Privacy requirements give researchers fits

Confusion in research circles over privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA) is evident in a flap at the Johns Hopkins Medical School in Baltimore, which sent a letter to the Department of Health and Human Services (HHS) asking whether it could request patients’ permission to use their medical records for research.

The Baltimore Sun reported that the university was seeking a waiver to the privacy rule for its research, even though the rule does not require researchers to inform patients whose personal health information they are looking at, as long as an institutional review board backs the research.

Two days later, the newspaper backed away from its story, saying the medical school was not asking patients to yield any privacy protections.

Officials of the medical school say they contacted HHS because they wanted to ask patients up front for their permission to view their medical information.

They said they decided to approach the government agency in response to a growing number of complaints from patients who had been called by researchers and asked to participate in a study.

The school’s leadership thought that in light of the increased patient sensitivity to privacy concerns, it would be better to ask them for authorization up front.

Observers of the confusion say Hopkins is to be commended for trying to find the best way to manage the situation, and note that the rule has a lot of ambiguities and institutional review boards may be taking an overly cautious approach.