Beyond the HIPAA Privacy Rule Enhancing Privacy, Improving Health Through Research (2009) / Chapter Skim
Currently Skimming:
Summary
Summary
Pages 1-14
The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.
From page 1... ...
developed a set of federal standards for protecting the privacy of personal health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) .1 The HIPAA Privacy Rule set forth detailed regulations 1 The HIPAA Privacy Rule ("Standards for Privacy of Individually Identifiable Health Informa tion: Final Rule")
|
From page 2... ...
to propose recommendations to facilitate the efficient and effective conduct of important health research while maintaining or strengthening the privacy protections of personally identifiable health information. The committee's conclusion is that the HIPAA Privacy Rule does not protect privacy as well as it should, and that, as currently implemented, the HIPAA Privacy Rule impedes important health research.
|
From page 3... ...
• Require ethical oversight of research when personally identifiable health information is used without informed consent. HHS should develop best practices for oversight that should consider: o Measures taken to protect the privacy, security, and confiden tiality of the data; o Potential harms that could result from disclosure of the data; and o Potential public benefits of the research.
|
From page 4... ...
4. HHS guidance documents should simplify the HIPAA Privacy Rule's provisions regarding the use of PHI in activities preparatory to research and harmonize those provisions with the Common Rule, in order to facilitate appropriate IRB and Privacy Board oversight of identification and recruitment of potential research participants.
|
From page 5... ...
C HHS should revise provisions of the HIPAA Privacy Rule that entail heavy burdens for covered entities and impede research without providing sub stantive improvements in patient privacy.
|
From page 6... ...
One major difference is that unlike the HIPAA Privacy Rule, which applies privacy obligations unevenly across the health care sector, PHIPA applies to health information custodians (HICs; e.g., providers, hospitals, and pharmacies) that collect, use, and disclose personally identifiable health information, as well as to non-HICs that receive personally identifiable health information from a HIC.
|
From page 7... ...
First, the committee recommends that all interventional research, regardless of funding source and support, should be required to comply with the Common Rule,7 and all researchers who gain access to personally identifiable health information as part of the interventional research should be required to protect that information with strong security measures. Research participants should be allowed to provide consent for future research uses of data and biological materials collected as part of the interventional study as long as an IRB reviews and approves the future uses, ensuring that the new study is not incompatible with the original consent.
|
From page 8... ...
In cases where researchers cannot use data with direct identifiers removed, and personally identifiable health information is needed for research, approval and oversight by an ethics oversight board should be required, partially analogous to what is now done under the HIPAA Privacy Rule and PHIPA. This board could perhaps entail a new body specifically formulated to review medical records research, rather than relying on traditional IRBs that were created to review interventional research.
|
From page 9... ...
Recommendation II.A. The committee recommends that HHS develop guidance materials to reduce variability among IRBs and Privacy Boards in their interpretation of the HIPAA Privacy Rule as applied to research.
|
From page 10... ...
The committee developed four specific recommendations to facilitate important health research by maximizing the usefulness of patient data associated with biospecimen banks and in research databases, thereby allowing novel hypotheses to be tested with existing data and materials as knowledge and technology improve. The recommendations would align interpretation of the HIPAA Privacy Rule with the Common Rule on several points, simplify or clarify the relevant processes in research, and develop new tools for data aggregation.
|
From page 11... ...
of PHI made for research and public health purposes. Until technology advances make automatic AOD tracking feasible, affordable, and widely available, the HIPAA Privacy Rule should permit covered entities to inform patients in advance that PHI might be used for health research with IRB/Privacy Board oversight or for public health purposes.
|
From page 12... ...
The committee also recommends that HHS -- or, as necessary, Congress -- provide reasonable protection against civil suits brought pursuant to state or federal laws for members of IRBs and Privacy Boards for decisions made within the scope of their responsibilities under the HIPAA Privacy Rule and the Common Rule. The limitation on liability should not include protection for willful and wanton misconduct in reviewing the research, but should instead be reserved for good-faith decisions, backed by minutes or other evidence.
|
From page 13... ...
These recommendations could be accomplished without any changes to HIPAA or the Privacy Rule by making them a condition of funding for research grants from HHS and other research sponsors, and by providing additional funds to cover the cost.
|
Key Terms
This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More
information on Chapter Skim is available.