4HIPAA, the Privacy Rule, and Its Application to Health Research

Publication Details

This chapter provides an overview of the development of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and describes how it applies to health research. A section at the end of the chapter also describes the relationships between HIPAA and other federal and state laws. Because a great deal of health research in the United States is also subject to the Common Rule (described in Chapter 3), disparities between these two federal rules are also noted where relevant throughout the chapter.

OVERVIEW OF HIPAA

HIPAA was passed on August 21, 1996. It was intended to make health care delivery more efficient and to increase the number of Americans with health insurance coverage. These objectives were pursued through three main provisions of the Act: (1) the portability provisions, (2) the tax provisions, and (3) the administrative simplification provisions.

Portability and Tax Provisions

The portability provisions of HIPAA aimed to prevent individuals from losing health care coverage due to a preexisting condition when changing to a new employer’s health plan. The portability provisions also aimed to reduce the number of unemployed or self-employed individuals without health insurance by making it easier for individuals to purchase health insurance without their employer.

Similarly, the tax provisions of HIPAA were also intended to make it easier for individuals to maintain health insurance. The tax provisions pursued this goal by modifying existing tax laws to make health insurance more affordable. HIPAA does not regulate the price of health insurance, but rather, it relies on tax breaks and other tax incentives to reduce health care costs (Chaikind et al., 2005).

Administrative Simplification Provisions

The administrative simplification provisions of HIPAA instructed the Secretary of the U.S. Department of Health and Human Services (HHS) to issue several regulations concerning the electronic transmission of health information. These provisions were included in the final version of HIPAA because health plans had requested federal legislation in this area from Congress. The use of electronic health information was expanding in the early 1990s, and the health care industry was unable to standardize the process and use of electronic health information without federal action.1

The security standards are one set of regulations mandated by the administrative simplification provisions of HIPAA. The Act instructed the Secretary of HHS to develop nationwide security standards and safeguards for the use of electronic health care information. The resulting HHS regulations spell out specific administrative, technical, and physical security procedures that healthcare plans, providers and clearinghouses must incorporate into their operations to prevent unauthorized access, use, and disclosure of protected health information (CMS, 2005). HHS published the final HIPAA Security Rule in the Federal Register on February 20, 2003. Health plans and providers were required to be in compliance with these measures by April 2004 (see Box 2-2).

The administrative simplification provisions of HIPAA also directed the Secretary to develop standards for unique health identifiers for patients, employers, health plans, and providers. Unique health identifiers are national numbers that could be used to identify the individual or organization in standard health transactions. The Centers for Medicare & Medicaid Services (CMS) has issued standards for the unique health identifiers for employers and providers, and unique health identifiers for health plans are under development. However, Congress has prevented CMS from implementing a standard for the unique health identifier for patients by inserting language into the annual appropriations bill every year since HIPAA was enacted (Chaikind et al., 2005).

Finally, the administrative simplification provisions of HIPAA mandated the creation of privacy standards for the protection of personally identifiable medical information. Although privacy protections were not a primary objective of the Act, Congress recognized that advances in electronic technology could erode the privacy of health information, and included the privacy provision in HIPAA (IOM, 2006). In accordance with the administrative simplification provisions, HHS developed the Privacy Rule, which constitutes a broad-ranging federal health privacy regulation (see Table 4-1). Incorporating many of the basic fair information practices,2 the Privacy Rule generally restricts the use or disclosure of protected health information, except as permitted by the individual or as authorized or required by the Privacy Rule. Its provisions also impose on covered entities affirmative requirements to safeguard the information in their possession. The Privacy Rule gives individuals certain rights with respect to their health information (reviewed by Pritts, 2008).

TABLE 4-1. Timeline of the HIPAA Privacy Rule.

TABLE 4-1

Timeline of the HIPAA Privacy Rule.

DEVELOPMENT OF THE PRIVACY RULE REGULATIONS

Congress did not include detailed privacy requirements in HIPAA. The terms of HIPAA required the Secretary of HHS to submit detailed recommendations to Congress by August 1997 on ways to protect the privacy of personally identifiable health information. These recommendations were to include suggestions on ways to protect individuals’ rights concerning their personally identifiable health information, procedures for exercising such rights, and the uses and disclosures of information that should be authorized or required under HIPAA.3 If Congress did not enact privacy legislation within 3 years of the passage of HIPAA, the Act required the Secretary of HHS to issue privacy regulations for the protection of personally identifiable health information within 42 months of HIPAA’s enactment.4

In response to this mandate, HHS submitted recommendations for protecting the privacy of personally identifiable health information to Congress in September 1997. In these recommendations, Secretary Shalala advocated for the passage of federal privacy legislation, rather than relying on HHS to pass a set of privacy regulations. Shalala’s report stated, “This report recommends that Congress enact national standards that provide fundamental privacy rights for patients and define responsibilities for those who service them” (Shalala, 1997).

Although numerous bills that attempted to address health information privacy were introduced, Congress was unable to finalize privacy legislation on the time schedule mandated in HIPAA. During the 1999 congressional session alone, eight such bills were introduced. However, none of these bills was passed. As a result, Congress passed the responsibility of creating health privacy protections to HHS.

Over the course of developing the current Privacy Rule, HHS went through four iterations of the Rule. HHS followed Secretary Shalala’s 1997 recommendations to Congress in shaping the regulations (Redhead, 2001). First, HHS issued a proposed version of the Privacy Rule for public comment on November 3, 1999, that drew more than 50,000 comments (Stevens, 2000). Based on these comments, HHS issued the second version of the Privacy Rule, titled Standards for Privacy of Individually Identifiable Health Information, in December 2000.5 Before this version of the Privacy Rule could take effect, the Secretary of HHS was inundated with unsolicited public comments and criticism regarding the Privacy Rule. Health care insurers and providers were concerned that the Privacy Rule would make health care industry operations less efficient. They were particularly concerned about the requirement that they obtain authorization prior to making any routine disclosure of personally identifiable health information for health care operations, treatment, or payment. The comments received also suggested that this version of the Privacy Rule would prevent pharmacists from filling prescriptions and searching for potential drug interactions before patients arrived at pharmacies; interfere with providing emergency medicine in situations where it would be impossible to obtain patient authorization before treatment; and delay the scheduling and preparation of hospital procedures until the doctor could obtain patient authorization.6

In March 2002, HHS, under the Bush Administration, published a proposed modification to the Privacy Rule, which reopened the rule-making process and created a new period for submitting public comments. This version of the Privacy Rule drew more than 24,000 comments. Incorporating the suggestions collected through the second notice of proposed rule-making period, HHS issued the final version of the Privacy Rule in August 14, 2002.7 This is the current, effective, and codified version of the Privacy Rule (45 C.F.R. parts 160 and 164). Most health care providers and health plans were required to be in compliance with this version of the Privacy Rule by April 14, 2003. Small health plans were given until April 14, 2004, to be in compliance.

OVERVIEW OF THE HIPAA PRIVACY RULE8

Entities Subject to the Privacy Rule

The Privacy Rule applies to “covered entities,”9 which are individuals or organizations that electronically transmit health information in the course of normal health care practices. Covered entities include health care providers, health plans, and health care clearinghouses. Health plans are entities that provide or pay the cost of medical care, such as private health insurers or managed care organizations, and governmental payors and health programs such as Medicaid, Medicare, or Veterans Affairs. Health care clearinghouses generally refer to billing services, and health care providers include hospitals, doctors, and other health care professionals and facilities that provide treatment (Table 4-2).

TABLE 4-2. The Uneven Application of the HIPAA Privacy Rule: Examples of HIPAA Covered Entities and Non-Covered Entities.

TABLE 4-2

The Uneven Application of the HIPAA Privacy Rule: Examples of HIPAA Covered Entities and Non-Covered Entities.

If an entity that meets one of the categories of a covered entity also performs functions unrelated to health care, it can become a hybrid entity by designating in writing its “health care components.”10 Only these health care components are then bound by the Privacy Rule. For example, if a university includes an academic medical center with a hospital, the entire university will be classified as a covered entity unless the university elects to be a hybrid entity by designating only the hospital as the health care component. By doing this, only the hospital has to comply with the Privacy Rule. The classification of researchers within a hybrid entity depends on the nature of the work performed (e.g., whether the researchers are within the health care component, providing health care, or conducting electronic transactions) (HHS, 2004c).

Type of Information Protected

The Privacy Rule protects all personally identifiable health information, known as protected health information (PHI), created or received by a covered entity. Personally identifiable health information is defined as information, including demographic information, that “relates to past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care for the individual” that either identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.”11

The Privacy Rule does not protect personally identifiable health information that is held or maintained by an organization other than a covered entity (HHS, 2004c). It also does not apply to information that has been deidentified in accordance with the Privacy Rule12 (see later section on Deidentified Information).

Restrictions on Use and Disclosure

Covered entities may not use or disclose PHI except as permitted or required by the Privacy Rule.13 A covered entity may disclose PHI without the individual’s permission for treatment, payment, and health care operations purposes. For other uses and disclosures, the Privacy Rule generally requires the individual’s written permission, which is an “authorization” that must meet specific content requirements. The Privacy Rule then establishes a number of exceptions to this general rule, allowing covered entities to use and disclose PHI without the individual’s authorization in certain situations. For example, the Privacy Rule permits the disclosure of PHI without the individual’s authorization in the following circumstances:

  • To business associates14
  • For public health purposes as required by state and federal law15
  • To public agencies for health oversight activities, such as audits; inspections; civil, criminal, or administrative proceedings; and other activities necessary for the oversight of the health care system16
  • To law enforcement officials17
  • For judicial and administrative proceedings, if the request for information is made through a court order18
  • For research19

Most of these permitted uses and disclosures are subject to detailed conditions. For example, the Privacy Rule allows covered entities to disclose PHI without individual authorization to its “business associates,” which are defined as persons or entities that perform, on behalf of the covered entity, certain functions or services20 that require the use or disclosure of PHI, provided adequate safeguards are in place.21 As a general rule, these safeguards take the form of a business associate agreement whereby the business associate agrees not to use or disclose the PHI it receives except as permitted by the agreement or by law (Box 4-1).

Box Icon

BOX 4-1

Business Associate Agreements. A covered entity must obtain assurances in writing that the business associate will: (1) use the information only for the purposes for which it was engaged by the covered entity; (2) safeguard the information from misuses; (more...)

In the case of public health practice, the Privacy Rule notes that there is a legitimate need for public health authorities and others working to ensure the health and safety of the public to have access to PHI. As a result, the Privacy Rule permits, but does not require,22 covered entities to disclose PHI without authorization for specified public health purposes (Box 4-2). Disclosures for research are discussed in detail in subsequent sections of this chapter.

Box Icon

BOX 4-2

The HIPAA Privacy Rule and Public Health Practice. The Privacy Rule defines public authorities as any “federal, tribal, or local agency or person or entity acting under a grant of authority or contract with the agency, including state and local (more...)

Individual Rights

The Privacy Rule also confers rights on individuals with respect to their PHI (reviewed by Pritts, 2008). Under the Privacy Rule, individuals have the right to23:

  • Receive a notice of privacy practices from a health care provider or a health plan that must, among other things, inform patients of the anticipated uses and disclosures of their health information that may be made without the patients’ consent or authorization.24
  • See and obtain a copy of their own health information.25
  • Request an amendment of information that is incomplete or inaccurate.26
  • Obtain an accounting of certain disclosures that the covered entity made of their PHI over the past 6 years.27

HIPAA AND RESEARCH

Although health research was not a focus of HIPAA, Congress recognized the important role that health records play in conducting health research and wanted to ensure that privacy protections would not impede researchers’ continued access to such data. This is reflected in two House Reports on HIPAA with identical language, stating:

“The conferees recognize that certain uses of individually identifiable information are appropriate, and do not compromise the privacy of an individual. Examples of such use of information include … the transfer of information from a health plan to an organization for the sole purpose of conducting health care-related research. As health plans and providers continue to focus on outcomes research and innovation, it is important that the exchange and aggregated use of health care data be allowed” (U.S. Congress, 1996a,b).

In creating the current research provisions of the Privacy Rule, HHS considered several options. One option considered was exempting PHI used in research from the regulations, but HHS rejected this option, noting some reported shortcomings of the protection of the privacy and confidentiality of health information in research (reviewed by Pritts, 2008).28 A U.S. General Accounting Office report prepared in anticipation of federal health privacy legislation noted that confidentiality protections were not a major thrust of the Common Rule, and oversight boards tended to give confidentiality less attention than other research risks because they had the flexibility to decide when it was appropriate to review confidentiality protection issues (GAO, 1999). The report noted that although “[t]he actual number of instances in which patient privacy is breached is not fully known … in an NIH [National Institutes of Health] sponsored study, IRB [Institutional Review Board] chairs reported that complaints about the lack of privacy and confidentiality were among the most common complaints made by research subjects.” In addition, the compliance staff of the HHS Office for Protection from Research Risks (now Office of Human Research Protections) related that they had investigated several allegations involving human subjects protection violations resulting from a breach of confidentiality over the past several years and that the complaints related to (1) research subject to IRB review and (2) research outside federal protection (GAO, 1999).

HHS also considered requiring researchers to obtain individual authorization in all situations where a covered entity might want to disclose PHI for research. But this option would have made many research projects nearly impossible to carry out. Instead, HHS created the current system, which attempted to protect individual privacy while still allowing researchers access to data.

In proposing the Privacy Rule, HHS acknowledged that ideally, it would have preferred to directly regulate researchers by extending the protections of the Common Rule to nonfederally funded research and imposing additional criteria for the waiver of authorization in research.29 However, HHS recognized that it did not have the authority to do so, and therefore, it attempted to protect the health information released to researchers indirectly (but within the scope of its limited authority) by imposing disclosure restrictions on covered entities.

The following sections provide a detailed overview of the Privacy Rule provisions regulating research, along with comparisons to the provisions of the Common Rule (see Chapter 3 for a general overview of the Common Rule).

Research Uses and Disclosures with Individual Authorization

Individuals may voluntarily authorize the use and disclosure of their PHI for essentially any reason, including for research purposes. To be valid under the Privacy Rule, an authorization must be “specific and meaningful”30—that is, it must provide a clear description of the information to be used or disclosed. The authorization must also be written in plain language, and contain core elements (e.g., signature of the individual, description of purpose of requested use or disclosure) and statements addressing the individual’s right to revoke authorization, as well as circumstances under which services or payment may be conditioned on signing the authorization.31

Authorization under the Privacy Rule differs from informed consent in research (reviewed by Pritts, 2008). Authorization states how, why, and to whom the PHI will be used and/or disclosed for research, and seeks permission for that use or disclosure. In contrast, informed consent describes the potential risks and benefits of research and seeks permission to involve the subject, although it also provides research participants with a description of how the confidentiality of the research records will be protected. The Privacy Rule permits, but does not require, review of authorization forms by an IRB or a Privacy Board (see Box 4-3). In contrast, under the Common Rule, IRBs are required to review and approve informed consent documents for human subjects research. However, if the authorization is combined in the same document as the informed consent document, then IRB approval must be sought for the combination (HHS, 2004c).

Box Icon

BOX 4-3

IRBs and Privacy Boards. Institutional Review Boards (IRBs) and Privacy Boards have different scopes of review. The Common Rule requires IRBs to review research projects involving human subjects for risk of harm to the subjects and to ensure that the (more...)

Authorization of Future Research

Under the Common Rule, it is permissible to obtain patient consent for future research with biological samples or information stored in databases, with oversight by an IRB, if such future uses are described in sufficient detail to allow an informed consent. Historically, IRBs typically have tried to craft informed consent language on a case-by-case basis to allow for some measure of consent to future, largely unspecified research uses, but also to require some level of detail with respect to the categories of types of uses of the information or specimens, and to emphasize confidentiality protections for identified data and tissues (Barnes and Heffernan, 2004). For example, a consent form may specify that the tissue will be kept for research to learn about, prevent, or treat the type of cancer that affects the subject.

However, such language is too general to comply with the more stringent HIPAA authorization requirements. Under the Privacy Rule, authorizations for the use or disclosure of PHI must include “[a] description of each purpose of the requested use or disclosure.”32 In the August 2002 Final Rule, HHS commented that research-related purposes described in the authorization must be “study specific” and indicated that authorizations for “unspecified future research” would be considered overly broad and invalid.33 In other words, HHS regards all future uses of PHI as inherently nonspecific, and the Privacy Rule does not permit an individual to grant authorization to nonspecific research.

For example, the creation and maintenance of a biospecimen bank or database is considered a specific research activity under the Privacy Rule, but authorization for any future studies undertaken with the data or materials cannot be sought at the time of collection. However, the process of recontacting individuals whose biospecimens are stored to obtain consent for each and every research project for which the samples could be used is widely viewed as impractical, if not impossible, especially as more and more samples are collected. This situation can be quite problematic for studies using stored biological samples (Barnes and Heffernan, 2004; Bledsoe, 2004; Rosati, 2008; Rothstein, 2005).

HHS received comments suggesting that general descriptions of future research could meet the requirement of “meaningful and specific” authorization, but HHS noted that the Privacy Rule does not require IRB or Privacy Board review of uses and disclosures made with individual authori zation, and thus covered entities would be left to decide whether or not the initial authorization was broad enough to cover subsequent research.34 The HHS response went on to note that authorization for future research would not be required if a waiver of authorization was granted for a subsequent study by an IRB or a Privacy Board (see the section regarding Waiver of Authorization).

However, the committee recommends that this discordance between the Privacy Rule and the Common Rule be eliminated through guidance explicitly stating that future research may go forward if the authorization describes the types or categories of research that may be conducted with the PHI stored in a biospecimen bank or database, and if an IRB or Privacy Board determines that the proposed new research is not incompatible with the initial consent and authorization and poses no greater than minimal risk to the privacy of individuals (Wendler, 2006). Future consent for research is ethically valid if appropriate security measures are in place, donors have the right to withdraw consent, and new studies are reviewed and approved by an IRB or Privacy Board (Hansson et al., 2006). Furthermore, a prohibition on future consent actually limits individual autonomy. If individuals desire to authorize the use of their PHI for future research, they should be able to do so.

Compound Authorization

If a covered entity plans to collect and store PHI in a research repository in conjunction with a clinical trial, HHS has stated that the HIPAA authorization for storage of the PHI in the repository must be separate from the HIPAA authorization for disclosure of PHI associated with participation in the clinical trial. HHS came to this conclusion through a complex series of interpretive steps (reviewed by Rosati, 2008). First, it is generally not permissible to condition treatment on the provision of an authorization, although the Privacy Rule does permit a covered entity to condition treatment in a clinical trial on signing an authorization.35 Second, although the Privacy Rule generally permits researchers to combine an authorization form with any other type of written permission (including another authorization), the Privacy Rule prohibits combining authorizations where the covered entity conditions the provision of treatment on signing only one of the authorizations, but not the other.36 Because HHS has concluded that collection of PHI for a clinical trial and for a repository are separate research activities, researchers cannot condition participation in the clini cal trial on signing authorization to include PHI in the repository (HHS, 2004d). Thus, HHS has determined that the two authorizations cannot be combined in one form unless the form has separate signature lines for each authorization, and the text clearly delineates the two activities and states that the participant is not required to sign the portion authorizing the contribution of PHI to the repository.

Ideally, all relevant information pertaining to authorization should be integrated into one simple document, but there is much confusion about these complex provisions of the HIPAA Privacy Rule (Rosati, 2008). Misperceptions about restrictions on individuals’ ability to provide compound authorization for the related activities of clinical trial participation and biospecimen donation are widespread. Some institutions require two complete authorization forms with all the attendant language rather than two signature lines on the same form. The excess paperwork that results is burdensome for patients, can reduce the informed nature of authorization by confusing patients, and may reduce patient participation in research. The committee believes that guidance from HHS to clearly indicate that a single authorization form with two signature lines is permissible in such circumstances would reduce variability and increase the informed nature of authorization.

Research Uses and Disclosures Without Individual Authorization

Documented IRB or Privacy Board Approval of Such Use or Disclosure

In crafting the Privacy Rule, HHS acknowledged that it is not always possible to obtain authorization for using or disclosing PHI for research, particularly in fields such as health services research and epidemiological research, where thousands of records may be involved (Pritts, 2008). It also recognized the potential for selection bias (see Box 3-8) when authorization is required. In light of these factors, HHS concluded that there were circumstances under which it is appropriate to disclose PHI for research without authorization. HHS noted, however, “[T]he privilege of using individually identifiable health information for research purposes without individual authorization requires that the information be used and disclosed under strict conditions that safeguard individuals’ confidentiality.”37

One situation in which the Privacy Rule permits a covered entity to use and disclose PHI for research purposes without obtaining authorization from each patient is when an IRB or a Privacy Board (Box 4-3) reviews a research proposal to use PHI and determines whether to grant a “waiver” of authorization to the researcher for that particular research protocol.38

The Privacy Rule sets out complex standards for IRBs and Privacy Boards to apply in deciding whether to grant a waiver of authorization for a particular research study. The IRBs and Privacy Boards must determine whether a study meets all of the following criteria39:

  1. The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
    1. An adequate plan to protect the identifiers from improper use and disclosure;
    2. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
    3. Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by this subpart;
  2. The research could not practicably be conducted without the waiver or alteration; and
  3. The research could not practicably be conducted without access to and use of the PHI.

An IRB or a Privacy Board may waive the authorization requirement in whole or in part. A complete waiver of authorization means that no authorization is required for the covered entity to use and disclose PHI. A partial waiver means that the IRB or Privacy Board determined that a covered entity does not need authorization for the uses and disclosure of the PHI for one part of a research project, but does need to obtain authorization from patients for another part of the project. For example, an IRB or a Privacy Board often grants a partial waiver to allow PHI to be disclosed to researchers to access PHI to identify potential subjects for a study. However, if only a partial waiver of authorization is granted, the researchers will need to obtain HIPAA authorization before the PHI for each individual patient is used for the research project. An IRB or Privacy Board may also approve a request for an alteration that removes some, but not all, required elements of an authorization, using the same criteria for a waiver of authorization.

The final and codified provisions above share only some of the language used in the Common Rule40 to determine whether it is allowable to alter the elements of informed consent or to waive the requirement of obtaining informed consent. This difference can create a challenge for the IRB decision-making process (Rothstein, 2005).

The concept of “practicability” is used in both the Common Rule and in the HIPAA authorization criteria, but there is no guidance as to what factors (e.g., feasibility or cost) should be considered in determining whether the criteria are met (IOM, 2006; IPPC, 2008; Rothstein, 2005). HHS commentary in the December 2000 Final Rule briefly mentioned cost as one factor that could be considered in determining practicability41 (HHS, 2000), but guidance documents do not define what is “practicable” or “impracticable.” As a result, institutions apply varying standards indepen- dently, often too conservatively to allow even low-risk research to proceed (see also Chapter 5). For example, some institutions interpret impracticable as “not at all possible” and require researchers to demonstrate that a study will fail without a waiver of authorization.

Moreover, stakeholders across the board, from researchers to individual patients, have questioned the meaning of the “practicability” standard (Pritts et al., 2008; Tovino, 2004). One focus group study indicated that patients may find it appropriate to consider two factors in determining whether it is practicable to conduct the research without the waiver of authorization: whether having to contact each patient first would (1) make the study less scientifically valid or (2) make the results less useful in improving medical care (i.e., would produce selection bias) (Pritts et al., 2008).

There are also no clear standards regarding what constitutes adequate protection of privacy, or what constitutes a minimal risk to privacy. The concept of minimal risk implies that there is a risk threshold, above which protections should be stricter. However, clearly defining the threshold is problematic. The terms “adequate plan” and “adequate written assurance” are highly subjective, and thus different institutions are likely to set varying thresholds for “minimal risk.” Thus, to facilitate appropriate authoriza tion requirements for responsible research, the committee recommends that HHS simplify the criteria that IRBs and Privacy Boards use in making determinations for when they can waive the requirements to obtain authorization from each patient whose PHI will be used for a research study.

In the 2000 version of the Privacy Rule, one of the criteria for waiver of authorization was that “the privacy risks to individuals whose PHI is to be used or disclosed are reasonable in relation to the anticipated benefits, if any, to the individual, and the importance of the knowledge that may rea sonably be expected to result from the research.”42 In 2002, HHS deleted this criterion from the Final Rule, stating that it was “unnecessarily duplicative of other provisions to protect patients’ confidentiality interests.”43 It may have been more appropriate to retain this criterion and omit the criteria for impracticability.

If the current waiver criteria are to be retained, the IOM committee believes that a clear and reasonable definition of practicability, along with specific case examples of what should or should not be considered impracticable or of minimal risk, could perhaps reduce variability and overly conservative interpretation of these provisions.

Simplification or clarification of the waiver criteria would be especially helpful for multi-institutional studies, which fall under the jurisdiction of multiple IRBs or Privacy Boards. Covered entities are permitted to rely on a waiver of authorization approved by a single IRB or Privacy Board with jurisdiction. However, covered entities often decide to require approval from their own IRB or Privacy Board prior to disclosing PHI to the requesting researcher, regardless of whether another IRB or Privacy Board already granted a waiver of authorization. This leads to delays and variability in the protocol at different sites (see also Chapter 5). Simplification would also be very helpful for smaller or community-based institutions that do not have internal counsel or regulatory affairs specialists, and are thus more likely to opt out of research that requires decisions about authorizations.

Activities Preparatory to Research

A second situation where a covered entity is permitted to use and disclose PHI without obtaining authorization is for activities that are preparatory to research.44 Review by an IRB or a Privacy Board is also not required for activities preparatory to research. A covered entity may permit researchers to look through its medical records in order to develop research protocols and to aid the recruitment of research participants if it obtains from the researcher representations that the information sought is necessary for the research purpose, that information will be reviewed only for the stated purposes preparatory to research, and that no PHI will be removed from the covered entity by the researcher in the course of the review45 (HHS, 2004a).

Many research studies, especially those focused on rare conditions with limited eligible patient populations, rely on large-scale medical chart reviews and searches of patient databases to identify patients who might be eligible for and might benefit from a particular study. Sufficient patient enrollment in a timely fashion is essential to ensure the meaningfulness and reliability of the research results. However, confusion regarding what is permitted under this component of the Privacy Rule is widespread (SACHRP, 2004), and surveys and studies indicate that patient recruitment has become more difficult and costly under the varying interpretations of the Privacy Rule (see Chapter 5).

HHS has issued multiple guidance statements on this topic, but these statements, some of which have been contradictory, have failed to eliminate confusion (reviewed by SACHRP, 2004). According to current HHS guidance on the Privacy Rule, researchers (both internal and external to a covered entity) may conduct a review of medical records under the preparatory to research exception. However, only internal researchers (an employee or member of the covered entity’s workforce) may contact potential subjects about the possibility of enrolling in a study under this provision of the Privacy Rule. HHS guidance on the Privacy Rule indicates that external researchers are not allowed under the preparatory to research exception to record or remove contact information of patients from a covered entity. External researchers must get an IRB/Privacy Board approved waiver of authorization to perform any recruitment activities. This creates an artificial distinction between internal and external researchers that actually provides less privacy protection than that afforded by the Common Rule, which requires that any activities preparatory to research involving human subjects, or related to initial recruitment of subjects for research studies, be reviewed and approved by an IRB (HHS, 2003). Thus, the Privacy Rule permits conduct that is prohibited by the Common Rule (Rothstein, 2005).

IRBs historically have required all communications about an available research study to come from the individual’s caregivers, not from an investigator unknown to the potential subjects (SACHRP, 2004). Moreover, research shows that patients prefer to be approached by their clinician or an associated nurse as opposed to a stranger (Damschroder et al., 2007; Kass et al., 2003; Robling et al., 2004; Westin, 2007; Willison et al., 2007), and HHS has reported that most allegations of violations of the Privacy Rule related to research come from patients upset at receiving recruitment calls from unknown researchers (Heide, 2007).

According to the Secretary’s Advisory Committee on Human Research Protections (SACHRP), “The consequence of these confused and complex interpretations of research recruitment requirements has been to layer unnecessary, and extremely burdensome, tasks onto human subjects research. It appears, for example, that in some institutions, boilerplate business associate contracts are being signed, and that template applications for partial waivers of authorization are being routinely granted, as methods of perfunctory compliance with these confusing Privacy Rule requirements. Another effect of the enormous confusion has been that other institutions are hesitant to permit many recruitment activities critical to the continuation of the research enterprise, out of fear that they are in some way misinterpreting the government’s current positions on research recruitment. SACHRP is very concerned that the bureaucratic complexities here undermine, rather than enhance, the attention that needs to be paid to the welfare and interests of subjects in the research recruitment process” (SACHRP, 2004).

The IOM committee believes that new guidance documents from HHS that clarify and simplify the rules for activities preparatory to research, and harmonize them with the Common Rule—by requiring IRB/Privacy Board approval for all researchers (internal and external) prior to contact ing potential subjects—would help to eliminate this confusion and facilitate ethical research that protects patient privacy.

Research on Protected Health Information of Decedents

The third situation where a covered entity is permitted to disclose PHI without authorization is for research using the PHI of decedents. Covered entities are not required to obtain authorization from the personal representative or next of kin to conduct research on a decedent’s PHI, nor are they required to receive a waiver of authorization. These provisions are similar to the Common Rule, which defines a “human subject” as a “living individual.”46

However, the Privacy Rule does require that researchers make several representations, either in writing or orally, to the covered entity prior to the covered entity granting the researcher access to a decedent’s PHI. These representations include:

  • The use or disclosure being sought is solely for research on the PHI of decedents
  • The PHI is necessary for research
  • The death of the individual is documented, if requested by the covered entity47

Apparently some covered entities interpret the Privacy Rule more conservatively by requiring researchers to obtain authorization from next of kin, or a waiver of authorization from an IRB or Privacy Board, in order to access the PHI of decedents (Ness, 2007).48

Deidentified Information

Researchers can also access deidentified health information stored by covered entities without obtaining authorization, waiver of authorization, or IRB/Privacy Board approval. Deidentified information does not qualify as PHI, and therefore is not protected under the Privacy Rule—it can be disclosed to researchers at any time (HHS, 2004c). The Privacy Rule offers two methods to deidentify personal health information. Under the statistical method, a statistician or person with appropriate training verifies that enough identifiers have been removed that the risk of identification of the individual is very small. Under the “safe harbor” method, data are considered deidentified if the covered entity removes 18 specified personal identifiers from the data (Box 4-4).49 In the process of deidentifying information, the covered entity may assign a code to the deidentified information so that it may reidentify it, but the code may not be derived from information related to the individual (e.g., Social Security number). Furthermore, the covered entity may not disclose the key to the code to anyone else.50 These provisions of the Privacy Rule are based on the federal statistical agencies’ policy of using statistical methods to assess and protect the confidentiality of individuals’ data they collect and release (Interagency Confidentiality and Data Access Group, 1999; Subcommittee on Disclosure Limitation Methodology, 1994).

Box Icon

BOX 4-4

HIPAA “Safe Harbor” Deidentification Method. The HIPAA “safe harbor” method of deidentification requires that each of the following identifiers of the individual or of relatives, employers, or household members of the (more...)

These provisions are more stringent than those of the Common Rule, leading to situations in which some coded data might be subject to the Privacy Rule, but not the Common Rule (Rothstein, 2005). The Common Rule does not apply to research if “the identity of the subject is [not] or may [not] be readily ascertained by the investigator or associated with the information accessed by the researcher” (see Chapter 3).51 In practice, this can mean that a covered entity may no longer routinely disclose for research data that have been anonymized according to the Common Rule (Pritts, 2008). This discrepancy between deidentification standards under the two rules can give rise to situations in which research with anonymized data that are exempt from IRB oversight under the Common Rule may still require a decision by an IRB or a Privacy Board to determine if a waiver of individuals’ authorization of disclosure for the use of their information for research purposes is appropriate under the Privacy Rule. But because IRBs have not had to review these protocols in the past, they may find it difficult to make appropriate decisions about waivers.

The Privacy Rule restrictions put greater emphasis on the possibility that health data could be reidentified using publicly available databases. Determining what information can be released without inappropriately compromising the privacy of the individual respondents is inherently a statistical issue (Fienberg, 2005) (see also discussion on privacy-preserving data mining and statistical disclosure limitation in Chapter 2). Record linkage technology has advanced rapidly in the past 10 years, and large public list searches are readily available for integration with “deidentified” data, making it easier to reidentify data than when the Common Rule was implemented (De Wolf et al., 2006; Pritts, 2008). For example, an academic exercise showed that it was possible to identify the names and addresses of 97 percent of the registered voters in Cambridge, Massachusetts, using the birth date and full postal code (Sweeney, 1997). In a nonacademic setting, New York Times reporters were also able to identify “anonymous” AOL clients whose search habits had been posted on the web for research projects by linking their search history to other available data (Barbarq and Zeller, 2006).

Studies indicate that even after removal of the 18 identifiers required under the safe harbor method of the Privacy Rule, recipients could reidentify individuals in a study dataset with a moderately high expectation of accuracy by applying only diagnosis and medication combinations (Clause et al., 2004). In short, even the Privacy Rule’s deidentification standard may not be stringent enough to protect the anonymity of data in today’s technological environment (Pritts, 2008). However, strong security measures (as recommended in Chapter 2) and the implementation of legal sanctions against the unauthorized reidentification of deidentified data (as recommended in subsequent sections of this chapter) may be more effective in protecting privacy than more stringent deidentification standards.

Limited Datasets

Many researchers have argued that removal of all 18 data categories as required by the HIPAA Privacy Rule’s deidentification standards can render the dataset unusable for many research projects (Casarett et al., 2005; HHS, 2002; Kulynych and Korn, 2002; SACHRP, 2004) (see also Chapter 5).52 For example, general areas of origin, residence, and work may be essential to epidemiological and other studies of topics such as disease incidence. Likewise, treatment dates are essential information for determining treatment effects, including adverse side effects. Concerns were also raised that deidentification would impede longitudinal studies, and subsequent research has indicated that information deidentified using the safe harbor method of removing all of the listed identifiers results in lost chronological spacing of episodes of care (Clause et al., 2004).

Because of these concerns, some stakeholders urged HHS “to permit covered entities to disclose PHI for research if the protected information is facially deidentified, that is, stripped of direct identifiers, so long as the research entity provides assurances that it will not use or disclose the information for purposes other than research and will not identify or contact the individuals who are subjects of the information.”53 Others were more specific and requested that the Privacy Rule be amended to allow the use of keyed-hash message authentication code (HMAC), asserting that this mechanism would be valuable for researchers because it allows the recipient to link clinical information about the individual from multiple entities over time. In direct response to these requests, HHS modified the Privacy Rule and created a category54 of partially deidentified data called the “limited dataset,” which may be used and disclosed for research without obtaining individual authorization or IRB/Privacy Board approval.55

To qualify as a limited dataset, 16 of the more direct identifiers—such as names, addresses, Social Security numbers, and medical telephone numbers—must be removed from the data. However, the following elements may be included in a limited dataset: city, state, ZIP Code, elements of date, and other numbers, characteristics, or codes not listed as direct identifiers in the regulation (including HMAC). A limited dataset may be created by a covered entity or the covered entity can enter into a business associate agreement with another party, including the intended recipient, to create the limited dataset on its behalf.56

To disclose a limited dataset for research without individual authorization, the covered entity must enter into a data use agreement with the recipient. These contracts specify the recipient of the limited dataset and require the recipient to agree to a number of conditions, including:

  • Not to use or disclose the limited dataset other than as permitted by the agreement or as required by law
  • To use appropriate safeguards to prevent the use or disclosure of the information other than as provided for in the data use agreement
  • To report to the covered entity any use or disclosure of the information not provided for by the data use agreement of which the recipient becomes aware
  • To ensure that any agents to whom the recipient provides the limited dataset agree to the same restrictions and conditions as the original recipient
  • Not to identify the information or contact the individuals whose records are included in the dataset57

Although some researchers have indicated that the use of limited datasets may be “enticing” (Pace et al., 2005), there do not appear to be any studies about the use of limited datasets in the United States (Pritts, 2008). France reportedly uses the equivalent of limited datasets from numerous hospitals to conduct epidemiologic research (Berman, 2002), but the French health care system and legal environment are quite different than in the United States. In testimony at an Institute of Medicine workshop on the HIPAA Privacy Rule and health research, legal experts noted the shortcomings of the limited dataset (IOM, 2006). For example, in some health care settings, it can be challenging to identify an individual who will sign a data use agreement on behalf of the covered entity and thus manage the contract according to the perceived risk and obligation to monitor how that limited dataset is used. At the other extreme, it was noted that some covered entities were signing data use agreements as a matter of course, and thus providing little meaningful privacy protection to the patient (IOM, 2006).

Thus, the committee recommends that HHS encourage greater use of limited datasets and develop clear guidance on how to set up and comply with the associated data use agreements more efficiently and effectively.

Linking Data from Multiple Sources

A single database may not provide a complete picture of a patient’s condition or health history, so combining information from multiple sources is often necessary (IOM, 2000). HHS stated that one intent of the limited dataset provisions was to permit data to be used and disclosed in a coded manner such that the recipient of the data could link one person’s data longitudinally over multiple settings.58 However, linking data continues to be problematic for researchers under the HIPAA Privacy Rule (IOM, 2006; IPPC, 2008).

The Privacy Rule addresses data aggregation only with respect to health care operations,59 not research. However, it is possible in principle under the Privacy Rule for a researcher to aggregate PHI from multiple covered entities with authorization or IRB/Privacy Board waiver of authorization. Obtaining individuals’ authorization for research that entails the review of thousands of medical records is unrealistic, though, and even with a waiver of authorization, covered entities with large datasets are often reluctant to allow researchers access to PHI, as noted above (see also Chapters 5 and 6). More commonly, data are provided to researchers with direct identifiers removed. But because datasets from multiple sources cannot be linked to generate a more complete record of a patient’s health history without a unique identifier, such datasets often are of minimal value to researchers and are not frequently used. A third party may also collect PHI from covered entities and aggregate the data for research by establishing business associate agreements (BAs) with the various data sources, but in practice, BAs are used infrequently for this purpose (AcademyHealth, 2008). This approach is complicated and impractical to set up for individual research projects. Moreover, BAs can be established by covered entities to gain competitive advantage, rather than to collaborate in research.

The committee believes that a better approach would be to establish secure, trusted, nonconflicted intermediaries that could develop a protocol, or key, for routinely linking data without direct identifiers from different sources and then provide more complete and useful deidentified datasets to researchers. One way this could be accomplished, for example, might be through data warehouses that are certified for the purpose of linking data from different sources (IOM, 2000). The organizations responsible for such linking would be required to use strong security measures and would maintain the details about how this linkage was done, should another research team need to recreate the linked dataset. Using such intermediaries would increase patient privacy protections and allay concerns of covered entities, and thus would facilitate greater use of health data for research and also lead to more meaningful study results.

CMS provides a similar service for Medicare and Medicaid data, via contractors who create standardized data files that are tailored for research (Box 4-5). The agency has begun pilot projects to aggregate Medicare claims data with data from commercial health plans and, in some cases, Medicaid, in order to calculate and report quality measures for physician groups. A broader effort to link data from diverse sources has been initiated by the Agency for Healthcare Research and Quality (AHRQ), called the National Health Data Stewardship Entity.60 AHRQ is also involved in implementing the Patient Safety and Quality Improvement Act of 2005, which encourages creation of Patient Safety Organizations to receive information from hospitals, doctors, and health care providers on a privileged and confidential basis, for analysis and aggregation.61 Although the purpose of the latter two initiatives is for monitoring health care quality, they could provide a model for data aggregation applicable to health research as well.

Box Icon

BOX 4-5

The Chronic Conditions Warehouse. Section 723 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 instructed the Secretary of the U.S. Department of Health and Human Services to make Medicare data more readily available to researchers (more...)

The HIPAA administrative simplification provisions specifically provided for the creation of a unique individual identifier, but work on this project has been halted because there is a great deal of controversy regarding how it could be implemented without comprising individual privacy. Federal agencies are also under pressure from the Office of Management and Budget to reduce the use of Social Security numbers as unique identifiers. But the development of some type of linking key (not based on Social Security numbers) would make linkages more efficient, standardized, and reliable and less costly. Moreover, this type of linkage could greatly facilitate many types of information research, provide more extensive health histories and facilitate public health surveillance, and improve quality of care (HHS, 1998; Hillestad et al., 2008).

Genetic Information and the Privacy Rule

Research involving genetic information presents perhaps some of the most challenging areas for protecting the privacy of health information (Bregman-Eschet, 2006; Farmer and Godard, 2007; Greely, 2007; NBAC, 1999). With recent technological advances in biomedical research, it is now possible to learn a great deal about disease processes and individual variations in treatment effectiveness or susceptibility to disease from genetic analyses because the DNA sequences comprising a person’s genome strongly influence a person’s health. New knowledge of the human genome, combined with advances in computing capabilities, are expected to help decipher the roles that genetics and the environment play in the origins of complex but common human diseases, such as cancer, heart disease, and diabetes. In this genomic age of health research, patient samples stored in biospecimen banks can provide a wealth of information for addressing long-standing questions about health and disease, and efforts are underway to create large genomic databases for that purpose (Adams, 2008; Greely, 2007; Lowrance, 2002; Lowrance and Collins, 2007). However, it is particularly difficult to assess the potential harms to individuals who are the subjects of research in these rapidly advancing areas (NBAC, 1999; Pritts, 2008), and precedent does not appear to provide sufficient guidance in this relatively uncharted territory (Lowrance, 2002; Lowrance and Collins, 2007). Moreover, HHS has not issued clear guidance on how the Privacy Rule applies to DNA samples or sequences (IOM, 2005).

HHS guidance documents indicate that tissue or blood itself is not protected under the Privacy Rule unless it contains or is associated with HIPAA identifiers (HHS, 2004b). HHS has further stated that the results of an analysis of blood or tissue, if containing or associated with personally identifiable information, would be PHI. However, the research community remains uncertain about whether genetic information accompanying biospecimens is protected under the Privacy Rule because the list of identifiers includes “biometric identifiers” and “unique identifying characteristics”62 (NCVHS, 2004).

The European Union, which has a more restrictive privacy regime than the United States, does not consider DNA in and of itself to be a direct identifier (DPWP, 2007). Genetic information does not itself identify an individual in the absence of other identifying information. However, in some circumstances, a person’s genetic code could be construed as a unique identifier in that it could be used to match a sequence in another biospecimen bank or databank that does include identifiers (Lin et al., 2004; Malin and Sweeney, 2004).

As genetic information becomes more prevalent in research and health care, the latter scenario is more likely to occur. For example, in January 2008, the NIH began requiring data from the Genome Wide Association Study63 to be submitted to a central databank in an anonymous and aggregated form. That database was publicly accessible until August 2008 when officials at NIH removed the database from the public Website, citing concerns about patient confidentiality (Couzin, 2008; Zerhouni and Nabel, 2008). Those concerns stemmed from a study showing that a new type of DNA analysis could confirm the identity of an individual in a pool of similarly masked data if that person’s genetic profile was already known (Homer et al., 2008). NIH intends to move the aggregate genotype data to a secure, controlled-access database with policies for review and approval of data access requests (Zerhouni and Nabel, 2008).

Also, as we enter the era of personalized medicine, genetic information is more likely to be included in a person’s health records. But at the same time, realization of the promises of personalized medicine will require research on DNA from a great many diverse individuals whose medical histories are well documented. Therefore, the committee believes that the establishment of consistent standards for use and protection of genetic information is important and advocates a focus on strong security measures. To facilitate appropriate use of DNA in health research, the committee recommends that HHS clarify the circumstances under which DNA samples or sequences are considered PHI. In addition, it recommends the adoption of strict prohibitions on the unauthorized reidentification of individuals by anyone from DNA sequences.

Regardless of how genetic information is regulated under the HIPAA Privacy Rule, a federal prohibition of genetic discrimination is necessary to allay privacy concerns and diminish potential negative consequences of unintended disclosure of genetic information. Many people are concerned about genetic discrimination—the misuse of genetic information by insurance companies, employers, and others to make decisions based on a person’s DNA—so it is important both to protect the privacy of genetic information and to protect people against such discrimination. The Genetic Information Nondiscrimination Act (GINA), recently signed into law, hopefully will begin to address some of these concerns.

Accounting of Research Disclosures

The “accounting of disclosures” provision of the HIPAA Privacy Rule gives individuals the right to receive a list of certain disclosures that a covered entity has made of their PHI in the past 6 years, including disclosures made for research purposes.64 The accounting of disclosures (AOD) must also include certain substantive information related to each disclosure, including the date of the disclosure, the identity of the person who received the information, a description of the information disclosed, and a statement of the purpose of the disclosure.

The AOD requirement was intended “as a means for the individual to find out the nonroutine purposes for which his or her PHI was disclosed by the covered entity, so as to increase the individual’s awareness of persons or entities other than the individual’s health care provider or health plan in possession of this information.”65 This requirement does not actually protect privacy; it merely requires covered entities to record disclosures that have already happened. In addition, the AOD requirement does not constitute an audit trail, as there are numerous exceptions to the requirement, including disclosures for health care operations, pursuant to an authorization, as part of a limited dataset, for national security or intelligence purposes, and to correctional institutions or law enforcement official. Therefore, AOD cannot provide individuals with some of the information they may want, such as a list of employees who looked at their medical record when they were in the hospital (AHIC, 2007; Pritts, 2008).

Disclosures made for research purposes under a waiver of authorization, or for public health purposes as required by law, must be included in the AOD. In fact, HHS has noted that “making a set of records available for review by a third party constitutes a disclosure of the PHI in the entire set of records, regardless of whether the third party actually reviews any particular record.” The Privacy Rule has an exception for research involving groups of 50 or more subjects, which allows the generation of a general list of all protocols for which a person’s PHI may have been disclosed, but even in that case, there is a considerable administrative obligation. Furthermore, in many medical facilities, that list is very extensive, and thus is relatively meaningless to a particular patient.

This aspect of the Privacy Rule places a heavy administrative burden on health systems and health services research that achieves little in terms of protecting privacy. Moreover, HHS has not given covered entities any guidance on practical ways to fulfill this requirement in an efficient manner. Annual surveys of health care privacy officers undertaken by the American Health Information Management Association (AHIMA) since 2004 have found that many facilities report difficulties with the AOD requirement (AHIMA, 2006). Furthermore, the surveys have found that the demand for AOD is extremely low. Two-thirds of respondents reported receiving no requests at all. Nearly a third indicated that they would like to see a change to the AOD provisions—the most frequently cited Privacy Rule provision among all respondents, and by far among those with more than 20,000 admissions/discharges per year. Based on these results, AHIMA concluded that “for many, this provision is not only burdensome but also significantly inefficient.”

The National Committee on Vital and Health Statistics (NCVHS), the Association of American Medical Colleges (AAMC), and SACHRP have all recommended changes to the AOD provisions (see Appendix A). Witnesses at the first public hearing held by the NCVHS Subcommittee on Privacy and Confidentiality, held in August 2001, suggested that covered entities were likely to refuse to share PHI because of the burden of the AOD provisions. NCVHS stated that it supported an individual’s right to an AOD, but suggested that HHS issue guidance to provide covered entities with ways to fulfill this requirement in a convenient and practical manner. To date, no efforts have been undertaken to identify organizations that have successfully implemented the AOD requirement, or the practices that they have put in place (Pritts, 2008).

Case reports gathered for AAMC’s database also indicated that this provision is a tremendous burden to providers and researchers and has resulted in many covered entities refusing to make PHI available to researchers. AAMC recommended that the AOD requirement be eliminated for research, if IRB/Privacy Board approval is given, asserting that most AOD do not provide any meaningful information to the individual and that it would be better to investigate any questionable disclosures as they occur.

SACHRP made a similar recommendation, stating that the Privacy Rule imposes sufficient privacy protections without applying this portion of the Privacy Rule to research. Indeed, SACHRP concluded that the cost and burden of compliance with AOD requirements was so high that institutions were likely to accept the risk of noncompliance rather than incur the cost of compliance. Noting that researchers must establish a certain standard of privacy protections before an IRB or a Privacy Board will grant a waiver of authorization, or before a covered entity will permit a researcher to access PHI preparatory to research, SACHRP recommended that covered entities should inform patients in the HIPAA “Notice of Privacy Practices” that their PHI may be used and disclosed for research purposes without their authorization if sufficient privacy safeguards are in place. The IOM committee concurs, and recommends that HHS reform the requirements for the accounting of disclosures of protected health information for research. In the interest of transparency, institutions should maintain a list, accessible to the public, of all studies approved by an IRB or Privacy Board, in place of the AOD requirement. However, as the health care system moves toward broader implementation of electronic health records, automatic tracking of audit trails will be an important component to incorporate.

ENFORCEMENT OF THE PRIVACY RULE

The Privacy Rule sets out both civil and criminal penalties for covered entities that breach the Rule.66 The civil penalty provision allows a $100 fine per violation for disclosure made in error, with a maximum fine of up to $25,000 per year. The criminal penalties for persons who knowingly obtain or disclose personally identifiable information include fines of up to $50,000 and imprisonment for up to 1 year. If the crime is committed under false pretenses, the individual or organization faces fines up to $100,000 and 5 years of imprisonment. Penalties for the sale or use of PHI for commercial advantage, personal gain, or malicious harm are fines of up to $250,000 and 10 years of imprisonment.

The Privacy Rule does not provide for a private right of action by patients or research participants.67 Thus, an individual whose privacy is violated under the Privacy Rule cannot sue the covered entity or individual who breached his or her privacy. Rather, an individual can file a claim with HHS’s Office for Civil Rights (OCR). OCR is in charge of enforcement and decides whether and when to pursue a regulatory investigation and penalties against a covered entity (Stevens, 2003). In addition, it is important to note that this does not prevent an individual from pursuing a private right of action under state law (Pritts, 2008).

The Compliance and Enforcement regulations stress cooperative compliance over the imposition of penalties (reviewed by Pritts, 2008). The regulations specifically provide that the Secretary will, to the extent practicable, seek the cooperation of the covered entity in obtaining compliance.68 If an investigation indicates a failure to comply, the regulations provide that the Secretary will first attempt to resolve the matter by informal means.69 Such informal resolutions include demonstrating compliance, a completed corrective action plan, or a resolution agreement (HHS, 2007).70 Only if a covered entity does not take action to resolve the noncompliance will HHS contemplate imposing civil monetary penalties on the covered entity.71

Also, a covered entity that is itself in compliance with the Privacy Rule will not be held liable for the actions of a business associate that breaches the terms of its business associate agreement. A covered entity that knows of a pattern of activity or practice of a business associate that constitutes a material breach of its contract must take reasonable steps to cure the breach or end the violation.72 If such efforts are unsuccessful, the covered entity must terminate the contract if feasible.73 If termination is not feasible, the covered entity must report the problem to the Secretary.74 So long as a covered entity complies with these procedures, it is not liable for the actions of its business associates and will not be assessed civil monetary penalties (HHS, 2006).75

Between April 2003 and March 2008, OCR received more than 33,000 complaints alleging violations of the Privacy Rule (Barr, 2008). Most of the complaints have been filed against health care providers, including physician practices, general hospitals, pharmacies, and outpatient clinics, and largely deal with health information uses, disclosures, and safeguards. The number of complaints OCR has received that relate to research is unclear (NCVHS, 2005). In the majority of cases, OCR determined that the complaint did not present an eligible case for enforcement, either because OCR lacked jurisdiction, the complaint was untimely, or the activity did not violate the Privacy Rule.

To date, there have been no civil penalties imposed against any covered entity for breaching the Privacy Rule. Similarly, there have only been three criminal prosecutions under the Privacy Rule of individuals involved in medical identity theft (Rahman, 2006).76 In spite of this enforcement record, many covered entities remain hesitant to share health information due to concerns about liability (Pritts, 2008).

In surveys, many providers and payors self-report that they are not in compliance with the Privacy Rule. In a recent survey by Phoenix Health Systems, 20 percent of providers and 13 percent of payors reported that they have had insufficient incentives to incur the cost of implementing all the requirements of the Privacy Rule. In the survey, none of the participating providers was able to show that it had complied with every provision of the Privacy Rule. Payors only reported doing marginally better (Phoenix Health Systems, 2006). In surveys by AHIMA, about 40 percent of hospitals and health systems reported full compliance with HIPAA regulations, while about 15 percent believed they were less than 85 percent compliant (AHIMA, 2006). More than half the respondents indicated that resources were the most significant barrier to full privacy compliance, noting a particular need to support education and training of new staff.

RELATIONSHIP BETWEEN HIPAA AND OTHER LAWS

Federal Research Statutes

Several other federal statutes regulate research and affect the types of research projects that can be carried out in the United States. The federal regulations most relevant to health research are the Common Rule77 and the Food and Drug Administration (FDA) Protection of Human Subjects Regulations, which have similar origins and intent78 (see Chapter 3). Both the Common Rule and the FDA regulations are concerned primarily with the physical risks to humans associated with participation in a research study. Neither set of regulations provides detailed and prescriptive regulations for the protection of privacy (HHS, 2002). Nonetheless, there are numerous instances in which the Privacy Rule and the Common Rule diverge, as described above.

General Federal Laws

The Privacy Rule also often interacts with other federal laws. In the preamble to the Privacy Rule, HHS stated that there should be few instances where the Privacy Rule conflicts with existing statutes or regulations. Where potential conflicts do exist, HHS stated that an attempt should be made to resolve the conflict so that both laws apply. For example, if a statute or regulation permits the dissemination of PHI, but the Privacy Rule prohibits the use or disclosure of PHI without authorization, the covered entity is able to comply with both sets of laws. The entity could obtain HIPAA authorization prior to disseminating the information as permitted by the other law (HHS, 2000).

The fact that a covered entity is permitted to use or disclose PHI “as required by law” under the Privacy Rule reduces a number of potential conflicts between the Privacy Rule and other federal rules.79 HHS provided an example to explain this point. If a previous statute or regulation requires a specific use or disclosure of PHI that the Privacy Rule appears to prohibit, the section of the Privacy Rule that permits uses or disclosures “as required by law” would allow this disclosure to be made. Also, HHS specifically stated that if a statute or regulation prohibits a use or disclo sure of PHI that the Privacy Rule permits, the earlier, more specific statute applies (HHS, 2000).

As a result, covered entities are often subject to both the Privacy Rule and other federal statutes and regulations simultaneously. In many situations, researchers must comply with the Privacy Rule and the Common Rule or the FDA Protection of Human Subjects Regulations. Medicare providers must comply with the requirements of the Privacy Rule and the Privacy Act of 1974. Health care providers in schools, colleges, and universities must comply with the Privacy Rule and the Family Educational Rights and Privacy Act. Substance abuse treatment facilities must comply with the Privacy Rule and the Substance Abuse Confidentiality provisions of the Public Health Service Act, Section 543 and its regulations. There are innumerable examples where the Privacy Rule and another federal statute both must be followed (HHS, 2000).

State Laws

Similar to the Privacy Rule’s relationship to other federal statutes, the relationship between the Privacy Rule and state privacy laws is also complicated. In general, the Privacy Rule preempts contrary state laws relating to the privacy of health information. Generally, this means that if it is impossible for a covered entity to comply with both the Privacy Rule and the state law in question, the Privacy Rule will be applied in the situation and the state law will be considered void.80

This general rule has three exceptions. First, any state law that is not contrary to the Privacy Rule is not preempted. If it is possible for a covered entity to comply with both the Privacy Rule and the state law simultaneously, there is no preemption of the state law, and the covered entity must comply with both sets of privacy rules.

Second, state laws that are contrary to the Privacy Rule, but provide more protection to the privacy of health information, are not preempted by the Privacy Rule. The Privacy Rule sets a national floor for the protection of PHI, not a national ceiling. More stringent means that the state law: (1) prohibits or restricts a use or disclosure in circumstances that would be permitted under HIPAA; (2) permits greater rights of access or amendment for the individual who is the subject of the PHI; (3) provides an individual with a greater amount of information regarding disclosure, rights, and remedies; (4) narrows the scope or duration of any legal permission to use PHI, or increases the privacy protections afforded to PHI; (5) provides for the retention or reporting of more detailed information for longer durations; or (6) provides greater privacy protection for the individual with respect to any other matter.

The third exception to the general preemption rule is in the public health arena. State laws that are contrary to the Privacy Rule—but provide for the reporting of disease or injury, child abuse, birth, or death, or for conducting public health surveillance, investigation, and intervention—are not preempted by the Privacy Rule. States are permitted to set their own rules regarding what type of information can be collected by public health agents and how that information is used (HHS, 2004c).

Applying this preemption rule and determining what privacy laws must be followed in any given state can be a difficult task for covered entities. All states provide some protection for the privacy of health information. However, they differ greatly in what type of protection they provide, and thus, interact differently with the federal Privacy Rule. To successfully conduct a preemption analysis, a covered entity must become familiar with both the state laws and the Privacy Rule, interpret how the state and federal regulations interact with each other, and correctly determine the situations in which the Privacy Rule preempts state law. Many of the provisions in the Privacy Rule do not have directly corresponding provisions in state laws. This makes comparing the two sets of rules a technical and tedious task. One of the main impediments to a covered entity complying with the Privacy Rule is likely the lack of understanding of what the Privacy Rule actually requires in each state (Pritts, 2002).

CONCLUSIONS AND RECOMMENDATIONS

The HIPAA Privacy Rule was written to provide consistent standards in the United States for the use and disclosure of PHI by covered entities, including the use and disclosure of such information for research purposes. In its current state, however, the HIPAA Privacy Rule is difficult to reconcile with other federal regulations, including HHS regulations for the protection of human subjects (the Common Rule), FDA regulations pertaining to human subjects,81 and other applicable federal or state laws.

Inconsistencies, for example, in federal regulations and their interpretations governing the deidentification of personal health information, obtaining individuals’ consent for future research, and the recruitment of research volunteers make it challenging for health researchers seeking to comply with all these regulations to undertake important research activities. In addition, there is substantial variation in the way in which institutions interpret and apply the Privacy Rule (see also Chapter 5).

Additional guidance from HHS, along with some changes in interpretation by HHS, would reduce misunderstandings of the Privacy Rule provisions by covered entities, IRBs, and Privacy Boards and help to harmonize federal regulations governing health research, which would in turn reduce complexity for researchers and covered entities, and thereby help to ensure consistent and appropriate privacy protections for patients. Thus, HHS should develop revised and expanded guidance materials for the Privacy Rule.

For example, HHS should develop guidance to clearly state that future research with repositories can go forward under the Privacy Rule with IRB/Privacy Board oversight. Many institutions create and maintain databases with patient health information as well as repositories with biological materials collected from patients, and use them for many types of health research, including studies to understand diseases or to compare patient outcomes following different treatments. Once created, these collections offer a cost-effective resource for rapidly addressing new research questions as technologies and knowledge advance. Collecting the samples and data necessary to address each new research question as it arises could take years, or even decades, at great expense. Thus, the pace and efficiency of medical progress is significantly enhanced by using established resources whenever feasible. Under the Common Rule, it is permissible to obtain patient consent for future research, with IRB oversight, as long as such future uses are described in sufficient detail to allow an informed consent.

However, the provisions of the Privacy Rule, as interpreted by HHS, have made it more difficult to effectively use these valuable resources for research. As a result, patients must be recontacted to obtain individual authorization for any additional studies undertaken with the data and samples collected unless the researchers obtain a waiver or alteration of authorization from an IRB or a Privacy Board. Recontacting patients for additional authorization is not only impractical, but even in those instances when it is possible, it can be intrusive and burdensome for patients and their families. The committee believes that authorization for future use of these databases and biospecimen banks should be appropriate for protecting privacy as long as there is an IRB or a Privacy Board overseeing the research. Thus, HHS should eliminate the discordance between the Privacy Rule and the Common Rule through guidance explicitly stating that future research may go forward if the authorization describes the types or categories of research that may be conducted with the PHI stored in the biospecimen bank and if an IRB or a Privacy Board determines that the proposed new research is not incompatible with the initial consent and authorization, and poses no greater than minimal risk.

Because science is evolving very quickly, one cannot adequately anticipate what knowledge will be gained in the future, and significant opportunities for beneficial research could be lost without some alterations to the way in which this portion of the Privacy Rule is interpreted. Databanks and biospecimen banks created and maintained with federal funds in particular should be used for multiple studies as often as feasible, given the high cost of such activities and the high value of investigating and comparing multiple scientific questions from the same pool of data.

Additional guidance from HHS is also needed to clarify the circum stances under which DNA samples or sequences are considered PHI. The research community remains uncertain about whether genetic information accompanying biospecimens is protected under HIPAA because the list of HIPAA identifiers includes “biometric identifiers” and “unique identifying characteristics.”82 Although genetic information does not itself identify an individual, a person’s genetic code could be construed as a unique identifier in that it could be used to match sequence in another biospecimen bank or databank that does include identifiers. As genetic information becomes more prevalent in research and health care, concerns regarding genetic privacy and discrimination are likely to intensify. Thus, the establishment of consistent standards for use and protection of genetic information is important. The committee advocates a focus on strong security measures, with the goal of realizing the full potential of personalized medicine. In addition, unauthorized reidentification of individuals from DNA sequences, by anyone, should be strictly prohibited.

The committee also recommends that HHS issue guidance to clearly indicate that when researchers seek to store data and materials collected in conjunction with a clinical trial, a single authorization form with two sig nature lines is permissible if the text clearly delineates the two activities and states that the participant is not required to sign the portion authorizing the contribution of PHI to the repository. Informed consent and authorization are essential for the protection of individuals who volunteer to participate in clinical trials. Thus, it is imperative that the informed consent and authorization documents are easily understood and meaningful to the individuals involved. Ideally, all relevant information should be integrated into one simple document, but the HIPAA Privacy Rule’s complex provisions have generated misperceptions about restrictions on individuals’ ability to provide compound authorization for the related activities of clinical trial participation and biospecimen donation, and some institutions require two complete authorization forms with all the attendant language rather than two signature lines on the same form. Such misperceptions can diminish the informed nature of consent and authorization because they can lead to patient confusion and misunderstanding.

HHS should also simplify the procedures for the identification and recruitment of potential research participants and harmonize them with the Common Rule. The provisions regarding these activities that are preparatory to research are complex, confusing, and actually provide less privacy protection than the Common Rule. The committee believes that IRBs and Privacy Boards can protect research participants, including their privacy and confidentiality interests, and thus recommends that IRB/Privacy Board approval (as required under the Common Rule) should be required for all researchers (internal and external to the covered entity) prior to contacting potential subjects. When making a decision about whether to approve research projects, the IRB or Privacy Board should review and consider the investigator’s plans for contacting patients, and also ensure that the information will be used only for research projects approved by the IRB or Privacy Board and not be disclosed to anyone else.

HHS should also take steps to facilitate greater use of data with direct identifiers removed. Because the Privacy Rule and the Common Rule define personally identifiable information and deidentification differently, there is a discrepancy between what research is exempt from the Common Rule and what research is exempt from the Privacy Rule. This discrepancy can give rise to situations in which research with anonymized data that are exempt from IRB oversight under the Common Rule may still require a decision by an IRB or a Privacy Board to determine if a waiver of individuals’ authorization for the use of their information for research purposes is appropriate under the Privacy Rule.

Also, there appears to be a great deal of confusion about how to meet conditions of data use agreements for limited datasets, which have been stripped of the 16 most direct identifiers and can be used and disclosed for research without obtaining individuals’ authorization or an IRB/Privacy Board waiver of authorization. HHS could help to ameliorate this situa tion by issuing clear guidance on how to set up and comply with data use agreements more efficiently and effectively.

New tools are also needed to facilitate important health research by allowing new hypotheses to be tested with existing data. One major challenge of using data from which direct identifiers have been removed is that a patient’s health information is rarely stored in one single location, and data from multiple sources cannot be linked to generate a more complete record of a patient’s health history without a unique identifier. As a result, these datasets often are of minimal value to researchers and are not frequently used. A trusted intermediary that could link data from different sources and then provide more complete and useful deidentified datasets to researchers would facilitate the greater use of health data for research and lead to more meaningful study results while also increasing patient privacy protections and allaying concerns of covered entities. Thus, HHS should develop a mechanism for linking data from multiple sources so that more useful datasets can be made available for research in a manner that protects privacy, confidentiality, and security. Similar efforts have been initiated by AHRQ for the purpose of monitoring health care quality.

The committee also concluded that for some provisions of the Privacy Rule the burdens are heavy and the privacy protections are small. Reconsideration of such provisions may be necessary if society is to derive maximal benefits from health research. In particular, the required accounting of disclosures entails a heavy administrative burden on health systems and health services research that achieves little in terms of protecting privacy. The committee recommends that the Privacy Rule permit medical facilities to inform patients in advance that PHI might be used for health research (with IRB/Privacy Board oversight) or for public health purposes, and the Privacy Rule should be altered to exempt these activities from AOD requirements.

Robust safeguards are already in place to protect the privacy of PHI disclosures in health research via IRBs and Privacy Boards. As the health care system moves toward broader implementation of electronic health records, however, automatic tracking of audit trails will be important to incorporate. Technology advances will likely make automatic AOD tracking feasible, affordable, and widely available in the future. Until then, the committee recommends that disclosures of PHI made for health research and public health purposes be exempted from the HIPAA Privacy Rule’s AOD requirement. However, in the interest of transparency, institutions should maintain a list, accessible to the public, of all studies approved by its IRB or Privacy Board.

HHS should also simplify the criteria that IRBs and Privacy Boards use in making determinations for when they can waive the requirements to obtain authorization from each patient whose PHI will be used for a research study. If the current criteria for waiver of authorization are to be retained, a clear and reasonable definition of impracticability from HHS, along with specific case examples of what should or should not be considered impracticable or of minimal risk, could reduce variability and overly conservative interpretations among IRBs and Privacy Boards.

Case examples should help delineate what IRBs and Privacy Boards should do to facilitate research, rather than just defining what is permissible. For example, it is appropriate to allow use of registries, clinical databases, and biospecimen banks for justifiable scientific inquiries. HHS should clearly state that IRBs and Privacy Boards should not impede research that is permissible under the Privacy Rule without a compelling concern (for example, if participant solicitation plans are inappropriate or if the principal investigator is unqualified).

Simplification or clarification of the waiver criteria would be especially helpful for multi-institutional studies, which fall under the jurisdiction of multiple IRBs or Privacy Boards, and for smaller or community-based insti tutions that do not have internal counsel or regulatory affairs specialists, and are thus more likely to opt out of research that requires decisions about authorizations. With better guidance, all covered entities would have more confidence in their decisions, and might be more willing to rely on a lead IRB/Privacy Board decision in the case of multi-institutional studies.

REFERENCES

  1. AcademyHealth. 2008 PowerPoint presentation to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on AcademyHealth survey results.
  2. Adams R. Progress vs. privacy. CQ Weekly. 2008 May 26, 1404
  3. AHIC (American Health Information Community) Confidentiality, privacy, and security workgroup, summary of the 14th web conference. 2007. [accessed August 27, 2008]. http://137.187.25.8/healthit/ahic/materials/summary/cpssum_100407.html .
  4. AHIMA (American Health Information Management Association) The state of HIPAA privacy and security compliance. 2006. [accessed April 20, 2008]. http://www.ahima.org/emerging_issues/2006StateofHIPAACompliance.pdf .
  5. Barbarq M, Zeller T Jr. Confidentiality issues for data miners. Artificial Intelligence in Medicine. 2006;26:25–36.
  6. Barnes M, Heffernan KG. The “future uses” dilemma: Secondary uses of data and materials by researchers and commercial research sponsors. Medical Research Law and Policy Report. 2004;3:440–452.
  7. Barr S. HIPAA enforcement of Privacy Rule stresses voluntary compliance, HHS official says. BNA Privacy and Security Law Report. 2008;7(13):479.
  8. Berman JJ. Confidentiality issues for data miners. Artificial Intelligence in Medicine. 2002;26(1):25–36. [PubMed: 12234715]
  9. Bledsoe M. HIPAA models for repositories. ISBER Newsletter: International Society for Biological and Environmental Repositories. 2004;4(1):1–4.
  10. Bregman-Eschet Y. Genetic databases and biobanks: Who controls our genetic privacy? Santa Clara Computer & High Technology Law Journal. 2006;23:1.
  11. Casarett D, Karlawish J, Andrews E, Caplan A. Bioethical issues in pharmacoepidemiological research. In: Strom BL, editor. Pharmacoepidemiology. West Sussex, England: John Wiley & Sons, Ltd.; 2005. pp. 417–432.
  12. Chaikind H, Hearne J, Lyke B, Redhead CS. CRS report for congress: The Health Insurance Portability and Accountability Act (HIPAA) of 1996: Overview and guidance on frequently asked questions. 2005. [accessed August 27, 2005]. http://www.law.umaryland.edu/marshall/crsreports/crsdocuments/RL3163401242005.pdf .
  13. Clause SL, Triller DM, Bornhorst CPH, Hamilton RA, Cosler LE. Conforming to HIPAA regulations and compilation of research data. American Journal of Health-System Pharmacy. 2004;61(10):1025–1031. [PubMed: 15160778]
  14. CMS (Centers for Medicare & Medicaid Services) Overview: Security standards. 2005. [accessed March 27, 2007]. http://www.cms.hhs.gov/SecurityStandard/
  15. CMS. Criteria for review of requests for CMS research identifiable data. 2008. [accessed April 23, 2008]. http://www.cms.hhs.gov/PrivProtectedData/02_Criteria.asp#TopOfPage .
  16. Couzin J. Whole-genome data not anonymous, challenging assumptions. Science. 2008;321:1278. [PubMed: 18772401]
  17. Damschroder LJ, Pritts JL, Neblo MA, Kalarickal RJ, Creswell JW, Hayward RA. Patients, privacy and trust: Patients’ willingness to allow researchers to access their medical records. Social Science & Medicine. 2007;64(1):223–235. [PubMed: 17045717]
  18. De Wolf VA, Sieber JE, Steel PM, Zarate AO. Part II: HIPAA and disclosure risk issues. IRB: Ethics and Human Research. 2006;28(1):6–11. [PubMed: 16680873]
  19. DPWP (Data Protection Working Party) Opinion 4/2007 on the concept of personal data. 2007. [accessed August 28, 2008]. http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf .
  20. Farmer Y, Godard B. Public health genomics (PHG): From scientific considerations to ethical integration. Genomics, Society and Policy. 2007;3:14–27.
  21. Fienberg SE. Confidentiality and disclosure limitation. Encyclopedia of Social Measurement. 2005;1:463–469.
  22. GAO (Government Accounting Office) Medical records privacy: Access needed for health research but oversight of privacy protections is limited. Washington, DC: GAO; 1999.
  23. Greely H. The uneasy ethical and legal underpinnings of large-scale genomic biobanks. Annual Review of Genomics and Human Genetics. 2007;8:346. [PubMed: 17550341]
  24. Hansson M, Dillner J, Bartram C, Carlson J, Helgesson G. Should donors be allowed to give broad consent to future biobank research? Lancet Oncology. 2006;7(3):266–269. [PubMed: 16510336]
  25. Heide C. 2007 PowerPoint presentation to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on the HIPAA Privacy Rule & research: Update from HHS Office for Civil Rights.
  26. HHS (Department of Health and Human Services) White paper on unique identifiers. 1998
  27. HHS. Standards for privacy of individually identifiable health information; Final Rule. 65 Fed. Reg. 82462. 2000 [PubMed: 11503738]
  28. HHS. OCR guidance explaining significant aspects of the Privacy Rule. 2002. [accessed August 27, 2008]. http://www.hhs.gov/ocr/hipaa/privacy.html .
  29. HHS. Institutional review boards and the HIPAA Privacy Rule. 2003. [accessed August 21, 2008]. http://privacyruleandresearch.nih.gov/pdf/IRB_Factsheet.pdf .
  30. HHS. Clinical research and the HIPAA Privacy Rule. 2004a. [accessed August 27, 2008]. http://privacyruleandresearch.nih/gov/pdf/clin_research.asp .
  31. HHS. Guidance on research involving coded private information or biological specimens. 2004b. [accessed August 21, 2008]. http://www.hhs.gov/ohrp/humansubjects/guidance/cdebiol.pdf .
  32. HHS. Protecting personal health information in research: Understanding the HIPAA Privacy Rule. 2004c. [accessed April 17, 2007]. http://privacyruleandresearch.nih.gov/pr_02.asp .
  33. HHS. Research repositories, databases, and the HIPAA Privacy Rule. 2004d. [accessed August 27, 2008]. http://privacyruleandresearch.nih.gov/research_repositories.asp .
  34. HHS. Frequently asked questions: Is a covered entity liable for, or required to monitor, the actions of its business associates? 2006. [accessed August 27, 2008]. http://www.hhs.gov/hipaafaq/providers/business/236.html .
  35. HHS. How OCR enforces the HIPAA Privacy Rule. 2007. [accessed August 27, 2008]. http://www.hhs.gov/ocr/privacy/enforcement/hipaarule.html .
  36. Hillestad R, Bigelow JH, Chaudhry B, Dreyer P, Greenberg MD, Meili RC, Ridgely MS, Rothenberg J, Taylor R. Identity crisis: An examination of the costs and benefits of a unique patient identifier for the U.S. health care system. RAND Corporation; 2008.
  37. Homer N, Szelinger S, Redman M, Duggan D, Tembe W, Muehling J, Pearson JV, Stephan DA, Nelson SF, Craig DW. Resolving individuals contributing trace amounts of DNA to highly complex mixtures using high-density SNP genotyping microarrays. PLoS Genetics. 2008;4(8):e1000167. [PMC free article: PMC2516199] [PubMed: 18769715] [Cross Ref]
  38. IFMC (Iowa Foundation for Medical Care) Chronic condition data warehouse: User manual. 2008. [accessed August 27, 2008]. http://www.ccwdata.org/downloads/CCW%20User%20Manual.pdf .
  39. Interagency Confidentiality and Data Access Group. Checklist on disclosure potential of proposed data releases. 1999. [accessed January 13, 2009]. http://www.fcsm.gov/committees/cdac/checklist_799.doc .
  40. IOM (Institute of Medicine) Protecting data privacy in health services research. Washington, DC: National Academy Press; 2000.
  41. IOM. Implications of genomics for public health: Workshop summary. Washington, DC: The National Academies Press; 2005.
  42. IOM. Effect of the HIPAA Privacy Rule on health research: Proceedings of a workshop presented to the National Cancer Policy Forum. Washington, DC: The National Academies Press; 2006.
  43. IPPC (International Pharmaceutical Privacy Consortium) 2008 Comments to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on the impact of the HIPAA Privacy Rule on pharmaceutical research.
  44. Kass NE, Natowicz MR, Hull SC, Faden RR, Plantinga L, Gostin LO, Slutsman J. The use of medical records in research: What do patients want? Journal of Law, Medicine & Ethics. 2003;31:429–433. [PMC free article: PMC4816216] [PubMed: 14626550]
  45. Kulynych J, Korn D. The effect of the new federal medical-Privacy Rule on research. New England Journal of Medicine. 2002;346(3):201–204. [PubMed: 11796857]
  46. Lin Z, Owen AB, Altman RB. Genomic research and human subject privacy. Science. 2004;305(5681):183. [PubMed: 15247459]
  47. Lowrance WW. Learning from experience, privacy and the secondary use of data in health research. London: The Nuffield Trust; 2002. [PubMed: 15072055]
  48. Lowrance WW, Collins FS. Identifiability in genomic research. Science. 2007;317:600–602. [PubMed: 17673640]
  49. Malin B, Sweeney L. How (not) to protect genomic data privacy in a distributed network: Using trail re-identification to evaluate and design anonymity protection systems. Journal of Biomedical Informatics. 2004;37:179–192. [PubMed: 15196482]
  50. NBAC (National Bioethics Advisory Commission) Research involving human biological materials: Ethical issues and policy guidance, report and recommendations. Vol. 1. Rockville, MD: NBAC; 1999.
  51. NCVHS (National Committee on Vital and Health Statistics) Letter to Secretary Thompson—recommendation on the effect of the Privacy Rule. 2004. [accessed August 27, 2008]. http://ncvhs.hhs.gov/040305l2.htm .
  52. NCVHS. Seventh annual report to congress on the implementation of the administrative simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA) 2005. [accessed August 27, 2008]. http://ncvhs.hhs.gov/050908rpt.htm .
  53. Ness R. Influence on the HIPAA Privacy Rule on health research. JAMA. 2007;298(18):2164–2170. [PubMed: 18000200]
  54. Pace WD, Staton EW, Holcomb S. Practice-based research network studies in the age of HIPAA. Annals of Family Medicine. 2005;3(Supp. 1):S38–S45. [PMC free article: PMC1466957] [PubMed: 15928217]
  55. Phoenix Health Systems. US healthcare industry HIPAA compliance survey results: Summer 2006. 2006. [accessed April 5, 2007]. http://www.hipaadvisory.com/action/surveynew/
  56. Pritts J. Testimony before the National Committee on Vital and Health Statistics, Subcommittee on Privacy and Confidentiality: Implementation of the federal standards for privacy of individually identifiable health information. 2002. [accessed August 27, 2008]. http://www.ncvhs.hhs.gov/021030p6.htm .
  57. Pritts J. The importance and value of protecting the privacy of health information: Roles of HIPAA Privacy Rule and the Common Rule in health research. 2008. [accessed March 15, 2008]. http://www.iom.edu/CMS/3740/43729/53160.aspx .
  58. Pritts J, Neblo M, Damschroder L, Hayward R. Veterans’ views on balancing privacy and research in medicine: A deliberative democratic study. Michigan State University Journal of Medicine and Law. 2008;12:17–31.
  59. Rahman N. Medical: Reflections on privacy: Recent developments in HIPAA Privacy Rule. I/S: A Journal of Law and Policy for the Information Society. 2006;2(3):685.
  60. Redhead CS. CRS report for congress: Health information standards, privacy and security: HIPAA’s administrative simplification regulations. Washington, DC: Congressional Research Service; 2001.
  61. Robling MR, Hood K, Houston H, Pill R, Fay J, Evans HM. Public attitudes towards the use of primary care patient record data in medical research without consent: A qualitative study. Journal of Medical Ethics. 2004;30:104–109. [PMC free article: PMC1757117] [PubMed: 14872086]
  62. Rosati K. 2008 PowerPoint presentation to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on the challenges with biorepositories, databases, and future research.
  63. Rothstein MA. Research privacy under HIPAA and the Common Rule. Journal of Law, Medicine & Ethics. 2005;33(1):154–159. [PubMed: 15934672]
  64. SACHRP (Secretary’s Advisory Committee on Human Research Protections) Letter to Secretary Thompson. 2004. [accessed August 27, 2008]. http://www.hhs.gov/ohrp/sachrp/hipaalettertosecy090104.html .
  65. Shalala DE. Confidentiality of individually-identifiable health information: Recommendations of the Secretary of Health and Human Services, pursuant to section 264 of the Health Insurance Portability and Accountability Act of 1996. 1997. [accessed August 27, 2008]. http://aspe.hhs.gov/admnsimp/pvcrec0.htm .
  66. Stevens GM. CRS report for Congress: Summary of the proposed rule for the privacy of individually identifiable health information. Washington, DC: Congressional Research Service; 2000.
  67. Stevens GM. CRS report for Congress: Compliance with the HIPAA medical Privacy Rule. Washington, DC: Congressional Research Service; 2003.
  68. Subcommittee on Disclosure Limitation Methodology, Federal Committee on Statistical Methodology. Statistical policy working paper 22: Report on statistical disclosure limitation methodology. 1994. [accessed January 13, 2009]. http://www.ciser.cornell.edu/NYCRDC/helpful_links/WP-22-OMB-totalreport.pdf .
  69. Sweeney L. Weaving technology and policy together to maintain confidentiality. Journal of Law, Medicine & Ethics. 1997;25:98–110. [PubMed: 11066504]
  70. Tovino SA. The use and disclosure of protected health information for research under the HIPAA Privacy Rule: Unrealized patient autonomy and burdensome government regulation. South Dakota Law Review. 2004;49(3):447–502. [PubMed: 16493842]
  71. U.S. Congress, House of Representatives, Committee of Conference. Health Insurance Portability and Accountability Act of 1996. 104th Cong., 2d Sess; July 31; 1996.
  72. U.S. Congress, House of Representatives, Committee on Ways and Means. Health Coverage Availability and Affordability Act of 1996. 104th Cong., 2d Sess; March 25; 1996.
  73. Wendler D. One-time general consent for research on biological samples: Is it compatible with the Health Insurance Portability and Accountability Act? Archives of Internal Medicine. 2006;166(14):1449–1452. [PubMed: 16864754]
  74. Westin A. How the public views privacy and health research. 2007. [accessed November 11, 2007]. http://www.iom.edu/Object.File/Master/48/528/%20Westin%20IOM%20Srvy%20Rept%2011-1107.pdf .
  75. Willison DJ, Schwartz L, Abelson J, Charles C, Swinton M, Northrup D, Thabane L. Alternatives to project-specific consent for access to personal information for health research. What do Canadians think?; Paper presented at 29th International Conference of Data Protection and Privacy Commissioners; Montreal, Canada. September 25–28.2007.
  76. Zerhouni EA, Nabel EG. Protecting aggregate genomic data. Science. 2008;322:44. [PubMed: 18772394]

Footnotes

1

Personal communication, M. Wilder, Hogan and Hartson, March 17, 2007.

2

U.S. Secretary of Health and Human Services, Recommendations on the Confidentiality of Individually-Identifiable Health Information to the Committees on Labor and Human Resources (September 11, 1997), and Standards for Privacy of Individually Identifiable Health Information: Proposed Rule, 64 Fed. Reg. 59918, 59923 (1999).

3

Health Insurance Portability and Accountability Act, 45 C.F.R. § 264(a)–(b) (2006).

4

See 45 C.F.R. § 264(c)(1) (2006).

5

Standards for Privacy of Individually Identifiable Health Information: Final Rule, 65 Fed. Reg. 82461 (2000).

6

Standards for Privacy of Individually Identifiable Health Information: Final Rule, 67 Fed. Reg. 53181, 53209 (2002).

7

See 67 Fed. Reg. 53181 (2002).

8

Some material in this section is adapted from a background paper by Pritts (2008).

9

See 45 C.F.R. § 160.103 (2006).

10

See 45 C.F.R. § 164.105(a)(2)(iii)(c) (2006).

11

See 45 C.F.R. § 160.103 (2006).

12

See 45 C.F.R. § 164.502(d) (2006).

13

See 45 C.F.R. § 164.502(a) (2006). A covered entity is required to make a reasonable effort to use and disclose only the minimum amount of PHI needed for the intended purpose. See 45 C.F.R. § 164.502(b) (2006).

14

See 45 C.F.R. § 164.506(e) (2006).

15

See 45 C.F.R. § 164.510(b) (2006).

16

See 45 C.F.R. § 164.510(c) (2006).

17

See 45 C.F.R. § 164.510(f) (2006).

18

See 45 C.F.R. § 164.510(d) (2006).

19

See 45 C.F.R. § 164.512 (2006).

20

Some common functions that business associates perform for covered entities include recruiting subjects, data analysis, processing, or administration; utilization review; quality assurance; and practice management.

21

See 45 C.F.R. § 164.502(e) (2006).

22

Only states have the authority to require mandatory public health reporting.

23

See 45 C.F.R. § 164.520 (2006).

24

See 45 C.F.R. § 164.520 (2006).

25

See 45 C.F.R. § 164.524 (2006).

26

See 45 C.F.R. § 164.526 (2006).

27

See 45 C.F.R. § 164.528 (2006).

28

U.S. Secretary of Health and Human Services, Recommendations on the Confidentiality of Individually-Identifiable Health Information to the Committees on Labor and Human Resources (September 11, 1997) (hereinafter “Secretary Recommendations”); 64 Fed. Reg. 59918, 59968 (1999); 65 Fed. Reg. 82461, 82691 (2000).

29

See Secretary Recommendations (1997) and 64 Fed. Reg. 59918, 59968 (1999).

30

See 45 C.F.R. § 164.508(c)(1)(i) (2006).

31

As a general rule, covered entities may not condition the provision of treatment payment or eligibility for benefits on the provision of an authorization (with the exception of research-related treatment). See 45 C.F.R. § 164.508(b)(4) (2006).

32

See 45 C.F.R. § 164.508(c)(1)(iv) (2006).

33

See 67 Fed. Reg. 53181, 53226 (2002).

34

Id.

35

See 45 C.F.R. § 164.508(b)(4)(i) (2006).

36

See 45 C.F.R. § 164.508(b)(3) (2006).

37

See 64 Fed. Reg. 59918, 59967 (1999).

38

See 45 C.F.R. § 164.512(i)(1)(i) (2006).

39

See 45 C.F.R. § 164.512(i)(2)(ii) (2006).

40

See 45 C.F.R. § 116(d) (2005).

41

See 65 Fed. Reg. 82461, 82697 (2000).

42

See 65 Fed. Reg. 82461, 82816 (2000).

43

See 67 Fed. Reg. 53181, 53229 (2002).

44

See 45 C.F.R. § 164.512(i)(1)(ii) (2006).

45

See 45 C.F.R. § 164.512(ii) (2006).

46

See 45 C.F.R. § 102(f) (2005).

47

See 45 C.F.R. § 164.512(i)(1)(iii) (2006).

48

Personal communication, J. Bailey-Wilson, National Institutes of Health, National Human Genome Research Institute, April 29, 2007. Personal communication, Rachel Nosowsky, Miller, Canfield, Paddock and Stone, PLC, October 23, 2008.

49

See 45 C.F.R. § 164.514(b) (2006).

50

See 45 C.F.R. § 164.514(c) (2006).

51

See 45 C.F.R. § 46.102(f) (2005).

52

See 67 Fed. Reg. 53181, 53232 (2002).

53

See 67 Fed. Reg. 53181, 53234 (2002).

54

See 45 C.F.R. § 164.514(e)(3)(i) (2006).

55

See 67 Fed. Reg. 53181, 53234 (2002).

56

See 45 C.F.R. § 164.514(e)(3)(ii) (2006).

57

See 45 C.F.R. § 164.514(e)(1) (2006).

58

See 67 Fed. Reg. 53181, 53235 (2002).

59

See 45 C.F.R. § 164.501 and 164.504(e)(2)(i) (2006).

60

National Health Data Stewardship: Request for Information, 72 Fed. Reg. 30803 (2007).

61

Patient Safety and Quality Improvement: Final Rule, 73 Fed. Reg. 70732 (2008).

62

See 45 C.F.R. § 164.514 (2006).

63
64

See 45 C.F.R. § 164.528 (2006).

65

See 67 Fed. Reg. 53181, 53245 (2002).

66

See 45 C.F.R. part 160, subparts C and E (2006).

67

See, for example, Doe v. Bd. of Trustees of Univ. of Illinois, 429 F. Supp. 2d 930, 944 (N.D. Ill. 2006); Poli v. Mt. Valley’s Health Ctrs., Inc., 2006 U.S. Dist. LEXIS 2559, No. 05-2015, 2006 WL 83378, at 13-14 (E.D. Cal. January 11, 2006); Haranzo v. Dep’t of Rehabilitative Servs., 2005 U.S. Dist. LEXIS 27302, No. 7:04-CV-00326, 2005 WL 3019240, at 4 (W.D. Va. November 10, 2005); Dominic J. v. Wyo. Valley West High Sch., 362 F. Supp. 2d 560, 573 (M.D. Pa. 2005); Univ. of Colo. Hosp. Auth. v. Denver Publ. Co., 340 F. Supp. 2d 1142 (D. Colo. 2004); O’Donnell v. Blue Cross Blue Shield of Wyo., 173 F. Supp. 2d 1176, 1179-80 (D. Wyo. 2001).

68

See 45 C.F.R. §160.304 (2006).

69

See 45 C.F.R. §160.312(a)(1) (2006).

70

Id.

71

Id.

72

See 45 C.F.R. § 164.504(e)(1)(ii) (2006).

73

Id.

74

Id.

75

See 45 C.F.R. § 160.402(b) (2006).

76

See U.S. v. Gibson, 2004 WL 2188280 (W.D. Wash. 2004) and U.S. v. Ramirez, Warrant, Criminal No. M-05-708, McAllen Division.

77

See 45 C.F.R. part 46(a) (2005).

78

See 21 C.F.R. parts 50 and 56 (2008).

79

See 45 C.F.R. § 164.512(a) (2006).

80

See 45 C.F.R. part 160, subpart B (2006).

81

See 21 C.F.R. parts 50 and 56 (2008).

82

See 45 C.F.R. § 164.514 (2006).