental cost for this registry at the Uni- versity of Michigan of complying with the Privacy Rule was $8,704.50 for the first year, and an additional $4,558.50 for each year thereafter. The authors did not report the total expenditure of the study but suggested

 BEYOND THE HIPAA PRIVACY RULE that this was a substantial increase in the study’s budget (Armstrong et al., 2005). Johns Hopkins University estimates that the cost of complying with the Privacy Rule is about $2 million annually (Friedman, 2006). Since the Pri- vacy Rule was implemented, the institution calculated that it has required nearly 26,000 of its faculty and staff to pass a written test on their under- standing of the Privacy Rule. Recruitment A number of researchers have also demonstrated that many interpre- tations of the Privacy Rule have made research recruitment more difficult (Table 5-2). During a clinical trial evaluating the efficacy of an educational strategy to inform veterans about the National Cancer Institute/Department of Veterans Affairs Selenium and Vitamin E Cancer Prevention Trial (SELECT), Wolf and Bennett (2006) monitored the recruitment of research participants before and after implementation of the Privacy Rule. Several recruitment methods were used throughout this clinical trial, depending on the phase of HIPAA implementation. Before the Privacy Rule was imple- mented, potential research participants were directly approached by research assistants for informed consent. After the Privacy Rule was implemented, research assistants could no longer approach potential research partici- pants; recruitment was done by hospital staff. The post-HIPAA recruit- ment protocol was modified once to increase participation rates. Under the modified protocol, potential research participants were introduced to the study by desk staff at the medical clinic where the study was conducted, all clinic staff members were reminded of the study, and a research assistant was stationed prominently in the medical clinic. The researchers were able to recruit seven patients a week in the pre- HIPAA phase. The average time to recruit a patient was 4.1 hours, for an average cost of $49 per patient. The study was on target to complete recruit- ment in 60 weeks. Immediately after the Privacy Rule was implemented, recruitment decreased by 73 percent to 1.9 patients per week. The average time to recruit each new patient was 14.1 hours, for a cost of $169 per patient. Meeting the recruitment goals of the study at this rate would require 158 weeks. The modified recruitment protocol increased recruitment to 7.1 patients a week, required 3.9 hours, and cost $52 per patient. The modified recruitment strategy was measured again at a later date in the study to assess whether the modified protocol could be maintained. During this time period, 5.2 patients were recruited per week. Research assistants needed an average of 5.4 hours to recruit each patient, for a cost of $65 per patient. The authors concluded that the Privacy Rule dramatically hindered researchers’ ability to recruit research participants. Implementation of the

 EFFECT OF THE HIPAA PRIVACY RULE TABLE 5-2 Research Participant Recruitment Before and After Implementation of the Privacy Rule Wolf and Bennett: Selenium and Vitamin E Cancer Prevention Trial in Veterans (2006) Pre-HIPAA 7 patients recruited per week Post-HIPAA 1.9 patients recruited per week Modified protocol (time period 1) 7.1 patients recruited per week Modified protocol (time period 2) 5.2 patients recruited per week Roberta Ness: Pregnancy Exposures and Preeclampsia Prevention (2005) Pre-HIPAA (1997–2001) 12.4 patients recruited per week HIPAA implementation (2002) 0.0 patients recruited per week No waivers 1 (4/03–9/03) 2.5 patients recruited per week Waivers of authorization (10/03–6/04) 5.7 patients recruited per week No waivers 2 (6/04) 3.3 patients recruited per week Beebe and Colleagues: HIPAA Authorization and Willingness to Participate (2007) No authorization 55.0% of potential research subjects participated Authorization 39.8% of potential research subjects participated Dunlop and Colleagues: HIPAA Authorization and Willingness to Participate (2007) No authorization 39% of potential research subjects participated Authorization 27% of potential research subjects participated SOURCES: Beebe et al. (2007); Dunlop et al. (2007); Ness (2005); Wolf and Bennett (2006). Privacy Rule increased the cost and time required for recruitment and made it more difficult to achieve an appropriate-sized research sample. Although the modified protocol increased recruitment, the fact that the initial recruit- ment level could not be maintained over time suggests that the new protocol required a great deal of effort and did not completely solve recruitment difficulties. In addition, an intensive evaluation of a study’s recruitment process to devise a new strategy, as was required to develop the modified protocol, costs money, takes time, and may not always be possible (Wolf and Bennett, 2006). A reduced rate of recruitment following implementation of the Pri- vacy Rule was also documented by Roberta Ness in the course of a study on pregnancy exposures and preeclampsia prevention at the University of Pittsburgh. Again, the recruitment methods were divided into several different time periods: (1) pre-HIPAA (1997–2001), (2) 2002, (3) April 2003–September 2003, (4) October 2003–May 2004, and (5) June 2004. In the pre-HIPAA time period, researchers recruited an average of 12.4 women a week. In 2002 recruitment was shut down completely for 4 months while the covered entity where the study was being conducted decided how to implement the requirements of the Privacy Rule.

0 BEYOND THE HIPAA PRIVACY RULE From April 2003 to September 2003, recruitment was allowed to continue, but the covered entity was unwilling to grant any waivers of authorization. Researchers recruited only 2.5 women a week. In October 2003, the covered entity allowed waivers of authorization to be issued, and the researchers were able to review potential research participants’ medical records without obtaining authorization. However, the waivers of authorization required that the researchers obtain the consent of the potential research participants’ health care providers before the researchers could approach individuals for participation in the study. Approximately 5.7 women a week were recruited following this protocol. The need for the health care providers’ permission prevented recruitment from reaching pre-HIPAA levels. The covered entity merged with another covered entity in June 2004, and the waiver of authorization was retracted. Recruitment immediately fell to 3.3 women a week (Ness, 2005). These recruitment numbers clearly demonstrate that the implementation and interpretation of the Privacy Rule, and the availability of waivers of authorization, can have an enormous influence on recruitment success. They also show that conducting research under changing policies, organization, or interpreta- tions of the Privacy Rule can be problematic. Several studies that were discussed previously provide further evi- dence that many interpretations of the Privacy Rule have made research recruitment more difficult. The Beebe study found that the percentage of potential research participants willing to participate declined when HIPAA authorization was required at the Mayo Clinic College of Medicine. More than half—55 percent—of potential research participants participated in the study when authorization was not required, but only 39.8 percent of potential research participants took part if they were required to complete an authorization form (Beebe et al., 2007). In the Dunlop study, 39 percent of potential research participants indicated a willingness to participate in a clinical trial of a hypertensive medication when authorization was not required. Only 27 percent indicated a willingness to participate when authorization was required (Dunlop et al., 2007). Also, the national survey of epidemiologists found Privacy Rule modi- fications were needed in 84.8 percent of proposed research protocols. Of these cases, 68 percent of respondents reported that these modifications increased recruitment difficulties a great deal (4–5 on the Likert scale) (Ness, 2007). In the AcademyHealth survey, 47 percent of respondents reported that the Privacy Rule decreased recruitment (Helms, 2008). Similarly, the 49 percent of respondents to the AHA/ACC survey reported that the Privacy Rule decreased recruitment by more than 10 percent (Ring, 2007).

 EFFECT OF THE HIPAA PRIVACY RULE IRB and Privacy Board Oversight A previous IOM report noted that the workload of IRBs, and the com- plexity of their work, has been steadily increasing as a result of new and evolving requirements for research regulation and documentation (IOM, 2002), including the HIPAA Privacy Rule. This heavy burden has increased the difficulty of both recruiting knowledgeable IRB members and allowing them sufficient time for the necessary ethical reflection to make appropriate decisions about human research projects. In addition, the report noted that the extreme variability in the approval decisions and regulatory interpreta- tions among IRBs is one of the weaknesses in the current protection system (IOM, 2002). Recent findings from surveys and other studies indicate that these issues are a continuing concern for both IRBs and Privacy Boards. This section provides a detailed review of the evidence that the Privacy Rule, and its interpretation, has had a detrimental effect on the oversight process for reviewing research proposals, including information on: (1) IRB approval, (2) exemption from full IRB review, (3) waiver of authorization, (4) differentiating types of research, and (5) inconsistent interpretation of the Privacy Rule by IRBs and Privacy Boards in multicenter research projects. IRB Approval Recent surveys provide evidence that the Privacy Rule, or its interpreta- tion, has reduced the efficiency of health research by affecting researchers’ ability to move a study through the IRB approval process. In the AHRQ survey, 94 percent of respondents stated that the Privacy Rule impacted the design and conduct of health services research. The respondents who reported that the Privacy Rule had no impact on study design were all researchers who used only deidentified data and were not required to go through the IRB/Privacy Board review process under the Privacy Rule (Walker, 2005). Similarly, in the national survey of epidemiologists, 87 per- cent of respondents reported an increase in the time required for preparing a research proposal for review by an IRB (Ness, 2007). The AcademyHealth survey found that 69 percent of respondents reported difficulty gaining approval from IRBs to collect PHI. Respondents also reported difficulty gaining approval to collect PHI from health plans (32 percent), institution lawyers (29 percent), and physicians (25 percent). In the HMORN survey of investigators, respondents reported that they were required to submit a research project for a median of two additional IRB iterations after the Privacy Rule was implemented. Twenty percent of investigators reported that four or more IRB iterations were required. Also, investigators reported that in one-third of study protocols, modifications

 BEYOND THE HIPAA PRIVACY RULE were due to an IRB requirement. In that survey, 29 percent of investiga- tors reported that an IRB required them to modify their planned method of identifying potential research participants, 29 percent reported that an IRB put restrictions on the kind of identifiers that could be collected, and 59 percent reported that an IRB required a study to be modified to include additional consent and/or authorization language (Greene et al., 2008). The AHA/ACC survey also found that 67 percent of respondents reported that the IRB submission process was made more complex by the Privacy Rule (Ring, 2007). Exemption from Full IRB Review Certain types of research that pose minimal risk to human subjects are exempt from IRB review under the Common Rule (45 C.F.R. § 46.101). For these studies, an IRB chair or member can review an application for exemption and determine if the study meets the criteria for exemption. If the study qualifies for exemption, then no further IRB review is necessary. Expedited IRB review is a process allowed by the Common Rule (45 C.F.R. § 46.110) in which an IRB chair or member reviews the entire study pro- tocol. A study conducted by O’Herrin and colleagues (2004) examined the effect of the Privacy Rule on applications for IRB exemption for proposed research projects at the University of Wisconsin. This study was broken down into three time periods: (1) September 1999–December 2000, during which there was no specific process for handling requests for IRB exemp- tion for medical records studies; (2) January 2001–December 2002, during which the institution followed a standardized procedure for Applications for Exemption; and (3) January 2003–March 2003, during which the IRB became fully compliant with the Privacy Rule. During Period 1, all the medical records research projects submitted to the IRB were approved under “expedited” IRB review procedures. In Period 2, 89 percent of the applications received an IRB exemption with- out revision. Of the applications that required revision, 36 percent were revised and successfully approved for exemption within 75 ± 64 days of the original submission. The remaining applications required review by the full IRB committee, but were all ultimately given approval. In Period 3, when the covered entity was in full compliance with the Privacy Rule, 59 percent of proposals received exemption from full IRB review without revision in 12 ± 23 days. Of the projects requiring revision, 50 percent were revised and approved within 29 ± 35 days of the initial submission. The percentage of projects that required full IRB committee review increased from 0 percent in Period 1, to 7 percent in Period 2, to 16 per- cent in Period 3. The authors of this study concluded that the Privacy Rule complicated the IRB review process because a larger percentage of studies

 EFFECT OF THE HIPAA PRIVACY RULE became ineligible for IRB exemption or expedited IRB review. Also, the complexity of the IRB approval process discouraged many researchers from completing their proposed research study. Of the applications that required full IRB committee review, 77 percent were abandoned by the researchers in Period 3. Most of the abandoned studies were chart reviews, and there was no evidence that the full IRB committee review was justified or a nec- essary change that safeguarded research participants’ privacy (O’Herrin et al., 2004). Waiver of Authorization The Privacy Rule allows a covered entity to use and disclose PHI for research purposes without patient authorization if an IRB or Privacy Board determines that a research project meets three criteria, including minimal risk to patient privacy, and whether the study could practicably be con- ducted without the waiver of authorization and without access to and use of PHI (see Chapter 4). However, surveys indicate that many researchers have experienced difficulty in obtaining a waiver of authorization. In the national survey of epidemiologists, 40 percent of respondents reported that they had attempted to obtain a waiver of authorization under the Privacy Rule. Of these researchers, 31 percent reported a high level of difficulty in obtaining a waiver (4–5 on the Likert scale) (Ness, 2007). The AcademyHealth survey also examined this issue, with 62 percent of respondents reporting that they had been involved in one or more studies requiring waivers or alterations of authorization requirements by IRBs (65 percent had been involved in 2–5 studies, and 3 percent had been involved in more than 20 studies). Among respondents who had requested waivers or alteration of waivers from IRBs or Privacy Boards, 59 percent reported that the availability of existing datasets has been impacted by the Privacy Rule. Only 40 percent of the respondents who had requested waivers or alterations of authorization reported that they were successful in accessing data from an existing dataset in its original form under an approved waiver of authorization (Helms, 2008). In the AHA/ACC sur- vey, 59 percent of respondents reported attempting to obtain a waiver of authorization. Of those respondents, 69 percent reported the waiver was hard to attain (Ring, 2007). Differentiating Various Types of Research Scientific and ethical difficulties may arise when rules that were devel- oped to guide clinical research are applied to other kinds of research (Casarett et al., 2005). Under the Privacy Rule, IRBs are charged with reviewing different types of health research that were previously not in their

 BEYOND THE HIPAA PRIVACY RULE purview, including many types of health services research that use data that have been anonymized and are thus exempt under the Common Rule, so making judgments about approval and determining which research studies require a waiver of authorization is a challenge. Some evidence indicates that IRBs do not recognize important differences among various types of health research. In the AcademyHealth survey, 44 percent of the respon- dents reported that IRBs did not correctly differentiate between clinical research and health services research (and 25 percent were unsure). Clinical research often involves the study of a new drug or experimental treatment on human subjects. In contrast, respondents to the AcademyHealth survey reported that most of health services research involves survey or question- naire data (82 percent), medical record review (70 percent), and admin- istrative data (66 percent). Only a small portion of respondents reported doing health research studies that involved direct human contact; 9 percent reported conducting research that required the collection of specimens, and 5 percent reported conducting research on existing specimens. Also, survey respondents indicated that IRBs often did not differentiate between the cost and time required to conduct health services research compared to clinical research (Helms, 2008). Inconsistent Interpretation of the Privacy Rule: Multicenter Research Research studies that entail the collection of data from multiple sites involve the jurisdiction of multiple IRBs or Privacy Boards. The Privacy Rule does not require a researcher to obtain a waiver of authorization from the IRB or Privacy Board of every entity that is contributing PHI. Covered entities are permitted to rely on a waiver of authorization approved by as few as one IRB or Privacy Board with jurisdiction. However, a covered entity may decide to require approval from its own IRB or Privacy Board prior to disclosing PHI to the requesting researcher, regardless of whether another IRB or Privacy Board had already granted a waiver of authoriza- tion. The Privacy Rule does not address potential disagreements between IRBs or Privacy Boards, but HHS “strongly encourages” researchers to notify IRBs and Privacy Boards of any prior reviews of a research protocol to reduce the chance of IRBs and Privacy Boards disagreeing. Surveys indicate that the Privacy Rule has had a detrimental effect on the efficiency of multicenter health research because the participat- ing covered entities, IRBs, and Privacy Boards interpret the Privacy Rule differently (AAHC, 2008; Ring, 2007). Researchers conducting a single study at different locations are routinely required to go through multiple IRB/Privacy Board review processes, and to use different authorization forms and methodology across the various sites, even though the Privacy Rule permits reliance on the review or decision of one IRB or Privacy Board for all sites.

 EFFECT OF THE HIPAA PRIVACY RULE In the AHRQ survey, 65 percent of respondents reported problems satisfying the requirements of multiple IRBs for multisite studies. One area with which researchers reported significant frustration was the lack of consistent consent and authorization forms (Walker, 2005). The Academy- Health survey found that 28 percent of researchers who required a waiver of authorization to conduct a study were required to get the waiver from all research sites involved. Only 9 percent of the respondents reported that the same waiver was used at all sites, and 6 percent reported the waivers were required from more than one, but not all, sites. Three percent of the respondents reported that they were unable to proceed with a multi- site study because they were unable to resolve disagreement among sites (Helms, 2008). In the HMORN survey of investigators, 78 percent of respondents reported participating in multicenter research. Of these respondents 54 per- cent indicated that different IRBs raised different concerns about the same study protocol, and 45 percent of respondents reported that these different concerns led to protocol variability across the different sites (Figure 5-5). The HMORN survey of IRB administrators found that 4 of the 11 IRBs reported requiring proof of Privacy Rule–related training for all partici- pating investigators in a study, even if they were from another site. This requirement is not a provision of the Privacy Rule (Greene et al., 2008). The national survey of epidemiologists also confirms that many researchers are frustrated with the process of conducting research at mul- tiple covered entities. In the survey, 76.8 percent of respondents reported difficulties with the Privacy Rule when conducting multicenter research. The problems related to site-specific variability in the research design and method in 40 percent of studies. The survey further explored this issue by presenting survey participants with five case studies that should have been approved without patient authorization either unconditionally or with a waiver of authorization under the Privacy Rule. However, on each of the case studies, 4.7 to 33.8 percent of respondents reported that their IRB would disapprove the study. Only 4.9 to 33.8 percent believed that their IRB would unconditionally approve the studies, and 13.3 to 26.7 percent reported that they did not know what their IRB would require. To further complicate multicenter research, a minority of respondents (17.3 percent) knew of covered entities unwilling to do any clinical research, regardless of the IRB’s interpretation of the Privacy Rule (Ness, 2007). In addition to the survey results, several studies have directly exam- ined the effect of the Privacy Rule, or its interpretation, on multicenter research. Lydon-Rochelle and Holt (2004) at the University of Washington documented their experience in attempting to access medical records from 19 area hospitals during the Privacy Rule implementation period, for a study designed to assess the accuracy of maternally linked birth records. They explained to the participating hospitals that their study protocol met

 BEYOND THE HIPAA PRIVACY RULE 80 70 Did different IRBs raise different 60 HIPA A-related % Reporting 50 concerns? 40 Did HIPA A-related 30 concerns result in the protocol 20 differing from site- to-site? 10 0 Don’t No Yes know FIGURE 5-5 HMO Research Network Survey of Researchers: Multisite research. NOTE: HIPAA = Health Insurance Portability and Accountability Act; IRB = Insti- Figure 5-5.eps tutional Review Board. SOURCE: Greene et al. (2008). the Privacy Rule waiver of authorization requirement and encouraged the hospitals’ IRBs to rely on their IRB’s approval of the study. However, the 19 IRBs displayed great variability in their willingness to approve the study. None of the 19 hospitals agreed to rely on the researchers’ own institu- tion’s IRB approval of the study. Ten hospitals used an expedited in-house IRB review process for the study, and 9 required a full IRB review of the study. The 9 IRBs requiring full review of the study cited concerns over the Privacy Rule’s civil and criminal penalties as the main reason for denying expedited review or for not honoring another IRB’s decisions. All 19 of the reviewing IRBs required different application forms, content, and proce- dures for complying with the Privacy Rule. The authors concluded that the Privacy Rule has increased the difficulty of conducting multicenter health research because of the challenges of navigating through many IRBs’ review processes (Lydon-Rochelle and Holt, 2004). A second study that examined the institutional variability in IRB approval processes was conducted by Newgard and colleagues (2005). The researchers sent 27 hospitals an identical research protocol for a study examining a decision rule to identify children seriously injured in motor

 EFFECT OF THE HIPAA PRIVACY RULE vehicle crashes in Los Angeles County. This was a minimal risk observa- tional study and clearly met the requirements for a waiver of authorization. However, 6 of the 27 hospitals refused to participate in the study at all. Of the remaining 21 hospitals, the median time for the study to be approved by the covered entities’ IRBs was 118 days. Significant differences in approval times were seen across the different covered entities. The researchers recognized they could not conclusively attribute the hospitals’ refusals to participate in the study and the long IRB review pro- cesses to the Privacy Rule itself. However, they believed the Privacy Rule was largely responsible for the results. They compared their experience to a previous study conducted in Los Angeles County before the implemen- tation of the Privacy Rule. The same 27 hospitals were approached for participation in a randomized, controlled, interventional trial for emergent airway management in children with a waiver of consent. All 27 hospitals approved the airway protocol without change, while only 21 of the same 27 hospitals approved Newgard and colleagues’ minimal risk, noninterven- tional study. The authors believed this difference was directly attributable to the complex requirements of the Privacy Rule and the perceived institu- tional risks associated with research (Newgard et al., 2005). A third study that examined the impact of allowing multiple IRBs to review the same research proposal was conducted by Greene and col- leagues (2006). Participants were recruited through a mailed invitation for a survey of psychosocial outcomes after prophylactic mastectomy. A second mailing and a follow-up phone call were made to nonresponders. The study’s protocol was reviewed by six IRBs. All of the IRBs requested that the protocol, letters, and phone call script be modified. Resolving all of the IRBs’ concerns took two to eight iterations at each site, and achiev- ing a uniform study methodology across the sites was impossible. Also, the response rates at the six institutions varied greatly, ranging from 40.9 to 70.8 percent among living individuals, to 60.7 to 84.6 percent among living individuals with physician consent and correct address. The authors concluded that having multiple IRBs review the same study protocol lengthened the study time line, adversely affected the budget, and created protocol variability that may have affected response rate (Greene et al., 2006). This study did not specifically focus on the Privacy Rule. How- ever, as demonstrated by the other studies discussed in this section, since the Privacy Rule was implemented, IRBs are often unwilling to honor the decisions of other IRBs. The Privacy Rule likely contributed to the six IRBs in this study all insisting on reviewing the same research protocol and for the resulting variability in study design.

 BEYOND THE HIPAA PRIVACY RULE Business Associate Agreements The AcademyHealth survey indicated that most health services researchers do not use business associate agreements to gain access to health data, but when they do, difficulties often arise. Twenty-two per- cent of the respondents reported using a business associate agreement to conduct research, and of these respondents, most reported that the busi- ness associate agreement negatively impacted research activities because it complicated the research process, made research more time consuming, and added more paperwork. Of the respondents who reported that they have used an existing dataset to conduct research, 28 percent indicated that they had to develop a business associate relationship with the covered entity to gain access to the dataset. Another 14 percent reported use of an intermediary organization that had a business associate relationship with the covered entity to gain access to an existing dataset (Helms, 2008). International Collaboration A report by Dutch researchers suggests that the Privacy Rule, or its interpretation, has made it more difficult for international researchers to collaborate with U.S. research centers (Kompanje and Maas, 2006). The authors recorded their experiences operating under the Privacy Rule in an international, multicenter, Phase III trial on the safety and efficacy of a neuroprotective agent in traumatic brain injury. The researchers compared the completion of screening logs between research centers in the United States and Europe. Because of the Privacy Rule, many of the U.S. screening logs had a large amount of missing data. All the European sites reported the actual age of the research participants on their screening logs, but only 5 of the 15 U.S. sites reported the age. The remaining 10 U.S. sites only reported whether the patient met the inclusion criteria for the study. Also, all the European sites reported the date and time of the injury, while only 10 U.S. sites provided this information. Information on secondary insults and the Glasgow Coma Scale were often omitted from the screening logs of U.S. sites. Overly conservative or variable interpretations of the Privacy Rule pre- vented many U.S. sites from providing the requisite data to the researchers and made it difficult for the researchers to monitor their study for selection bias and quality (Kompanje and Maas, 2006). In many situations, having international data is important to study a health problem. How often the Privacy Rule, or its interpretation, hinders U.S. collaboration in interna- tional research is unclear. But it is very conceivable that other international researchers have experienced frustrations similar to the Dutch researchers over collecting data from U.S. sites, or have even abandoned attempts to work with U.S. research centers due to the restrictions of the Privacy Rule.

 EFFECT OF THE HIPAA PRIVACY RULE ABANDONED STUDIES Some evidence, mostly in the form of case studies and survey results, shows that researchers have abandoned research studies that they would have pursued prior to the Privacy Rule. The paucity of systematic analysis is likely because abandoned research studies are more difficult to measure and to conclusively document than the other aspects of research that have been affected by the Privacy Rule. Documenting something that did not happen (i.e., an abandoned study) is more challenging than measuring something that did happen (e.g., selection bias, increased inefficiency). One study that examined abandoned studies in a systematic manner was the study by O’Herrin et al. (2004), discussed previously. The researchers determined that 77 percent of research proposals at the University of Wisconsin that were required to be reviewed by the full IRB, rather than being exempted from IRB review or receiving expedited review, were abandoned by inves- tigators. The study did not try to tease out the reasons for abandonment or the appropriateness of abandonment (O’Herrin et al., 2004). A well-publicized instance of the Privacy Rule leading to studies being abandoned was outlined in the San Francisco Chronicle. Reporting of cancer cases to the State of California Cancer Registry is required by law and should not have been affected by the implementation Privacy Rule. However, after the Privacy Rule became effective, 17 hospitals in the Bay area restricted the registry’s access to patient data, endangering many studies that relied on the California Cancer Registry for data. For example, a study examining why African Americans in the Bay Area have a higher risk of lung cancer than other racial and ethnic groups was nearly abandoned after the Privacy Rule came into effect because of the difficulty of collecting data (Russell, 2004b). This problem was created by the hospitals’ overly conservative interpreta- tion of the Privacy Rule, not the actual requirements of the Privacy Rule. A settlement was eventually reached after 2 years of disagreement, and the California Cancer Registry now has full access to the files and records of cancer patients, as is required in all states (Russell, 2004a). A second instance of an institution’s interpretation of the Privacy Rule leading to an abandoned study was reported in the Minneapolis Star Tribune. For more than 25 years, researchers at the University of Minnesota–Twin Cities were allowed to access more than 40,000 Minnesotans’ medical records as part of a longitudinal study into heart attacks and cholesterol- lowering drugs. This study depended on researchers viewing the medical records of patients without the individuals’ consent. After the Privacy Rule was implemented, data collection for this study was put on hold because the researchers were unable to obtain a waiver of authorization. The researchers decided not to seek additional grant money for the study because it was

0 BEYOND THE HIPAA PRIVACY RULE unclear whether they could continue without a seriously modified protocol under the Privacy Rule (Kaiser, 2006; Shaffer, 2006). In addition, a significant number of researchers surveyed attribute abandoned studies to the Privacy Rule. In the NAACCR survey, 19 percent of respondents cited the Privacy Rule as a reason for stopping or preventing a research project (Howe et al., 2006). In the AHRQ survey, 45 percent of respondents described a study that had been stopped or altered because the respondents found it was not possible to redesign a study protocol to com- ply with the Privacy Rule. Examples of studies that were ended included: (1) follow-up studies where patients were tracked through a number of health facilities for services; (2) studies involving community health centers, community-based mental health and substance abuse programs, and rural sites; (3) longitudinal studies, where the Privacy Rule requires researchers to obtain multiple authorizations; and (4) research evaluating government programs and clinical interventions in order to improve patient population health (Walker, 2005). In the HMORN survey of investigators, 65 percent of respondents agreed that they were hesitant to pursue new study ideas due to the Privacy Rule (Figure 5-6) (Greene et al., 2008). In the AcademyHealth survey, 13 percent of respondents reported that an IRB or Privacy Board has pre- vented a study in which they were involved from moving forward due to the IRB or Privacy Board’s concern about violating the Privacy Rule. Ten percent of respondents said they considered or developed a study, but did not submit it to the IRB or Privacy Board because they thought it would not be approved due to their IRB or Privacy Board’s conservative interpretation of the Privacy Rule (Helms, 2008). In addition, in the ASCO survey, six investigators said they had abandoned genetic studies on family members of individuals diagnosed with cancer because of difficulty in moving the proj- ects through the IRB approval process. IRBs were most concerned about the privacy of the cancer patients (ASCO, 2008). DEIDENTIFIED INFORMATION In drafting the Privacy Rule, HHS specifically excluded deidentified infor- mation from the definition of PHI (see Chapter 4). In principle, researchers can access and use deidentified information without patient authorization. However, many researchers have reported that the deidentification provisions of the Privacy Rule do not provide an effective way to obtain health data for research. The two major problems reported are that researchers have dif- ficulty obtaining deidentified information from covered entities and that data that have been deidentified according to the Privacy Rule provisions (which are more stringent than the Common Rule provisions) are of poor quality and difficult to use in research.

 EFFECT OF THE HIPAA PRIVACY RULE The Privacy Rule makes researchers hesitant to pursue new studies: Strongly agree Agree somewhat No opinion Disagree somewhat Strongly disagree 0 10 20 30 40 50 % Reporting FIGURE 5-6 HMO Research Network Survey of Researchers. Responses to the question: There are study ideas that I have5- 6.eps pursuing, but am hesi- Figure considered tant to do so because of the Health Insurance Portability and Accountability Act regulations. SOURCE: Greene et al. (2008). Access to Deidentified Data Survey data indicate that researchers often have difficulty obtaining deidentified information from covered entities. In the national survey of epi- demiologists, half of the respondents reported accessing deidentified infor- mation since the Privacy Rule was implemented. Of this half, 40 percent reported a high level of difficulty in gaining access to this deidentified infor- mation (i.e., 4–5 on the Likert scale) (Ness, 2007). In addition, the AHRQ survey found that 39 percent of respondents reported problems obtaining deidentified data from covered entities or had problems creating deidenti- fied datasets. Most respondents to the survey also reported concerns about the use of the statistical method to certify deidentified data. Many were looking for an alternative option to the “safe harbor” process of deidenti- fication because they believed the resultant datasets were too restrictive for health services research (Walker, 2005).

 BEYOND THE HIPAA PRIVACY RULE The HMORN survey of investigators also found similar results. Of the respondents, 42 percent reported that accessing deidentified data had occasionally been difficult, and 13 percent reported that it was “routinely difficult.” However, in the HMORN survey of IRB administrators, 4 of the 11 sites reported having individuals on staff who could assist with the deidentification of data using the statistical method (Greene et al., 2008). In the AHA/ACC survey, only 32 percent of respondents reported attempt- ing to use deidentified data for research. Of these respondents, 76 percent reported that the process was difficult (Ring, 2007). Quality of Deidentified Data Clause and colleagues (2004) at the Albany College of Pharmacy designed a study to measure the amount of data that is lost when PHI is deidentified under the safe harbor provision of the Privacy Rule (see Chap- ter 4). For this study, the researchers first created a limited dataset from the pharmacy, administrative, and financial files of patients discharged from hospitals within the Northeast Health System. A limited dataset is a collection of health information compiled for research in which 16 direct identifiers are removed from the PHI (see Chapter 4). A limited dataset allows researchers to access more information than deidentified information because the Privacy Rule requires that researchers using a limited dataset enter into a data use agreement specifying the permitted uses and disclo- sures of the limited dataset. The researchers then converted the limited dataset into deidentified information under the safe harbor provision of the Privacy Rule, which requires removal of 18 personal identifiers. They measured data lost as a function of unique data elements (UDEs) for both the limited dataset and the deidentified information. This study found that a large percentage of data was lost when infor- mation was deidentified. The limited dataset represented 4,738 patient dis- charges and contained 810,456 UDEs in 322,657 records. The deidentified dataset represented 4,733 patient discharges but only contained 562,171 UDEs. This means that the deidentified dataset contained 31 percent fewer UDEs than the limited dataset. The researchers reported that much of the information lost when the information was deidentified was of the type that is of the most interest to researchers, such as time between episodes of care. The researchers concluded that deidentified data removes too much information to produce data useful for conducting good research (Clause et al., 2004). Results from the AcademyHealth survey also indicate concern about the usefulness of deidentified data for research. In this survey, 62 percent of the respondents reported that the use of deidentified data had a negative impact on research, 38 percent reported that the removal of the required

 EFFECT OF THE HIPAA PRIVACY RULE identifiers interfered somewhat with research, and 21 percent reported that the removal of identifiers interfered significantly with research. Only 3 percent of the respondents reported that the removal of identifiers did not interfere with research (Helms, 2008). AUTHORIZATION PROCESS The authorization provisions of the Privacy Rule are relevant to health researchers because although there are some situations in which researchers can obtain PHI without authorization (i.e., by obtaining an IRB/Privacy Board waiver of authorization, or using limited datasets or deidentified information), for many research projects, researchers must obtain a signed authorization form from each research participant (see Chapter 4). Many researchers have expressed dissatisfaction with how the authorization pro- cess has been interpreted and implemented by covered entities. Researchers report that many IRBs and Privacy Boards require lengthy and complex wording to describe the authorization within consent forms. They claim that the extra language added to consent forms is confusing to research par- ticipants, burdens the informed consent process, and undermines research recruitment (AAHC, 2008; Shalowitz and Wendler, 2006). In the HMORN survey of investigators, 76 percent of respondents reported that they had incorporated the Privacy Rule’s requirements for authorization directly into their informed consent forms. However, in the structured interviews of investigators, all four respondents who conducted primary data collection reported that they were obliged by their IRB to augment the consent and authorization procedures for their studies after the Privacy Rule was implemented. All four investigators also stated that the Privacy Rule authorization language had an adverse effect on research recruitment because it increased patient confusion and frustration. Likewise, in the HMORN survey of IRB administra- tors, 54.6 percent of respondents stated that study participants are unduly burdened by the complexity of authorization forms (Greene et al., 2008). Studies analyzing the readability of Privacy Rule–compliant autho- rization forms document the effect of complex authorization forms on individuals’ willingness to participate in research. In a letter to the editor of the Annals of Internal Medicine, Breese and colleagues (2004) outlined an evaluation of the readability and length of authorization forms. The researchers analyzed the authorization templates from the 125 academic medical centers receiving the most funding from the National Institutes of Health and from 31 independent IRBs. First, the authors determined that the authorization form added an average of two pages of additional mate- rial to the informed consent form, or about 744 extra words.

 BEYOND THE HIPAA PRIVACY RULE Next, the researchers looked at the authorization forms’ readability using three formulas: the Simple Measure of Gobbledegook (SMOG), the Flesch- Kincaid reading level, and the Flesch Reading Ease Score. Using the SMOG formula to evaluate the authorization forms, the researchers found that the median reading level for the authorization templates was 13th grade (i.e., freshman year in college). All of the forms scored above the eighth-grade reading level. Under the Flesch-Kincaid reading-level formula, the research- ers found that 97 percent of the forms were written above the eighth-grade reading level. Similarly, using the Flesch Reading Ease Score, the researchers found that 86.5 percent of the forms were “difficult” or “very difficult” to read. Only 3 of 111 authorization forms scored at the “standard English” reading level. The authors concluded that these results are problematic for researchers because half of the U.S. adult population reads at or below the eighth-grade level. A large percentage of potential research participants are likely unable to comprehend much of the information contained in authori- zation forms. The authors believe that many institutions view authorization forms as liability protection, rather than as a mechanism to inform research participants about a study (Breese et al., 2004). A similar study was conducted by Nosowsky and Giordano (2006) at the University of Michigan. They analyzed the National Institutes of Health’s model authorization form using Microsoft’s Flesch-Kincaid scale and found that it was written at a 12th-grade reading level. The authors concluded that many research participants cannot understand the forms they are required to sign. Thus, it is not surprising that researchers are reporting that the authorization process is causing confusion for research participants (Nosowsky and Giordano, 2006). Another study that examined whether the Privacy Rule authorization requirement has created a barrier to research was conducted by Shen et al. at Governors State University, University Park, IL. The researchers followed the authorization process in a school-based educational program for child- hood obesity prevention as a case study. The authorization form used in this case study was as simple as possible. Most of the sentences on the form were taken directly out of the Privacy Rule regulation, and any additional sentences were required by the local IRB. However, despite an attempt to simplify the authorization form, only 21 percent of parents granted authori- zation for their children to participate in the school-based obesity program. The researchers concluded that the authorization form was overly complex, making many parents reluctant or unwilling to sign it. The authors noted, however, that the low recruitment rate recorded perhaps could have been more easily solved through better communication about the program with the students’ parents than through modification of the authorization forms (Shen et al., 2006).

 EFFECT OF THE HIPAA PRIVACY RULE CONCERNS ABOUT POTENTIAL LEGAL CONSEQUENCES Because many institutions are risk averse, the AcademyHealth survey examined the impact of concerns about the penalty provisions of the Pri- vacy Rule on research. Nineteen percent of the respondents reported that the penalties had no effect on efforts to obtain data from a covered entity, and 24 percent reported that penalties were considered by covered entities but ultimately did not prevent researchers from obtaining data. However, 26 percent of respondents reported that concerns about penalties have impeded access to data—16 percent reported that fear of penalties has pre- vented covered entities from providing data to researchers, and 10 percent reported that covered entities’ concerns about data privacy caused them to forego research activities. Nearly 30 percent of respondents were unsure what impact, if any, penalties have had on efforts to obtain data from covered entities (Helms, 2008). Similar concerns were reported for a study using data from 19 hospitals near the University of Washington, as noted previously. The nine IRBs requiring full review of a study already approved by the IRB of the University cited concerns over the Privacy Rule’s civil and criminal penalties as the main reason for denying expedited review or for not honoring another IRB’s decisions (Lydon-Rochelle and Holt, 2004). Fear of civil suits could also lead IRB and Privacy Board members to be overly conservative in their decisions about research proposals brought before them, and could be a significant deterrent in recruiting qualified volunteers to serve on IRBs and Privacy Boards. Effective oversight of health research depends on the recruitment of qualified and knowledgeable volunteers to serve on IRBs and Privacy Boards, but the growth over the past decade of lawsuits naming individual IRB members as defendants5 has created a chill that threatens the willingness of volunteers to serve on IRBs (Hoffman and Berg, 2005; Icenogle, 2003; IPPC, 2008; Rose and Lodato, 2004; Shaul et al., 2005). Members of IRBs and Privacy Boards are generally indemnified by their institutions, but they are not immune from being named in a suit. There- fore they could still have to devote time and resources to defending themselves for decisions made by an IRB or a Privacy Board on which they served. POTENTIAL WAYS TO REDUCE INTERPRETIVE VARIABILITY AMONG IRBS, PRIVACY BOARDS, AND COVERED ENTITIES HHS intended to allow covered entities, IRBs, and Privacy Boards to have some local control in implementing and interpreting the Privacy Rule as it applies to the use and disclosure of PHI for research. Sensitivity to local 5 For examples of specific cases naming IRB members as individual defendants, see Robertson v. McGee (2001), Guckin v. Nagle (2002), and Scheer v. Burke (2003), available at http:// www.sskrplaw.com/gene/index.html.

 BEYOND THE HIPAA PRIVACY RULE issues can be a desirable feature, particularly when institutions serve special populations or under unusual circumstances. However, variations in IRB and Privacy Board oversight may relate less to true local differences in the research environment than to the administrative differences and variability in the skills and resources of IRBs and Privacy Boards (Casarett et al., 2005). There is no required certification process to ensure that IRB/Privacy Board members have sufficient knowledge and understanding of research ethics and regulation, and funding is often through indirect sources, such as grants. Based on the evidence presented in this chapter, it is clear that over- interpretation of the Privacy Rule is common and that the substantial variability in interpretation among covered entities and oversight boards is detrimental to health research. More consistent application of the Privacy Rule would facilitate responsible research and also provide more meaning- ful protection of patient privacy. One potential way to begin to address this issue would be for HHS to regularly identify and disseminate “best practices” for responsible research (IOM, 2000). Guidance materials and models or templates for things such as the authorization form (written at an appropriate reading level), waiver of authorization form, data use agreements, and business associate agreements would make it easier for investigators to appropriately design research projects and put institutions at ease about decisions their IRBs and Privacy Boards make with regard to privacy concerns. This endeavor could perhaps be accomplished as an activity of the National Institutes of Health (NIH) Roadmap,6 under the direction of the Office for Civil Rights. An informative precedent for this activity is the National Practitioner Data Bank Guidebook7 of the Health Resources and Services Administration, established through Title IV of the Healthcare Quality Improvement Act of 1986, Public Law 99–660. That guidebook, which is frequently updated, provides many case examples of what should be done in various situations. Stakeholders—including researchers; research institutions, IRBs, and Privacy Boards; sponsors of research; public health practitioners and agen- cies; patient and consumer organizations; and privacy experts—could have considerable influence on the adoption of best practices once they have been identified and thus could help to make privacy protections and IRB/Privacy Board decisions more uniform. For example, Requests for Proposals and other funding mechanisms could be more instructive on this point. Many 6 The NIH Roadmap was initiated in 2004 as “an integrated vision to deepen our under- standing of biology, stimulate interdisciplinary research teams, and reshape clinical research to accelerate medical discovery and improve people’s health.” See http://nihroadmap.nih. gov/overview.asp (accessed January 13, 2009). 7 See http://www.npdb-hipdb.hrsa.gov/npdbguidebook.html (accessed January 13, 2009).

 EFFECT OF THE HIPAA PRIVACY RULE academic researchers depend on their ability to procure funding from a source external to their institutions, and research sponsors also have obliga- tions to protect research participants. As a result, major nonfederal funders could be a powerful force for adherence to ethical guidelines, even in the absence of strong federal regulations and enforcement. Organizations whose primary missions are focused on promoting responsible and ethical research, such as Public Responsibility in Medi- cine and Research (PRIM&R) and the Association for the Accreditation of Human Research Protection Programs (AAHRPP), featured in Boxes 5-2 and 5-3, could contribute much to the dynamic and ongoing process of developing best practices. These organizations educate IRB profession- als, offer voluntary certification programs, and have hosted conferences to address ethical and legal challenges in research, including those related to HIPAA. Increased participation in PRIM&R and AAHRPP could extend understanding of regulatory requirements and foster national discourse about issues of interpretation and application of the Privacy Rule. An important point to remember is that HHS’s policy is to seek compli- ance first, rather than penalties, when a concern is brought to the agency’s attention (see Chapter 5). Institutions might be less inclined to be overly conservative in interpreting the Privacy Rule if this were stated more clearly BOX 5-2 Public Responsibility in Medicine and Research (PRIM&R) The mission of PRIM&R is to promote ethical research in humans and animals. It tracks and provides input to policy initiatives and regulatory changes relating to ethical standards in research and offers educational opportunities in the fields of biomedical and social/behavioral/educational research. PRIM&R also offers two certification programs, one for administrators for animal care and use committees, and one for IRB professionals. The latter is designed specifically for individuals participating in and/or over- seeing the daily operations of IRBs, including IRB administrators, staff, chairs, and institutional officials. Professionals from institutional IRBs, independent IRBs, and industry, as well as other institutions focused on either biomedical or social/ behavioral/educational research, are eligible. Candidates’ IRB experience must be “substantial and ongoing” and must reflect the applicant’s commitment to applied research ethics in human subjects protections. The exam for certification is administered by the Professional Testing Corporation and is offered at least twice yearly at testing sites across the United States and Canada. Certification is valid for 3 years and can be renewed via reexamination or once in a 6-year period with continuing education credits. SOURCE: See http://www.primr.org.

 BEYOND THE HIPAA PRIVACY RULE BOX 5-3 Association for the Accreditation of Human Research Protection Programs (AAHRPP) A AHRPP is an independent, nonprofit entity that accredits organiza - tions’ human research protection programs. Its mission is to accredit “high- quality human research protection programs in order to promote excellent, e thically sound research. Through partnership with research organizations, r esearchers, sponsors, and the public, AAHRPP encourages effective, effi- cient, and innovative systems of protection for human research participants.” To earn and maintain accreditation, an organization must provide evidence t hat its practices, policies, and procedures promote ethically sound and sci- entific research every 3 years. AAHRPP provides print, online, and training r esources to guide organizations through the accreditation process and to h elp organizations interpret the required accreditation standards. SOURCE: See http://www.aahrpp.org/www.aspx. in guidance materials. Simple clarification and clear communication of the way HHS will enforce the Privacy Rule and seek penalties would be helpful. In addition, some limited protection against civil suits brought pursu- ant to federal or state law for members of IRBs and Privacy Boards for decisions made within the scope of their responsibilities under the Privacy Rule and the Common Rule could be beneficial. This limited protection should not include protection for willful and wanton misconduct in review- ing the research. Members of IRBs or Privacy Boards who receive limited protection against lawsuits may be less likely to interpret the Privacy Rule too conservatively. A similar provision was incorporated into the Ontario Personal Health Information Protection Act of 2004, under which members of Research Ethics Boards are immune for acts done and omissions made in good faith that are reasonable under the circumstances (see also Chapter 6). This type of immunity for IRB and Privacy Board members would be simi- lar to the precedent of protection for peer review members under state laws and under the Health Care Quality Improvement Act of 1986. Such protections might also facilitate multi-institutional research by reducing the variability among local IRBs and Privacy Boards because they might be more comfortable accepting the decision of a lead IRB/Privacy Board. But even in the absence of this sort of regulatory or statutory

 EFFECT OF THE HIPAA PRIVACY RULE change, a clear statement from HHS regarding the acceptability, and thus the limits, of legal consequences of accepting the decision of another IRB or Privacy Board would help to facilitate multi-institutional research. CONCLUSIONS AND RECOMMENDATIONS The evidence presented in this chapter demonstrates that implementa- tion and interpretation of the Privacy Rule has had a significant effect on how health research is conducted in the United States. Although the Pri- vacy Rule may have extended regulatory protections of privacy in health research that were desirable, the numerous studies reviewed here indicate that it has also had an unintended negative effect on health research, often due to variations in how covered entities, IRBs, and Privacy Boards inter- pret the complex regulations. Nonetheless, even if the effect on research has been negative, carefully considering the effect on privacy of any changes to the Privacy Rule as well as the effect on research is important. Many problems identified in this chapter could potentially be improved by HHS without changing the Privacy Rule itself. More consistent application of the Privacy Rule would facilitate responsible research and provide more meaningful protection of patient privacy. Thus, the committee recommends that HHS regularly convene consensus development conferences in collaboration with health research stakeholders to collect and evaluate current practices in privacy protec- tion in order to identify and disseminate best practices for responsible research. Stakeholders can then enable and encourage researchers to use these best practices in designing and conducting research involving the use of PHI. Current guidance from HHS addresses only what is permissible under the HIPAA Privacy Rule; the guidance does not identify best practices. A dynamic, ongoing process for the identification and dissemination of best practices in privacy protection for various types of health research by HHS would facilitate reviews by IRBs and Privacy Boards and would lead to more consistent and appropriate decisions. Guidance materials with best practices and models or templates for things such as the authorization form, waiver of authorization form, data use agreements, and business associate agreements would make it easier for investigators to appropriately design research projects and put institutions at ease about decisions their IRBs and Privacy Boards make with regard to privacy concerns. Such guidance mate- rials should be written as clearly and simply as possible, using an inclusive, dynamic, and transparent development process, and should override all prior guidance documents. Stakeholders—including researchers; research institutions, IRBs, and Privacy Boards; sponsors of research; public health practitioners and agen-

0 BEYOND THE HIPAA PRIVACY RULE cies; patient and consumer organizations; and privacy experts—could have considerable influence on the adoption of best practices once they have been identified and thus could help to make privacy protections and IRB/Privacy Board decisions more uniform. Organizations whose primary missions are focused on promoting responsible and ethical research, such as PRIM&R and AAHRPP, can contribute much to the process. Another potential way to reduce inconsistency and overly conservative interpretation would be to provide some limited legal protection for IRB and Privacy Board members, who may be fearful of lawsuits pertaining to IRB/Privacy Board decisions. The committee recommends that HHS—or, as necessary, Congress—provide reasonable protection against civil suits brought pursuant to federal or state law for members of IRBs and Privacy Boards for decisions made within the scope of their responsibilities under the HIPAA Privacy Rule and the Common Rule. The limitation on liability should not include protection for willful and wanton misconduct in review- ing the research, but should instead be for good-faith decisions, backed by minutes or other evidence, in responsibly applying the legal requirements under the HIPAA Privacy Rule or the Common Rule. Recommendations put forth in previous chapters should also help to reduce variability and overinpretation of the regulations. These include facilitating greater use of data with direct identifiers removed and facili- tating appropriate IRB and Privacy Board oversight of identification and recruitment of potential research participants (see Chapter 4). Clarifying the distinction between “research” and “practice” to ensure appropriate ethical oversight of the use of protected health information would also help IRBs and Privacy Boards make decisions that adequately protect patient privacy and facilitate responsible research (see Chapter 3). However, as indicated in Chapter 6, the committee believes that ideally, a bolder approach should be taken, with HHS developing a new approach to protecting privacy in health research that emphasizes privacy, security, accountability, and transparency and that is applicable to all health research in the United States. REFERENCES AAHC (Association of Academic Health Centers). 2008. HIPAA creating barriers to research and discovery: HIPAA problems widespread and unresolved since 00. http://www. aahcdc.org/policy/reddot/AAHC_HIPAA_Creating_Barriers.pdf (accessed September 2, 2008). Al-Shahi, R., C. Vousden, and C. Warlow. 2005. Bias from requiring explicit consent from all participants in observational research: Prospective, population based study. British Medical Journal 331:942–945.

 EFFECT OF THE HIPAA PRIVACY RULE Armstrong, D., E. Kline-Rogers, S. M. Jani, E. B. Goldman, J. Fang, D. Mukherjee, B. K. Nallamothu, and K. A. Eagle. 2005. Potential impact of the HIPAA Privacy Rule on data collection in a registry of patients with acute coronary syndrome. Archives of Internal Medicine 165(10):1125–1129. ASCO (American Society of Clinical Oncology). 2008. The impact of the Privacy Rule on cancer research: Variations in attitudes and application of regulatory standards. Alexandria, VA: ASCO. Beebe, T., N. Talley, M. Camilleri, S. M. Jenkins, K. J. Anderson, and G. R. Locke. 2007. The HIPAA authorization form and effects on survey response rate, nonresponse bias, and data quality. Medical Care 45(10):959–965. Breese, P., W. Burman, C. Rietmeijer, and D. Lezotte. 2004. The Health Insurance Portability and Accountability Act and the informed consent process. Annals of Internal Medicine 141:897–898. Casarett, D., J. Karlawish, E. Andrews, and A. Caplan. 2005. Bioethical issues in pharmaco- epidemiological research. In Pharmacoepidemiology, 4th ed, edited by B. L. Strom. West Sussex, England: John Wiley & Sons, Ltd. Pp. 417–432. Clause, S. L., D. M. Triller, C. P. H. Bornhorst, R. A. Hamilton, and L. E. Cosler. 2004. Con- forming to HIPAA regulations and compilation of research data. American Journal of Health-System Pharmacy 61(10):1025–1031. Deapen, D. 2006. Negative impact of HIPAA on population-based cancer registry research: A brief survey. Springfield, IL: North American Association of Central Cancer Registries. Dunlop, A., T. Graham, Z. Leroy, K. Glanz, and B. Dunlop. 2007. The impact of HIPAA authorization on willingness to participate in clinical research. Annals of Epidemiology 17(11):899–905. Friedman, D. S. 2006. HIPAA and research: How have the first two years gone? American Journal of Ophthalmology 141(3):543–546. Greene, S. M., A. M. Geiger, E. L. Harris, A. Altschuler, L. Nekhlyudov, M. B. Barton, S. J. Rolnick, J. G. Elmore, and S. Fletcher. 2006. Impact of IRB requirements on a multicenter survey of prophylactic mastectomy outcomes. Annals of Epidemiology 16:275–278. Greene, S. M., S. Bennett, B. Kirlin, K. R. Oliver, R. Pardee, and E. Wagner. 2008. Impact of the HIPAA Privacy Rule in the HMO Research Network. Seattle, WA: Group Health Cooperative Center for Health Studies. Harris, M. A., and A. R. Levy. 2008. Personal privacy and public health: Potential impacts of privacy legislation on health research in Canada. Canadian Journal of Public Health 99(4):293–296. Helms, D. 2008 (February 14). PowerPoint presentation to the Institute of Medicine Com- mittee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on the AcademyHealth survey results. Hoffman, S., and J. W. Berg. 2005. The suitability of IRB liability. Case Legal Studies Research Paper No. 0-. February. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=671004 (accessed September 2, 2008). Howe, H. L., A. J. Lake, and T. Shen. 2006. Method to assess identifiability in electronic data files. American Journal of Epidemiology 165(5):597–601. Icenogle, D. L. 2003. IRBs, conflict and liability: Will we see IRBs in court? Or is it when? Clinical Medicine & Research 1(1):63–68. IOM (Institute of Medicine). 2000. Protecting data privacy in health services research. Wash- ington, DC: National Academy Press. IOM. 2002. Responsible research: A systems approach to protecting research participants. Washington, DC: The National Academies Press.

 BEYOND THE HIPAA PRIVACY RULE IPPC (International Pharmaceutical Privacy Consortium). 2008 (March 30). Comments to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on the impact of the HIPAA Privacy Rule on pharmaceutical research. Kaiser, J. 2006. Rule to protect records may doom long-term heart study. Science 311:1547–1548. Kolata, G. 2007. States and V.A. at odds on cancer data. The New York Times, October 10. Kompanje, E. J. O., and A. I. R. Maas. 2006. Is the Glasgow coma scale score protected health information? The effect of new United States regulations (HIPAA) on completion of screening logs in emergency research trials. Intensive Care Medicine 32:313–314. Lydon-Rochelle, M., and V. L. Holt. 2004. HIPAA transition: Challenges of a multisite medical records validation study of maternally linked birth records. Maternal & Child Health Journal 8(1):35–38. McCarthy, D. B., D. Shatin, C. R. Drinkard, J. H. Kleinman, and J. S. Gardner. 1999. Medical records and privacy: Empirical effects of legislation. Health Services Research 34(1):417–425. National Committee on Vital and Health Statistics, Subcommittee on Privacy and Confiden- tiality. Susan Ehringhaus’s testimony on behalf of the Association of American Medical Colleges. November 19, 2003. Ness, R. 2005. A year is a terrible thing to waste: Early experience with HIPAA. Annals of Epidemiology 15(2):85–86. Ness, R. 2007. Influence of the HIPAA Privacy Rule on health research. JAMA 298(18):2164–2170. Newgard, C. D., S. H. Hui, P. Stamps-White, R. J. Lewis, C. D. Newgard, S.-H. J. Hui, P. Stamps-White, and R. J. Lewis. 2005. Institutional variability in a minimal risk, population-based study: Recognizing policy barriers to health services research. Health Services Research 40(4):1247–1258. Nosowsky, R., and T. J. Giordano. 2006. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule: Implications for clinical research. Annual Review of Medicine 57(1):575–590. O’Herrin, J. K., N. Fost, and K. A. Kudsk. 2004. Health Insurance Portability and Account- ability Act (HIPAA) regulations: Effect on medical record research. Annals of Surgery 239(6):772–778. Ramirez, A. G., and J. E. Niederhuber. 2003 (November 5). Letter to the Honorable Tommy G. Thompson, Secretary of the Department of Health and Human Services. Ring, J. 2007 (October 1–2). PowerPoint presentation to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on the American Heart Association survey results. Rose, B. S., and V. Lodato. 2004. The role of class actions in litigation involving human research subjects. BNA Class Action Litigation Report, March 12. Russell, S. 2004a. Dispute on medical record access settled: Cancer researchers wanted UC data on new cases quicker. San Francisco Chronicle, December 7, B1. Russell, S. 2004b. Medical privacy law said to be chilling cancer studies: Scientists fight for fast access to patient files. San Francisco Chronicle, September 26, A4. Shaffer, D. 2006. Privacy laws jeopardize heart study: Researchers have put a well-known stroke and heart disease study on hold. Star Tribune, February 12. Shalowitz, D., and D. Wendler. 2006. Informed consent for research and authorization under the Health Insurance Portability and Accountability Act Privacy Rule: An integrated approach. Annals of Internal Medicine 144(9):685–688. Shaul, R. Z., S. Birenbaum, and M. Evans. 2005. Legal liability in research: Early lessons from North America. BMC Medical Ethics 6(4):1–4.

 EFFECT OF THE HIPAA PRIVACY RULE Shen, J. J., L. F. Samson, E. L. Washington, P. Johnson, C. Edwards, A. Malone, J. J. Shen, L. F. Samson, E. L. Washington, P. Johnson, C. Edwards, and A. Malone. 2006. Barriers of HIPAA regulation to implementation of health services research. Journal of Medical Systems 30(1):65–69. Trevena, L., L. Irwig, and A. Barratt. 2006. Impact of privacy legislation on the number and characteristics of people who are recruited for research: A randomized controlled trial. Journal of Medical Ethics 32:473–477. Tu, J. V., D. J. Willison, F. L. Silver, J. Fang, J. A. Richards, A. Laupacis, and M. K. Kapral. 2004. Impracticability of informed consent in the registry of the Canadian stroke net- work. New England Journal of Medicine 350(14):1414–1421. Walker, D. K. 2005. Impact of the HIPAA Privacy Rule on health services research. Philadelphia, PA: Abt Associates, Inc. Ward, H. J. T., S. N. Cousens, B. Smith-Bathgate, M. Leitch, D. Everington, R. G. Will, and P. G. Smith. 2007. Obstacles to conducting epidemiological research in the UK general population. British Medical Journal 329:277–279. Williams, B. A., J. J. Irrgant, M. T. Bottegal, K. A. Francis, and M. T. Vogt. 2007. A post hoc analysis of research study staffing: Budgetary effects of the Health Insurance Portability and Accountability Act (HIPAA) on research staff workload during a prospective, randomized clinical trial. Anesthesiology 107(5):860–861. Wolf, M. S., and C. L. Bennett. 2006. Local perspective of the impact of the HIPAA Privacy Rule on research. Cancer 106(2):474–479. Woolf, S. H., S. F. Rothemich, R. E. Johnson, and D. W. Marsland. 2000. Selection bias from requiring patients to give consent to examine data for health services research. Archives of Family Medicine 9:1111–1118.

Next: 6 A New Framework for Protecting Privacy in Health Research »
Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research Get This Book
×
Buy Paperback | $43.00 Buy Ebook | $34.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

In the realm of health care, privacy protections are needed to preserve patients' dignity and prevent possible harms. Ten years ago, to address these concerns as well as set guidelines for ethical health research, Congress called for a set of federal standards now known as the HIPAA Privacy Rule.

In its 2009 report, Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research, the Institute of Medicine's Committee on Health Research and the Privacy of Health Information concludes that the HIPAA Privacy Rule does not protect privacy as well as it should, and that it impedes important health research.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!