Citizens value the confidentiality of their personal health information, and epidemiologists regard the protection of that confidentiality as a central ethical principle. However, access to that information for the purposes of health research can also serve the public good. When legislation and regulations try to ensure personal privacy by limiting data access, we face a societal issue with competing values.
As early as 1977, Leon Gordis and his colleagues expressed concern about recommendations following the U.S. Privacy Act of 1974, which they saw as “a major threat to epidemiologic and other medical research.”1 More recently, fears of the invasion of privacy have produced restrictive legislation in European countries2 and fueled debate in the United States.3,4 In the United States, these concerns have focused on the Health Insurance Portability and Accountability Act of 1996, which has become widely known as HIPAA. Just a few months ago, new regulations stemming from the HIPAA legislation went into effect regarding access to health data.
These regulations have been widely discussed over the past several years. In 2000, the American College of Epidemiology (ACE) issued a policy statement5 seeking to strike a balance between the needs for data access and confidentiality. ACE’s recommendations closely paralleled those of the American Association of Medical Colleges (AAMC) and other national organizations.6 Some of the recommended principles, although not all, have found their way into current regulations.
A BRIEF HISTORY OF HIPAA
HIPAA was originally conceived during the Clinton administration as much broader legislation that required administrative simplification provisions for the “portability” of electronic transactions by health insurers and “clearinghouses.” Part of the legislation directed Congress to pass health privacy legislation within 3 years and, anticipating difficulties in that task, subsequently instructed the Department of Health and Human Services (DHHS) to draft regulations on the privacy of health information. The final Privacy Rule was issued by DHHS in August 2002 following public comment during both the Clinton and Bush administrations. The compliance date for most entities covered by the legislation was April 14, 2003.7
HIPAA regulations were not meant to have an effect on health research.8 In fact, only a few sections of the regulation deal directly with research, and the intention of these was to strike an appropriate balance between privacy and data access. However, like the Privacy Act of 1974, the HIPAA provisions have been seen by many as “a threat to epidemiologic and other medical research.”9
WHAT DOES HIPAA REQUIRE?
Investigators who use medical records with individually identifiable information have to follow new procedures that, while complex in their details, can be stated briefly:
* Written authorization is required from an individual before personal health information can be used or disclosed for research purposes unless such authorization has been waived or exempted.
* Authorization waivers can be granted by Institutional Review Boards (IRBs) or Privacy Boards (a new entity created by HIPAA) under certain specific circumstances.
* Access to the health information of persons who have since died does not require authorization, although the researcher must show that the personal health information will be used only for research and that the research could not otherwise be conducted.
* Accounting and reporting of disclosures are required.
* Only the “minimum necessary” information can be disclosed.
* Penalties are imposed on covered entities for improper disclosure of private information.
HIPAA adds to the so-called Common Rule, which was established in 1974 and revised in 1991 to govern the conduct of Federally funded human subjects research. The Common Rule requires review by IRBs and informed consent from participants under a system of institutional assurances to protect human subjects.10 The HIPAA Privacy Rule introduces new aspects: 1) it applies to all research, not just Federally funded research; 2) it requires specific authorization in addition to informed consent; 3) it requires that authorization be limited to a specific use; and 4) it defines specific identifiers that comprise personal health information.
ARE THERE EXCEPTIONS?
Fortunately, HIPAA allows the disclosure of personal health data for research purposes without individual authorization under certain conditions. These exemptions were not all included in earlier versions of the Privacy Rule, and the final version includes the following welcome amendments. Authorization is not required for any of the following situations:
1. Personal health information is “de-identified” by the removal of 18 specified personal identifiers, including name, address, and social security number.
2. Health information is disclosed as part of a “limited” dataset created when 16 specific identifiers are excluded and the researcher signs a Data Use Agreement.
3. An IRB or Privacy Board waives the need for authorization using new criteria that differ from the criteria for a waiver of informed consent under the Common Rule.
4. The personal health data are used solely to prepare a protocol (not for the research itself), and are not removed from the covered entity, and are deemed necessary for the research.
5. The research is based on information about people who have died.
6. The research was “grandfathered” during the transition to the new Rule. This is “legal permission,” meaning that consent or IRB-approved waiver of consent was obtained before the compliance date of April 14, 2003.
7. Disclosure is required by law or for public health activities.
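The first two exceptions above rest on removing identifiers from a record before it leaves the covered entity. The following added example, written for this page and not taken from the article or from any official HIPAA guidance, shows the mechanics of a deny-list de-identification pass: identifier fields are dropped and dates are reduced to the year. The field names, the sample record and the set of identifier fields (beyond name, address and social security number, which the article mentions) are constructed assumptions; the full list of 18 identifiers is not reproduced here.

```python
"""Illustrative de-identification of a patient record (example code).

Assumption: IDENTIFIER_FIELDS is a constructed subset of the identifiers
a real Safe Harbor process would remove; it is not the full list of 18.
"""
from datetime import date

# Constructed subset of direct identifier fields. The article names
# name, address and SSN; the remaining entries are assumptions.
IDENTIFIER_FIELDS = frozenset({
    "name", "address", "ssn", "phone", "email", "mrn",
})

# Fields carrying dates; only the year survives de-identification
# (an assumption chosen for this example).
DATE_FIELDS = frozenset({"date_of_birth", "admission_date"})


def deidentify(record):
    """Return a copy of `record` with identifiers removed and dates
    generalized to the year. The original record is not modified."""
    out = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue  # drop the direct identifier entirely
        if key in DATE_FIELDS and isinstance(value, date):
            out[key + "_year"] = value.year  # keep year only
            continue
        out[key] = value  # clinical / non-identifying field passes through
    return out


def remaining_identifiers(record):
    """List identifier or full-date fields still present (empty means
    the record passed the check). Useful as a guard before release."""
    return sorted(k for k in record
                  if k in IDENTIFIER_FIELDS or k in DATE_FIELDS)


# Constructed, fictional sample record.
SAMPLE = {
    "name": "Jane Doe",
    "address": "1 Example St",
    "ssn": "000-00-0000",
    "date_of_birth": date(1960, 5, 2),
    "admission_date": date(2003, 4, 14),
    "diagnosis_code": "I10",
    "lab_glucose_mg_dl": 98,
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE)
    print(clean)
    print("leftover identifiers:", remaining_identifiers(clean))
```

A deny-list like this is only as good as the list; a release pipeline usually pairs it with an allow-list of the fields the protocol actually needs (the “minimum necessary” principle) and with the `remaining_identifiers` style check run before any data leaves the covered entity.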
Details about these exceptions and other aspects of HIPAA’s provisions have been published.7,11,12
HOW SERIOUS IS THE PROBLEM?
The new procedures required by HIPAA have generated a lot of concern. An entire new industry has sprung up to advise hospitals, universities, and other entities that deal with medical information.11 Among epidemiologists, there is confusion and consternation over how these new regulations will affect our work. Will our access to health data be severely hindered or blocked altogether? Will potential research subjects be more reluctant (or even unable) to participate in research, leading to unacceptable selection bias?
One thing seems to be clear—it is taking more time to get approvals and to implement new procedures. Early anecdotes suggest that IRBs are being conservative in their interpretation of HIPAA, erring on the side of ensuring privacy even if at the expense of research. To complicate matters, HIPAA does not preempt state regulations so there is no national standard. Investigators doing studies in more than one state might have to deal with different regulations. Things are made even worse by the lack of authoritative guidance from the DHHS or the Office of Civil Rights (which enforces HIPAA) on the many complex transactions involved in research activities.
How much of the concern over HIPAA is a direct result of the regulation, and how much is the result of confusion associated with the implementation and interpretation of new procedures? We do not yet know. Some of the early problems could well be the result of an overreaction on the part of IRBs and their institutions, which face stiff penalties for any violation of these new and complex regulations.11 With time, much of the current confusion undoubtedly will abate. However, there could still be long-term detrimental consequences of the regulation that impede conduct of epidemiologic research in the United States. For example, the costs associated with HIPAA compliance could lead some holders of personal health data (e.g., hospitals) to refuse to provide access to records.
Unfortunately, we do not have much data so far on the impact of HIPAA on epidemiologic research. Now, 7 months after the regulation took effect, most information is still anecdotal. Investigators and institutions are dealing primarily with their local experience and seeking their own local solutions.
WHAT CAN WE DO?
Keep in mind that HIPAA was not intended to interfere with public health and medical research. One positive step epidemiologists can take is to read and understand the new privacy regulations. A well-informed researcher can contribute to the deliberations of IRBs and help steer away from overly cautious interpretations before they become the standard practice of a specific IRB.
However, what if there are genuinely deleterious effects? We might need to press for changes in the regulation. In fact, there are already mechanisms in place to modify the rule annually. Some have argued that HIPAA needs to be replaced by new legislation.13 Whatever changes are needed, they must begin with documented examples of genuinely adverse impacts on research and public health. Generalities and speculation will carry little weight with policymakers or the public.
The AAMC (with the support of numerous other professional organizations) has begun to collect such data. The AAMC “HIPAA Impact Survey” is currently collecting examples of ways in which HIPAA has interfered with the conduct of research.14 Individuals and organizations can submit reports electronically. Thus far, most responses have focused on problems with contacting and screening potential participants; the process of consent and authorization (including IRB review); and the general burden of time, cost, and diversion from primary research associated with the new procedures. Many respondents report patient confusion when confronted with new paperwork. In a paradoxical way, the effort to protect the privacy of medical records could actually intrude on the traditionally private relationship between doctor and patient, or between investigator and research participant.
We should support the data collection effort by the AAMC. It is a systematic and constructive effort to document the HIPAA-related problems for research that will be essential to future decision-making. It will help show the costs and burden of compliance, and it could uncover new issues that were not considered in the formulation of the current Rule. Most important, the data collection will help show whether the additional level of privacy achieved by HIPAA is worth the impact it could have on the production of epidemiologic and other medical research. Results of this survey will be made available to the DHHS as they develop formal guidance for compliance with HIPAA.
The balance between personal privacy and data access for research is going to be an ongoing tension for modern societies. The ethical guidelines we follow include the protection of privacy, the provision of benefit from our research, and maintenance of the public trust.15,16 As epidemiologists, we need to attend to the relevance and application of our work to the public health and then communicate that benefit. In the face of rising concerns over personal privacy, there is only one sure guarantee of public support for epidemiologic research, and that is a public that understands the importance of such research for their health.
ABOUT THE AUTHOR
Bob Hiatt is deputy director of the Comprehensive Cancer Center at the University of California San Francisco, and a professor of epidemiology and biostatistics. He has served as chair of the Policy Committee of the American College of Epidemiology, and oversaw the development of the ACE statement on principles for health data access and confidentiality.