Excerpt

The U.S. Department of Health and Human Services (HHS) developed a set of federal standards for protecting the privacy of personal health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Privacy Rule set forth detailed regulations regarding the types of uses and disclosures of individuals’ personally identifiable health information—called “protected health information”—permitted by “covered entities” (health plans, health care clearinghouses, and health care providers who transmit information in electronic form in connection with transactions for which HHS has adopted standards under HIPAA). A major goal of the HIPAA Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of information needed to promote high-quality health care. The HIPAA Privacy Rule also set out requirements for the conduct of health research.

The Institute of Medicine Committee on Health Research and the Privacy of Health Information (the committee) was charged with two principal tasks : (1) to assess whether the HIPAA Privacy Rule is having an impact on the conduct of health research, defined broadly as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge” ; and (2) to propose recommendations to facilitate the efficient and effective conduct of important health research while maintaining or strengthening the privacy protections of personally identifiable health information.

Contents

• The National Academies
• Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule
• Reviewers
• Acknowledgments
• Summary
  • BEYOND THE HIPAA PRIVACY RULE: ENHANCING PRIVACY, IMPROVING HEALTH THROUGH RESEARCH
  • RECOMMENDATION I. DEVELOP A NEW APPROACH TO PROTECTING PRIVACY IN ALL HEALTH RESEARCH
  • RECOMMENDATION II. REVISE THE PRIVACY RULE AND ASSOCIATED GUIDANCE
  • RECOMMENDATION III. IMPLEMENT CHANGES NECESSARY FOR BOTH POLICY OPTIONS ABOVE (RECOMMENDATIONS I AND II)
• Overview of Conclusions and Recommendations
  • DEFINITIONS
  • THE HIPAA PRIVACY RULE
  • THE COMMITTEE’S CHARGE AND THE OVERARCHING GOALS OF THE RECOMMENDATIONS
  • THE COMMITTEE’S RECOMMENDATIONS
• 1. Introduction
  • BRIEF HISTORY OF HIPAA AND THE PRIVACY RULE
  • PRIVACY AND HEALTH RESEARCH
  • PRIVACY CONCERNS
  • THE CONCERNS OF HEALTH RESEARCHERS
  • ORIGINS OF THE STUDY
  • COMMITTEE APPOINTMENT AND CHARGE
  • METHODS
  • THE COMMITTEE’S CONCLUSIONS AND RECOMMENDATIONS
  • FRAMEWORK OF THE REPORT
  • REFERENCES
• 2. The Value and Importance of Health Information Privacy
  • CONCEPTS AND VALUE OF PRIVACY
  • HISTORICAL DEVELOPMENT OF LEGAL PROTECTIONS OF HEALTH INFORMATION PRIVACY
  • SECURITY OF HEALTH DATA
  • The HIPAA Security Rule and Its Limitations
  • POTENTIAL TECHNICAL APPROACHES TO HEALTH DATA PRIVACY AND SECURITY
  • CONCLUSIONS AND RECOMMENDATIONS
  • REFERENCES
• 3. The Value, Importance, and Oversight of Health Research
  • CONCEPTS AND VALUE OF HEALTH RESEARCH
  • OVERSIGHT OF HEALTH RESEARCH
  • DISTINGUISHING HEALTH RESEARCH FROM PRACTICE
  • THE IMPORTANCE OF EFFECTIVE COMMUNICATION WITH THE PUBLIC
  • CONCLUSIONS AND RECOMMENDATIONS
  • REFERENCES
• 4. HIPAA, the Privacy Rule, and Its Application to Health Research
  • OVERVIEW OF HIPAA
  • DEVELOPMENT OF THE PRIVACY RULE REGULATIONS
  • OVERVIEW OF THE HIPAA PRIVACY RULE
  • HIPAA AND RESEARCH
  • ENFORCEMENT OF THE PRIVACY RULE
  • RELATIONSHIP BETWEEN HIPAA AND OTHER LAWS
  • CONCLUSIONS AND RECOMMENDATIONS
  • REFERENCES
• 5. Effect of the HIPAA Privacy Rule on Health Research
  • OVERVIEW OF SURVEY RESULTS
  • SELECTION BIAS
  • EFFICIENCY OF RESEARCH
  • ABANDONED STUDIES
  • DEIDENTIFIED INFORMATION
  • AUTHORIZATION PROCESS
  • CONCERNS ABOUT POTENTIAL LEGAL CONSEQUENCES
  • POTENTIAL WAYS TO REDUCE INTERPRETIVE VARIABILITY AMONG IRBS, PRIVACY BOARDS, AND COVERED ENTITIES
  • CONCLUSIONS AND RECOMMENDATIONS
  • REFERENCES
• 6. A New Framework for Protecting Privacy in Health Research
  • REVIEW OF THE LIMITATIONS OF THE PRIVACY RULE
  • THE NEW FRAMEWORK
  • THE NEW FRAMEWORK ADDRESSES THE OVERARCHING GOALS
  • RELEVANCE OF THE RECOMMENDATION TO OTHER FEDERAL ACTIONS
  • CONCLUSIONS AND RECOMMENDATIONS
  • REFERENCES
• Abbrevations and Acronyms
• Glossary
• Appendices
  • Appendix A Previous Recommendations to the Department of Health and Human Services
  • Appendix B Commissioned Survey Methodology
  • Appendix C Committee Member and Staff Biographies

The project is sponsored by the National Institutes of Health and the National Cancer Institute, the Robert Wood Johnson Foundation, American Cancer Society, American Heart Association/American Stroke Association, American Society for Clinical Oncology, Burroughs Wellcome Fund, and C-Change. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the author(s) and do not necessarily reflect the views of the organizations or agencies that provided support for the project.

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.