Sharyl J. Nass, Laura A. Levit, and Lawrence O. Gostin, Editors
Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule
Board on Health Sciences Policy
Board on Health Care Services
THE NATIONAL ACADEMIES PRESS 500 Fifth Street, N.W. Washington, DC 20001
NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.
The project is sponsored by the National Institutes of Health and the National Cancer Institute, the Robert Wood Johnson Foundation, American Cancer Society, American Heart Association/American Stroke Association, American Society for Clinical Oncology, Burroughs Wellcome Fund, and C-Change. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the author(s) and do not necessarily reflect the views of the organizations or agencies that provided support for the project.
Library of Congress Cataloging-in-Publication Data
Beyond the HIPAA privacy rule : enhancing privacy, improving health through research / Committee on Health Research and the Privacy of Health Information, the HIPAA Privacy Rule ; Sharyl J. Nass, Laura A. Levit, and Lawrence O. Gostin, editors. p. ; cm. Includes bibliographical references and index. ISBN 978-0-309-12499-7 (pbk.) 1. United States. Health Insurance Portability and Accountability Act of 1996. 2. Medical records--Access control--United States 3. Health--Research--United States 4. Privacy, Right of--United States. I. Nass, Sharyl J. II. Levit, Laura A. III. Gostin, Lawrence O. (Lawrence Ogalthorpe) IV. Institute of Medicine (U.S.). Committee on Health Research and the Privacy of Health Information, the HIPAA Privacy Rule. [DNLM: 1. United States. Health Insurance Portability and Accountability Act of 1996. 2. Medical Records--legislation & jurisprudence--United States--Guideline. 3. Privacy--legislation & jurisprudence--United States--Guideline. 4. Confidentiality--legislation & jurisprudence--United States--Guideline. 5. Research--methods--United States--Guideline. WX 173 B573 2009] R864.B49 2009 651.5'04261--dc22 2009003375
Additional copies of this report are available from the National Academies Press, 500 Fifth Street, N.W., Lockbox 285, Washington, DC 20055; (800) 624-6242 or (202) 334-3313 (in the Washington metropolitan area); Internet, http://www.nap.edu.
For more information about the Institute of Medicine, visit the IOM home page at: www.iom.edu.
Copyright 2009 by the National Academy of Sciences. All rights reserved. Printed in the United States of America
Suggested citation: IOM (Institute of Medicine). 2009. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: The National Academies Press.
"Knowing is not enough; we must apply. Willing is not enough; we must do." -- Goethe
Advising the Nation. Improving Health.
The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Charles M. Vest is president of the National Academy of Engineering.
The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and advising the federal government.
Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. Charles M. Vest are chair and vice chair, respectively, of the National Research Council. www.national-academies.org
COMMITTEE ON HEALTH RESEARCH AND THE PRIVACY OF HEALTH INFORMATION: THE HIPAA PRIVACY RULE
LAWRENCE O. GOSTIN (Chair), Professor of Law, Georgetown University Law Center, Washington, DC
PAUL APPELBAUM, Professor of Psychiatry, Medicine, and Law, Director, Division of Psychiatry, Law, and Ethics, Columbia University Psychiatric Institute, New York, NY
ELIZABETH BEATTIE, Professor, School of Nursing, Faculty of Health Sciences, The Queensland University of Technology, Queensland, Australia
MARC BOUTIN, Vice President of Policy, Development, and Advocacy, National Health Council, Washington, DC
THOMAS W. CROGHAN, Senior Fellow, Mathematica Policy Research, Inc., Washington, DC
STANLEY W. CROSLEY, Chief Privacy Officer, Eli Lilly and Company, Law Division, Indianapolis, IN
SANDRA J. HORNING, Professor of Medicine/Oncology, Stanford School of Medicine, Palo Alto, CA
JAMES S. JACKSON, Director, Institute for Social Research, University of Michigan-Ann Arbor
MARY BETH JOUBLANC, Chief Privacy Officer, State of Arizona, Arizona Government Technology Agency, Phoenix, AZ
BERNARD LO, Professor of Medicine, Director, Program in Medical Ethics, University of California-San Francisco
ANDREW F. NELSON, Executive Director, HealthPartners Research Foundation, Minneapolis, MN
MARC ROTENBERG, President, Electronic Privacy Information Center, Washington, DC
WENDY VISSCHER, Director, Office of Research Protection, RTI International, Research Triangle Park, NC
FRED WRIGHT, Associate Chief of Staff for Research, VA Connecticut Healthcare System, New Haven, CT
CLYDE W. YANCY, Medical Director, Baylor Heart and Vascular Institute, Baylor University Medical Center, Dallas, TX
Consultants
SARAH M. GREENE, Group Health Center for Health Studies, Seattle, WA
DAVID HELMS, President and CEO, AcademyHealth, Washington, DC
ROBERTA NESS, University of Pittsburgh, Pittsburgh, PA
JOY PRITTS, Health Policy Institute, Georgetown University, Washington, DC
ED WAGNER, Director of the W.A. MacColl Institute for Healthcare Innovation, Center for Health Studies, Group Health Cooperative of Puget Sound, Seattle, WA
ALAN WESTIN, Privacy Consulting Group, Teaneck, NJ
Study Staff
SHARYL NASS, Study Director and Senior Program Officer
LAURA LEVIT, Associate Program Officer (Christine Mirzayan Science and Technology Policy Graduate Fellow, December 2006 to March 2007)
CATHERINE REYES, Christine Mirzayan Science and Technology Policy Graduate Fellow (September 2006 to November 2006)
MARY ANN PRYOR, Senior Program Assistant (until August 2007)
MICHAEL PARK, Senior Program Assistant (from September 2007)
ROGER HERDMAN, Director, Board on Health Care Services
ANDREW POPE, Director, Board on Health Sciences Policy
JULIE WILTSHIRE, Financial Associate (until July 2007)
PATRICK BURKE, Financial Associate (from July 2007)
Reviewers
This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council's Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making its published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of this report:
CLARA D. BLOOMFIELD, Distinguished University Professor, The Ohio State University Comprehensive Cancer Center and James Cancer Hospital and Solove Research Institute, Columbus
ALEXANDER M. CAPRON, Professor of Law and Medicine, Gould School of Law, University of Southern California, Los Angeles
ANN CAVOUKIAN, Information and Privacy Commissioner of Ontario, Office of the Information and Privacy Commissioner, Canada
DEBORAH COLLYAR, President, PAIR: Patient Advocates in Research, Danville, CA
EDWARD GOLDMAN, Associate Vice President and Deputy General Counsel, University of Michigan Health System, Ann Arbor
EMMETT B. KEELER, Senior Mathematician, Pardee RAND Graduate School, University of California-Los Angeles School of Public Health, Los Angeles
BETSY KOHLER, Executive Director, North American Association of Central Cancer Registries, Springfield, IL
MELISSA L. MARKEY, Associate, Hall, Render, Killian, Heath & Lyman, P.L.L.C., Troy, MI
DEVON McGRAW, Director, Health Privacy Project, Center for Democracy & Technology, Washington, DC
LYNNE WARNER STEVENSON, Director, Cardiomyopathy and Heart Failure Program, Brigham and Women's Hospital, Cardiovascular Division, Boston, MA
MARCY WILDER, Partner, Hogan & Hartson, L.L.P., Washington, DC
Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations nor did they see the final draft of the report before its release. The review of this report was overseen by Neal A. Vanselow, M.D., Chancellor Emeritus and Professor Emeritus of Medicine at the Tulane University Medical Center, and Bradford H. Gray, Ph.D., Editor, The Milbank Quarterly, and Principal Research Associate, The Urban Institute. Appointed by the National Research Council and the Institute of Medicine, they were responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the authoring committee and the institution.
Acknowledgments
The Committee is grateful to many individuals who provided valuable input and information for the study, either through formal presentations or through informal communications with study staff and Committee members. Contributors to the study include: Joan E. Bailey-Wilson (National Institutes of Health), Mark Barnes (Huron Consulting Group), Marianna Bledsoe (National Institutes of Health, Office of Science Policy), Stefan Brands (Credentica), Suanna Bruinooge (American Society of Clinical Oncology), Robert Califf (Duke Translational Medicine Institute), Fred H. Cate (Indiana University School of Law), Janlori Goldman (Columbia University, Mailman School of Public Health), Elizabeth Goss (American Society of Clinical Oncology), Sarah Greene (HMO Research Network), Christina Heide (Department of Health and Human Services, Office for Civil Rights), David Helms (AcademyHealth), James Hodge (Johns Hopkins Bloomberg School of Public Health), Judd Hollander (Society for Academic Emergency Medicine), Holly Howe (North American Association of Central Cancer Registries), International Pharmaceutical Privacy Consortium, Katherine Kahn (University of California, Los Angeles), Murat Kantarcioglu (University of Texas at Dallas), Anthony Knettel (Association of Academic Health Centers), Elizabeth Mayer-Davis (University of South Carolina), Roberta Ness (University of Pittsburgh), Rachel Nosowsky (Miller, Canfield, Paddock and Stone, PLC), Ann O'Mara (National Cancer Institute, Community Clinical Oncology Program), John Pandiani (The Bristol Observatory), Wendy Patterson (National Cancer Institute), Deborah Peel (Patient Privacy Rights), Joy Pritts (Georgetown Health Policy Institute), John Ring (American Heart Association), Kristin Rosati (Coppersmith Gordon Schermer & Brokelman, PLC), Mark Rothstein (University of Louisville), Elaine Rubin (Association of Academic Health Centers), Richard Schilsky (University of Chicago), Frank L. Silver (Registry of the Canadian Stroke Network), Lana Skirboll (National Institutes of Health, Office of Science Policy), Penelope Solis (American Heart Association), Ed Wagner (HMO Research Network), Alan Westin (Privacy Consulting Group), Marcy Wilder (Hogan & Hartson, L.L.P.), and Marsha Young (Booz Allen Hamilton).
Contents
Summary
Overview of Conclusions and Recommendations
  Definitions
  Definition of Privacy and Why Privacy Is Important
  Definition of Health Research and Why Health Research Is Important
  The HIPAA Privacy Rule
  The Committee's Charge and the Overarching Goals of the Recommendations
  Improve the Privacy and Data Security of Health Information
  Improve the Effectiveness of Health Research
  Improve the Application of Privacy Protections for Health Research
  The Committee's Recommendations
  I. Develop a New Approach to Protecting Privacy in All Health Research
  II. Revise the Privacy Rule and Associated Guidance
  III. Implement Changes Necessary for Both Policy Options Above
1 Introduction
  Brief History of HIPAA and the Privacy Rule
  Privacy and Health Research
  Privacy Concerns
  The Concerns of Health Researchers
  Origins of the Study
  Committee Appointment and Charge
  Methods
  The Committee's Conclusions and Recommendations
  Framework of the Report
  References
2 The Value and Importance of Health Information Privacy
  Concepts and Value of Privacy
  Definitions
  The Importance of Privacy
  Public Views of Health Information Privacy
  Historical Development of Legal Protections of Health Information Privacy
  Principles of Fair Information Practice
  Security of Health Data
  The HIPAA Security Rule and Its Limitations
  Potential Technical Approaches to Health Data Privacy and Security
  Conclusions and Recommendations
  References
3 The Value, Importance, and Oversight of Health Research
  Concepts and Value of Health Research
  Definitions
  The Importance of Health Research
  Public Perceptions of Health Research
  Oversight of Health Research
  Historical Development of Federal Protections of Health Information in Research
  Overview of the Common Rule
  FDA Protection of Human Research Subjects
  Distinguishing Health Research from Practice
  Public Health Practice Versus Public Health Research
  Quality Improvement Versus Health Research
  The Importance of Effective Communication with the Public
  Disseminating Health Research Results
  Research Registries
  Informing the Public About the Methods and Value of Research
  Conclusions and Recommendations
  References
4 HIPAA, the Privacy Rule, and Its Application to Health Research
  Overview of HIPAA
  Portability and Tax Provisions
  Administrative Simplification Provisions
  Development of the Privacy Rule Regulations
  Overview of the HIPAA Privacy Rule
  Entities Subject to the Privacy Rule
  Type of Information Protected
  Restrictions on Use and Disclosure
  Individual Rights
  HIPAA and Research
  Research Uses and Disclosures with Individual Authorization
  Research Uses and Disclosures Without Individual Authorization
  Linking Data from Multiple Sources
  Genetic Information and the Privacy Rule
  Accounting of Research Disclosures
  Enforcement of the Privacy Rule
  Relationship Between HIPAA and Other Laws
  Federal Research Statutes
  General Federal Laws
  State Laws
  Conclusions and Recommendations
  References
5 Effect of the HIPAA Privacy Rule on Health Research
  Overview of Survey Results
  Association of American Medical Colleges Survey
  National Cancer Advisory Board Survey
  AHRQ Survey
  National Survey of Epidemiologists
  HMO Research Network Survey
  AcademyHealth Survey
  American Heart Association/American College of Cardiology Survey
  North American Association of Central Cancer Registries
  American Society of Clinical Oncology Interviews
  Association of Academic Health Centers Focus Groups
  Selection Bias
  General Studies of Consent and Selection Bias
  HIPAA Authorization and Selection Bias
  Efficiency of Research
  Cost and Time
  Recruitment
  IRB and Privacy Board Oversight
  Business Associate Agreements
  International Collaboration
  Abandoned Studies
  Deidentified Information
  Access to Deidentified Data
  Quality of Deidentified Data
  Authorization Process
  Concerns About Potential Legal Consequences
  Potential Ways to Reduce Interpretive and Variability Among IRBs, Privacy Boards, and Covered Entities
  Conclusions and Recommendations
  References
6 A New Framework for Protecting Privacy in Health Research
  Review of the Limitations of the Privacy Rule
  Improve the Privacy and Data Security of Health Information
  Improve the Effectiveness of Health Research
  Improve the Application of Privacy Protections for Health Research
  The New Framework
  Examples of Informative Models
  The Committee's Recommendation
  The Role of Informed Consent in the New Framework
  The New Framework Addresses the Overarching Goals
  Improving the Privacy and Data Security of Health Information
  Improving the Effectiveness of Health Research
  Improving the Application of Privacy Protections for Health Research
  Relevance of the Recommendation to Other Federal Actions
  Conclusions and Recommendations
  References
Appendixes
  A Previous Recommendations to the Department of Health and Human Services
  B Commissioned Survey Methodology
  C Committee Member and Staff Biographies
Abbreviations and Acronyms
Glossary