Commentary

Reforming the HIPAA Privacy Rule: Safeguarding Privacy and Promoting Research

Lawrence O. Gostin, JD; Sharyl Nass, PhD

Author Affiliations: O'Neill Institute for National and Global Health Law, Georgetown University Law Center (Mr Gostin), and Institute of Medicine (Dr Nass), Washington, DC.

JAMA. 2009;301(13):1373-1375. doi:10.1001/jama.2009.424

President Obama envisions a national electronic medical records system as a high priority for national health care reform, and Congress recently authorized $20 billion for this technology in the stimulus package.1 Health information technology (IT) could improve the quality and efficiency of health care and lower administrative costs.2 It could also facilitate health research and thus speed the pace of medical advancements. Invasions of privacy and security breaches, however, pose major obstacles to the implementation of health IT.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule sought to safeguard the privacy and security of health records.3 Recently, the Institute of Medicine (IOM) concluded that the Privacy Rule does not adequately safeguard privacy and significantly impedes high-quality research.4 The result is that patients' medical records are not well protected and researchers cannot effectively search for important discoveries.5

Privacy—safeguarding personal information against unauthorized or unjustified disclosure—is a foundational individual good that respects personal dignity and protects patients from embarrassment, stigma, and discrimination. Privacy also has societal value because it encourages individuals to participate in socially desirable activities, including research and public health activities.

Research—a systematic investigation, including testing, data collection, and evaluation, designed to contribute to generalizable knowledge—is an equally compelling individual and societal good because it provides an understanding of and solutions to the nation's most pressing health problems. High-quality research facilitates scientific discovery and medical innovation necessary to save lives and improve the public's health.

Public policy should aim to achieve the dual benefits of personal privacy and improved research. Federal regulation, however, has failed to achieve either goal.

Coverage Gaps. Federal regulation does not apply comprehensively so significant gaps exist in coverage, leaving patients without protection against privacy invasions. The Privacy Rule regulates personally identifiable health information—“protected health information” (PHI)—held by “covered entities” (health plans, health care clearinghouses, and health care providers).3 Consequently, personal data held by numerous noncovered entities remain unregulated, such as data management or data warehousing companies, pharmaceutical companies, and public health agencies. At the same time, the Common Rule, which regulates human subjects research, applies principally to investigations conducted or supported by the federal government.6 Thus, research carried out with private funding might not have the same level of regulatory oversight. This is in sharp contrast to most other countries, in which privacy regulations are not limited to particular health care transactions or funding sources, but instead apply to all health data. There is no ethically principled reason for this patchwork of regulation.

Inconsistency. Marked differences between the Privacy Rule and Common Rule are confusing and lead to inconsistent oversight of research. The standards for future consent, deidentification of data, and recruiting patients vary under the 2 rules, leading to contrary results.7 (1) The Common Rule allows patients to consent to the use of their data and biological samples in future studies with institutional review board (IRB) oversight, but the Privacy Rule prohibits patient authorization for future studies. (2) The Common Rule allows deidentification of data under a more lenient standard (personal identity is not “readily ascertained”) than the Privacy Rule (a rigid “statistical” or “safe harbor” method). And (3) in the case of recruiting patients for studies, the Privacy Rule creates an artificial distinction between researchers who are internal or external to a covered entity, and offers fewer protections than the Common Rule.

Variable Interpretation. There is substantial variation in the way the federal rules are interpreted and implemented. Due to an increasingly heavy workload, the complexity of rules, and a dearth of experts willing to serve, IRBs and privacy boards vary considerably in their approval decisions and regulatory interpretations. This creates significant barriers to research, particularly in multisite studies, such as variations in protocol at different institutions and, at times, discontinuation of studies.8 The rules, moreover, are often interpreted so conservatively that vital research is hampered. Covered entities, for example, are often reluctant to permit access to data for research even when the Privacy Rule allows it. The extensive but vague criteria for waiver of patient authorization are especially problematic. Both rules use imprecise words such as “practicable,” “adequate,” and “minimal” without defining them or providing case examples of research that ought to go forward under a waiver of consent.

The Privacy Rule relies heavily on informed consent (authorization) to protect privacy. Although consent is a dominant theme in law and ethics, in practice it does not adequately protect privacy or facilitate responsible research. Multiple studies have demonstrated that patients do not read or understand complex privacy notices and consent forms, which often are designed to shield the institution from liability.9 Patients are often asked to give consent when they are sick and incapable of making complicated decisions. Moreover, consent cannot protect patients from security breaches or inappropriate disclosures by authorized individuals.10 Relying heavily on consent rather than strong privacy and security assurances shifts the focus from substantive to formalistic safeguards, providing patients with few meaningful choices and burdening the health system with a new level of bureaucracy and expense.11

A primary focus on consent is also detrimental to valuable research. Investigators report a diminished ability to recruit participants,12 obstacles in accessing stored tissue and genetic data sets,13 and increased complexity in IRB procedures, resulting in some hospitals and physicians opting out of research.14 A universal requirement for consent, moreover, creates selection bias, which limits the generalizability of results and leads to invalid conclusions.15

The IOM proposes a bold approach that would make federal regulations more effective in safeguarding privacy, more uniform and fairer in application, and less likely to impede research.4 Under the new framework, health research would be exempt from the HIPAA Privacy Rule. The Common Rule would apply to all interventional research, regardless of funding source, given the genuine potential for physical harm to participants. This would ensure regulatory oversight of many research projects that currently offer inadequate protection for participants.

A new approach to the oversight of information-based research would emphasize data security, transparency, and accountability. By focusing on fair informational practices, patients would gain strong privacy protection, with the assurance that their personal information would not be disclosed to their detriment and data would be protected against security breaches. The new system would include 2 alternatives to consent. First, studies could be conducted with ethical oversight focusing on measures to protect data privacy and security (ie, protection from harms that could result from data disclosure) and the potential public benefits of the research. Second, the new framework could include a certification for entities that undertake large-scale data collection for defined research purposes or to link data from multiple sources for the purpose of providing more complete deidentified data sets to researchers. Federal monitoring and enforcement would ensure regulatory compliance, and legal sanctions would prohibit unauthorized reidentification of data.

If national policy makers continue to rely on the Privacy Rule, rather than adopt a new framework, the Department of Health and Human Services (DHHS) should revise the Privacy Rule, with expanded guidance including best practices for privacy protection in responsible research. DHHS should, in particular, facilitate greater use of deidentified data; clarify the distinctions between “research” and “practice” to facilitate quality improvement and public health practice; and adopt consistent rules for activities conducted in preparation for research, such as identifying and recruiting potential research participants.

To maximize the usefulness of databases and biorepositories, DHHS should allow patient authorization for use of data in future research with ethical oversight; permit consent in a single form for using PHI in a clinical trial and storing biospecimens; clarify the circumstances under which DNA samples are considered PHI; and create a mechanism for linking an individual's information from multiple data sources.

Health IT certainly will be a key component of national health care reform, but it will fail unless policy makers safeguard privacy and facilitate responsible research for the public good. The stimulus package tightens privacy by subjecting business associates to the same rules that covered entities must meet; requiring notification to individuals whose data are breached, giving them a share of any fine for rule violations; and restricting the sale of PHI for marketing and fundraising.1 The stimulus, however, does little to resolve the Privacy Rule's fundamental flaws, which hamper research and stifle delivery of quality health care, to the great detriment of patients and society.

Rather than seeing privacy and research as conflicting values, policy makers can improve both. To do so, they must move beyond formalistic rules toward fair information practices and uniform ethical oversight. They must also remove barriers to high-quality research, thereby attaining the societal benefits of scientific knowledge, medical advances, and protection of the public's health.

Corresponding Author: Lawrence O. Gostin, JD, O’Neill Institute for National and Global Health Law, Georgetown University Law Center, 600 New Jersey Ave NW, Washington, DC 20001 (gostin@law.georgetown.edu).

Financial Disclosures: None reported.

Additional Contributions: Laura Levit, JD, Institute of Medicine, contributed to research and drafting of this article. She was not compensated for her contributions.

1. American Recovery and Reinvestment Act of 2009, HR 1, 111th Cong, 1st Sess, Title XIII (2009) (enacted).
2. Bush GW. Executive Order 13335 (Office of the National Coordinator for Health Information Technology). http://edocket.access.gpo.gov/2004/pdf/04-10024.pdf. April 27, 2004. Accessed March 9, 2009.
3. Standards for Privacy of Individually Identifiable Health Information. Final Rule, 45 CFR parts 160 and 164. http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf. Accessed February 24, 2009.
4. Institute of Medicine. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: National Academy Press; 2009.
5. Association of Academic Health Centers. The HIPAA Privacy Rule: Lacks Patient Benefit, Impedes Research Growth. Washington, DC: AAHC; 2009.
6. Federal Policy for the Protection of Human Subjects (the “Common Rule”), 45 CFR part 46. http://www.hhs.gov/ohrp/policy/common.html. Accessed February 24, 2009.
7. Rothstein MA. Research privacy under HIPAA and the common rule. J Law Med Ethics. 2005;33(1):154-159.
8. Lydon-Rochelle M, Holt VL. HIPAA transition: challenges of a multisite medical records validation study of maternally linked birth records. Matern Child Health J. 2004;8(1):35-38.
9. Breese P, Burman W, Rietmeijer C, Lezotte D. The Health Insurance Portability and Accountability Act and the informed consent process. Ann Intern Med. 2004;141(11):897-898.
10. Rotenberg M. Fair information practices and the architecture of privacy. Stanford Technol Law Rev. 2004;11-34.
11. Thomas R, Walport M. Data Sharing Review Report. http://www.justice.gov.uk/docs/data-sharing-review.pdf. July 2008. Accessed September 4, 2008.
12. Ness RB; Joint Policy Committee, Societies of Epidemiology. Influence of the HIPAA Privacy Rule on health research. JAMA. 2007;298(18):2164-2170.
13. American Society of Clinical Oncology. The Impact of the Privacy Rule on Cancer Research: Variations in Attitudes and Application of Regulatory Standards. Alexandria, VA: ASCO; 2008.
14. Greene SM, Bennett S, Kirlin B, Oliver KR, Pardee R, Wagner E. Impact of the HIPAA Privacy Rule in the HMO Research Network. Seattle, WA: Group Health Cooperative Center for Health Studies; 2008.
15. Armstrong D, Kline-Rogers E, Jani SM, et al. Potential impact of the HIPAA Privacy Rule on data collection in a registry of patients with acute coronary syndrome. Arch Intern Med. 2005;165(10):1125-1129.
