HIPAA Compliance Strategies

Featured Health Business Daily Story Feb. 12, 2009

Major Research Association Reports That HIPAA Privacy Rule Is Harming Research

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

The privacy rule is impeding research, driving up costs, thwarting recruitment of subjects and causing community research partners to turn away from multicenter studies. To top it off, there's no proof the rule has actually improved privacy for researchers or the people they are studying. The only remedy is to exempt research from the rule entirely.

Five years after the privacy rule went into effect, this is the dire situation and perhaps extreme solution put forth in a report by an association of the nation's largest teaching hospitals and universities.

The new report, issued Jan. 15, argues that something must be done now. It was released by the Association of Academic Health Centers (AAHC), a group that includes more than 100 universities and their affiliated hospitals, such as George Washington University Medical Center and Rush University Medical Center.

"The AAHC believes that there are ways to protect privacy better without impeding the research enterprise as significantly as it has been since the implementation of the privacy rule," Elaine Rubin, AAHC vice president of policy and program, tells RPP.

The association says much research is already governed by "the Common Rule," which was adopted in 1991 by 17 federal agencies, including the National Institutes of Health, or by virtually identical regulations imposed by the Food and Drug Administration. It does recommend, however, that additional privacy protections be added to the Common Rule.

The association is also among the organizations calling for Congress and the Obama administration to take a measured approach to any privacy provisions that are added into the economic stimulus package along with health information technology.

AAHC's report backs up the findings of focus groups it conducted in 2007, showing no improvement over time and providing far more detail from more institutions about the worst aspects of the rule for its members. Among them: the accounting of disclosures requirement that also has many nonresearch hospitals fuming.

Responses came from vice presidents for research, legal counsels and chief compliance officers. The comments also reflect the input of principal investigators at the 27 institutions that participated in the survey.

The survey contained five sections and 46 questions, which probed the impact of the rule on the scope, pace and cost of research at the institution; research administration and processes; and multisite research and subject recruitment. Also addressed were problems with research using specific sources of data.

According to the report, the privacy rule "added a new dimension to research protections by strictly defining what constituted protected health information and what defined certain institutions, or covered entities, that held such information." It also made a change by "placing restrictions on how CEs use and share PHI."

"It was recognized soon after the HIPAA privacy rule was proposed that it posed substantial problems for the conduct of research because researchers needed access to medical records or other data that was now designated as PHI and subject to the restrictions placed upon the entities holding such information," the report says. "These limit-setting barriers have the potential to cause serious problems for the research enterprise as a whole."

Specifically, the survey found that:

• 70.8% of respondents characterized the rule's impact on the costs of research as negative or strongly negative.
• 59.1% of respondents characterized the impact of the privacy rule on the scope of research at their institution as negative or strongly negative.
• 63.6% said the pace of research at their institution was impacted negatively or strongly negatively by the rule.
• 68.8% of survey respondents said the impact of the rule on accessing identifiable information for multidisciplinary research was negative or strongly negative.

Accounting of Disclosures Is a Burden

Many hospitals and institutions contend that accounting for disclosures is a burden even though it's not clear that many actual requests are being made and fulfilled. Yet, simply preparing to respond to a request poses costs, the survey documented.

"The HIPAA privacy rule gives every patient the right to request a record of certain instances in which the institution shared (or disclosed) his or her PHI with another institution for the six years prior to the request," the AAHC says. "To comply with this accounting for disclosures requirement, institutions must maintain large quantities of detailed information on every patient and research participant and have it readily and easily accessible to fulfill requests at any time. Survey findings show that increased expenditures and staff, as well as changes in organizational structure, are required to maintain this information even though it appears that very few patients are requesting accountings of disclosures."

According to the survey, only 17% of respondents said their institution had received a "research-related" accounting request; 26% said they had not received requests, and another 56% were not sure if such a request had been handled.

Diversity Among Study Subjects Is Suffering

Patients in studies are less diverse and may now be limited to "well-educated and highly literate" individuals, the report states.

"Many researchers contend that only a well-educated and highly literate population could understand the complex and esoteric language of HIPAA authorization documents, resulting in denied access to research studies for a large segment of the population," the AAHC says. "Often people are very intimidated by the amount of paperwork, have difficulty trying to understand the complex maze of HIPAA terms and conditions, and thus are not able to focus on the issues related to the medical treatment."

"This negative impact on participant recruitment and the diversity of research participants has fundamentally changed the conduct of research. With a less diverse participant pool, the scientific credibility of research is at risk for the future," the report states.

Community Researchers Also Impacted

Research thrives on the involvement of community and smaller hospitals, because individuals who enroll in studies often remain in the care of their local physicians. They may also seek care in their usual hospital, and large clinical trials need the assistance of physicians for recruitment and for participation outside of academia. This is another area that is being hurt by the privacy rule, the study says.

"The privacy rule has the potential to pose a significant barrier to multi-site research, given the multiple restrictions it places on covered entities releasing PHI to other institutions. Community partners have been reluctant to participate in this research in the face of added administrative hurdles and complications, some of which arise from misinterpretation and lack of clarity in the rule," the report states.

"Neither HIPAA nor the Common Rule requires multiple approvals in the case of multi-site research. As long as one institution's institutional review board approves the protocol, the requirements for compliance have been met. However, a lack of clarity in the privacy rule, along with its guidance and a fear of liability, have resulted in more than 40% of survey respondents reporting that their institutions do require multiple approvals for multi-site research," the survey shows.

"The HIPAA privacy rule has now been fully implemented for five years and the problems observed at implementation remain today," the report says. "The privacy rule creates obstructions most significantly in research requiring access to stored tissues, genetic data-sets, patient registries, and data warehouses and medical records."

Next Steps Include Dialogue

If research were subject only to the Common Rule and not the privacy rule, some additions would be necessary, Rubin says.

"We are currently working on developing draft language of what new standards should be included in the Common Rule," she says. "The Common Rule currently just requires that the privacy and confidentiality of research participants be protected, and there are areas that require more explicit standard setting. We believe there are some aspects of the privacy rule that could be retained and moved into the Common Rule without creating the problems that exist today. For instance, guidelines for safeguards to participants' information could be included in the Common Rule," she tells RPP.

The AAHC will be meeting with a variety of government officials, including the Secretary's Advisory Committee on Human Research Protections, which advises HHS on subject protections for individuals in federally funded research "to further the dialogue on our recommendations," Rubin says.

"We are discussing our concerns and sharing the issue brief with people on the Hill who are responsible for the stimulus package and look forward to working with members of Congress to address the impact on research," she says.

Advertise With AIS

Privacy

Site Map