

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.




OCR for page 153
4 HIPAA, the Privacy Rule, and Its Application to Health Research

This chapter provides an overview of the development of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and describes how it applies to health research. A section at the end of the chapter also describes the relationships between HIPAA and other federal and state laws. Because a great deal of health research in the United States is also subject to the Common Rule (described in Chapter 3), disparities between these two federal rules are also noted where relevant throughout the chapter.

OVERVIEW OF HIPAA

HIPAA was passed on August 21, 1996. It was intended to make health care delivery more efficient and to increase the number of Americans with health insurance coverage. These objectives were pursued through three main provisions of the Act: (1) the portability provisions, (2) the tax provisions, and (3) the administrative simplification provisions.

Portability and Tax Provisions

The portability provisions of HIPAA aimed to prevent individuals from losing health care coverage due to a preexisting condition when changing to a new employer’s health plan. The portability provisions also aimed to reduce the number of unemployed or self-employed individuals without health insurance by making it easier for individuals to purchase health insurance without their employer.

BEYOND THE HIPAA PRIVACY RULE

Similarly, the tax provisions of HIPAA were also intended to make it easier for individuals to maintain health insurance. The tax provisions pursued this goal by modifying existing tax laws to make health insurance more affordable. HIPAA does not regulate the price of health insurance, but rather, it relies on tax breaks and other tax incentives to reduce health care costs (Chaikind et al., 2005).

Administrative Simplification Provisions

The administrative simplification provisions of HIPAA instructed the Secretary of the U.S. Department of Health and Human Services (HHS) to issue several regulations concerning the electronic transmission of health information. These provisions were included in the final version of HIPAA because health plans had requested federal legislation in this area from Congress. The use of electronic health information was expanding in the early 1990s, and the health care industry was unable to standardize the process and use of electronic health information without federal action.1

1 Personal communication, M. Wilder, Hogan and Hartson, March 17, 2007.

The security standards are one set of regulations mandated by the administrative simplification provisions of HIPAA. The Act instructed the Secretary of HHS to develop nationwide security standards and safeguards for the use of electronic health care information. The resulting HHS regulations spell out specific administrative, technical, and physical security procedures that health care plans, providers, and clearinghouses must incorporate into their operations to prevent unauthorized access, use, and disclosure of protected health information (CMS, 2005). HHS published the final HIPAA Security Rule in the Federal Register on February 20, 2003. Health plans and providers were required to be in compliance with these measures by April 2004 (see Box 2-2).

The administrative simplification provisions of HIPAA also directed the Secretary to develop standards for unique health identifiers for patients, employers, health plans, and providers. Unique health identifiers are national numbers that could be used to identify the individual or organization in standard health transactions. The Centers for Medicare & Medicaid Services (CMS) has issued standards for the unique health identifiers for employers and providers, and unique health identifiers for health plans are under development. However, Congress has prevented CMS from implementing a standard for the unique health identifier for patients by inserting language into the annual appropriations bill every year since HIPAA was enacted (Chaikind et al., 2005).

Finally, the administrative simplification provisions of HIPAA mandated the creation of privacy standards for the protection of personally identifiable medical information. Although privacy protections were not a primary objective of the Act, Congress recognized that advances in electronic technology could erode the privacy of health information, and included the privacy provision in HIPAA (IOM, 2006). In accordance with the administrative simplification provisions, HHS developed the Privacy Rule, which constitutes a broad-ranging federal health privacy regulation (see Table 4-1). Incorporating many of the basic fair information practices,2 the Privacy Rule generally restricts the use or disclosure of protected health information, except as permitted by the individual or as authorized or required by the Privacy Rule. Its provisions also impose on covered entities affirmative requirements to safeguard the information in their possession. The Privacy Rule gives individuals certain rights with respect to their health information (reviewed by Pritts, 2008).

2 U.S. Secretary of Health and Human Services, Recommendations on the Confidentiality of Individually-Identifiable Health Information to the Committees on Labor and Human Resources (September 11, 1997), and Standards for Privacy of Individually Identifiable Health Information: Proposed Rule, 64 Fed. Reg. 59918, 59923 (1999).

DEVELOPMENT OF THE PRIVACY RULE REGULATIONS

Congress did not include detailed privacy requirements in HIPAA. The terms of HIPAA required the Secretary of HHS to submit detailed recommendations to Congress by August 1997 on ways to protect the privacy of personally identifiable health information. These recommendations were to include suggestions on ways to protect individuals’ rights concerning their personally identifiable health information, procedures for exercising such rights, and the uses and disclosures of information that should be authorized or required under HIPAA.3 If Congress did not enact privacy legislation within 3 years of the passage of HIPAA, the Act required the Secretary of HHS to issue privacy regulations for the protection of personally identifiable health information within 42 months of HIPAA’s enactment.4

3 Health Insurance Portability and Accountability Act, 45 C.F.R. § 264(a)–(b) (2006).
4 See 45 C.F.R. § 264(c)(1) (2006).

In response to this mandate, HHS submitted recommendations for protecting the privacy of personally identifiable health information to Congress in September 1997. In these recommendations, Secretary Shalala advocated for the passage of federal privacy legislation, rather than relying on HHS to pass a set of privacy regulations. Shalala’s report stated, “This report recommends that Congress enact national standards that provide fundamental privacy rights for patients and define responsibilities for those who service them” (Shalala, 1997).

Although numerous bills that attempted to address health information privacy were introduced, Congress was unable to finalize privacy legislation on the time schedule mandated in HIPAA. During the 1999 congressional session alone, eight such bills were introduced. However, none of these bills was passed. As a result, Congress passed the responsibility of creating health privacy protections to HHS.

Over the course of developing the current Privacy Rule, HHS went through four iterations of the Rule. HHS followed Secretary Shalala’s 1997 recommendations to Congress in shaping the regulations (Redhead, 2001). First, HHS issued a proposed version of the Privacy Rule for public comment on November 3, 1999, that drew more than 50,000 comments (Stevens, 2000). Based on these comments, HHS issued the second version of the Privacy Rule, titled Standards for Privacy of Individually Identifiable Health Information, in December 2000.5 Before this version of the Privacy Rule could take effect, the Secretary of HHS was inundated with unsolicited public comments and criticism regarding the Privacy Rule. Health care insurers and providers were concerned that the Privacy Rule would make health care industry operations less efficient. They were particularly concerned about the requirement that they obtain authorization prior to making any routine disclosure of personally identifiable health information for health care operations, treatment, or payment. The comments received also suggested that this version of the Privacy Rule would prevent pharmacists from filling prescriptions and searching for potential drug interactions before patients arrived at pharmacies; interfere with providing emergency medicine in situations where it would be impossible to obtain patient authorization before treatment; and delay the scheduling and preparation of hospital procedures until the doctor could obtain patient authorization.6

5 Standards for Privacy of Individually Identifiable Health Information: Final Rule, 65 Fed. Reg. 82461 (2000).
6 Standards for Privacy of Individually Identifiable Health Information: Final Rule, 67 Fed. Reg. 53181, 53209 (2002).

In March 2002, HHS, under the Bush Administration, published a proposed modification to the Privacy Rule, which reopened the rule-making process and created a new period for submitting public comments. This version of the Privacy Rule drew more than 24,000 comments. Incorporating the suggestions collected through the second notice of proposed rule-making period, HHS issued the final version of the Privacy Rule on August 14, 2002.7 This is the current, effective, and codified version of the Privacy Rule (45 C.F.R. parts 160 and 164). Most health care providers and health plans were required to be in compliance with this version of the Privacy Rule by April 14, 2003. Small health plans were given until April 14, 2004, to be in compliance.

7 See 67 Fed. Reg. 53181 (2002).

TABLE 4-1 Timeline of the HIPAA Privacy Rule

August 1996: Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton
September 1997: Donna Shalala, Secretary of the Department of Health and Human Services (HHS), made recommendations to Congress on the privacy standards mandated in HIPAA
September 1999: Congress failed to enact federal privacy legislation within the 3-year time limit set by HIPAA
November 1999: HHS issued a proposed version of the privacy regulation for public comment
December 2000: HHS published the original Privacy Rule, titled Standards for Privacy of Individually Identifiable Health Information
March 2002: HHS published a proposed modification to the Privacy Rule and accepted additional public comments
August 2002: HHS published the Final Privacy Rule
April 2003:
  Covered entities were required to be in compliance with the Privacy Rule (except small health plans)
  The Association of American Medical Colleges launched a survey examining how research has been affected by the Privacy Rule and proposed recommendations for changes to the Privacy Rule
  In South Carolina Medical Association v. Tommy Thompson, plaintiffs lost constitutional challenge to HIPAA
March 2004: The National Committee on Vital and Health Statistics sent a letter to HHS giving detailed recommendations on ways to improve the Privacy Rule’s application to research
April 2004: Small health plans were required to be in compliance with the Privacy Rule
September 2004: The Secretary’s Advisory Committee on Human Research Protections sent a letter to the Secretary of HHS with recommendations for changes to the Privacy Rule as applied to research
March 2005: In Citizens for Health v. Michael O. Leavitt, plaintiffs unsuccessfully challenged the Privacy Rule as being invalid

OVERVIEW OF THE HIPAA PRIVACY RULE8

8 Some material in this section is adapted from a background paper by Pritts (2008).

Entities Subject to the Privacy Rule

The Privacy Rule applies to “covered entities,”9 which are individuals or organizations that electronically transmit health information in the course of normal health care practices. Covered entities include health care providers, health plans, and health care clearinghouses. Health plans are entities that provide or pay the cost of medical care, such as private health insurers or managed care organizations, and governmental payors and health programs such as Medicaid, Medicare, or Veterans Affairs. Health care clearinghouses generally refer to billing services, and health care providers include hospitals, doctors, and other health care professionals and facilities that provide treatment (Table 4-2).

9 See 45 C.F.R. § 160.103 (2006).

If an entity that meets one of the categories of a covered entity also performs functions unrelated to health care, it can become a hybrid entity by designating in writing its “health care components.”10 Only these health care components are then bound by the Privacy Rule. For example, if a university includes an academic medical center with a hospital, the entire university will be classified as a covered entity unless the university elects to be a hybrid entity by designating only the hospital as the health care component. By doing this, only the hospital has to comply with the Privacy Rule. The classification of researchers within a hybrid entity depends on the nature of the work performed (e.g., whether the researchers are within the health care component, providing health care, or conducting electronic transactions) (HHS, 2004c).

10 See 45 C.F.R. § 164.105(a)(2)(iii)(c) (2006).

Type of Information Protected

The Privacy Rule protects all personally identifiable health information, known as protected health information (PHI), created or received by a covered entity. Personally identifiable health information is defined as information, including demographic information, that “relates to past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care for the individual” that either identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.11 The Privacy Rule does not protect personally identifiable health information that is held or maintained by an organization other than a covered entity (HHS, 2004c). It also does not apply to information that has been deidentified in accordance with the Privacy Rule12 (see later section on Deidentified Information).

11 See 45 C.F.R. § 160.103 (2006).
12 See 45 C.F.R. § 164.502(d) (2006).

TABLE 4-2 The Uneven Application of the HIPAA Privacy Rule: Examples of HIPAA Covered Entities and Non-Covered Entities

Covered Entities
• Health maintenance organizations (HMOs)
• Group health plans
• Medicare and Medicaid programs
• Veterans health care program
• Civilian Health and Medical Program of the Uniformed Services
• Indian Health Service program under the Indian Health Care Improvement Act
• Pharmacies
• Researchers who are employed by a covered entity
• Some universities (or parts of universities, such as health centers)
• A public health clinic that is part of a public health agency

Non-Covered Entities
• Independent consent management companies
• Contract research organizations
• Research foundations
• Data warehousing/data management companies
• Student health services (if they do not bill for services)
• Pharmaceutical companies
• Researchers who are not employed by a covered entity
• Some universities (or parts of universities)
• A public health agency that does not perform activities subject to the provisions of the Privacy Rule

Restrictions on Use and Disclosure

Covered entities may not use or disclose PHI except as permitted or required by the Privacy Rule.13 A covered entity may disclose PHI without the individual’s permission for treatment, payment, and health care operations purposes. For other uses and disclosures, the Privacy Rule generally requires the individual’s written permission, which is an “authorization” that must meet specific content requirements. The Privacy Rule then establishes a number of exceptions to this general rule, allowing covered entities to use and disclose PHI without the individual’s authorization in certain situations. For example, the Privacy Rule permits the disclosure of PHI without the individual’s authorization in the following circumstances:

• To business associates14
• For public health purposes as required by state and federal law15
• To public agencies for health oversight activities, such as audits; inspections; civil, criminal, or administrative proceedings; and other activities necessary for the oversight of the health care system16
• To law enforcement officials17
• For judicial and administrative proceedings, if the request for information is made through a court order18
• For research19

13 See 45 C.F.R. § 164.502(a) (2006). A covered entity is required to make a reasonable effort to use and disclose only the minimum amount of PHI needed for the intended purpose. See 45 C.F.R. § 164.502(b) (2006).
14 See 45 C.F.R. § 164.506(e) (2006).
15 See 45 C.F.R. § 164.510(b) (2006).
16 See 45 C.F.R. § 164.510(c) (2006).
17 See 45 C.F.R. § 164.510(f) (2006).
18 See 45 C.F.R. § 164.510(d) (2006).
19 See 45 C.F.R. § 164.512 (2006).

Most of these permitted uses and disclosures are subject to detailed conditions. For example, the Privacy Rule allows covered entities to disclose PHI without individual authorization to its “business associates,” which are defined as persons or entities that perform, on behalf of the covered entity, certain functions or services20 that require the use or disclosure of PHI, provided adequate safeguards are in place.21 As a general rule, these safeguards take the form of a business associate agreement whereby the business associate agrees not to use or disclose the PHI it receives except as permitted by the agreement or by law (Box 4-1). In the case of public health practice, the Privacy Rule notes that there is a legitimate need for public health authorities and others working to ensure the health and safety of the public to have access to PHI. As a result, the Privacy Rule permits, but does not require,22 covered entities to disclose PHI without authorization for specified public health purposes (Box 4-2). Disclosures for research are discussed in detail in subsequent sections of this chapter.

20 Some common functions that business associates perform for covered entities include recruiting subjects, data analysis, processing, or administration; utilization review; quality assurance; and practice management.
21 See 45 C.F.R. § 164.502(e) (2006).
22 Only states have the authority to require mandatory public health reporting.

BOX 4-1 Business Associate Agreements

A covered entity must obtain assurances in writing that the business associate will: (1) use the information only for the purposes for which it was engaged by the covered entity; (2) safeguard the information from misuses; and (3) help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.

Business associate agreements must include:
• A description of the permitted and required uses of the PHI by the business associate.
• A statement that the business associate will not use or disclose the PHI other than as permitted or required by the contract, or as required by law.
• A statement that the business associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by the contract.

SOURCE: 45 C.F.R. § 160.103 (2006).

BOX 4-2 The HIPAA Privacy Rule and Public Health Practice

The Privacy Rule defines public authorities as any “federal, tribal, or local agency or person or entity acting under a grant of authority or contract with the agency, including state and local health departments, the Food and Drug Administration (FDA), the Centers for Disease Control and Prevention, and the Occupational Safety and Health Administration.”

A covered entity can release PHI to a public health authority, without authorization or waiver of authorization, in the following circumstances:
• Monitoring health threats and diseases
• Child abuse or neglect
• Products regulated by the FDA
• Persons at risk of contracting or spreading a disease
• Workplace surveillance

State laws may also permit or require the release of PHI for activities other than those listed above.

SOURCES: 45 C.F.R. § 164.501 (2006); 45 C.F.R. 164.512(b)(i)–(v) (2006); 45 C.F.R. 160.203(c) (2006).

Individual Rights

The Privacy Rule also confers rights on individuals with respect to their PHI (reviewed by Pritts, 2008). Under the Privacy Rule, individuals have the right to23:

• Receive a notice of privacy practices from a health care provider or a health plan that must, among other things, inform patients of the anticipated uses and disclosures of their health information that may be made without the patients’ consent or authorization.24
• See and obtain a copy of their own health information.25
• Request an amendment of information that is incomplete or inaccurate.26
• Obtain an accounting of certain disclosures that the covered entity made of their PHI over the past 6 years.27

23 See 45 C.F.R. § 164.520 (2006).
24 See 45 C.F.R. § 164.520 (2006).
25 See 45 C.F.R. § 164.524 (2006).
26 See 45 C.F.R. § 164.526 (2006).
27 See 45 C.F.R. § 164.528 (2006).

HIPAA AND RESEARCH

Although health research was not a focus of HIPAA, Congress recognized the important role that health records play in conducting health research and wanted to ensure that privacy protections would not impede researchers’ continued access to such data. This is reflected in two House Reports on HIPAA with identical language, stating: “The conferees recognize that certain uses of individually identifiable information are appropriate, and do not compromise the privacy of an individual. Examples of such use of information include . . . the transfer of information from a health plan to an organization for the sole purpose of conducting health care-related research. As health plans and providers continue to focus on outcomes research and innovation, it is important that the exchange and aggregated use of health care data be allowed” (U.S. Congress, 1996a,b).

In creating the current research provisions of the Privacy Rule, HHS considered several options. One option considered was exempting PHI used in research from the regulations, but HHS rejected this option, noting some reported shortcomings of the protection of the privacy and confidentiality of health information in research (reviewed by Pritts, 2008).28 A U.S. General Accounting Office report prepared in anticipation of federal health privacy legislation noted that confidentiality protections were not a major thrust of the Common Rule, and oversight boards tended to give confidentiality less attention than other research risks because they had the flexibility to decide when it was appropriate to review confidentiality protection issues (GAO, 1999). The report noted that although “[t]he actual number of instances in which patient privacy is breached is not fully known . . . in an NIH [National Institutes of Health] sponsored study, IRB [Institutional Review Board] chairs reported that complaints about the lack of privacy and confidentiality were among the most common complaints made by research subjects.” In addition, the compliance staff of the HHS Office for Protection from Research Risks (now Office of Human Research Protections) related that they had investigated several allegations involving human subjects protection violations resulting from a breach of confidentiality over the past several years and that the complaints related to (1) research subject to IRB review and (2) research outside federal protection (GAO, 1999).

28 U.S. Secretary of Health and Human Services, Recommendations on the Confidentiality of Individually-Identifiable Health Information to the Committees on Labor and Human Resources (September 11, 1997) (hereinafter “Secretary Recommendations”); 64 Fed. Reg. 59918, 59968 (1999); 65 Fed. Reg. 82461, 82691 (2000).

HHS also considered requiring researchers to obtain individual authorization in all situations where a covered entity might want to disclose PHI for research. But this option would have made many research projects nearly impossible to carry out. Instead, HHS created the current system, which attempted to protect individual privacy while still allowing researchers access to data.

In proposing the Privacy Rule, HHS acknowledged that ideally, it would have preferred to directly regulate researchers by extending the protections of the Common Rule to nonfederally funded research and imposing additional criteria for the waiver of authorization in research.29 However, HHS recognized that it did not have the authority to do so, and therefore, it attempted to protect the health information released to researchers indirectly (but within the scope of its limited authority) by imposing disclosure restrictions on covered entities.

29 See Secretary Recommendations (1997) and 64 Fed. Reg. 59918, 59968 (1999).

The following sections provide a detailed overview of the Privacy Rule provisions regulating research, along with comparisons to the provisions of the Common Rule (see Chapter 3 for a general overview of the Common Rule).

Research Uses and Disclosures with Individual Authorization

Individuals may voluntarily authorize the use and disclosure of their PHI for essentially any reason, including for research purposes. To be valid under the Privacy Rule, an authorization must be “specific and meaningful”30—that is, it must provide a clear description of the information to be used or disclosed. The authorization must also be written in plain language, and contain core elements (e.g., signature of the individual, description of purpose of requested use or disclosure) and statements addressing the individual’s right to revoke authorization, as well as

30 See 45 C.F.R. § 164.508(c)(1)(i) (2006).

OCR for page 153
 BEYOND THE HIPAA PRIVACY RULE or (6) provides greater privacy protection for the individual with respect to any other matter. The third exception to the general preemption rule is in the public health arena. State laws that are contrary to the Privacy Rule—but provide for the reporting of disease or injury, child abuse, birth, or death, or for conducting public health surveillance, investigation, and intervention—are not preempted by the Privacy Rule. States are permitted to set their own rules regarding what type of information can be collected by public health agents and how that information is used (HHS, 2004c). Applying this preemption rule and determining what privacy laws must be followed in any given state can be a difficult task for covered entities. All states provide some protection for the privacy of health information. However, they differ greatly in what type of protection they provide, and thus, interact differently with the federal Privacy Rule. To successfully conduct a preemption analysis, a covered entity must become familiar with both the state laws and the Privacy Rule, interpret how the state and federal regulations interact with each other, and correctly determine the situations in which the Privacy Rule preempts state law. Many of the provisions in the Privacy Rule do not have directly corresponding provisions in state laws. This makes comparing the two sets of rules a technical and tedious task. One of the main impediments to a covered entity complying with the Privacy Rule is likely the lack of understanding of what the Privacy Rule actually requires in each state (Pritts, 2002). CONCLUSIONS AND RECOMMENDATIONS The HIPAA Privacy Rule was written to provide consistent standards in the United States for the use and disclosure of PHI by covered entities, including the use and disclosure of such information for research purposes. 
In its current state, however, the HIPAA Privacy Rule is difficult to reconcile with other federal regulations, including HHS regulations for the protec- tion of human subjects (the Common Rule), FDA regulations pertaining to human subjects,81 and other applicable federal or state laws. Inconsistencies, for example, in federal regulations and their inter- pretations governing the deidentification of personal health information, obtaining individuals’ consent for future research, and the recruitment of research volunteers make it challenging for health researchers seeking to comply with all these regulations to undertake important research activities. In addition, there is substantial variation in the way in which institutions interpret and apply the Privacy Rule (see also Chapter 5). Additional guidance from HHS, along with some changes in interpreta- 81 See 21 C.F.R. parts 50 and 56 (2008).

OCR for page 153
tion by HHS, would reduce misunderstandings of the Privacy Rule provisions by covered entities, IRBs, and Privacy Boards and help to harmonize federal regulations governing health research, which would in turn reduce complexity for researchers and covered entities, and thereby help to ensure consistent and appropriate privacy protections for patients. Thus, HHS should develop revised and expanded guidance materials for the Privacy Rule.

For example, HHS should develop guidance to clearly state that future research with repositories can go forward under the Privacy Rule with IRB/Privacy Board oversight. Many institutions create and maintain databases with patient health information as well as repositories with biological materials collected from patients, and use them for many types of health research, including studies to understand diseases or to compare patient outcomes following different treatments. Once created, these collections offer a cost-effective resource for rapidly addressing new research questions as technologies and knowledge advance. Collecting the samples and data necessary to address each new research question as it arises could take years, or even decades, at great expense. Thus, the pace and efficiency of medical progress is significantly enhanced by using established resources whenever feasible. Under the Common Rule, it is permissible to obtain patient consent for future research, with IRB oversight, as long as such future uses are described in sufficient detail to allow an informed consent. However, the provisions of the Privacy Rule, as interpreted by HHS, have made it more difficult to effectively use these valuable resources for research. As a result, patients must be recontacted to obtain individual authorization for any additional studies undertaken with the data and samples collected unless the researchers obtain a waiver or alteration of authorization from an IRB or a Privacy Board. Recontacting patients for additional authorization is not only impractical, but even in those instances when it is possible, it can be intrusive and burdensome for patients and their families.

The committee believes that authorization for future use of these databases and biospecimen banks should be appropriate for protecting privacy as long as there is an IRB or a Privacy Board overseeing the research. Thus, HHS should eliminate the discordance between the Privacy Rule and the Common Rule through guidance explicitly stating that future research may go forward if the authorization describes the types or categories of research that may be conducted with the PHI stored in the biospecimen bank and if an IRB or a Privacy Board determines that the proposed new research is not incompatible with the initial consent and authorization, and poses no greater than minimal risk. Because science is evolving very quickly, one cannot adequately anticipate what knowledge will be gained in the future, and significant opportunities for beneficial research could be lost without some alterations to the
way in which this portion of the Privacy Rule is interpreted. Databanks and biospecimen banks created and maintained with federal funds in particular should be used for multiple studies as often as feasible, given the high cost of such activities and the high value of investigating and comparing multiple scientific questions from the same pool of data.

Additional guidance from HHS is also needed to clarify the circumstances under which DNA samples or sequences are considered PHI. The research community remains uncertain about whether genetic information accompanying biospecimens is protected under HIPAA because the list of HIPAA identifiers includes “biometric identifiers” and “unique identifying characteristics.”82 Although genetic information does not itself identify an individual, a person’s genetic code could be construed as a unique identifier in that it could be used to match a sequence in another biospecimen bank or databank that does include identifiers. As genetic information becomes more prevalent in research and health care, concerns regarding genetic privacy and discrimination are likely to intensify. Thus, the establishment of consistent standards for use and protection of genetic information is important. The committee advocates a focus on strong security measures, with the goal of realizing the full potential of personalized medicine. In addition, unauthorized reidentification of individuals from DNA sequences, by anyone, should be strictly prohibited.

82 See 45 C.F.R. § 164.514 (2006).

The committee also recommends that HHS issue guidance to clearly indicate that when researchers seek to store data and materials collected in conjunction with a clinical trial, a single authorization form with two signature lines is permissible if the text clearly delineates the two activities and states that the participant is not required to sign the portion authorizing the contribution of PHI to the repository. Informed consent and authorization are essential for the protection of individuals who volunteer to participate in clinical trials. Thus, it is imperative that the informed consent and authorization documents are easily understood and meaningful to the individuals involved. Ideally, all relevant information should be integrated into one simple document, but the HIPAA Privacy Rule’s complex provisions have generated misperceptions about restrictions on individuals’ ability to provide compound authorization for the related activities of clinical trial participation and biospecimen donation, and some institutions require two complete authorization forms with all the attendant language rather than two signature lines on the same form. Such misperceptions can diminish the informed nature of consent and authorization because they can lead to patient confusion and misunderstanding.

HHS should also simplify the procedures for the identification and recruitment of potential research participants and harmonize them with the Common Rule. The provisions regarding these activities that are preparatory to research are complex, confusing, and actually provide less privacy protection than the Common Rule. The committee believes that IRBs and Privacy Boards can protect research participants, including their privacy and confidentiality interests, and thus recommends that IRB/Privacy Board approval (as required under the Common Rule) should be required for all researchers (internal and external to the covered entity) prior to contacting potential subjects. When making a decision about whether to approve research projects, the IRB or Privacy Board should review and consider the investigator’s plans for contacting patients, and also ensure that the information will be used only for research projects approved by the IRB or Privacy Board and not be disclosed to anyone else.

HHS should also take steps to facilitate greater use of data with direct identifiers removed. Because the Privacy Rule and the Common Rule define personally identifiable information and deidentification differently, there is a discrepancy between what research is exempt from the Common Rule and what research is exempt from the Privacy Rule. This discrepancy can give rise to situations in which research with anonymized data that are exempt from IRB oversight under the Common Rule may still require a decision by an IRB or a Privacy Board to determine if a waiver of individuals’ authorization for the use of their information for research purposes is appropriate under the Privacy Rule. Also, there appears to be a great deal of confusion about how to meet conditions of data use agreements for limited datasets, which have been stripped of the 16 most direct identifiers and can be used and disclosed for research without obtaining individuals’ authorization or an IRB/Privacy Board waiver of authorization.
HHS could help to ameliorate this situation by issuing clear guidance on how to set up and comply with data use agreements more efficiently and effectively.

New tools are also needed to facilitate important health research by allowing new hypotheses to be tested with existing data. One major challenge of using data from which direct identifiers have been removed is that a patient’s health information is rarely stored in one single location, and data from multiple sources cannot be linked to generate a more complete record of a patient’s health history without a unique identifier. As a result, these datasets often are of minimal value to researchers and are not frequently used. A trusted intermediary that could link data from different sources and then provide more complete and useful deidentified datasets to researchers would facilitate the greater use of health data for research and lead to more meaningful study results while also increasing patient privacy protections and allaying concerns of covered entities. Thus, HHS should develop a mechanism for linking data from multiple sources so that more useful datasets can be made available for research in a manner that protects privacy, confidentiality, and security. Similar efforts have been initiated by AHRQ for the purpose of monitoring health care quality.

The committee also concluded that for some provisions of the Privacy Rule the burdens are heavy and the privacy protections are small. Reconsideration of such provisions may be necessary if society is to derive maximal benefits from health research. In particular, the required accounting of disclosures (AOD) entails a heavy administrative burden on health systems and health services research that achieves little in terms of protecting privacy. The committee recommends that the Privacy Rule permit medical facilities to inform patients in advance that PHI might be used for health research (with IRB/Privacy Board oversight) or for public health purposes, and the Privacy Rule should be altered to exempt these activities from AOD requirements. Robust safeguards are already in place to protect the privacy of PHI disclosures in health research via IRBs and Privacy Boards. As the health care system moves toward broader implementation of electronic health records, however, automatic tracking of audit trails will be important to incorporate. Technology advances will likely make automatic AOD tracking feasible, affordable, and widely available in the future. Until then, the committee recommends that disclosures of PHI made for health research and public health purposes be exempted from the HIPAA Privacy Rule’s AOD requirement. However, in the interest of transparency, institutions should maintain a list, accessible to the public, of all studies approved by their IRB or Privacy Board.

HHS should also simplify the criteria that IRBs and Privacy Boards use in making determinations for when they can waive the requirements to obtain authorization from each patient whose PHI will be used for a research study.
If the current criteria for waiver of authorization are to be retained, a clear and reasonable definition of impracticability from HHS, along with specific case examples of what should or should not be considered impracticable or of minimal risk, could reduce variability and overly conservative interpretations among IRBs and Privacy Boards. Case examples should help delineate what IRBs and Privacy Boards should do to facilitate research, rather than just defining what is permissible. For example, it is appropriate to allow use of registries, clinical databases, and biospecimen banks for justifiable scientific inquiries. HHS should clearly state that IRBs and Privacy Boards should not impede research that is permissible under the Privacy Rule without a compelling concern (for example, if participant solicitation plans are inappropriate or if the principal investigator is unqualified). Simplification or clarification of the waiver criteria would be especially helpful for multi-institutional studies, which fall under the jurisdiction of multiple IRBs or Privacy Boards, and for smaller or community-based institutions that do not have internal counsel or regulatory affairs specialists, and are thus more likely to opt out of research that requires decisions about authorizations. With better guidance, all covered entities would have more confidence in their decisions, and might be more willing to rely on a lead IRB/Privacy Board decision in the case of multi-institutional studies.
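The trusted-intermediary linkage proposed above, as an added Python illustration that is not part of the committee's report: an honest broker holds a per-project secret, links records from several sources by a keyed pseudonym, and releases the merged records with direct identifiers stripped. The identifier fields, the source names and the sample records are constructed for the example, not taken from the Privacy Rule or from any real dataset.

```python
import hashlib
import hmac

# Direct identifiers the broker strips before release. Constructed subset for
# this example; it is not the Privacy Rule's list of identifiers.
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "street", "phone", "email"}


def _normalize(value: str) -> str:
    """Canonicalize a linking field so formatting differences between sources
    (e.g. '123-45-6789' vs '123456789') do not break the match."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


def link_key(project_secret: bytes, ssn: str, dob: str) -> str:
    """Keyed pseudonym over the linking fields.

    Only the broker holds the secret, so recipients cannot recompute or
    reverse the pseudonym. The secret is generated per project so that
    pseudonyms from different releases cannot be joined to each other."""
    message = f"{_normalize(ssn)}|{_normalize(dob)}".encode()
    return hmac.new(project_secret, message, hashlib.sha256).hexdigest()


def link_and_deidentify(project_secret: bytes, sources: dict) -> list:
    """Merge records belonging to the same patient across sources, then drop
    the direct identifiers. `sources` maps a source name to its record list.
    Non-identifier fields are prefixed with the source name so that fields
    with the same name in two sources (e.g. 'zip') do not overwrite each
    other."""
    merged = {}
    for source_name, records in sources.items():
        for record in records:
            key = link_key(project_secret, record["ssn"], record["dob"])
            out = merged.setdefault(key, {"pseudonym": key})
            for field, value in record.items():
                if field in DIRECT_IDENTIFIERS:
                    continue  # stays inside the broker, never released
                out[f"{source_name}.{field}"] = value
    return list(merged.values())


# Constructed sample input: two sources holding an overlapping patient whose
# SSN is formatted differently in each system.
HOSPITAL = [
    {"name": "A. Patient", "ssn": "123-45-6789", "dob": "1970-01-02",
     "mrn": "H-001", "zip": "02139", "diagnosis": "E11.9"},
    {"name": "B. Patient", "ssn": "987-65-4321", "dob": "1985-06-15",
     "mrn": "H-002", "zip": "02140", "diagnosis": "I10"},
]
PHARMACY = [
    {"name": "A Patient", "ssn": "123456789", "dob": "1970-01-02",
     "phone": "555-0100", "zip": "02139", "drug": "metformin"},
]


def demo() -> list:
    """Run the broker over the constructed sources with a constructed secret."""
    return link_and_deidentify(b"constructed-per-project-secret",
                               {"hospital": HOSPITAL, "pharmacy": PHARMACY})


if __name__ == "__main__":
    for row in demo():
        print(row)
```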