Overview of Conclusions and Recommendations
Pages 15-62



From page 15...
... developed a set of federal standards for protecting the privacy of personal health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).1 The HIPAA Privacy Rule set forth detailed regulations regarding the types of uses and disclosures of individuals' personally identifiable health information -- called "protected health information" -- permitted by "covered entities" (health plans, health care clearinghouses, and health care providers who transmit information in electronic form in connection with transactions for which HHS has adopted standards under
1 The HIPAA Privacy Rule can be found at 45 Code of Federal Regulations (C.F.R.)
From page 16...
... to assess whether the HIPAA Privacy Rule is having an impact on the conduct of health research, defined broadly to include biomedical research, epidemiological studies, and health services research, as well as studies of behavioral, social, and economic factors that affect health; and (2) to propose recommendations to enable the efficient and effective conduct of important health research while maintaining or strengthening the privacy protections of personally identifiable health information (Box O-1)
From page 17...
... Consider the needs for privacy of identifiable personal health information and the value of such privacy to patients and the public. As data and evidence allow, the needs and benefits of patient privacy will be balanced against the needs, risks, and benefits of identifiable health information for various kinds of health research.
From page 18...
... Individuals are less likely to participate in health research or other socially and individually beneficial activities, including candid and complete disclosures of sensitive information to their physicians, if they do not believe their privacy is being protected. However, it should also be noted that perceptions of privacy vary among individuals and groups.
From page 19...
... They reflect a broad consensus about the need for standards to protect individual privacy and to facilitate information flows in an increasingly technology-dependent, global society.
Definition of Health Research and Why Health Research Is Important
Under both the HIPAA Privacy Rule and a federal regulation known as the Common Rule,8 "research" is defined as "a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge." This is a broad definition that may include biomedical research, epidemiological studies,9 and health services research,10 as well as studies of behavioral, social, and economic factors that affect health.
From page 20...
... As the use of electronic medical records increases, the pace of medical records research is accelerating, and the opportunities to use these records to generate new knowledge about what works in health care are expanding. The varying methods of health research provide complementary insights.
From page 21...
... A major goal of the HIPAA Privacy Rule is to ensure that individuals' health information is properly protected while allowing the flow of information needed to promote high-quality health care. Recognizing that patients' health records also play an important role in health research, Congress wanted to ensure that the implementation of HIPAA would not impede health researchers' continued access to data from health records.
From page 22...
... A covered entity may also use or disclose PHI without an individual's authorization if the PHI is contained as part of a "limited dataset" from which specified direct identifiers have been removed, and the researcher enters into a data use agreement with the covered entity.
THE COMMITTEE'S CHARGE AND THE OVERARCHING GOALS OF THE RECOMMENDATIONS
The sponsors of this study asked the IOM to assess whether the HIPAA Privacy Rule implemented by HHS is impacting the conduct of health research, and requested that the IOM committee propose recommendations to facilitate the efficient and effective conduct of important health research while maintaining or strengthening the privacy protections of personally identifiable health information.
From page 23...
... Nevertheless, our recommendations are aimed at strengthening health research regulations and practices that effectively safeguard personally identifiable health information, while changing provisions of the HIPAA Privacy Rule or its interpretations that the committee found to be mostly formalistic or
15 Responsible health research is methodologically sound, is scientifically valid, protects the rights and interests of study subjects, and addresses a question or problem relevant to improving human health.
From page 24...
... Improve the Privacy and Data Security of Health Information
In the context of health research, the privacy goal is the commitment to handle personal information of patients and research participants in accordance with meaningful privacy protections. These protections should include strong security measures, disclosure of the purposes for which personally identifiable health information is used (transparency)
From page 25...
... Improve the Application of Privacy Protections for Health Research
The HIPAA Privacy Rule was written to provide consistent standards in the United States for the use and disclosure of PHI by covered entities, including the use and disclosure of such information for research purposes. In its current state, however, the HIPAA Privacy Rule is difficult to reconcile with other federal regulations, including HHS regulations for the protection of human subjects (the Common Rule)
From page 26...
... Improved clarity, harmonization, and uniform application of regulations governing health research are needed to align the interests and understandings of the research community, the custodians of PHI, and other stakeholders such as patients, so that implementation of the privacy protections in health research can be achieved with acceptability to all.
THE COMMITTEE'S RECOMMENDATIONS
The IOM Committee on Health Research and the Privacy of Health Information developed several recommendations with the intent of strengthening the privacy protections of personally identifiable health information and facilitating the efficient and effective conduct of beneficial health research.
From page 27...
... I Develop a New Approach to Protecting Privacy in All Health Research
Background
The primary justification for including research provisions in the HIPAA Privacy Rule was to remedy perceived shortcomings of federal privacy protections in health research under the Common Rule, but the HIPAA Privacy Rule has numerous limitations of its own.
From page 28...
... A. HHS should reduce variability in interpretations of the HIPAA Privacy Rule in health research by covered entities, IRBs, and Privacy Boards through revised and expanded guidance and harmonization.
From page 29...
... C. HHS should revise provisions of the HIPAA Privacy Rule that entail heavy burdens for covered entities and impede research without providing substantive improvements in patient privacy.
From page 30...
... As the volume and importance of digital personal health data increase exponentially, the public can be expected to heighten demands for a legal framework that provides meaningful safeguards to protect personally identifiable health information in the health research setting. Thus, the IOM committee recommends developing a new framework to both protect individuals' privacy and facilitate responsible and beneficial health research.
From page 31...
... • Include federal oversight and enforcement to ensure regulatory compliance.
Rationale
The committee concluded that the HIPAA Privacy Rule impedes important health research and does not protect privacy as well as it should.
From page 32...
... they implement penalties and allow for criminal sanctions against researchers who abuse their access to personally identifiable data. The committee believes that such an approach, combined with strong security measures, offers adequate privacy protections for personally identifiable health information in information-based health research, while greatly expanding research opportunities.
From page 33...
... First, all interventional research, regardless of funding source and support, should be required to comply with the Common Rule and all researchers who gain access to personally identifiable health information as part of the interventional research should be required to protect that information with strong security measures. Research participants should be allowed to provide consent for future research uses of data and biological materials collected as part of the interventional study as long as an IRB reviews and approves the future uses, ensuring that the new study is not incompatible with the original consent.
From page 34...
... In cases where researchers cannot use data with direct identifiers removed, and personally identifiable health information is needed for research, approval and oversight by an ethics oversight board should be required, partially analogous to what is now done under the HIPAA Privacy Rule and PHIPA. This oversight board could perhaps entail a new body specifically formulated to review medical records research, rather than relying on traditional IRBs that were created to review interventional research.
From page 35...
... The committee's proposal for a new approach to ensuring privacy in health research that is uniformly applicable to all health research in the United States is especially timely because Congress has shown considerable interest in producing new legislation to facilitate the implementation of a nationwide health information technology system. Such a system has been hailed as a means of addressing rising health care costs and improving the quality and efficiency of health care, but privacy concerns are emerging as a primary obstacle to the implementation of such a nationwide system.
From page 36...
... In addition, some IRBs and Privacy Boards may conflate the Common Rule and Privacy Rule, or apply the research provisions of the Privacy Rule to activities for which they are not applicable, such as public health practice or the operation of cancer registries. Furthermore, in the case of the HIPAA Privacy Rule, covered entities that disclose PHI are regulated, not the health researchers who receive the information.
From page 37...
... Current guidance from HHS addresses only what is permissible under the HIPAA Privacy Rule; the guidance does not identify best practices. A dynamic, ongoing process for the identification and dissemination of best practices in privacy protection for various types of health research by HHS
From page 38...
... Many academic researchers depend on their ability to procure funding from a source external to their institutions, and research sponsors have obligations to protect research participants. Thus, major nonfederal funders of health research could be a powerful force for adherence to ethical guidelines even in the absence of strong federal regulations and enforcement.
From page 39...
... The standard for deidentification as defined in the Common Rule is that the identity of the subject may not be readily ascertained by the health researcher (e.g., "anonymized" datasets with no direct identifiers included).21 Thus, health research using information recorded in such a manner that subjects cannot be readily identified is exempt from the Common Rule.22 Under the HIPAA Privacy Rule, there are two ways to deidentify health information so that it is exempt from the Privacy Rule.
From page 40...
... do not directly identify individuals, and are essential for some types of health research, such as epidemiology or studies of disease incidence. In 2002, in response to the concerns that had been raised, HHS modified the HIPAA Privacy Rule to create a category of partially deidentified data called the "limited dataset," in which health information that is stripped of the 16 most direct identifiers can be used and disclosed for research without obtaining individuals' authorization or an IRB/Privacy Board waiver if the covered entity enters into a data use agreement (DUA)
From page 41...
... These criteria should be evaluated regularly by HHS to ensure that the criteria are helpful and producing the desired outcomes.
Rationale
The HIPAA Privacy Rule makes a somewhat artificial distinction between health research and some closely related activities, such as public health and quality improvement activities, which also may involve collection and analysis of PHI.
From page 42...
... In addition, it will be important to evaluate whether these criteria are effective in aiding IRB/Privacy Board reviews of proposed protocols and whether they lead to appropriate IRB/Privacy Board decisions.
Recommendation II.A.4: HHS guidance documents should simplify the HIPAA Privacy Rule's provisions regarding the use of PHI in activities preparatory to research and harmonize those provisions with the Common Rule, in order to facilitate appropriate IRB and Privacy Board oversight of identification and recruitment of potential research participants.
From page 43...
... Thus, the HIPAA Privacy Rule permits conduct that is prohibited by the Common Rule. According to SACHRP, HHS statements regarding these provisions for activities preparatory to research have led to "enormous confusion," and many "institutions are hesitant to permit many recruitment activities critical to the continuation of the research enterprise, out of fear that they are in some way misinterpreting the government's current positions on research recruitment." In 2004 SACHRP indicated that it was "very concerned that the bureaucratic complexities here undermine, rather than enhance, the attention that needs to be paid to the welfare and interests of subjects in the research recruitment process." To address these issues, the committee recommends that all researchers (including those internal to the covered entity)
From page 44...
... Such interpretations of the HIPAA Privacy Rule create confusion and unnecessary burdens for patients and researchers alike and lead to lost opportunity by impeding important health research. Furthermore, because such interpretations are inconsistent with the Common Rule, they lead to inequities between covered entities and non-covered entities that hold databases and biospecimen banks.
From page 45...
... The Privacy Rule requires an individual's authorization for the use or disclosure of protected information to describe, with specificity, the purpose of the proposed use or disclosure of such information.28 HHS regards all future uses of PHI as nonspecific -- and therefore ineligible for inclusion in an authorization for the collection and storage of biological materials and data. In contrast, the Common Rule makes it possible to obtain individuals' consent to future use or disclosure of their health information for health research, with IRB oversight, as long as any intended future use is described in sufficient detail to allow informed consent.
From page 46...
... First, it is generally not permissible to condition treatment on an individual's authorization for the use of PHI, although the HIPAA Privacy Rule does permit a covered entity to condition treatment in a clinical trial on sign
From page 47...
... Rationale
With recent technological advances in biomedical research, it is now possible to learn a great deal about disease processes and individual variations in treatment effectiveness or susceptibility to disease from genetic analyses because the DNA sequences that make up a person's genome strongly influence a person's health. In this genomic age of health research, patient blood and tissue samples stored in biospecimen banks can provide a
30 45 C.F.R.
From page 48...
... The committee advocates a focus on strong security measures and recommends the adoption of strict prohibitions on the unauthorized reidentification of individuals from DNA sequences, by anyone. Regardless of how genetic information is regulated under the HIPAA Privacy Rule, a federal prohibition of genetic discrimination is necessary to allay privacy concerns and diminish potential negative consequences of unintended disclosure of genetic information.
From page 49...
... However, the way in which the HIPAA Privacy Rule has been interpreted and implemented has made linking data from diverse sources for research purposes more difficult. Thus, the Privacy Rule impedes health research and compromises the value and reliability of research that is undertaken.
From page 50...
... Recommendation II.C. HHS should revise provisions of the HIPAA Privacy Rule that entail heavy burdens for covered entities and impede
35 National Health Data Stewardship, Request for Information, 72 Fed.
From page 51...
... • The HIPAA Privacy Rule should permit covered entities to inform patients in advance that PHI might be used for health research with IRB/Privacy Board oversight or for public health purposes. Accordingly, the Privacy Rule should be revised to exempt disclosures of PHI made for research and public health purposes from the Privacy Rule's accounting of disclosures requirements.
From page 52...
... Until then, the committee recommends that disclosures of PHI made for health research
37 American Health Information Management Association, 2006, The State of HIPAA Privacy and Security Compliance, http://www.ahima.org/emerging_issues/2006StateofHIPAACompliance.pdf (accessed April 20, 2008)
From page 53...
... Rationale
Under the HIPAA Privacy Rule, researchers seeking to use PHI in medical records for research must obtain authorization from each patient unless an IRB or a Privacy Board makes a determination that a waiver of individual authorization is warranted. For many types of research with medical records, making that determination is a challenge for IRBs and Privacy Boards.
From page 54...
... With better guidance, all covered entities would have more confidence in their decisions and might be more willing to rely on a lead IRB or Privacy Board's decision in the case of multi-institutional studies. If HHS decides to retain the three criteria that IRBs or Privacy Boards currently use in deciding whether to approve a waiver of individual authorization, however, the committee recommends that HHS provide clear and reasonable definitions of the vague terms used in those criteria.
From page 55...
... Recommendation III.A: All institutions (both covered entities and non-covered entities) in the health research community that are involved in the collection, use, and disclosure of personally identifiable health information should take strong measures to safeguard the security of health data.
From page 56...
... The committee recommends that all institutions conducting health research undertake measures to strengthen data protections. Given the recent spate of lost or stolen laptops containing patient health information, for example, encryption should be required for all laptops and removable media containing such data.
From page 57...
... The limitation on liability for members of IRBs and Privacy Boards should not include protection for willful and wanton misconduct in reviewing the research, but should instead be reserved for good-faith decisions, backed by minutes or other evidence, in responsibly applying the legal requirements under the HIPAA Privacy Rule or the Common Rule.
Rationale
IRBs, Privacy Boards, and institutions have enormous responsibility in determining whether health research projects are planned and conducted in a way that minimizes or eliminates the potential risk to human research participants, including both direct physical harms and nonphysical harms (e.g., breach of privacy)
From page 58...
... A similar provision was incorporated into the Ontario Personal Health Information Protection Act of 2004, under which members of ethical boards are immune for acts done and omissions made in good faith that are reasonable under the circumstances. In addition to reducing overinterpretation of the HIPAA Privacy Rule in health research, such protections might also facilitate multi-institutional research by reducing the variability among local IRBs and Privacy Boards, as they should be more willing to accept the decision of a lead IRB or Privacy Board.
From page 59...
... The committee's two recommendations below address the public's desire for more information about health research and are important components in fulfilling two of the committee's overarching goals of the report: (1) improving the privacy and data security of health information, and (2)
From page 60...
... Thus, the committee recommends that when patients grant authorization for their medical records to be used in a particular study, health researchers should make greater efforts at the conclusion of the study to inform study participants about the results, and the relevance and importance of those results. Broader adoption of electronic medical records may be helpful in accomplishing this goal, but multiple impediments, beyond cost and technology, may prevent delivery of meaningful feedback to participants.
From page 61...
... But educating patients about how health research is conducted, monitored, and reported could also help to increase patients' trust in the research community, which is important for the public's continued participation under both the HIPAA Privacy Rule and the committee's new framework. In addition, an educated public could also decrease the potential for biased research samples.
From page 62...
... Thus, HHS and the health research community should work to educate the public about how research is done, and what value it provides. All stakeholders, including professional organizations, nonprofit funders, and patient organizations, have different interests and responsibilities to make sure their constituencies are well informed, but coordination and identification of best practices by HHS would be helpful.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.