What Price Privacy? Is the HIPAA Law Stifling Dementia Research?
Are you a dementia epidemiologist trying to access patient records so you can puzzle out disease associations? Are you a clinical investigator trying to recruit patients to a trial? Are you a professional dementia care provider trying desperately to spend your time with the patient rather than on onerous paperwork? Or are you an AD caregiver incensed about the slow progress of research into your loved one's disease? You all may share a sense of frustration that a well-intentioned law has instead become a hindrance to what should be everyone's overarching goal: Understanding and treating Alzheimer's disease better, faster.
Margaret Doris approached the topic of HIPAA, patients' rights, and research from multiple perspectives: as a patient advocate, as a scholar of bioethics, and as a journalist. Read her highly informative introduction to the history of the Health Insurance Portability and Accountability Act (HIPAA) and to how it affects epidemiological and clinical research.
About the Author: Margaret Doris is a journalist and a doctoral candidate in bioethics at Boston University's School of Theology where her particular area of interest is the protection of human participants in research. She sits on the IRB at one of Harvard University's teaching hospitals, and has served as a consultant to various academic institutions, patient advocacy organizations and municipalities on issues of informed consent, survey research, and participant protection in research.
Margaret Doris led this live discussion on 24 April 2005.
By Margaret Doris
The privacy provisions of HIPAA went into effect April 14, 2003. As part of these provisions, the act outlines rules for the conduct of epidemiology and health services research, the treatment of research participants, and how medical records can be given to third parties. It carries stiff penalties for violations.
The HIPAA privacy provisions, known as the Privacy Rule, claim "to strike a balance by minimizing the privacy risks of research participants, while not impeding the conduct of vital national and international research." To the extent that some researchers joke that HIPAA stands for the Huge Increase in Paperwork and Aggravation Act, it may have succeeded. But other researchers insist that HIPAA is more than "one more form," which is how it appears to most patients. They argue that the avalanche of forms, coupled with a lack of specific direction from the U.S. Department of Health and Human Services (HHS) about how to interpret this provision and the resulting variability in approaches by research institutions, is having a devastating effect on research. Writing in the February 2005 issue of the Annals of Epidemiology, Roberta B. Ness, who chairs the Department of Epidemiology at the University of Pittsburgh Medical Center in Pennsylvania, describes the before-and-after effect of HIPAA's rules governing medical research as it applied to patient recruitment in a single-institution, prospective study to determine the cause of preeclampsia. "To put out the rules without guidance has resulted in a lack of clarity" that severely disrupts research, she maintains.
Since HIPAA went into effect, researchers have reported negative effects on patient recruitment, database access, access to individual medical records, and data acquisition. They complain that some of the criteria are so subjective that Institutional Review Boards and Privacy Boards may make inconsistent determinations about the same research projects.
The need to correctly interpret and comply with HIPAA regulations has created a vast industry of consultants and technical advisors who profit from the fears of physicians, medical institutions, other medically related companies, and healthcare insurers, according to Deeb Salem, chairman of medicine at Tufts University School of Medicine in Boston.
"A Google search on the term 'HIPAA' produces more than 1.3 million 'hits,' many of which are links to consultants," Salem noted in a recent Medscape commentary.
Consultants, however well paid, aren't enough to allay fears about how the rules will be interpreted by the courts, leading many institutions and healthcare providers to err on the side of caution. Citing perceived HIPAA restrictions, the University of California San Francisco Medical Center in December 2002 began restricting access for data collection, threatening its 16-year-long rapid cancer case reporting relationship with the California State Cancer Registry. It took the state Department of Human Services nearly two years to hammer out an agreement whereby the University of California would no longer block timely access to data on newly diagnosed cancer cases.
Congress passed HIPAA in 1996 in the wake of the Clinton administration's failure to pass a sweeping reform of the health care system. The intent was to standardize and streamline the health care system, to protect patients' electronic privacy, and to make sure job switchers would be able to get health insurance despite preexisting conditions. It allows patients to inspect and correct medical records, and it levies fines against medical providers if they disclose information without permission.
HIPAA's Privacy Rule specifically regulates the way certain health care groups, organizations, and businesses handle individually identifiable health information. This information, referred to as protected health information (PHI), covers any information about an individual's past, present, or future physical or mental health or condition; health care; or payment for health care that is in the possession of a person or entity subject to the HIPAA privacy regulations.
The bill stipulated that if Congress did not adopt specific privacy standards within three years, authority to set those standards would pass to the White House. Congress defaulted, and the Clinton administration issued privacy regulations in December 2000, its final month in office. Those rules required patients' written consent before any information, no matter how routine, could be disclosed to any health care provider. The regulations also clamped down on marketing by drug companies and other industry groups.
In April 2001, the Bush administration announced it would revise the Privacy Rule. Where HIPAA had required a patient's written permission to release confidential information for "routine purposes," such as treatment and payment, the Bush administration made consent optional, requiring that patients simply sign a basic "notice of privacy practices provided by their health care provider." Under the Bush regulations, marketing also was redefined. Doctors, health plans and pharmacies are now permitted to team up with a drug company to send mailings to patients without identifying the source of the funding or giving consumers the option of blocking future solicitations.
HIPAA is not the last word, either. Prior to it, the Federal Policy for Protection of Human Research Subjects (the "Common Rule") was the only major regulatory framework. An HHS advisory committee has proposed modifications to HIPAA that would better coordinate the rule's requirements with those of the Common Rule, but these modifications must be formally adopted by the new Secretary for Health and Human Services, Mike Leavitt.
Given that HIPAA regulations concerning human subject research are difficult to interpret and might soon change again, this discussion aims to help us all sort out what considerations investigators conducting dementia research with human participants should take into account. Is there a way to comply with HIPAA, anticipate likely changes to it, and protect the rights of research participants all at the same time? Here are suggested issues we could consider:
- Record searches and patient recruitment in dementia studies reach far beyond the confines of a clinic or hospital setting to include nursing homes, respite programs, and social service organizations. To one extent or another, these institutions all must comply with HIPAA to cooperate in research. What needs to be done to ensure they become compliant, and do so at minimal cost to the research project and the cooperating institutions?
- HIPAA requires standard and consistent practices and policies for handling data during collection, analysis and storage. Researchers need to develop more careful data-transfer policies and to adopt more sophisticated data de-identification processes. How can that be done without unduly burdening smaller recruitment sites, such as nursing homes, that are still using paper records?
- Should we explore blanket opt-in consent for record searches, perhaps at the time of diagnosis or hospitalization?
- If a potential research participant is identified through a HIPAA-compliant records search, how should that subject be contacted?
- What if a potential participant is identified and contacted, but does not remember the diagnosis, fully understand it, or has not been told by the family and gets upset as a result?
- Under certain circumstances, telephone consent is acceptable under HIPAA. Is this appropriate with demented individuals?
- Should people with AD and other neurodegenerative illnesses be treated as a vulnerable research class, much like the mentally retarded, and offered special protections?
- No consensus currently exists regarding acceptable degrees of risk for persons who are cognitively impaired. Should consensus be sought, who should seek it, and how should it be articulated?
- The right to self-determination must be respected in principle but a dementia patient's capacity to make decisions declines with disease progression. Should ongoing assessment be made of the person's ability to give consent? How, and at what point in the course of the disease, should consent surrogates be identified?
- Do policies for consenting and recruiting patients with dementing diseases need to be more clearly articulated and harmonized between research institutions, advocacy organizations, and industry?
- HIPAA does not adequately address genetic privacy, nor does any federal law. Genetic research affects not only the subject at hand, but also their living relatives and their descendants. What sorts of privacy guidelines should apply?
- HIPAA restrictions make it more likely that researchers will draw research subjects from their own patient pool. Will this practice diminish the power and depth of such studies? How should conflict of interest in patient care versus research be addressed?
- Amendments by the Bush administration to HIPAA weakened the firewall between drug companies and individual physicians. Does that threaten the integrity of research?