1
Introduction
BRIEF HISTORY OF HIPAA AND THE PRIVACY RULE
The Health Insurance Portability and Accountability Act (HIPAA) was
passed on August 21, 1996, with the dual goals of making health care
delivery more efficient and increasing the number of Americans with health
insurance coverage. These objectives were pursued through three main provisions
of the Act: (1) the portability provisions, (2) the tax provisions, and
(3) the administrative simplification provisions. The focus of this report,
the HIPAA Privacy Rule, was promulgated under the third provision. The
administrative simplification provisions of HIPAA instructed the Secretary
of the U.S. Department of Health and Human Services (HHS) to issue several
regulations concerning electronic transmission of health information,
which was expanding greatly in the early 1990s. The primary purpose of
these provisions was to standardize the use of electronic health information,
but Congress also recognized that advances in electronic technology
could endanger the privacy of health information. Thus, HIPAA mandated
the development of nationwide security standards and safeguards for the
use of electronic health care information as well as the creation of privacy
standards for protected health information.1
1 Protected health information is personally identifiable health information transmitted by
electronic media, maintained in electronic media, or transmitted or maintained in any other
form or medium. Protected health information excludes education records covered by the
Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232(g), records described
at 20 U.S.C. 1232(g)(a)(4)(B)(iv), and employment records held by a covered entity in its role
as employer.
BEYOND THE HIPAA PRIVACY RULE
Although the Common Rule2 imposed some requirements on the use
of health information in research, federal regulations specifically targeting
health information privacy were lacking. In accordance with the administrative
simplification provisions, HHS developed the HIPAA Privacy Rule,
which set out detailed regulations regarding the types of uses and disclosures
of personally identifiable health information that are permitted by the
covered entities.3 HHS first issued a proposed version of the HIPAA Privacy
Rule for public comment in 1999, but because of the enormous volume of
comments received regarding the regulations, as well as a change in executive
branch leadership following the 2000 Presidential election, the HIPAA
Privacy Rule evolved through several iterations before the final version was
issued in 2002 (45 C.F.R. parts 160 and 164). Most health care providers
and health plans were required to be in compliance with this version of the
HIPAA Privacy Rule by April 14, 2003. Small health plans were given until
April 14, 2004, to be in compliance.
The primary targets of the HIPAA Privacy Rule were information uses
and transactions necessary for the provision of health care, but the final
regulations also apply to a great deal of health research. Congress recognized
the important role that health records play in conducting health
research, and wanted to ensure that implementation of the HIPAA Privacy
Rule would not impede researchers’ continued access to such data. This
is reflected in two House reports on HIPAA with identical language, stating:
“The conferees recognize that certain uses of individually identifiable
information are appropriate, and do not compromise the privacy of an
individual. Examples of such use of information include . . . the transfer
of information from a health plan to an organization for the sole purpose
of conducting health care–related research. As health plans and providers
continue to focus on outcomes research and innovation, it is important
that the exchange and aggregated use of health care data be allowed” (U.S.
Congress, 1996a,b).
In response, HHS attempted to create a system that mandated privacy
protection for individually identifiable health information while allowing
important uses of the information in health care and research. Thus,
researchers must now follow the provisions of the HIPAA Privacy Rule
when obtaining data from a covered entity.
2 The “Common Rule” is the term used by 18 federal agencies who have adopted the same
regulations governing the protection of human subjects of research.
3 45 C.F.R. § 160.103 (2006), a health plan, a health care clearinghouse, or a health care
provider that transmits health information in electronic form in connection with a transaction
for which HHS has adopted a standard.
PRIVACY AND HEALTH RESEARCH
Health research and privacy protections both provide valuable benefits
to society, and the two topics are interrelated. Researchers know that trust
is essential for patients to be willing to participate in research, and many
patients value research and are willing to share their health information in
the hope of reaping some benefit from scientific advances for themselves or
their families. Collection and analysis of health information is necessary to
attain the full benefits of health research for the individual, the family, and
the community. The challenge is to identify the most essential components
of both privacy protection and research, to ensure maximal benefit and
minimal risk.
Some health research projects with important implications for health
care improvements and public health protections entail the analysis of information
that many would consider sensitive. For example, some research
examines information regarding individuals’ sexuality, or smoking, alcohol,
and drug use habits. Also, it may be necessary to collect information on an
individual’s social, racial, or economic status to study the influence of poverty,
nutrition, and social relationships on health. Many research projects
now also study a person’s genetic profile to gain insight into predispositions
for diseases. Epidemiology and public health research may trace disease
incidence and characteristics, or response to treatments.
Research participants are more willing to share personal information
and more likely to truthfully answer research questions when they believe
the privacy of their personal information is protected against inadvertent
or unwanted disclosure. This helps to assure individuals that their risk of
harm in participating, including economic, social, or psychological harm, is
minimal (Hodge et al., 1999). Furthermore, when researchers have access
to accurate and comprehensive medical datasets, the results are more likely
to be valid and meaningful to broad populations.
PRIVACY CONCERNS
Since the HIPAA Privacy Rule was implemented, privacy advocates and
others have argued that the United States needs stronger privacy protections
than are provided in the HIPAA Privacy Rule (Friedman, 2006; Gellman,
2006; Sobel, 2007). These demands have generally focused on health care
rather than health research, and are based to a large extent on theory, opinions,
and anecdotal experiences. As noted in the methods section below, a
Harris Poll undertaken during the course of this study provided new and
current insight into the experiences and expectations of the U.S. public with
regard to privacy in health research. A review of the relevant literature,
including surveys and focus group studies, can be found in Chapter 2.
After reviewing the available evidence, the committee concluded that
the public is deeply concerned about the privacy and security of personal
health information, and that the HIPAA Privacy Rule has reduced, but not
eliminated, those concerns. In some surveys, the majority of respondents
were not comfortable with their health information being provided for
health research except with notice and express consent. But in others, a
majority of respondents were willing to forgo notice and consent if various
safeguards and specific types of research were specified. As noted in
Chapter 3, surveys also indicate that the majority of Americans are supportive
of health research, but they lack information about how research is
conducted and are rarely informed about research results that may have a
direct impact on their health.
THE CONCERNS OF HEALTH RESEARCHERS
Researchers began raising concerns about the potential impact of the
HIPAA Privacy Rule on health research when the regulations were first
proposed. However, researchers did not play a large role in shaping the final
version of the HIPAA Privacy Rule published by HHS. Most of the comments
that HHS received from the research community during the notice
of proposed rulemaking period were focused on urging HHS not to include
research within the HIPAA Privacy Rule regulations at all. Few comments
suggested alternatives to the regulatory scheme proposed by HHS, or gave
HHS constructive comments on how to incorporate the research provisions
into the rule (IOM, 2006).
After the date of compliance for the HIPAA Privacy Rule, the concerns
of researchers escalated. Numerous anecdotal reports and expert
opinions, along with a number of surveys, indicate that the HIPAA Privacy
Rule has had a negative effect on the ability of researchers to conduct
valid research due to new restrictions on access to health data, and
has not produced a measurable increase in the protection of data used in
research (NCVHS, 2003; Ramirez and Niederhuber, 2003; Tovino, 2004;
Walker, 2005) (see also Chapter 5). Because of the reported concerns
about the HIPAA Privacy Rule’s effect on research, several organizations
have provided HHS with recommendations on how to improve the way
the HIPAA Privacy Rule regulates research. The past recommendations
of the National Committee on Vital and Health Statistics, the Association
of American Medical Colleges, and the HHS Secretary’s Advisory
Committee on Human Research Protections are listed in Appendix A. As
noted in the methods section below, several new surveys were also undertaken
during the course of this study to provide more current, systematic
data for the committee’s deliberations. The committee also reviewed
a number of studies that attempted to assess the impact of the HIPAA
Privacy Rule on health research. A complete review of the literature can
be found in Chapter 5.
ORIGINS OF THE STUDY
The 2003 Annual Report of the President’s Cancer Panel, which made
a number of recommendations regarding issues affecting cancer survivors,
also included a recommendation that “The Institute of Medicine (IOM)
should be commissioned to evaluate the impact of HIPAA provisions and
provide guidance to legislators on amendments needed to make this law
serve the interests of cancer survivors and others” after concluding that
the HIPAA Privacy Rule slowed research on cancer survivors in a variety
of ways (President’s Cancer Panel, 2004). The Panel’s 2005–2006 report
again called for an evaluation of the HIPAA Privacy Rule provisions that
were thought to inhibit the ability to track and collect data for research on
cancer survivors (President’s Cancer Panel, 2006). Based on those recommendations,
the IOM’s National Cancer Policy Forum held a workshop on
the topic, inviting a diverse group of speakers representing many relevant
stakeholders from academia, industry, and the public. The proceedings of
that workshop, held June 16, 2006, were then reported in a summary published
by the IOM (IOM, 2006).
At that workshop, speakers reiterated many of the challenges described
above in applying the HIPAA Privacy Rule to health research, noting that
despite having several years to learn and adapt to the new rules, as well as
new guidance from HHS and the Office for Civil Rights (OCR), researchers
are still facing difficulty in working under the HIPAA Privacy Rule. Although
the goal of the HIPAA Privacy Rule was to establish a uniform set of federal
standards to be applied nationwide, many speakers testified that there is
enormous variation among institutions and oversight boards in the way the
regulations are interpreted and applied, with many adopting exceptionally
conservative interpretations. Moreover, it was reported that many smaller
institutions lacked the staff and infrastructure to implement the regulations
on research and ensure compliance, and were opting out of research entirely
to avoid the risk of penalties for HIPAA noncompliance (IOM, 2006).
However, many speakers also stressed the need to maintain or strengthen
the privacy protections for personal health information.
Following the publication of the IOM’s National Cancer Policy Forum’s
workshop summary, the governing board of the National Academies determined
that a consensus study to examine the effects of the HIPAA Privacy
Rule on health research would be of value, and funding for the study
was obtained from diverse sources, including the National Institutes of
Health, the National Cancer Institute, the Burroughs Wellcome Fund, the
Robert Wood Johnson Foundation, the American Heart Association (AHA)/American
Stroke Association, the American Cancer Society, the American
Society for Clinical Oncology (ASCO), and C-Change.
COMMITTEE APPOINTMENT AND CHARGE
The funders of the study asked the IOM to examine the available
evidence to determine whether the HIPAA Privacy Rule was impacting the
conduct of health research. As a major funder of the study, HHS had a
particular interest in distinguishing direct effects of mandates in the HIPAA
Privacy Rule on the conduct of research from the variable influence of
interpretation and implementation of the regulations by various institutions
and oversight boards.
To examine the question, the IOM appointed a 15-member committee
with a broad range of expertise and experience covering various fields of
health research; privacy of health information; health law, regulation, and
ethics; human research protections and IRBs; health center administration;
use and protection of electronic health information; and patient advocacy.
The IOM committee was charged with the task of proposing recommendations
that would facilitate the efficient and effective conduct of responsible
health research while maintaining or strengthening the privacy protections
of identifiable health information (Box 1-1).
METHODS
The committee reviewed the available published literature and obtained
input from experts in the field and interested individuals and institutions.
The literature review, as well as the proceedings of the IOM workshop
described above, demonstrated there was a dearth of systematic data to
determine whether the HIPAA Privacy Rule was having an impact on health
research. Because many published reports were based on isolated anecdotes
or small surveys, the IOM committee sought larger surveys with national
coverage. As a result, the IOM, in consultation with committee members,
took the unusual step of commissioning4 several surveys to assess current
perceptions among health researchers of the effect of the HIPAA Privacy
Rule on research, and to gauge the public’s perception of and expectations
for privacy in health research. The first survey entailed a national web-based
survey of U.S. epidemiologists overseen by Dr. Roberta Ness at the
University of Pittsburgh. A second project, undertaken by Sarah Greene and
Dr. Ed Wagner at the Group Health Center for Health Studies in Seattle,
involved a survey of HMO Research Network (HMORN) investigators and
a survey of HMORN Institutional Review Boards. A Harris Interactive Poll
of the public, developed by Alan Westin of the Privacy Consulting Group,
served as the third survey. Detailed descriptions of the methodologies and
analysis for each of the surveys can be found in Appendix B. Several
additional surveys and focus groups were undertaken independently by
organizations, with the intent of providing input to the IOM committee.
Those organizations include AcademyHealth, AHA, ASCO, the American
Association of Central Cancer Registries, and the Association of Academic
Health Centers.
4 The surveys were commissioned with private funding. No federal funds were used to support
collection of survey data.
BOX 1-1
Committee Statement of Task
An Institute of Medicine committee will investigate the effects on health
research of the Privacy Rule regulations implementing the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) section on Administrative Simplification
and prepare a report. In conducting the study, the committee will:
1. Consider the range of study types, such as clinical trials, epidemiologic designs,
research using tissue repositories and databases, public health research,
and health services research, to the extent that available data and evidence
allow;
2. Consider research carried out by the full range of sponsors: government, public
and private academic, and for-profit sectors, including the pharmaceutical,
biotechnology, and medical device industries;
3. Review provisions of the Privacy Rule relevant to health research, including
those dealing with authorizations and accounting of disclosures of personal
health information, deidentification of data, reviews preparatory to research,
and others, and on reviewing them, may identify provisions that merit priority
attention and analysis;
4. Consider issues of interpretation and implementation of the Privacy Rule, as
well as of harmonization with overlapping provisions of the Common Rule and
Food and Drug Administration regulations, which have existed much longer;
5. Examine the potential impact of the Rule on public health research, on the
recruitment of research subjects for studies, on carrying out research internationally,
and on research using data and biomaterials in databases and tissue
repositories; and
6. Consider the needs for privacy of identifiable personal health information and
the value of such privacy to patients and the public. As data and evidence
allow, the needs and benefits of patient privacy will be balanced against the
needs, risks, and benefits of identifiable health information for various kinds of
health research. The committee will formulate recommendations for alterations
or retention of the status quo accordingly.
Surveys are useful in identifying the main issues surrounding the
HIPAA Privacy Rule’s regulation of research, but it is important to recognize
the limitations of opinion surveys. As noted briefly in Chapters 2,
3, and 5, designing quality surveys presents many challenges. These challenges
include ensuring that the respondents are truly representative of the
population being surveyed, developing the wording of questions, framing
the responses provided, analyzing the relationship and potential influence
of questions to each other in the survey process, and applying statistical
analyses to the data acquired. Although they are helpful in gaining the perspective
of populations of interest, such as current members of the health
research community or of the public, survey methods are also prone to
subject bias and error. Motivational factors may influence the results of
surveys that address sensitive subjects, and respondents may be unwilling
to provide accurate information for reasons of self-protection or personal
gain (Wentland and Smith, 1993). In addition, experiments in social psychology
suggest that responses to survey questions regarding attitude are
influenced by environment, survey type, and the context in which the question
is presented (Tourangeau et al., 2000). The committee’s intention in
presenting findings from opinion surveys, including those commissioned by
the IOM, is to shed light on opinions regarding the influence of the HIPAA
Privacy Rule on health research and patient privacy; it is not an attempt to
definitively determine cause and effect.
THE COMMITTEE’S CONCLUSIONS AND RECOMMENDATIONS
The recommendations put forth in this report represent committee
consensus that was developed through review and discussion of the above
information sources. There are three general methods for improving the
current system: (1) HHS and its OCR could provide more guidance to
IRBs, Privacy Boards, institutions, and other participants and stakeholders,
which is the simplest and most direct way to achieve change; (2) regulatory
changes to the HIPAA Privacy Rule provisions may be necessary in
some cases, but are more difficult to undertake; and (3) statutory change of
HIPAA or other legislation at the federal or state level, which is the most
difficult to accomplish. The committee tried to be as modest as possible in
proposing recommendations to achieve its goals, with the aim of making it
easier to effect change if policy makers agree with our proposals.
After reviewing the available evidence, the committee concluded that
covered entities, Institutional Review Boards (IRBs), Privacy Boards, and
researchers alike have faced difficulty in interpreting and implementing
the complex regulation. There is a great deal of variation in how these
stakeholders have responded to the HIPAA Privacy Rule, with many covered
entities, IRBs, and Privacy Boards interpreting the HIPAA Privacy
Rule very conservatively. These interpretations impede some important
research activities, and can also limit the validity and generalizability of
some research results. The variation in interpretation is especially problematic
for multi-institutional research projects. Gaining IRB or Privacy Board
approval from multiple institutions for a particular project is challenging
and can lead to significant delays or even abandoned studies, and also can
result in protocol variations at different research sites. The committee also
found that for some provisions of the HIPAA Privacy Rule, the burdens are
heavy and the privacy protections in research are small.
Therefore, the committee concluded that the HIPAA Privacy Rule,
as currently interpreted and implemented, impedes research without protecting
privacy as well as it should. The committee’s approach to its task
evolved as the study progressed and the group began thinking about potential
recommendations. The committee decided to approach the problem in
two ways. First, the committee proposes a bold, innovative, and more uniform
approach to the dual challenge of protecting privacy and supporting
beneficial and responsible research.5 Although this new approach may be
harder to implement in the short term, it should help stimulate fresh ideas
about the best ways to protect privacy and improve research as the nation
thinks about these two interrelated values over the next several years.
Second, the committee makes a series of detailed proposals to improve the
HIPAA Privacy Rule and associated guidance. These recommendations aim
to reduce variability in the interpretation of the HIPAA Privacy Rule as
applied to research, and to facilitate important health research within the
scope of the HIPAA Privacy Rule through revised and expanded guidance,
or by altering some provisions that pose a hindrance to research but do not
provide significant privacy protections. The committee’s last set of recommendations
do not directly relate to the HIPAA Privacy Rule, but should be
adopted regardless of which of the committee’s approaches is implemented
(the new framework or revisions to the HIPAA Privacy Rule and associated
guidance). These include improving the security of identifiable health
information, encouraging service on Institutional Review Boards and Privacy
Boards, and providing more information to the public about research
results, how health research is conducted, and how it contributes to the
welfare of individuals and society as a whole.
5 Responsible health research is methodologically sound, scientifically valid, protects the
rights and interests of study subjects, and addresses a question or problem relevant to improving
human health.
FRAMEWORK OF THE REPORT
Chapter 2 describes the value and importance of health information
privacy with an overview of how informational privacy has been protected
by law; a review of survey data on public opinions, expectations, and experiences;
and a discussion on the security of health data.
Chapter 3 describes the value and importance of responsible health
research, and includes an overview of how health information is used in
research and how federal regulations govern the conduct of research.
Chapter 4 provides an overview of the HIPAA Privacy Rule and how
privacy regulations apply to health research, including a discussion of the
HIPAA Privacy Rule’s relation to other regulations that govern the privacy
of health information in research.
Chapter 5 reviews the available evidence, including results from recent
surveys, on the impact of the HIPAA Privacy Rule on the conduct of health
research.
Chapter 6 describes the limitations of the HIPAA Privacy Rule, and
proposes a new and broader framework for the protection of privacy in
health research.
The Appendixes provide a summary of previous recommendations
to HHS about the HIPAA Privacy Rule and health research, as well as a
description of the surveys commissioned by the committee (survey methods
and analysis).
REFERENCES
Friedman, D. S. 2006. HIPAA and research: How have the first two years gone? American
Journal of Ophthalmology 141(3):543–546.
Gellman, R. 2006. Crimes and sanctions. Journal of AHIMA 77(9):96–97.
Hodge, J. G., Jr., L. O. Gostin, and P. D. Jacobson. 1999. Legal issues concerning electronic
health information: Privacy, quality, and liability. Journal of the American Medical Association
282(15):1466–1471.
IOM (Institute of Medicine). 2006. Effect of the HIPAA Privacy Rule on health research:
Proceedings of a workshop presented to the National Cancer Policy Forum. Washington,
DC: The National Academies Press.
National Committee on Vital and Health Statistics, Subcommittee on Privacy and Confidentiality.
Susan Ehringhaus’s testimony on behalf of the Association of American Medical
Colleges. November 19, 2003.
President’s Cancer Panel. 2004. Living beyond cancer: Finding a new balance.
http://deainfo.nci.nih.gov/ADVISORY/pcp/pcp03-04rpt/Survivorship.pdf (accessed May 1, 2008).
President’s Cancer Panel. 2006. Assessing progress, advancing change.
http://deainfo.nci.nih.gov/ADVISORY/pcp/pcp07rpt/pcp07rpt.pdf (accessed June 15, 2008).
Ramirez, A. G., and J. E. Niederhuber. 2003 (November 5). Letter to The Honorable Tommy G.
Thompson, Secretary of Department of Health and Human Services. Washington, DC.
Sobel, R. 2007. The HIPAA paradox: The Privacy Rule that’s not. Hastings Center Report
37(4):40–50.
Tourangeau, R., L. Rips, and K. Rasinski. 2000. The psychology of survey response. Cambridge,
UK: Cambridge University Press.
Tovino, S. A. 2004. The use and disclosure of protected health information for research under
the HIPAA Privacy Rule: Unrealized patient autonomy and burdensome government
regulation. South Dakota Law Review 49(3):447–502.
U.S. Congress, House of Representatives, Committee on Ways and Means. 1996a. Health
Coverage Availability and Affordability Act of . 104th Cong., 2d Sess. March 25,
1996.
U.S. Congress, House of Representatives, Committee of Conference. 1996b. Health Insurance
Portability and Accountability Act of . 104th Cong., 2d Sess. July 31, 1996.
Walker, D. K. 2005. Impact of the HIPAA Privacy Rule on health services research. Philadelphia,
PA: Abt Associates, Inc.
Wentland, E. J., and K. W. Smith. 1993. Survey responses: An evaluation of their validity. San
Diego, CA: Academic Press.