CMS proposes changes to privacy rules, but critics say more still are needed

Identifiers remain an issue for researchers

The federal government wants to add some flexibility to privacy regulations, including eliminating the need for researchers to use multiple consent forms. But even with these changes, the privacy regulation may have a chilling effect on research, some industry experts say.

This spring, the Department for Health and Human Services (HHS) proposed various changes to the Standards for Privacy of Individually Identifiable Health Information, which is part of the Health Insurance Portability and Accountability Act (HIPAA) that covers health plans, health care providers, and health care clearinghouses. The privacy rule, effective April 14, 2001, will require most covered entities to comply by April 14, 2003.

Among the modifications proposed to the privacy rule is a change to the uses and disclosures for research purposes. HHS proposes to require researchers to use only one combined informed consent/privacy form for research purposes, rather than to add an additional consent form related to information privacy rights. HHS also proposes to simplify other provisions to make the privacy rule more closely follow the requirements of the common rule governing federally funded research.

"I think they’ve certainly made a step in the right direction, with the acknowledgement that one can combine HIPAA privacy with authorization," says Lisa Murtha, JD, chief audit and compliance officer at The Children’s Hospital of Philadelphia. "The less paperwork required for subjects to sign, the easier it is to recruit them," she adds.

However, IRBs and researchers still have some concerns about the privacy rule’s identifier requirements, which still could have a chilling effect on certain types of research even under the proposed changes, Murtha notes. "Sometimes, the identifiers are the very things you need in order to do the research you want to do," she says. "So you can’t do anything short of getting full authorization from the patient, and that may be absolutely fine, but it may also be an additional task people have to go through to do their job in the research area."

A separate and more reasonable standard is needed for the de-identification of protected health information for research purposes, wrote Jordan J. Cohen, MD, of the Association of American Medical Colleges (AAMC) of Washington, DC, in an April 11, 2002, letter to HHS that comments on the proposed modifications.

"The single most important thing is the identification," says Jennifer Kulynych, JD, PhD, director of the division of Biomedical and Health Sciences Research at AAMC. "HHS discussed a proposal for a limited data set that is somewhat similar to what we had suggested in our comment letter on the final rule," Kulynych says. "It would remove direct identifiers rather than the entire list of identifiers." 

Under this suggestion the researcher would agree to use the information solely for research purposes and the information could be released to research without authorization or waiver, Kulynych explains. "HHS discussed that and asked for more comments, but they do not propose it yet, and we think that’s critically important," Kulynych adds.

In a March 21, 2002, memorandum, HHS notes that the department is aware of the research community’s concerns about the rule’s approach to de-identification, but that it believes that identifiable information should have strong protections.

"My own bias is that it’s rare for an investigator to say they don’t need an identifier," says Robert M. Nelson, MD, PhD, associate professor of anesthesia and pediatrics at The Children’s Hospital of Philadelphia. "At the very least, if you’re looking at medical records you need to be able to go back and look at missing data points," Nelson says. "So by definition, it is therefore linked."

The HHS memorandum states, "Therefore, HHS is seeking comments on establishing a limited data set that does not include directly identifiable information, but in which certain identifiers remain. In addition, to further protect privacy, the department proposes to condition the disclosure of the limited data set on a covered entity’s obtaining from the recipient a data use or similar agreement, in which the recipient would agree to limit the use of the data set for the purposes for which it was given, as well as not to re-identify the information or use it to contact any individual," HHS wrote.

It’s that kind of language that makes it difficult for IRBs and research institutions to decide how to prepare for the implementation of the privacy rule, Nelson suggests. "One of the challenges in this whole area is taking the arcane language of HIPAA and translating it into a language where researchers will have a clue of what you’re talking about," Nelson says. "I tell attorneys to tell me what it really says, but at this point it’s in a state of flux," Nelson adds.

The AAMC, in the April letter, offers several suggestions for how the privacy rule could be improved and still protect patients. Here are a few of the association’s ideas:

Clarify the requirement regarding authorizations to obtain permission for disclosure of private health information to a database maintained for research purposes. HHS now asks that researchers disclose on the authorization form the potential for information to be disclosed by those who have access to the information. "The AAMC requests that this criterion be modified as it is not possible for a covered entity even to estimate the risks of disclosure in any particular instance because these risks will be largely unknown to the entity and often outside its control," Cohen wrote.

Develop a separate, more reasonable standard for the de-identification of protected health information for research purposes. "Covered entities should be permitted to release information that has been de-identified under this research standard if the recipient researcher agrees in writing not to attempt to re-identify or contact the subjects of the information, and not to further disclose the information except as required by law," Cohen wrote.

Revisit the requirement that health systems provide a specific accounting for all research disclosures made before a waiver of authorization, which will impose an administrative burden upon providers. "We fear in particular that community providers and hospitals that do not view research as their primary mission will be reluctant to assume this burden and thus unwilling to make patient records available to researchers," the letter says. "This unfortunate result would impede or even prevent much valuable epidemiological and health services research to the great detriment of patients whose care is enhanced by new medical knowledge."

Permit covered entities to disclose public health information to sponsor-initiated registries, provided these are created for quality and safety purposes. The regulations do not permit covered entities to make the same disclosures to registries run by academic investigators and institutions or other nonprofit organizations, even when these are operated under IRB supervision and do not disclose direct patient identifiers to researchers accessing the data, the letter states. "These registries are vitally important to researchers who study epidemiological patterns of disease or track the success of health interventions across broadly dispersed populations," the letter says.