IOM panel finds HIPAA, health research a bad fit
Recommends sweeping changes to handling privacy
An Institute of Medicine committee has proposed a bold solution to the vexing problem of trying to conduct healthcare research under the Health Insurance Portability and Accountability Act's Privacy Rule.
Don't do it.
The committee of ethicists, researchers and privacy experts recommends taking healthcare research out from under HIPAA entirely, and instead creating a new approach to privacy protection that would apply to all health research.
"The committee's conclusion is that the HIPAA Privacy Rule does not protect privacy as well as it should, and that, as currently implemented, the HIPAA Privacy Rule impedes important health research," states the report, which was published earlier this year.
It outlines shortcomings of HIPAA: It doesn't apply uniformly to all health research; it overstates the role of informed consent in protecting privacy, rather than actual privacy protections; it conflicts with other regulations governing research; and it creates obstacles that can leave studies with biased samples and invalid results.
Sharyl Nass, PhD, study director for the IOM HIPAA project, says the IOM Committee on Health Research and the Privacy of Health Information didn't come to its sweeping recommendation lightly. A change of this magnitude would require congressional action, and because that might not be feasible, the committee also made a number of suggestions for continuing to work with HIPAA while improving guidance and clarifying provisions of the Privacy Rule.
"We did what we could to try to tweak the current system, realizing that that's the most likely thing to happen," Nass says. "But the committee thought it was very important to make the point that the way we're doing this is just not good."
Wendy Visscher, PhD, director of the Office of Research Protection at RTI International in Research Triangle Park, NC, was a member of the IOM committee. She says other countries have much stronger privacy protections than the United States, and hopes to see a similarly strong law here eventually.
"We knew that it was ambitious and would be very hard to implement because you had to get Congress involved and excited about it," Visscher says. "But we still think that eventually, that's what needs to happen. We felt like in good conscience, we couldn't leave it out of the (report)."
Applying to all research
The committee held hearings in 2007 and 2008, inviting researchers, privacy experts and others to comment on HIPAA and its effect on health research. It commissioned studies that showed researchers were being stymied by HIPAA's privacy provisions and that IRBs were implementing the Privacy Rule in widely varied ways.
Visscher says one serious flaw with HIPAA is that it doesn't apply to all healthcare research.
"HIPAA only applies to covered entities, so if you're an independent research organization like RTI, we don't fall under the HIPAA Privacy Rule," she says. "If you're doing privately funded research, you're not going to fall under the Privacy Rule."
In its recommendations, the committee called for all health research to be subject to a new system of privacy protections, regardless of funding or type of entity. HIPAA's privacy provisions still would apply to health records kept by providers, insurance companies and clearinghouses, Visscher says. But if a researcher was to do a health study using protected health information (PHI), the research use of that data wouldn't fall under HIPAA but would be regulated by the new privacy approach.
That approach would make a distinction between two types of research, Visscher says: interventional research, involving interactions between researchers and subjects; and informational research, involving the use of existing health data or biospecimens.
In dealing with interventional research, Visscher says, studies would be reviewed under the Common Rule, with IRBs looking at privacy as one of many issues raised.
"It's the rule that IRBs are used to in the first place," she says. "We would assess risks and benefits, we would look at the privacy implications, we would see how people are protecting the confidentiality of the data – all the things we always do when we review a research study."
Informational research, on the other hand, raises many more complicated issues of data security and privacy protection that IRBs aren't well equipped to handle, Visscher says.
"We proposed a new oversight system for that type of research," she says. "This system would be very focused on how the data are protected, what computer systems are in place for protecting the data, how are you de-identifying data, how are you making sure that people don't attempt to re-identify people, what are your procedures for sharing data or linking data.
"And we felt like this new oversight would probably require a totally new review board that would be composed of people who have expertise in data security issues," Visscher says.
Under this system, organizations could be certified by the U.S. Department of Health and Human Services or another body to collect and analyze personally identifiable health information for clearly defined purposes, potentially from multiple sources, without individual consent.
"These organizations would show they have procedures in place to protect data and have a privacy officer and use state-of-the-art security techniques for encryption and sending data securely," Visscher says.
Large academic institutions could serve as these certified organizations, or an outside entity such as a private business could be created for that purpose, Visscher and Nass say.
Plan B – improved guidance
If Congress and HHS do not follow the IOM committee's main recommendation and continue to require that health research be conducted under the Privacy Rule, the committee included a wish list of guidance and other improvements it would like to see to help IRBs and researchers better cope with HIPAA requirements. Most would require HHS action:
— increasing knowledge about best practices in privacy protection using protected health information, showing how institutions are facilitating research while still protecting privacy.
"There should be a set of case examples that (IRBs) can look to for advice as to what decisions are really acceptable and even ought to be made under the HIPAA Privacy Rule," Nass says. "It would give them more confidence in feeling that they're doing the right thing."
— developing guidance clarifying how people can grant authorization for future use of their health data or biospecimens. The guidance would clear up concerns about whether a separate consent form is needed when a person enrolls in a trial and authorizes future uses of data or specimens.
"And what does 'future use' mean?" Visscher says. "Could it be a totally unspecified use as long as there's an IRB or privacy board reviewing it, or does it have to be related to what the original study was about? There are lots of issues related to that that the committee thought there needed to be more guidance on, to help IRBs decide whether the consent form was adequate."
— creating guidance detailing under what circumstances a person's DNA should be considered protected health information.
"You think about DNA as being the most identifiable thing there is," Visscher says. "But if you have just a DNA sequence and you don't have any direct identifiers, unless you can link that sequence to another database that does have direct identifiers, well, then is it really identifiable?"
— reforming requirements for accounting for disclosures of PHI. "The committee thought the accounting of disclosures provision in HIPAA was very cumbersome and really almost impossible for covered entities to do correctly. And so they thought you should take research out from under that."
Asked about the IOM report, a spokesman for HHS's Office of Civil Rights, which enforces HIPAA, says the recommendations are being given "careful consideration…together with the viewpoints of other advisory bodies and stakeholders, as we move forward to ensure strong data protections without impeding quality research."
The statement from OCR also notes that work is under way on a trans-HHS Harmonization of Ethical and Legal Policies Related to Use of Human Specimens and Data in Research (HELPS). The HELPS project brings together agencies including OHRP, FDA, CDC and the NIH in an effort to create consistent policies on the research use of biospecimens and data.
Nass notes that the HELPS project, along with the HIPAA provisions in the recently passed stimulus bill, provides opportunities for addressing some of the recommendations in the IOM report.
"It actually is an opportunity to tweak HIPAA," she says. "It doesn't give us the opportunity for the broad new framework that we propose, but at least some changes could potentially be made in the rule at this point."
[Editor's note: To see the report "Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research", by the IOM Committee on Health Research and the Privacy of Health Information, visit the institute's Web site at www.iom.edu and click on the "Reports" tab.]