This chapter provides an overview of the development of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and describes how it applies to health research. A section at the end of the chapter also describes the relationships between HIPAA and other federal and state laws. Because a great deal of health research in the United States is also subject to the Common Rule (described in Chapter 3), disparities between these two federal rules are also noted where relevant throughout the chapter.
OVERVIEW OF HIPAA
HIPAA was passed on August 21, 1996. It was intended to make health care delivery more efficient and to increase the number of Americans with health insurance coverage. These objectives were pursued through three main provisions of the Act: (1) the portability provisions, (2) the tax provisions, and (3) the administrative simplification provisions.
Portability and Tax Provisions
The portability provisions of HIPAA aimed to prevent individuals from losing health care coverage due to a preexisting condition when changing to a new employer’s health plan. The portability provisions also aimed to reduce the number of unemployed or self-employed individuals without health insurance by making it easier for individuals to purchase health insurance without their employer.
Similarly, the tax provisions of HIPAA were also intended to make it easier for individuals to maintain health insurance. The tax provisions pursued this goal by modifying existing tax laws to make health insurance more affordable. HIPAA does not regulate the price of health insurance, but rather, it relies on tax breaks and other tax incentives to reduce health care costs (Chaikind et al., 2005).
Administrative Simplification Provisions
The administrative simplification provisions of HIPAA instructed the Secretary of the U.S. Department of Health and Human Services (HHS) to issue several regulations concerning the electronic transmission of health information. These provisions were included in the final version of HIPAA because health plans had requested federal legislation in this area from Congress. The use of electronic health information was expanding in the early 1990s, and the health care industry was unable to standardize the process and use of electronic health information without federal action.1
The security standards are one set of regulations mandated by the administrative simplification provisions of HIPAA. The Act instructed the Secretary of HHS to develop nationwide security standards and safeguards for the use of electronic health care information. The resulting HHS regulations spell out specific administrative, technical, and physical security procedures that health plans, providers, and clearinghouses must incorporate into their operations to prevent unauthorized access, use, and disclosure of protected health information (CMS, 2005). HHS published the final HIPAA Security Rule in the Federal Register on February 20, 2003. Health plans and providers were required to be in compliance with these measures by April 2004 (see Box 2-2).
The administrative simplification provisions of HIPAA also directed the Secretary to develop standards for unique health identifiers for patients, employers, health plans, and providers. Unique health identifiers are national numbers that could be used to identify the individual or organization in standard health transactions. The Centers for Medicare & Medicaid Services (CMS) has issued standards for the unique health identifiers for employers and providers, and unique health identifiers for health plans are under development. However, Congress has prevented CMS from implementing a standard for the unique health identifier for patients by inserting language into the annual appropriations bill every year since HIPAA was enacted (Chaikind et al., 2005).
Finally, the administrative simplification provisions of HIPAA mandated the creation of privacy standards for the protection of personally identifiable medical information. Although privacy protections were not a primary objective of the Act, Congress recognized that advances in electronic technology could erode the privacy of health information, and included the privacy provision in HIPAA (IOM, 2006). In accordance with the administrative simplification provisions, HHS developed the Privacy Rule, which constitutes a broad-ranging federal health privacy regulation (see Table 4-1). Incorporating many of the basic fair information practices,2 the Privacy Rule generally restricts the use or disclosure of protected health information, except as permitted by the individual or as authorized or required by the Privacy Rule. Its provisions also impose on covered entities affirmative requirements to safeguard the information in their possession. The Privacy Rule gives individuals certain rights with respect to their health information (reviewed by Pritts, 2008).
DEVELOPMENT OF THE PRIVACY RULE REGULATIONS
Congress did not include detailed privacy requirements in HIPAA. The terms of HIPAA required the Secretary of HHS to submit detailed recommendations to Congress by August 1997 on ways to protect the privacy of personally identifiable health information. These recommendations were to include suggestions on ways to protect individuals’ rights concerning their personally identifiable health information, procedures for exercising such rights, and the uses and disclosures of information that should be authorized or required under HIPAA.3 If Congress did not enact privacy legislation within 3 years of the passage of HIPAA, the Act required the Secretary of HHS to issue privacy regulations for the protection of personally identifiable health information within 42 months of HIPAA’s enactment.4
In response to this mandate, HHS submitted recommendations for protecting the privacy of personally identifiable health information to Congress in September 1997. In these recommendations, Secretary Shalala advocated for the passage of federal privacy legislation, rather than relying on HHS to pass a set of privacy regulations. Shalala’s report stated, “This report recommends that Congress enact national standards that provide fundamental privacy rights for patients and define responsibilities for those who service them” (Shalala, 1997).
Although numerous bills that attempted to address health information privacy were introduced, Congress was unable to finalize privacy legislation on the time schedule mandated in HIPAA. During the 1999 congressional session alone, eight such bills were introduced. However, none of these bills was passed. As a result, Congress passed the responsibility of creating health privacy protections to HHS.
Over the course of developing the current Privacy Rule, HHS went through four iterations of the Rule. HHS followed Secretary Shalala’s 1997 recommendations to Congress in shaping the regulations (Redhead, 2001). First, HHS issued a proposed version of the Privacy Rule for public comment on November 3, 1999, that drew more than 50,000 comments (Stevens, 2000). Based on these comments, HHS issued the second version of the Privacy Rule, titled Standards for Privacy of Individually Identifiable Health Information, in December 2000.5 Before this version of the Privacy Rule could take effect, the Secretary of HHS was inundated with unsolicited public comments and criticism regarding the Privacy Rule. Health care insurers and providers were concerned that the Privacy Rule would make health care industry operations less efficient. They were particularly concerned about the requirement that they obtain authorization prior to making any routine disclosure of personally identifiable health information for health care operations, treatment, or payment. The comments received also suggested that this version of the Privacy Rule would prevent pharmacists from filling prescriptions and searching for potential drug interactions before patients arrived at pharmacies; interfere with providing emergency medicine in situations where it would be impossible to obtain patient authorization before treatment; and delay the scheduling and preparation of hospital procedures until the doctor could obtain patient authorization.6
In March 2002, HHS, under the Bush Administration, published a proposed modification to the Privacy Rule, which reopened the rule-making process and created a new period for submitting public comments. This version of the Privacy Rule drew more than 24,000 comments. Incorporating the suggestions collected through the second notice of proposed rule-making period, HHS issued the final version of the Privacy Rule on August 14, 2002.7 This is the current, effective, and codified version of the Privacy Rule (45 C.F.R. parts 160 and 164). Most health care providers and health plans were required to be in compliance with this version of the Privacy Rule by April 14, 2003. Small health plans were given until April 14, 2004, to be in compliance.
OVERVIEW OF THE HIPAA PRIVACY RULE8
Entities Subject to the Privacy Rule
The Privacy Rule applies to “covered entities,”9 which are individuals or organizations that electronically transmit health information in the course of normal health care practices. Covered entities include health care providers, health plans, and health care clearinghouses. Health plans are entities that provide or pay the cost of medical care, such as private health insurers or managed care organizations, and governmental payors and health programs such as Medicaid, Medicare, or Veterans Affairs. Health care clearinghouses generally refer to billing services, and health care providers include hospitals, doctors, and other health care professionals and facilities that provide treatment (Table 4-2).
Table 4-2. The Uneven Application of the HIPAA Privacy Rule: Examples of HIPAA Covered Entities and Non-Covered Entities.
If an entity that meets one of the categories of a covered entity also performs functions unrelated to health care, it can become a hybrid entity by designating in writing its “health care components.”10 Only these health care components are then bound by the Privacy Rule. For example, if a university includes an academic medical center with a hospital, the entire university will be classified as a covered entity unless the university elects to be a hybrid entity by designating only the hospital as the health care component. By doing this, only the hospital has to comply with the Privacy Rule. The classification of researchers within a hybrid entity depends on the nature of the work performed (e.g., whether the researchers are within the health care component, providing health care, or conducting electronic transactions) (HHS, 2004c).
Type of Information Protected
The Privacy Rule protects all personally identifiable health information, known as protected health information (PHI), created or received by a covered entity. Personally identifiable health information is defined as information, including demographic information, that “relates to past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care for the individual” that either identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.11
The Privacy Rule does not protect personally identifiable health information that is held or maintained by an organization other than a covered entity (HHS, 2004c). It also does not apply to information that has been deidentified in accordance with the Privacy Rule12 (see later section on Deidentified Information).
Restrictions on Use and Disclosure
Covered entities may not use or disclose PHI except as permitted or required by the Privacy Rule.13 A covered entity may disclose PHI without the individual’s permission for treatment, payment, and health care operations purposes. For other uses and disclosures, the Privacy Rule generally requires the individual’s written permission, which is an “authorization” that must meet specific content requirements. The Privacy Rule then establishes a number of exceptions to this general rule, allowing covered entities to use and disclose PHI without the individual’s authorization in certain situations. For example, the Privacy Rule permits the disclosure of PHI without the individual’s authorization in the following circumstances:
To business associates14
For public health purposes as required by state and federal law15
To public agencies for health oversight activities, such as audits; inspections; civil, criminal, or administrative proceedings; and other activities necessary for the oversight of the health care system16
To law enforcement officials17
For judicial and administrative proceedings, if the request for information is made through a court order18
Most of these permitted uses and disclosures are subject to detailed conditions. For example, the Privacy Rule allows covered entities to disclose PHI without individual authorization to their “business associates,” which are defined as persons or entities that perform, on behalf of the covered entity, certain functions or services20 that require the use or disclosure of PHI, provided adequate safeguards are in place.21 As a general rule, these safeguards take the form of a business associate agreement whereby the business associate agrees not to use or disclose the PHI it receives except as permitted by the agreement or by law (Box 4-1).
Box 4-1. Business Associate Agreements. A covered entity must obtain assurances in writing that the business associate will: (1) use the information only for the purposes for which it was engaged by the covered entity; (2) safeguard the information from misuses; …
In the case of public health practice, the Privacy Rule notes that there is a legitimate need for public health authorities and others working to ensure the health and safety of the public to have access to PHI. As a result, the Privacy Rule permits, but does not require,22 covered entities to disclose PHI without authorization for specified public health purposes (Box 4-2). Disclosures for research are discussed in detail in subsequent sections of this chapter.
Box 4-2. The HIPAA Privacy Rule and Public Health Practice. The Privacy Rule defines public authorities as any “federal, tribal, or local agency or person or entity acting under a grant of authority or contract with the agency, including state and local …
The Privacy Rule also confers rights on individuals with respect to their PHI (reviewed by Pritts, 2008). Under the Privacy Rule, individuals have the right to23:
Receive a notice of privacy practices from a health care provider or a health plan that must, among other things, inform patients of the anticipated uses and disclosures of their health information that may be made without the patients’ consent or authorization.24
See and obtain a copy of their own health information.25
Request an amendment of information that is incomplete or inaccurate.26
Obtain an accounting of certain disclosures that the covered entity made of their PHI over the past 6 years.27
HIPAA AND RESEARCH
Although health research was not a focus of HIPAA, Congress recognized the important role that health records play in conducting health research and wanted to ensure that privacy protections would not impede researchers’ continued access to such data. This is reflected in two House Reports on HIPAA with identical language, stating:
“The conferees recognize that certain uses of individually identifiable information are appropriate, and do not compromise the privacy of an individual. Examples of such use of information include … the transfer of information from a health plan to an organization for the sole purpose of conducting health care-related research. As health plans and providers continue to focus on outcomes research and innovation, it is important that the exchange and aggregated use of health care data be allowed” (U.S. Congress, 1996a,b).
In creating the current research provisions of the Privacy Rule, HHS considered several options. One option considered was exempting PHI used in research from the regulations, but HHS rejected this option, noting some reported shortcomings of the protection of the privacy and confidentiality of health information in research (reviewed by Pritts, 2008).28 A U.S. General Accounting Office report prepared in anticipation of federal health privacy legislation noted that confidentiality protections were not a major thrust of the Common Rule, and oversight boards tended to give confidentiality less attention than other research risks because they had the flexibility to decide when it was appropriate to review confidentiality protection issues (GAO, 1999). The report noted that although “[t]he actual number of instances in which patient privacy is breached is not fully known … in an NIH [National Institutes of Health] sponsored study, IRB [Institutional Review Board] chairs reported that complaints about the lack of privacy and confidentiality were among the most common complaints made by research subjects.” In addition, the compliance staff of the HHS Office for Protection from Research Risks (now Office of Human Research Protections) related that they had investigated several allegations involving human subjects protection violations resulting from a breach of confidentiality over the past several years and that the complaints related to (1) research subject to IRB review and (2) research outside federal protection (GAO, 1999).
HHS also considered requiring researchers to obtain individual authorization in all situations where a covered entity might want to disclose PHI for research. But this option would have made many research projects nearly impossible to carry out. Instead, HHS created the current system, which attempted to protect individual privacy while still allowing researchers access to data.
In proposing the Privacy Rule, HHS acknowledged that ideally, it would have preferred to directly regulate researchers by extending the protections of the Common Rule to nonfederally funded research and imposing additional criteria for the waiver of authorization in research.29 However, HHS recognized that it did not have the authority to do so, and therefore, it attempted to protect the health information released to researchers indirectly (but within the scope of its limited authority) by imposing disclosure restrictions on covered entities.
The following sections provide a detailed overview of the Privacy Rule provisions regulating research, along with comparisons to the provisions of the Common Rule (see Chapter 3 for a general overview of the Common Rule).
Research Uses and Disclosures with Individual Authorization
Individuals may voluntarily authorize the use and disclosure of their PHI for essentially any reason, including for research purposes. To be valid under the Privacy Rule, an authorization must be “specific and meaningful”30—that is, it must provide a clear description of the information to be used or disclosed. The authorization must also be written in plain language, and contain core elements (e.g., signature of the individual, description of purpose of requested use or disclosure) and statements addressing the individual’s right to revoke authorization, as well as circumstances under which services or payment may be conditioned on signing the authorization.31
Authorization under the Privacy Rule differs from informed consent in research (reviewed by Pritts, 2008). Authorization states how, why, and to whom the PHI will be used and/or disclosed for research, and seeks permission for that use or disclosure. In contrast, informed consent describes the potential risks and benefits of research and seeks permission to involve the subject, although it also provides research participants with a description of how the confidentiality of the research records will be protected. The Privacy Rule permits, but does not require, review of authorization forms by an IRB or a Privacy Board (see Box 4-3). In contrast, under the Common Rule, IRBs are required to review and approve informed consent documents for human subjects research. However, if the authorization is combined in the same document as the informed consent document, then IRB approval must be sought for the combination (HHS, 2004c).
Box 4-3. IRBs and Privacy Boards. Institutional Review Boards (IRBs) and Privacy Boards have different scopes of review. The Common Rule requires IRBs to review research projects involving human subjects for risk of harm to the subjects and to ensure that the …
Authorization of Future Research
Under the Common Rule, it is permissible to obtain patient consent for future research with biological samples or information stored in databases, with oversight by an IRB, if such future uses are described in sufficient detail to allow an informed consent. Historically, IRBs typically have tried to craft informed consent language on a case-by-case basis to allow for some measure of consent to future, largely unspecified research uses, but also to require some level of detail with respect to the categories of types of uses of the information or specimens, and to emphasize confidentiality protections for identified data and tissues (Barnes and Heffernan, 2004). For example, a consent form may specify that the tissue will be kept for research to learn about, prevent, or treat the type of cancer that affects the subject.
However, such language is too general to comply with the more stringent HIPAA authorization requirements. Under the Privacy Rule, authorizations for the use or disclosure of PHI must include “[a] description of each purpose of the requested use or disclosure.”32 In the August 2002 Final Rule, HHS commented that research-related purposes described in the authorization must be “study specific” and indicated that authorizations for “unspecified future research” would be considered overly broad and invalid.33 In other words, HHS regards all future uses of PHI as inherently nonspecific, and the Privacy Rule does not permit an individual to grant authorization to nonspecific research.
For example, the creation and maintenance of a biospecimen bank or database is considered a specific research activity under the Privacy Rule, but authorization for any future studies undertaken with the data or materials cannot be sought at the time of collection. However, the process of recontacting individuals whose biospecimens are stored to obtain consent for each and every research project for which the samples could be used is widely viewed as impractical, if not impossible, especially as more and more samples are collected. This situation can be quite problematic for studies using stored biological samples (Barnes and Heffernan, 2004; Bledsoe, 2004; Rosati, 2008; Rothstein, 2005).
HHS received comments suggesting that general descriptions of future research could meet the requirement of “meaningful and specific” authorization, but HHS noted that the Privacy Rule does not require IRB or Privacy Board review of uses and disclosures made with individual authorization, and thus covered entities would be left to decide whether or not the initial authorization was broad enough to cover subsequent research.34 The HHS response went on to note that authorization for future research would not be required if a waiver of authorization was granted for a subsequent study by an IRB or a Privacy Board (see the section regarding Waiver of Authorization).
However, the committee recommends that this discordance between the Privacy Rule and the Common Rule be eliminated through guidance explicitly stating that future research may go forward if the authorization describes the types or categories of research that may be conducted with the PHI stored in a biospecimen bank or database, and if an IRB or Privacy Board determines that the proposed new research is not incompatible with the initial consent and authorization and poses no greater than minimal risk to the privacy of individuals (Wendler, 2006). Future consent for research is ethically valid if appropriate security measures are in place, donors have the right to withdraw consent, and new studies are reviewed and approved by an IRB or Privacy Board (Hansson et al., 2006). Furthermore, a prohibition on future consent actually limits individual autonomy. If individuals desire to authorize the use of their PHI for future research, they should be able to do so.
If a covered entity plans to collect and store PHI in a research repository in conjunction with a clinical trial, HHS has stated that the HIPAA authorization for storage of the PHI in the repository must be separate from the HIPAA authorization for disclosure of PHI associated with participation in the clinical trial. HHS came to this conclusion through a complex series of interpretive steps (reviewed by Rosati, 2008). First, it is generally not permissible to condition treatment on the provision of an authorization, although the Privacy Rule does permit a covered entity to condition treatment in a clinical trial on signing an authorization.35 Second, although the Privacy Rule generally permits researchers to combine an authorization form with any other type of written permission (including another authorization), the Privacy Rule prohibits combining authorizations where the covered entity conditions the provision of treatment on signing only one of the authorizations, but not the other.36 Because HHS has concluded that collection of PHI for a clinical trial and for a repository are separate research activities, researchers cannot condition participation in the clinical trial on signing authorization to include PHI in the repository (HHS, 2004d). Thus, HHS has determined that the two authorizations cannot be combined in one form unless the form has separate signature lines for each authorization, and the text clearly delineates the two activities and states that the participant is not required to sign the portion authorizing the contribution of PHI to the repository.
Ideally, all relevant information pertaining to authorization should be integrated into one simple document, but there is much confusion about these complex provisions of the HIPAA Privacy Rule (Rosati, 2008). Misperceptions about restrictions on individuals’ ability to provide compound authorization for the related activities of clinical trial participation and biospecimen donation are widespread. Some institutions require two complete authorization forms with all the attendant language rather than two signature lines on the same form. The excess paperwork that results is burdensome for patients, can reduce the informed nature of authorization by confusing patients, and may reduce patient participation in research. The committee believes that guidance from HHS to clearly indicate that a single authorization form with two signature lines is permissible in such circumstances would reduce variability and increase the informed nature of authorization.
Research Uses and Disclosures Without Individual Authorization
Documented IRB or Privacy Board Approval of Such Use or Disclosure
In crafting the Privacy Rule, HHS acknowledged that it is not always possible to obtain authorization for using or disclosing PHI for research, particularly in fields such as health services research and epidemiological research, where thousands of records may be involved (Pritts, 2008). It also recognized the potential for selection bias (see Box 3-8) when authorization is required. In light of these factors, HHS concluded that there were circumstances under which it is appropriate to disclose PHI for research without authorization. HHS noted, however, “[T]he privilege of using individually identifiable health information for research purposes without individual authorization requires that the information be used and disclosed under strict conditions that safeguard individuals’ confidentiality.”37
One situation in which the Privacy Rule permits a covered entity to use and disclose PHI for research purposes without obtaining authorization from each patient is when an IRB or a Privacy Board (Box 4-3) reviews a research proposal to use PHI and determines whether to grant a “waiver” of authorization to the researcher for that particular research protocol.38
The Privacy Rule sets out complex standards for IRBs and Privacy Boards to apply in deciding whether to grant a waiver of authorization for a particular research study. The IRBs and Privacy Boards must determine whether a study meets all of the following criteria39:
The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
An adequate plan to protect the identifiers from improper use and disclosure;
An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by this subpart;
The research could not practicably be conducted without the waiver or alteration; and
The research could not practicably be conducted without access to and use of the PHI.
An IRB or a Privacy Board may waive the authorization requirement in whole or in part. A complete waiver of authorization means that no authorization is required for the covered entity to use and disclose PHI. A partial waiver means that the IRB or Privacy Board determined that a covered entity does not need authorization for the uses and disclosure of the PHI for one part of a research project, but does need to obtain authorization from patients for another part of the project. For example, an IRB or a Privacy Board often grants a partial waiver to allow researchers to access PHI in order to identify potential subjects for a study. However, if only a partial waiver of authorization is granted, the researchers will need to obtain HIPAA authorization before the PHI for each individual patient is used for the research project. An IRB or Privacy Board may also approve a request for an alteration that removes some, but not all, required elements of an authorization, using the same criteria as for a waiver of authorization.
The final and codified provisions above share only some of the language used in the Common Rule40 to determine whether it is allowable to alter the elements of informed consent or to waive the requirement of obtaining informed consent. This difference can create a challenge for the IRB decision-making process (Rothstein, 2005).
The concept of “practicability” is used in both the Common Rule and in the HIPAA authorization criteria, but there is no guidance as to what factors (e.g., feasibility or cost) should be considered in determining whether the criteria are met (IOM, 2006; IPPC, 2008; Rothstein, 2005). HHS commentary in the December 2000 Final Rule briefly mentioned cost as one factor that could be considered in determining practicability41 (HHS, 2000), but guidance documents do not define what is “practicable” or “impracticable.” As a result, institutions apply varying standards independently, often too conservatively to allow even low-risk research to proceed (see also Chapter 5). For example, some institutions interpret impracticable as “not at all possible” and require researchers to demonstrate that a study will fail without a waiver of authorization.
Moreover, stakeholders across the board, from researchers to individual patients, have questioned the meaning of the “practicability” standard (Pritts et al., 2008; Tovino, 2004). One focus group study indicated that patients may find it appropriate to consider two factors in determining whether it is practicable to conduct the research without the waiver of authorization: whether having to contact each patient first would (1) make the study less scientifically valid or (2) make the results less useful in improving medical care (i.e., would produce selection bias) (Pritts et al., 2008).
There are also no clear standards regarding what constitutes adequate protection of privacy, or what constitutes a minimal risk to privacy. The concept of minimal risk implies that there is a risk threshold, above which protections should be stricter. However, clearly defining the threshold is problematic. The terms “adequate plan” and “adequate written assurance” are highly subjective, and thus different institutions are likely to set varying thresholds for “minimal risk.” Thus, to facilitate appropriate authorization requirements for responsible research, the committee recommends that HHS simplify the criteria that IRBs and Privacy Boards use in making determinations for when they can waive the requirements to obtain authorization from each patient whose PHI will be used for a research study.
In the 2000 version of the Privacy Rule, one of the criteria for waiver of authorization was that “the privacy risks to individuals whose PHI is to be used or disclosed are reasonable in relation to the anticipated benefits, if any, to the individual, and the importance of the knowledge that may reasonably be expected to result from the research.”42 In 2002, HHS deleted this criterion from the Final Rule, stating that it was “unnecessarily duplicative of other provisions to protect patients’ confidentiality interests.”43 It may have been more appropriate to retain this criterion and omit the criteria for impracticability.
If the current waiver criteria are to be retained, the IOM committee believes that a clear and reasonable definition of practicability, along with specific case examples of what should or should not be considered impracticable or of minimal risk, could perhaps reduce variability and overly conservative interpretation of these provisions.
Simplification or clarification of the waiver criteria would be especially helpful for multi-institutional studies, which fall under the jurisdiction of multiple IRBs or Privacy Boards. Covered entities are permitted to rely on a waiver of authorization approved by a single IRB or Privacy Board with jurisdiction. However, covered entities often decide to require approval from their own IRB or Privacy Board prior to disclosing PHI to the requesting researcher, regardless of whether another IRB or Privacy Board already granted a waiver of authorization. This leads to delays and variability in the protocol at different sites (see also Chapter 5). Simplification would also be very helpful for smaller or community-based institutions that do not have internal counsel or regulatory affairs specialists, and are thus more likely to opt out of research that requires decisions about authorizations.
Activities Preparatory to Research
A second situation where a covered entity is permitted to use and disclose PHI without obtaining authorization is for activities that are preparatory to research.44 Review by an IRB or a Privacy Board is also not required for activities preparatory to research. A covered entity may permit researchers to look through its medical records in order to develop research protocols and to aid the recruitment of research participants if it obtains from the researcher representations that the information sought is necessary for the research purpose, that information will be reviewed only for the stated purposes preparatory to research, and that no PHI will be removed from the covered entity by the researcher in the course of the review45 (HHS, 2004a).
Many research studies, especially those focused on rare conditions with limited eligible patient populations, rely on large-scale medical chart reviews and searches of patient databases to identify patients who might be eligible for and might benefit from a particular study. Sufficient patient enrollment in a timely fashion is essential to ensure the meaningfulness and reliability of the research results. However, confusion regarding what is permitted under this component of the Privacy Rule is widespread (SACHRP, 2004), and surveys and studies indicate that patient recruitment has become more difficult and costly under the varying interpretations of the Privacy Rule (see Chapter 5).
HHS has issued multiple guidance statements on this topic, but these statements, some of which have been contradictory, have failed to eliminate confusion (reviewed by SACHRP, 2004). According to current HHS guidance on the Privacy Rule, researchers (both internal and external to a covered entity) may conduct a review of medical records under the preparatory to research exception. However, only internal researchers (an employee or member of the covered entity’s workforce) may contact potential subjects about the possibility of enrolling in a study under this provision of the Privacy Rule. HHS guidance on the Privacy Rule indicates that external researchers are not allowed under the preparatory to research exception to record or remove contact information of patients from a covered entity. External researchers must get an IRB/Privacy Board-approved waiver of authorization to perform any recruitment activities. This creates an artificial distinction between internal and external researchers that actually provides less privacy protection than that afforded by the Common Rule, which requires that any activities preparatory to research involving human subjects, or related to initial recruitment of subjects for research studies, be reviewed and approved by an IRB (HHS, 2003). Thus, the Privacy Rule permits conduct that is prohibited by the Common Rule (Rothstein, 2005).
IRBs historically have required all communications about an available research study to come from the individual’s caregivers, not from an investigator unknown to the potential subjects (SACHRP, 2004). Moreover, research shows that patients prefer to be approached by their clinician or an associated nurse as opposed to a stranger (Damschroder et al., 2007; Kass et al., 2003; Robling et al., 2004; Westin, 2007; Willison et al., 2007), and HHS has reported that most allegations of violations of the Privacy Rule related to research come from patients upset at receiving recruitment calls from unknown researchers (Heide, 2007).
According to the Secretary’s Advisory Committee on Human Research Protections (SACHRP), “The consequence of these confused and complex interpretations of research recruitment requirements has been to layer unnecessary, and extremely burdensome, tasks onto human subjects research. It appears, for example, that in some institutions, boilerplate business associate contracts are being signed, and that template applications for partial waivers of authorization are being routinely granted, as methods of perfunctory compliance with these confusing Privacy Rule requirements. Another effect of the enormous confusion has been that other institutions are hesitant to permit many recruitment activities critical to the continuation of the research enterprise, out of fear that they are in some way misinterpreting the government’s current positions on research recruitment. SACHRP is very concerned that the bureaucratic complexities here undermine, rather than enhance, the attention that needs to be paid to the welfare and interests of subjects in the research recruitment process” (SACHRP, 2004).
The IOM committee believes that new guidance documents from HHS that clarify and simplify the rules for activities preparatory to research, and harmonize them with the Common Rule—by requiring IRB/Privacy Board approval for all researchers (internal and external) prior to contacting potential subjects—would help to eliminate this confusion and facilitate ethical research that protects patient privacy.
Research on Protected Health Information of Decedents
The third situation where a covered entity is permitted to disclose PHI without authorization is for research using the PHI of decedents. Covered entities are not required to obtain authorization from the personal representative or next of kin to conduct research on a decedent’s PHI, nor are they required to receive a waiver of authorization. These provisions are similar to the Common Rule, which defines a “human subject” as a “living individual.”46
However, the Privacy Rule does require that researchers make several representations, either in writing or orally, to the covered entity prior to the covered entity granting the researcher access to a decedent’s PHI. These representations include:
The use or disclosure being sought is solely for research on the PHI of decedents
The PHI is necessary for research
The death of the individual is documented, if requested by the covered entity47
Apparently some covered entities interpret the Privacy Rule more conservatively by requiring researchers to obtain authorization from next of kin, or a waiver of authorization from an IRB or Privacy Board, in order to access the PHI of decedents (Ness, 2007).48
Researchers can also access deidentified health information stored by covered entities without obtaining authorization, waiver of authorization, or IRB/Privacy Board approval. Deidentified information does not qualify as PHI, and therefore is not protected under the Privacy Rule—it can be disclosed to researchers at any time (HHS, 2004c). The Privacy Rule offers two methods to deidentify personal health information. Under the statistical method, a statistician or person with appropriate training verifies that enough identifiers have been removed that the risk of identification of the individual is very small. Under the “safe harbor” method, data are considered deidentified if the covered entity removes 18 specified personal identifiers from the data (Box 4-4).49 In the process of deidentifying information, the covered entity may assign a code to the deidentified information so that it may reidentify it, but the code may not be derived from information related to the individual (e.g., Social Security number). Furthermore, the covered entity may not disclose the key to the code to anyone else.50 These provisions of the Privacy Rule are based on the federal statistical agencies’ policy of using statistical methods to assess and protect the confidentiality of individuals’ data they collect and release (Interagency Confidentiality and Data Access Group, 1999; Subcommittee on Disclosure Limitation Methodology, 1994).
HIPAA “Safe Harbor” Deidentification Method. The HIPAA “safe harbor” method of deidentification requires that each of the following identifiers of the individual or of relatives, employers, or household members of the […]
These provisions are more stringent than those of the Common Rule, leading to situations in which some coded data might be subject to the Privacy Rule, but not the Common Rule (Rothstein, 2005). The Common Rule does not apply to research if “the identity of the subject is [not] or may [not] be readily ascertained by the investigator or associated with the information accessed by the researcher” (see Chapter 3).51 In practice, this can mean that a covered entity may no longer routinely disclose for research data that have been anonymized according to the Common Rule (Pritts, 2008). This discrepancy between deidentification standards under the two rules can give rise to situations in which research with anonymized data that are exempt from IRB oversight under the Common Rule may still require a decision by an IRB or a Privacy Board to determine if a waiver of individuals’ authorization of disclosure for the use of their information for research purposes is appropriate under the Privacy Rule. But because IRBs have not had to review these protocols in the past, they may find it difficult to make appropriate decisions about waivers.
The Privacy Rule restrictions put greater emphasis on the possibility that health data could be reidentified using publicly available databases. Determining what information can be released without inappropriately compromising the privacy of the individual respondents is inherently a statistical issue (Fienberg, 2005) (see also discussion on privacy-preserving data mining and statistical disclosure limitation in Chapter 2). Record linkage technology has advanced rapidly in the past 10 years, and large public list searches are readily available for integration with “deidentified” data, making it easier to reidentify data than when the Common Rule was implemented (De Wolf et al., 2006; Pritts, 2008). For example, an academic exercise showed that it was possible to identify the names and addresses of 97 percent of the registered voters in Cambridge, Massachusetts, using the birth date and full postal code (Sweeney, 1997). In a nonacademic setting, New York Times reporters were also able to identify “anonymous” AOL clients whose search habits had been posted on the web for research projects by linking their search history to other available data (Barbaro and Zeller, 2006).
Studies indicate that even after removal of the 18 identifiers required under the safe harbor method of the Privacy Rule, recipients could reidentify individuals in a study dataset with a moderately high expectation of accuracy by applying only diagnosis and medication combinations (Clause et al., 2004). In short, even the Privacy Rule’s deidentification standard may not be stringent enough to protect the anonymity of data in today’s technological environment (Pritts, 2008). However, strong security measures (as recommended in Chapter 2) and the implementation of legal sanctions against the unauthorized reidentification of deidentified data (as recommended in subsequent sections of this chapter) may be more effective in protecting privacy than more stringent deidentification standards.
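The reidentification risk described in the two paragraphs above is, as the text says, a statistical question: how many people in the released data share the same combination of indirect attributes (birth date, postal code, sex) that an outside list also carries. The following Python is an added illustration, not code from the report or from any of the studies it cites, of the check a data steward can run before release: it counts the records that share each quasi-identifier combination, reports the smallest group and the share of records that are unique, and shows how coarsening birth date to year and ZIP to its 3-digit prefix (a standard statistical disclosure limitation step, not a rule the report prescribes) changes those numbers. The sample rows, field names and thresholds are constructed for the example.

```python
from collections import Counter
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed "deidentified" release: names and SSNs are gone, but birth
# date, 5-digit ZIP and sex remain. Rows are invented; they are not real data.
RELEASE: List[Record] = [
    {"dob": "1961-03-12", "zip": "02139", "sex": "F", "dx": "E11.9"},
    {"dob": "1961-03-12", "zip": "02139", "sex": "F", "dx": "I10"},
    {"dob": "1961-07-04", "zip": "02139", "sex": "F", "dx": "J45"},
    {"dob": "1962-11-30", "zip": "02138", "sex": "M", "dx": "E11.9"},
    {"dob": "1962-01-15", "zip": "02138", "sex": "M", "dx": "K21"},
    {"dob": "1975-09-09", "zip": "02140", "sex": "F", "dx": "I10"},
    {"dob": "1975-02-20", "zip": "02141", "sex": "F", "dx": "J45"},
    {"dob": "1975-02-20", "zip": "02141", "sex": "F", "dx": "E11.9"},
]

# Quasi-identifiers: not direct identifiers, but matchable against an outside
# list (such as a voter roll) that does carry names and addresses.
FULL_QI: Tuple[str, ...] = ("dob", "zip", "sex")
COARSE_QI: Tuple[str, ...] = ("birth_year", "zip3", "sex")


def equivalence_classes(records: List[Record], quasi_identifiers: Tuple[str, ...]) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(rec[q] for q in quasi_identifiers) for rec in records)


def min_k(records: List[Record], quasi_identifiers: Tuple[str, ...]) -> int:
    """Smallest group size; 1 means at least one record is unique on these fields."""
    return min(equivalence_classes(records, quasi_identifiers).values())


def fraction_unique(records: List[Record], quasi_identifiers: Tuple[str, ...]) -> float:
    """Share of records that are the only member of their quasi-identifier group."""
    classes = equivalence_classes(records, quasi_identifiers)
    singletons = sum(
        1 for rec in records if classes[tuple(rec[q] for q in quasi_identifiers)] == 1
    )
    return singletons / len(records)


def generalize(rec: Record) -> Record:
    """Coarsen the quasi-identifiers: full birth date -> year, 5-digit ZIP -> 3-digit prefix."""
    out = {k: v for k, v in rec.items() if k not in ("dob", "zip")}
    out["birth_year"] = rec["dob"][:4]
    out["zip3"] = rec["zip"][:3]
    return out


GENERALIZED: List[Record] = [generalize(rec) for rec in RELEASE]


def meets_k(records: List[Record], quasi_identifiers: Tuple[str, ...], k: int) -> bool:
    """Release gate: every quasi-identifier combination must appear at least k times."""
    return min_k(records, quasi_identifiers) >= k


if __name__ == "__main__":
    for label, data, qi in (("full", RELEASE, FULL_QI), ("coarse", GENERALIZED, COARSE_QI)):
        print(f"{label}: groups={len(equivalence_classes(data, qi))} "
              f"min_k={min_k(data, qi)} unique={fraction_unique(data, qi):.2f}")
```

On the constructed rows, half the records are unique on full birth date plus ZIP plus sex, which is exactly the profile that a linkage against a public list exploits; after generalization no record is unique and the smallest group has two members. The diagnosis column is left untouched here, which is the point of the next paragraph: quasi-identifiers are not the only route to reidentification.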
Many researchers have argued that removal of all 18 data categories as required by the HIPAA Privacy Rule’s deidentification standards can render the dataset unusable for many research projects (Casarett et al., 2005; HHS, 2002; Kulynych and Korn, 2002; SACHRP, 2004) (see also Chapter 5).52 For example, general areas of origin, residence, and work may be essential to epidemiological and other studies of topics such as disease incidence. Likewise, treatment dates are essential information for determining treatment effects, including adverse side effects. Concerns were also raised that deidentification would impede longitudinal studies, and subsequent research has indicated that information deidentified using the safe harbor method of removing all of the listed identifiers results in lost chronological spacing of episodes of care (Clause et al., 2004).
Because of these concerns, some stakeholders urged HHS “to permit covered entities to disclose PHI for research if the protected information is facially deidentified, that is, stripped of direct identifiers, so long as the research entity provides assurances that it will not use or disclose the information for purposes other than research and will not identify or contact the individuals who are subjects of the information.”53 Others were more specific and requested that the Privacy Rule be amended to allow the use of keyed-hash message authentication code (HMAC), asserting that this mechanism would be valuable for researchers because it allows the recipient to link clinical information about the individual from multiple entities over time. In direct response to these requests, HHS modified the Privacy Rule and created a category54 of partially deidentified data called the “limited dataset,” which may be used and disclosed for research without obtaining individual authorization or IRB/Privacy Board approval.55
To qualify as a limited dataset, 16 of the more direct identifiers—such as names, addresses, Social Security numbers, and medical telephone numbers—must be removed from the data. However, the following elements may be included in a limited dataset: city, state, ZIP Code, elements of date, and other numbers, characteristics, or codes not listed as direct identifiers in the regulation (including HMAC). A limited dataset may be created by a covered entity or the covered entity can enter into a business associate agreement with another party, including the intended recipient, to create the limited dataset on its behalf.56
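The two coding mechanisms described above differ in one security-relevant detail: the limited dataset may carry a keyed-hash (HMAC) code so that a recipient can link one person's records across covered entities and over time, whereas a reidentification code attached to safe-harbor deidentified data may not be derived from information about the individual and its key may not leave the covered entity. The following Python is an added illustration, not code from the report or from HHS: it builds a limited dataset from constructed records using HMAC-SHA256 over the patient identifier with a secret key shared only between covered entities, shows that two entities holding the same key produce linkable codes while different keys do not, and builds a safe-harbor style extract with a random reidentification code whose lookup table stays with the covered entity. The record fields, the identifier subsets used for stripping, and the keys are constructed for the example; the full identifier lists are those in the regulation and Box 4-4.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed records held by covered entity A; these are not real patients.
ENTITY_A_RECORDS: List[Record] = [
    {"name": "Patient One", "ssn": "000-00-0001", "phone": "555-0101",
     "zip": "02139", "dob": "1961-03-12", "service_date": "2007-05-01", "dx": "E11.9"},
    {"name": "Patient Two", "ssn": "000-00-0002", "phone": "555-0102",
     "zip": "02138", "dob": "1962-11-30", "service_date": "2007-06-15", "dx": "I10"},
]
# Constructed records held by covered entity B; Patient One was also seen here.
ENTITY_B_RECORDS: List[Record] = [
    {"name": "Patient One", "ssn": "000-00-0001", "phone": "555-0101",
     "zip": "02139", "dob": "1961-03-12", "service_date": "2008-01-20", "dx": "E11.9"},
]

# Direct identifiers a limited dataset must drop (illustrative subset of the 16);
# ZIP and dates may stay, which is what makes the dataset useful for research.
LIMITED_DATASET_DIRECT_IDENTIFIERS: Tuple[str, ...] = ("name", "ssn", "phone")
# Fields safe harbor removes as well (illustrative subset of the 18 in Box 4-4).
SAFE_HARBOR_IDENTIFIERS: Tuple[str, ...] = LIMITED_DATASET_DIRECT_IDENTIFIERS + (
    "zip", "dob", "service_date")


def linkage_code(patient_identifier: str, linkage_key: bytes) -> str:
    """HMAC-SHA256 pseudonym for a limited dataset.

    Covered entities that share the same secret key derive the same code for the
    same identifier, so a recipient can link records without ever receiving the
    identifier. The key is held by the covered entities, never by the recipient.
    """
    return hmac.new(linkage_key, patient_identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def make_limited_dataset(records: List[Record], linkage_key: bytes) -> List[Record]:
    """Strip direct identifiers and attach the keyed linkage code."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in LIMITED_DATASET_DIRECT_IDENTIFIERS}
        row["link_code"] = linkage_code(rec["ssn"], linkage_key)
        out.append(row)
    return out


def link_limited_datasets(*datasets: List[Record]) -> Dict[str, List[Record]]:
    """Recipient side: group rows from several entities by their linkage code."""
    linked: Dict[str, List[Record]] = {}
    for dataset in datasets:
        for row in dataset:
            linked.setdefault(row["link_code"], []).append(row)
    return linked


def make_safe_harbor_dataset(records: List[Record]) -> Tuple[List[Record], Dict[str, str]]:
    """Safe-harbor style extract with a reidentification code.

    The code is random, so it is not derived from anything about the patient,
    and the code-to-identifier table is returned to the covered entity only;
    it is never disclosed with the data.
    """
    out, reid_table = [], {}
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in SAFE_HARBOR_IDENTIFIERS}
        code = secrets.token_hex(16)
        while code in reid_table:  # vanishingly unlikely collision, handled anyway
            code = secrets.token_hex(16)
        reid_table[code] = rec["ssn"]
        row["reid_code"] = code
        out.append(row)
    return out, reid_table


if __name__ == "__main__":
    shared_key = b"constructed-shared-linkage-key"  # would come from a key store in practice
    linked = link_limited_datasets(make_limited_dataset(ENTITY_A_RECORDS, shared_key),
                                   make_limited_dataset(ENTITY_B_RECORDS, shared_key))
    for code, rows in linked.items():
        print(code[:12], [r["service_date"] for r in rows])
```

Two design points are worth noting. A plain, unkeyed hash of an identifier would also be deterministic across entities, but anyone holding the same data could recompute it; the secret key is what confines linking to parties the covered entities have chosen. And because the safe-harbor reidentification code is random rather than derived, the only way back to the patient is the table the covered entity keeps, which is the property the Privacy Rule's "may not disclose the key" condition relies on.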
To disclose a limited dataset for research without individual authorization, the covered entity must enter into a data use agreement with the recipient. These contracts specify the recipient of the limited dataset and require the recipient to agree to a number of conditions, including:
Not to use or disclose the limited dataset other than as permitted by the agreement or as required by law
To use appropriate safeguards to prevent the use or disclosure of the information other than as provided for in the data use agreement
To report to the covered entity any use or disclosure of the information not provided for by the data use agreement of which the recipient becomes aware
To ensure that any agents to whom the recipient provides the limited dataset agree to the same restrictions and conditions as the original recipient
Not to identify the information or contact the individuals whose records are included in the dataset57
Although some researchers have indicated that the use of limited datasets may be “enticing” (Pace et al., 2005), there do not appear to be any studies about the use of limited datasets in the United States (Pritts, 2008). France reportedly uses the equivalent of limited datasets from numerous hospitals to conduct epidemiologic research (Berman, 2002), but the French health care system and legal environment are quite different than in the United States. In testimony at an Institute of Medicine workshop on the HIPAA Privacy Rule and health research, legal experts noted the shortcomings of the limited dataset (IOM, 2006). For example, in some health care settings, it can be challenging to identify an individual who will sign a data use agreement on behalf of the covered entity and thus manage the contract according to the perceived risk and obligation to monitor how that limited dataset is used. At the other extreme, it was noted that some covered entities were signing data use agreements as a matter of course, and thus providing little meaningful privacy protection to the patient (IOM, 2006).
Thus, the committee recommends that HHS encourage greater use of limited datasets and develop clear guidance on how to set up and comply with the associated data use agreements more efficiently and effectively.
Linking Data from Multiple Sources
A single database may not provide a complete picture of a patient’s condition or health history, so combining information from multiple sources is often necessary (IOM, 2000). HHS stated that one intent of the limited dataset provisions was to permit data to be used and disclosed in a coded manner such that the recipient of the data could link one person’s data longitudinally over multiple settings.58 However, linking data continues to be problematic for researchers under the HIPAA Privacy Rule (IOM, 2006; IPPC, 2008).
The Privacy Rule addresses data aggregation only with respect to health care operations,59 not research. However, it is possible in principle under the Privacy Rule for a researcher to aggregate PHI from multiple covered entities with authorization or IRB/Privacy Board waiver of authorization. Obtaining individuals’ authorization for research that entails the review of thousands of medical records is unrealistic, though, and even with a waiver of authorization, covered entities with large datasets are often reluctant to allow researchers access to PHI, as noted above (see also Chapters 5 and 6). More commonly, data are provided to researchers with direct identifiers removed. But because datasets from multiple sources cannot be linked to generate a more complete record of a patient’s health history without a unique identifier, such datasets often are of minimal value to researchers and are not frequently used. A third party may also collect PHI from covered entities and aggregate the data for research by establishing business associate agreements (BAs) with the various data sources, but in practice, BAs are used infrequently for this purpose (AcademyHealth, 2008). This approach is complicated and impractical to set up for individual research projects. Moreover, BAs can be established by covered entities to gain competitive advantage, rather than to collaborate in research.
The committee believes that a better approach would be to establish secure, trusted, nonconflicted intermediaries that could develop a protocol, or key, for routinely linking data without direct identifiers from different sources and then provide more complete and useful deidentified datasets to researchers. One way this could be accomplished, for example, might be through data warehouses that are certified for the purpose of linking data from different sources (IOM, 2000). The organizations responsible for such linking would be required to use strong security measures and would maintain the details about how this linkage was done, should another research team need to recreate the linked dataset. Using such intermediaries would increase patient privacy protections and allay concerns of covered entities, and thus would facilitate greater use of health data for research and also lead to more meaningful study results.
CMS provides a similar service for Medicare and Medicaid data, via contractors who create standardized data files that are tailored for research (Box 4-5). The agency has begun pilot projects to aggregate Medicare claims data with data from commercial health plans and, in some cases, Medicaid, in order to calculate and report quality measures for physician groups. A broader effort to link data from diverse sources has been initiated by the Agency for Healthcare Research and Quality (AHRQ), called the National Health Data Stewardship Entity.60 AHRQ is also involved in implementing the Patient Safety and Quality Improvement Act of 2005, which encourages creation of Patient Safety Organizations to receive information from hospitals, doctors, and health care providers on a privileged and confidential basis, for analysis and aggregation.61 Although the purpose of the latter two initiatives is for monitoring health care quality, they could provide a model for data aggregation applicable to health research as well.
The Chronic Conditions Warehouse. Section 723 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 instructed the Secretary of the U.S. Department of Health and Human Services to make Medicare data more readily available to researchers […]
The HIPAA administrative simplification provisions specifically provided for the creation of a unique individual identifier, but work on this project has been halted because there is a great deal of controversy regarding how it could be implemented without compromising individual privacy. Federal agencies are also under pressure from the Office of Management and Budget to reduce the use of Social Security numbers as unique identifiers. But the development of some type of linking key (not based on Social Security numbers) would make linkages more efficient, standardized, and reliable and less costly. Moreover, this type of linkage could greatly facilitate many types of information research, provide more extensive health histories and facilitate public health surveillance, and improve quality of care (HHS, 1998; Hillestad et al., 2008).
Genetic Information and the Privacy Rule
Research involving genetic information presents perhaps some of the most challenging areas for protecting the privacy of health information (Bregman-Eschet, 2006; Farmer and Godard, 2007; Greely, 2007; NBAC, 1999). With recent technological advances in biomedical research, it is now possible to learn a great deal about disease processes and individual variations in treatment effectiveness or susceptibility to disease from genetic analyses because the DNA sequences comprising a person’s genome strongly influence a person’s health. New knowledge of the human genome, combined with advances in computing capabilities, are expected to help decipher the roles that genetics and the environment play in the origins of complex but common human diseases, such as cancer, heart disease, and diabetes. In this genomic age of health research, patient samples stored in biospecimen banks can provide a wealth of information for addressing long-standing questions about health and disease, and efforts are underway to create large genomic databases for that purpose (Adams, 2008; Greely, 2007; Lowrance, 2002; Lowrance and Collins, 2007). However, it is particularly difficult to assess the potential harms to individuals who are the subjects of research in these rapidly advancing areas (NBAC, 1999; Pritts, 2008), and precedent does not appear to provide sufficient guidance in this relatively uncharted territory (Lowrance, 2002; Lowrance and Collins, 2007). Moreover, HHS has not issued clear guidance on how the Privacy Rule applies to DNA samples or sequences (IOM, 2005).
HHS guidance documents indicate that tissue or blood itself is not protected under the Privacy Rule unless it contains or is associated with HIPAA identifiers (HHS, 2004b). HHS has further stated that the results of an analysis of blood or tissue, if containing or associated with personally identifiable information, would be PHI. However, the research community remains uncertain about whether genetic information accompanying biospecimens is protected under the Privacy Rule because the list of identifiers includes “biometric identifiers” and “unique identifying characteristics”62 (NCVHS, 2004).
The European Union, which has a more restrictive privacy regime than the United States, does not consider DNA in and of itself to be a direct identifier (DPWP, 2007). Genetic information does not itself identify an individual in the absence of other identifying information. However, in some circumstances, a person’s genetic code could be construed as a unique identifier in that it could be used to match a sequence in another biospecimen bank or databank that does include identifiers (Lin et al., 2004; Malin and Sweeney, 2004).
As genetic information becomes more prevalent in research and health care, the latter scenario is more likely to occur. For example, in January 2008, the NIH began requiring data from the Genome Wide Association Study63 to be submitted to a central databank in an anonymous and aggregated form. That database was publicly accessible until August 2008 when officials at NIH removed the database from the public Website, citing concerns about patient confidentiality (Couzin, 2008; Zerhouni and Nabel, 2008). Those concerns stemmed from a study showing that a new type of DNA analysis could confirm the identity of an individual in a pool of similarly masked data if that person’s genetic profile was already known (Homer et al., 2008). NIH intends to move the aggregate genotype data to a secure, controlled-access database with policies for review and approval of data access requests (Zerhouni and Nabel, 2008).
Also, as we enter the era of personalized medicine, genetic information is more likely to be included in a person’s health records. But at the same time, realization of the promises of personalized medicine will require research on DNA from a great many diverse individuals whose medical histories are well documented. Therefore, the committee believes that the establishment of consistent standards for use and protection of genetic information is important and advocates a focus on strong security measures. To facilitate appropriate use of DNA in health research, the committee recommends that HHS clarify the circumstances under which DNA samples or sequences are considered PHI. In addition, it recommends the adoption of strict prohibitions on the unauthorized reidentification of individuals by anyone from DNA sequences.
Regardless of how genetic information is regulated under the HIPAA Privacy Rule, a federal prohibition of genetic discrimination is necessary to allay privacy concerns and diminish potential negative consequences of unintended disclosure of genetic information. Many people are concerned about genetic discrimination—the misuse of genetic information by insurance companies, employers, and others to make decisions based on a person’s DNA—so it is important both to protect the privacy of genetic information and to protect people against such discrimination. The Genetic Information Nondiscrimination Act (GINA), recently signed into law, hopefully will begin to address some of these concerns.
Accounting of Research Disclosures
The “accounting of disclosures” provision of the HIPAA Privacy Rule gives individuals the right to receive a list of certain disclosures that a covered entity has made of their PHI in the past 6 years, including disclosures made for research purposes.64 The accounting of disclosures (AOD) must also include certain substantive information related to each disclosure, including the date of the disclosure, the identity of the person who received the information, a description of the information disclosed, and a statement of the purpose of the disclosure.
The AOD requirement was intended “as a means for the individual to find out the nonroutine purposes for which his or her PHI was disclosed by the covered entity, so as to increase the individual’s awareness of persons or entities other than the individual’s health care provider or health plan in possession of this information.”65 This requirement does not actually protect privacy; it merely requires covered entities to record disclosures that have already happened. In addition, the AOD requirement does not constitute an audit trail, as there are numerous exceptions to the requirement, including disclosures for health care operations, pursuant to an authorization, as part of a limited dataset, for national security or intelligence purposes, and to correctional institutions or law enforcement officials. Therefore, AOD cannot provide individuals with some of the information they may want, such as a list of employees who looked at their medical record when they were in the hospital (AHIC, 2007; Pritts, 2008).
Disclosures made for research purposes under a waiver of authorization, or for public health purposes as required by law, must be included in the AOD. In fact, HHS has noted that “making a set of records available for review by a third party constitutes a disclosure of the PHI in the entire set of records, regardless of whether the third party actually reviews any particular record.” The Privacy Rule has an exception for research involving groups of 50 or more subjects, which allows the generation of a general list of all protocols for which a person’s PHI may have been disclosed, but even in that case, there is a considerable administrative obligation. Furthermore, in many medical facilities, that list is very extensive, and thus is relatively meaningless to a particular patient.
This aspect of the Privacy Rule places a heavy administrative burden on health systems and health services research that achieves little in terms of protecting privacy. Moreover, HHS has not given covered entities any guidance on practical ways to fulfill this requirement in an efficient manner. Annual surveys of health care privacy officers undertaken by the American Health Information Management Association (AHIMA) since 2004 have found that many facilities report difficulties with the AOD requirement (AHIMA, 2006). Furthermore, the surveys have found that the demand for AOD is extremely low. Two-thirds of respondents reported receiving no requests at all. Nearly a third indicated that they would like to see a change to the AOD provisions—the most frequently cited Privacy Rule provision among all respondents, and by far among those with more than 20,000 admissions/discharges per year. Based on these results, AHIMA concluded that “for many, this provision is not only burdensome but also significantly inefficient.”
The National Committee on Vital and Health Statistics (NCVHS), the Association of American Medical Colleges (AAMC), and SACHRP have all recommended changes to the AOD provisions (see Appendix A). Witnesses at the first public hearing held by the NCVHS Subcommittee on Privacy and Confidentiality
HIPAA and the Privacy of Medical Records
With the increase in technology, it has become easy for physicians to transfer medical data via fax and computer. HIPAA encourages electronic transactions, but requires new guidelines to protect the security and confidentiality of health information. According to HIPAA, transferring patients’ medical data to anyone without consent is illegal. A major goal of the Privacy Rule is to assure that individuals’ health information is protected properly while allowing health information that is needed to provide quality service to the people who need it. Although the healthcare field is diverse, the Rule is flexible and covers a wide range of uses and disclosures that need to be addressed (Burke & Weill, 2005). In a large service-related healthcare organization with a staff-to-patient ratio of approximately 1:100, there is a greater threat of technology being used to breach the security of records. Medical records include information about one’s physical and mental being. They may contain information about one’s relationships with family members, sexual behavior, drug or alcohol problems, and HIV status (Burke & Weill, 2005). Confidentiality is threatened when medical record information is put on the Internet, by the use of telemedicine, and by the use of e-mail by healthcare workers. Although this is the fastest way to store and share