An official website of the United States government
The .gov means it's official. Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.
The site is secure. The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
- Publications
- Account settings
- Browse Titles
NCBI Bookshelf. A service of the National Library of Medicine, National Institutes of Health.
Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington (DC): National Academies Press (US); 2009.
Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research.
- Hardcopy Version at National Academies Press
5 Effect of the HIPAA Privacy Rule on Health Research
Since the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule was implemented by the U.S. Department of Health and Human Services (HHS) in April 2003, health researchers have asserted that the Privacy Rule has had a negative effect on researchers’ abilities to conduct meaningful research. The purpose of this chapter is to review the currently available evidence on the effect of the Privacy Rule on research, including surveys as well as other types of studies to measure impact. The chapter begins with an overview of several surveys that examined health researchers’ personal experiences with and opinions about the Privacy Rule. Many issues identified by survey respondents were also the focus of other types of studies, so the remainder of the chapter consists of a topical review of the available evidence regarding the effect of the Privacy Rule, and its interpretation, on health research. The following issues are reviewed in detail: (1) selection bias, (2) research efficiency, (3) abandoned research, (4) deidentified information, (5) the authorization process, and (6) concerns about potential legal consequences.
- OVERVIEW OF SURVEY RESULTS
As noted in previous chapters ( Chapter 1 in particular), the information gained by opinion surveys has limitations. The potential for bias exists because of the way the questions are worded and framed, and respondents may have self-motivated reasons for responding in a particular fashion. For example, individuals responding to surveys conducted by professional societies may be more likely to have encountered difficulties with the Privacy Rule than those who did not respond. Thus, information gathered from surveys is anecdotal and based on individual’s personal opinions; it does not constitute systematic data on the experience of all researchers.
Before discussing the relevant surveys in detail in this chapter, it is also important to recognize the strengths and weaknesses of these survey data. One strength is that multiple surveys addressed similar topics, and many respondents were affiliated with different institutions and different fields of health research. The fact that the respondents to the different surveys reported similar problems with conducting research under the Privacy Rule makes it more likely that results can be generalized and are not specific to a particular institution. Weaknesses include the size and low response rates of some surveys and, in some cases, the lack of a denominator, making it impossible to determine a response rate, which is an important measure to assess the representativeness of the results. Also, three of the surveys discussed below were conducted immediately or shortly after the Privacy Rule was implemented, before covered entities and other stakeholders had adequate time to adapt to the new regulation. However, more recent surveys of researchers’ experiences with the Privacy Rule, two of which were commissioned by the Institute of Medicine (IOM) committee, found that researchers were still reporting negative effects of the Privacy Rule on health research ( Box 5-1 ).
Health Researchers’ Experience with the Privacy Rule: Survey Results in 2003–2004 and 2007–2008. The Privacy Rule has increased the cost and time it takes to conduct a research project from start to finish (AAMC, NCAB, AHRQ, Ness, (more...)
Surveys to gauge the impact of the HIPAA Privacy Rule on health research have been undertaken by numerous agencies and organizations with various constituencies, including the Association of American Medical Colleges ( NCVHS, 2003 ), the National Cancer Advisory Board ( Ramirez and Niederhuber, 2003 ), the Agency for Healthcare Research and Quality ( Walker, 2005 ), Epidemiological Societies ( Ness, 2007 ), the HMO Research Network ( Greene et al., 2008 ), AcademyHealth ( Helms, 2008 ), the American Heart Association ( Ring, 2007 ), and the North American Association of Central Cancer Registries ( Deapen, 2006 ). In addition, structured interviews were undertaken by the American Society for Clinical Oncology ( ASCO, 2008 ), and focus groups were organized by the Association of Academic Health Centers ( AAHC, 2008 ). An overview of these projects is provided below (also see Table 5-1 ).
Summary of Relevant Surveys.
Association of American Medical Colleges Survey
In 2003, on the day that covered entities were required to be in compliance with the Privacy Rule, the Association of American Medical Colleges (AAMC) launched a survey to examine the Privacy Rule experiences of investigators, Institutional Review Board (IRB) personnel, privacy officials, research administrators, and deans. AAMC then created a database of case reports and research functions affected by the Privacy Rule based on 331 individuals’ responses. After analyzing the database, AAMC concluded that the Privacy Rule affects many types of health research, including clinical, health services, epidemiological, behavioral, biomedical, health economics, and outcomes research. The most common effects of the Privacy Rule on research reported were that the Privacy Rule: (1) reduced patient recruitment, (2) increased the likelihood of selection bias, (3) increased the costs of conducting research by requiring more paperwork and complicating the IRB approval process, (4) increased the number of errors in research when deidentified information was used, (5) made multisite trials more difficult because of variations in IRB interpretation of the Rule, and (6) caused researchers to abandon projects because of the increased number of rules for operating a research study ( NCVHS, 2003 ).
National Cancer Advisory Board Survey
The National Cancer Advisory Board (NCAB) 1 conducted a survey of health researchers’ experiences with the Privacy Rule in 2003. NCAB requested the names of Privacy Rule experts from cancer center directors, clinical cooperative group chairs, and principal investigators of Special Programs of Research Excellence. A total of 226 experts were identified. These experts were invited to visit a website and submit public comments on the effect of the Privacy Rule on cancer research. NCAB received 89 responses to the survey, for a 39 percent response rate. The survey showed that the majority of respondents believed that: (1) the Privacy Rule increased patient confusion, (2) the Privacy Rule’s complex documentation requirements delayed research, (3) differing interpretations of the Privacy Rule made conducting health research more challenging, and (4) the Privacy Rule created new barriers to the use of patient specimens collected during clinical trials ( Ramirez and Niederhuber, 2003 ).
AHRQ Survey
In 2004, the Agency for Healthcare Research and Quality (AHRQ) interviewed 33 senior health care researchers, privacy officers, research compliance officers, and IRB directors representing a variety of health settings in 18 states that covered all regions of the United States. With a 77 percent response rate, 92 percent of respondents reported an impact of the Privacy Rule on health research. Those reporting substantial impact were often involved in multisite studies where follow-up information from many patients was needed from many sources. Many respondents reported conflicting IRB decisions, difficulties with authorization as well as access to deidentified data, increased cost and time, and lack of participation from small hospitals and provider groups due to lack of resources. More than half of respondents thought that misinterpretations and overly conservative interpretations of the Privacy Rule were the cause of the difficulties ( Walker, 2005 ).
National Survey of Epidemiologists
The IOM committee commissioned a survey by Roberta Ness at the University of Pittsburgh. In 2007, Dr. Ness conducted a web-based survey of 1,527 epidemiologists who had submitted a new application to an IRB for a research project involving human subjects research since the Privacy Rule was implemented (see Appendix B for methodological details). The survey asked respondents to answer a number of questions on a 5-point Likert scale (1 = none, 5 = a great deal). More than 84 percent of respondents ranked the statement “the Privacy Rule made research easier” as a 1 or 2. In contrast, 68 percent of respondents ranked the statement “the degree to which the Rule made research more difficult” as a 4 or 5. Only 11 percent of respondents stated that the Privacy Rule strengthened public trust in research, and 26 percent responded that the Privacy Rule did a great deal to enhance participant confidentiality and privacy ( Figure 5-1 ).
FIGURE 5-1 National Survey of Epidemiologists: Scaled perceptions of the impact of the Health Insurance Portability and Accountability Act Privacy Rule. SOURCE: Ness (2007).
This survey also provided respondents with the opportunity to write in comments regarding their experiences conducting research under the Privacy Rule. A total of 427 comments were received; 90 percent were negative, 5 percent were neutral, and 5 percent were positive. The common themes in the comments were: (1) the Privacy Rule added patient burden without enhancing privacy protections, (2) institutions vary greatly in their interpretations of the Privacy Rule, and (3) many government agencies are confused about the demarcation between public health surveillance, which is exempt from the Privacy Rule, and health research. Finally, the survey found that many respondents believed the Privacy Rule added to research costs, caused delays to research projects, and made recruitment of research participants much more difficult ( Ness, 2007 ).
HMO Research Network Survey
The IOM committee also commissioned data-gathering efforts from the HMO Research Network (HMORN) of investigator and IRB members’ experiences operating under the Privacy Rule (see Appendix B for methodological details). The HMORN is a consortium of more than 250 scientists who work in 15 research centers based in health care delivery systems. The data collection efforts consisted of a web-based survey of investigators in the Cancer Research Network (conducted in fall 2007), a follow-up telephone survey of those investigators who reported having a study affected by the Privacy Rule, and a mailed survey to IRB administrators at the 15 HMORN sites (conducted in early 2008). The response rate for the investigator survey was 43 percent (235 investigators were invited to participate in the survey, and 89 responses were received). Respondents were mostly doctoral-level scientists, and 72 percent of them had been in research for 10 or more years. Twelve respondents completed telephone interviews. The response rate for the IRB administrator survey was 73 percent (11 of the 15 sites submitted responses).
The results of these surveys are consistent with those of previous surveys. Respondents reported numerous difficulties with conducting health research since the implementation of the Privacy Rule, including increased time required to conduct research, problems with gaining IRB approval for studies, impediments to multicenter research, confusion over the authorization process, and problems with the use of deidentified data. Of the investigators who responded, 74 percent reported having a study affected by the Privacy Rule. Of these respondents, 61 percent reported having a study affected more than once. In addition, 60 percent of the investigators reported difficulty conducting research under the requirements of the Privacy Rule. On the other hand, 59 percent of the investigators reported that the Privacy Rule has strengthened patient privacy.
The IRB administrators were more positive than the investigators regarding the Privacy Rule. Ninety percent of IRB administrators reported that the Privacy Rule strengthened patient privacy. In addition, 46 percent of IRB administrators said it was easy to work within the privacy regulations, as opposed to 36 percent of IRB administrators who said it was not easy to work within the regulations. Nonetheless, 63 percent of IRB administrators reported that the Privacy Rule has made conducting research more difficult. More than 72 percent of IRB administrators reported that the federal government needs to give more guidance to IRBs about interpreting and implementing the Privacy Rule ( Greene et al., 2008 ).
AcademyHealth Survey
To provide input to the IOM study, AcademyHealth conducted a survey in 2007 of researchers’ experiences operating under the Privacy Rule. AcademyHealth is a professional society for health services researchers and health policy analysts. Its mission is to strengthen the research infrastructure, promote the use of the best available research, and assist health policy and practice leaders in addressing major health care challenges. The organization conducted a web-based survey of principal investigators. All 3,461 AcademyHealth members were invited to participate in the survey by e-mail. A total 696 members responded. Out of this group, 396 members were principal investigators and met the criteria for inclusion in the survey analysis. In general, 75 percent of the survey respondents reported that their experiences with the Privacy Rule were negative. Only 6 percent of respondents reported that their experiences were positive. Nearly half—48 percent—reported that their institution provided support to assist researchers with HIPAA compliance and IRB issues, and 77 percent of the researchers at these institutions indicated that they used these resources. Respondents were also asked whether they believe the Privacy Rule strikes the correct balance between protecting individual privacy and allowing research to be conducted. A majority—63 percent—of the respondents reported that the Privacy Rule provides protection to individuals at the expense of access to research data; 28 percent reported that the Privacy Rule strikes the right balance between these two goods; and only 1 percent reported that the Privacy Rule provides access to research data at the expense of privacy protection for individuals ( Figure 5-2 ) ( Helms, 2008 ).
FIGURE 5-2 AcademyHealth Survey: Perspective on the balance of individual protections and research access. SOURCE: Helms (2008).
American Heart Association/American College of Cardiology Survey
The American Heart Association (AHA) and the American College of Cardiology (ACC) also conducted a survey in 2007. The 18,261 professional members of AHA and ACC were invited to complete a questionnaire by e-mail, and 656 individuals completed the survey. However, it is important to note that many professional members of AHA and ACC are practicing physicians, not researchers, and thus were not the intended audience for the survey. Of the individuals completing the survey, 61 percent reported that they had submitted an IRB application since the Privacy Rule was implemented. In general, the respondents indicated that the Privacy Rule had a negative impact on research and did not improve patient privacy. Only 22 percent of respondents reported that the Privacy Rule increased public trust in research, 44 percent reported that it increased confidentiality, 9 percent reported that it decreased privacy breaches, and 14 percent reported that patients’ privacy was better protected than before the Privacy Rule. Respondents also indicated that the Privacy Rule had a negative impact on research recruitment, the IRB approval process, the cost and time to conduct research, multicenter research, and the use of deidentified information ( Ring, 2007 ).
North American Association of Central Cancer Registries
In 2006, the North American Association of Central Cancer Registries (NAACCR) conducted a survey of its memberships’ experience operating under the Privacy Rule. NAACCR members represent population-based state, regional, and provincial cancer registries in Canada, the United States and its territories. These registries provide cancer incidence data for public health surveillance and research purposes. All 71 members of NAACCR were invited to participate in the survey and 55 responses were received, however, many of the members are not HIPAA covered entities. In general, the respondents indicated that the Privacy Rule has interfered with both basic cancer surveillance and registry-based research ( Deapen, 2006 ).
American Society of Clinical Oncology Interviews
The American Society of Clinical Oncology (ASCO) gathered qualitative information through structured interviews in early 2008 with 27 compliance officials and investigators from 13 institutions about their attitudes toward the Privacy Rule. Participants were presented with three research scenarios prior to their interviews: (1) communication with cancer survivors’ family members to request their participation in genetic studies intended to investigate familial cancer syndromes, (2) establishment and use of tissue and data banks that would contain protected health information (PHI), and (3) identification and consent of cancer survivors to participate in long-term survivorship studies. These scenarios were then discussed during the interviews to explore how the Privacy Rule standards are applied at the different institutions, and to gauge the opinions of the researchers and compliance officers toward the regulation.
Unlike some of the surveys, many of the ASCO interview participants indicated that the Privacy Rule had a positive effect on privacy by triggering a reconsideration of how confidential health information is handled in research. However, they also noted that different institutions’ IRBs have very different approaches to complying with the Privacy Rule, and this can impede important research. They identified the authorization process as the most significant challenge to complying with the Privacy Rule, especially for future research projects relying on stored tissue and databases. Compliance officers and researchers disagreed on the possibility of obtaining authorization for “future research.” Other problems identified included abandoned studies, a lack of training and useful guidance documents on the requirements of the Privacy Rule, and concerns about the security of research databases ( ASCO, 2008 ).
Association of Academic Health Centers Focus Groups
The Association of Academic Health Centers (AAHC) organized focus groups in fall 2007 at five institutions to examine researchers’ experiences operating under the HIPAA Privacy Rule. Each focus group included both researchers and compliance personnel from the institution, and all groups were asked the same set of questions. The focus groups reported problems with the Privacy Rule’s regulation of research similar to those found in the surveys. Major issues identified included overly conservative interpretation of the Privacy Rule by institutions, diminished ability to recruit research participants, obstacles in accessing stored tissue and genetic datasets, increased cost and time to conduct research, and increased complexity in the IRB review procedures. Participants also indicated that some hospitals and community physicians were opting out of research, rather than attempting to comply with the Privacy Rule ( AAHC, 2008 )
- SELECTION BIAS
Selection bias is created when data are more likely to be collected from one subset of the population than from a representative sample of the entire population (see Box 3-8 ). This can cause a systematic difference between the characteristics of the individuals included in a study and the individuals not included. Selection bias is problematic for research because it can lead to inaccurate results and it reduces the generalizability of research results to the general population, as indicated by the examples described below.
The Privacy Rule has the potential to contribute to selection bias because it requires researchers to seek patient authorization to access their health records in most situations (see Chapter 4 ). Selection bias occurs if the individuals who give permission for researchers to access their medical data differ from the group of individuals who are unwilling to give permission for their health information to be used in research. This section provides a detailed overview of the evidence regarding the Privacy Rule’s impact on selection bias. It starts with a description of relevant survey data from the researcher surveys described above, then provides a summary of several systematic studies that examined the effect of consent and authorization on selection bias. It concludes with a section summarizing several studies that specifically examined the Privacy Rule’s effect on research samples.
Two surveys provide evidence that researchers are concerned about the Privacy Rule introducing selection bias into research. In the AHRQ survey, 74 percent of respondents reported that they had experienced problems with sample representation and bias. One of the most commonly cited reasons for selection bias was that fewer patients have agreed to participate in research since the Privacy Rule was implemented. Respondents indicated that the complicated and lengthy authorization forms required by the Privacy Rule create an impediment to subject recruitment. Also, 42 percent of respondents reported that many small health care entities and other entities serving disadvantaged populations are not participating in research because of an inability to meet all of the Privacy Rule requirements. This results in the underrepresentation of minority populations in many research studies ( Walker, 2005 ).
A survey of NAACCR found similar results, with 36 percent of respondents reporting that the Privacy Rule had introduced selection bias into a research project. The response rate for this survey was 66 percent ( Deapen, 2006 ). A new privacy policy of Veterans Affairs has deepened concern about bias in cancer registries ( Kolata, 2007 ; see also Chapter 6 ). This policy goes beyond the requirements of the Privacy Rule by requiring each state to sign a national directive setting privacy standards for the use of patients’ health information. Some states have refused to sign the directive, asserting that it is not feasible to meet the requirements. As a result, cancer registries will not be representative of the entire U.S. population, and researchers and public health officials will have difficulty interpreting annual cancer statistics published by the National Cancer Institute.
General Studies of Consent and Selection Bias
Numerous studies have directly examined the effect of consent and authorization requirements on selection bias in a systematic manner ( Al-Shahi et al., 2005 ; Harris and Levy, 2008 ; McCarthy et al., 1999 ; Trevena et al., 2006 ; Tu et al., 2004 ; Ward et al., 2007 ; Woolf et al., 2000 ). Woolf and colleagues (2000) at Virginia Commonwealth University studied the effect of requiring patients to give consent on the demographics of research participants at an urban family practice center. Patients were recruited to complete the Health Assessment Survey (HAS). At the end of the HAS, patients were asked to give the researchers permission to contact them by phone or mail, and to review their medical records. Of patients who completed the HAS survey, 67 percent granted researchers consent to complete the follow-up activities, 25 percent actively denied consent, and 8 percent did not answer the question. Patients who gave consent were older, and included fewer women and African Americans than patients who did not give consent. Patients who actively denied consent were younger, included more women, and were more educated than patients giving consent. Also, patients who gave consent differed in health status from patients who denied consent. The researchers concluded that patients willing to release personal health information for health services research differed on important characteristics from patients denying consent ( Woolf et al., 2000 ).
A study conducted by Jack Tu and colleagues (2004) examined the effect of requiring consent on the representativeness of the Registry of the Canadian Stroke Network of the entire population of individuals with stroke. The researchers found that requiring consent before enrollment created a database that was not representative. Patients who agreed to participate in the stroke database were younger, more likely to be alert at admission to the hospital, more likely to be alive at discharge, and were more likely to speak English or French than those patients who did not agree to participate in the database.
In addition, the in-hospital discharge rates differed significantly between enrolled patients (7 percent) and unenrolled patients (22 percent). This difference was likely due to the difficulty in approaching critically ill patients and their family members for recruitment during the ordeal of a stroke. Also, many stroke patients were unable to give or decline to give consent because they were cognitively impaired. The selection bias occurred at hospitals with both high and low participation rates. Based on this study’s results, the Registry of the Canadian Stroke Network switched from a consent-based system to a system that uses deidentified patient data and does not require patient consent, to ensure the universality of the registry ( Tu et al., 2004 ). This change, however, eliminated the possibility of followup interviews with patients.
In Scotland, a study conducted by Rustam Al-Shahi and colleagues (2005) evaluated the effect of requiring consent on prospective, observational research. The researchers attempted to obtain informed consent to review the medical records and conduct annual follow-up questionnaires of all patients residing in Scotland who presented with intracranial vascular malformation between 1999 and 2002. An ethics board gave the researchers permission to collect baseline and follow-up data on those patients who did not give consent. The researchers found that adults who consented to participate in the study differed on important prognostic variables from patients who did not consent. For example, patients who gave consent were significantly less likely to have intracranial hemorrhage, or to be dependent at presentation. During the yearly follow-ups, patients who gave consent were significantly more likely to have received interventional treatment, less likely to have died, and more likely to have had an epileptic seizure than nonconsenters. The researchers concluded that requiring consent for observational research produced significant selection bias ( Al-Shahi et al., 2005 ).
McCarthy and colleagues (1999) studied a Minnesota law that required patient-informed consent before medical records were permitted to be used by researchers. In this pharmacoepidemiologic study, 73 of 140 potential research participants responded to a request for informed consent, with 26 of the potential research participants authorizing the use of their medical records for the study, and 47 declining. Although it is unclear whether there were important differences between the group of individuals granting informed consent and the group of individuals declining to give informed consent, the authors concluded that the low response rate compromised the generalizability of the study results. In contrast, the researchers achieved a 93 percent recruitment rate for this study in states without a privacy law requiring informed consent, where health care providers could grant access to patient medical records based on a general enrollment authorization. The low participation rate in Minnesota was directly attributed to the state privacy law ( McCarthy et al., 1999 ).
Similar results were found in the study that examined the effect of the recent Australian privacy legislation on selection bias in health research. Trevena and colleagues (2006) conducted a randomized trial comparing recruitment under an opt-out and an opt-in methodology. In the opt-out condition, potential research participants were informed that their physician was participating in a research study, and if they did not wish to be contacted by the researchers they should inform their physician and their contact information would be withheld. Under the opt-in condition, potential research participants could only be contacted by researchers if they affirmatively gave permission in writing, over the phone, or via e-mail to the researchers. This study found that a smaller percentage of potential research participants participated under the opt-in methodology (47 percent) compared to the opt-out methodology (67 percent). Although there was no difference in the age, sex, health status, or socioeconomic status between the opt-in and opt-out populations, individuals in the opt-in group were more likely (75 percent) to prefer an active role in making health care decisions than individuals in the opt-out group (45 percent). The researchers concluded that the opt-in method produced a sample of research participants who differed in important behavioral characteristics from the opt-out method participants ( Trevena et al., 2006 ).
In a study of the United Kingdom Data Protection Act of 1998, epidemiological researchers assessed their ability to recruit potential research participants under this Act. The researchers wrote to a number of physicians and recruited them to participate in the study. If the physicians agreed to participate, the researchers requested the physicians to randomly select 20 of their patients and ask them to consent to being contacted by the researchers. Those individuals granting consent to be contacted were then invited by the researchers to participate in the study. Following this methodology, the researchers were only able to obtain consent from 16 percent of the patients approached. They concluded that such a low participation rate led to selection bias, as well as inadequate statistical power and statistical significance. They documented that health care workers were overrepresented in the resulting study population ( Ward et al., 2007 ).
HIPAA Authorization and Selection Bias
Several studies have explicitly examined whether the provisions of the Privacy Rule contribute to biased research samples. Armstrong and colleagues (2005) at the University of Michigan conducted a 6-month follow up questionnaire for the Acute Coronary Syndrome Registry. They then compared the percentage of patients who gave consent pre-HIPAA and post-HIPAA for participation in the follow-up survey. In the pre-HIPAA time period, informed consent for the follow-up questionnaire was given over the phone by the patient. In the post-HIPAA era, written informed consent and authorization were required. The percentage of patients consenting to complete the questionnaire decreased from 96 percent in the pre-HIPAA era to 34 percent in the post-HIPAA era. Patients who gave consent post-HIPAA were more likely to be older, married, and white than those who refused to provide consent or did not respond. Patients who gave consent also had lower mortality rates at 6 months than patients who refused consent. The results suggest that implementation of the Privacy Rule led to selection bias in the Registry ( Armstrong et al., 2005 ).
Beebe and colleagues (2007) at the Mayo Clinic College of Medicine in Rochester, MN, followed up on the Armstrong study and conducted a randomized clinical trial that examined the effect of the Privacy Rule on response rate and selection bias. In this study, 6,939 research participants were randomly assigned to one of two research conditions: (1) one condition required patients to complete and return a HIPAA authorization form in order to participate in the study, and (2) in the second condition, patients were not required to complete a HIPAA authorization form to participate. The response rates were significantly different between the condition requiring an authorization form (38 percent) and the condition not requiring an authorization form (55 percent). However, unlike the studies described above, the researchers did not find that the lower response rate translated into a detectable selection bias ( Beebe et al., 2007 ).
The lack of detectable selection bias in this study could be the result of the authorization form used. Beebe and colleagues used a simple one-page authorization form. In the other studies discussed in this section, the authorization forms were much longer than one page and were often written in complex language. Simplifying the authorization form likely minimized the effect of requiring patient authorization on potential research participants’ willingness to participate in a study. However, as will be discussed below in the chapter section on the authorization process, a majority of covered entities require lengthy and highly legalistic authorization forms.
Another study that examined the effect of the Privacy Rule on selection bias was conducted by Dunlop and colleagues (2007) at Emory University in Atlanta. In this study the researchers investigated the impact of including an authorization form on the willingness of African Americans to participate in a clinical study of an antihypertensive medication. Research participants were randomly assigned to one of two study conditions in which they received either (1) an informed consent form (informed consent condition), or (2) an informed consent form and an authorization form (authorization condition). The researchers recorded the reasons that potential research participants gave for declining to participate in the study.
The study found that a smaller percentage of research participants in the authorization condition indicated a willingness to participate in the study than in the informed consent condition (27 percent versus 39 percent). This was especially true for individuals over 40 years of age with a high school education or less, and in men. In addition, individuals required to complete an authorization form were more likely to report the following reasons for declining to participate in the study: (1) concerns related to mistrust or fear of research, researchers, or research institutions, and (2) poor comprehension of forms. The researchers concluded that the Privacy Rule’s authorization requirement acted as a deterrent for African American participation in research ( Dunlop et al., 2007 ).
- EFFICIENCY OF RESEARCH
Substantial evidence indicates that many institution’s implementation and interpretation of the Privacy Rule have had a detrimental effect on health researchers’ ability to efficiently conduct information-based research. This section reviews the available evidence on the effect of the Privacy Rule, and its interpretation, on the efficiency of research in terms of (1) cost and time, (2) research participant recruitment, (3) IRB oversight of research projects, (4) international collaboration between researchers, and (5) the use of business associate agreements.
Cost and Time
In the 2000 version of the Privacy Rule, HHS estimated that the Privacy Rule would cost the health care industry more than $17.6 billion to implement. 2 The expected costs for research were projected to be more than $40 million the first year, and $585 million over 10 years. The 2002 version of the Privacy Rule reduced the projected costs for implementing the research provisions by $10 million the first year, and $146 million over 10 years. 3 HHS stated that it was difficult to conduct a true cost–benefit analysis of the Privacy Rule because the value of protecting health privacy is difficult to quantify. 4 However, in implementing the Privacy Rule, the agency clearly decided that the benefits of protecting privacy outweighed the economic costs of the Privacy Rule. The aggregate cost to research has not been measured or estimated since April 2003, and as outlined below, researchers’ estimates of the increase in cost and time attributable to the Privacy Rule vary widely.
In a recent article published in the Annual Review of Medicine , Nosowsky and Giordano (2006) reviewed the existing evidence on the effect of the Privacy Rule on research, and concluded that the costs projected by HHS have more than been realized by covered entities, researchers, and IRBs, although no figures were cited. They attributed the increased research costs to the large amounts of paperwork required by the Privacy Rule, increased staff time, and difficulties in recruiting research participants. They concluded that these additional burdens on research have pushed researchers to reformulate and abandon many studies. Furthermore, the authors speculated that these changes have increased the need for researchers to obtain additional funding, discouraged investigator-initiated research, and caused many smaller research projects to end ( Nosowsky and Giordano, 2006 ).
Many researchers report that the implementation of the Privacy Rule increased the cost of conducting health research and increased the time necessary to conduct a research project from start to finish. The national survey of epidemiologists found that most respondents believe the Privacy Rule increased the cost and time of conducting health research. In this survey, 90 percent of the respondents reported an increase in resource expenditure, with 40 percent indicating that the Privacy Rule increased research costs a great deal (i.e., 4–5 on the Likert scale). Half of the respondents indicated that the additional time required to comply with the Privacy Rule was great (4–5 on the Likert scale) ( Figure 5-3a ) ( Ness, 2007 ). In the AHA/ACC survey, 78 percent of respondents reported that the Privacy Rule increased the cost of research, and 79 percent reported that it increased the time to conduct research ( Ring, 2007 ).
FIGURE 5-3a National Survey of Epidemiologists: Impact on cost and time to complete research. SOURCE: Ness (2007).
The AcademyHealth survey results were similar, with 86 percent of respondents reporting that the Privacy Rule increased the time necessary for research, and 8 percent of those reporting that the increase was so great that it led some researchers to forego projects. In terms of cost, 73 percent of respondents reported that the Privacy Rule increased the cost of research (4 percent much more, 24 percent significantly more, and 45 percent somewhat more) ( Helms, 2008 ) ( Figure 5-3b ).
FIGURE 5-3b AcademyHealth Survey: Impact on cost and time to complete research. SOURCE: Helms (2008).
In the HMORN survey of investigators, 55 percent of respondents reported that study time lines were negatively affected by the Privacy Rule ( Figure 5-4 ). A third of the investigators indicated that the Privacy Rule delayed their research by 1 to more than 3 months. Also, investigators reported that the Privacy Rule led to a median of 20 additional staff hours required to comply with the requirements of the regulation. Twelve percent of respondents reported that 100 or more staff hours were required. In one extreme case in the structured interview portion of this survey, an inves tigator said that compliance with the HIPAA procedures required about 1,000–2,000 additional hours of staff time, and added $100,000–$200,000 in unanticipated costs ( Greene et al., 2008 ). In the NAACCR survey of cancer registries, 68 percent of respondents reported that the Privacy Rule delayed a research project or caused it to take longer than it would have taken pre-HIPAA. In addition, 66 percent of respondents indicated that the Privacy Rule had been cited as the reason for actions that interfered with nonresearch operations of the cancer registry, such as basic surveillance ( Deapen, 2006 ).
FIGURE 5-4 HMO Research Network Survey of Institutional Review Board Administrators. Responses to the question: Taken as a whole, do you think the Health Insurance Portability and Accountability Act Privacy Rule has added to…. (more...)
A number of researchers have attempted to quantitatively document the increased time and cost of research attributable to the implementation of the Privacy Rule at their institutions. It is important to note that these studies are site specific and depend on how institutions interpret and implement the Privacy Rule. A recent letter to the editor of Anesthesiology reported on the amount of research staff hours spent per month on recruitment and follow-up activities in a randomized clinical trial at the University of Pittsburgh, before and after the Privacy Rule went into effect. Implementation of the Privacy Rule led to a 75-hour increase per month in staff time spent updating work logs, and a 77-hour increase in time spent on HIPAA implementation tasks. According to the authors’ calculations, this was a 70 percent increase in staff hours above the monthly base workload. The authors did not try to determine which aspects of the Privacy Rule were responsible for the recorded increases ( Williams et al., 2007 ).
Similarly, the Armstrong study on the Acute Coronary Syndrome Registry documented that the incremental cost for this registry at the University of Michigan of complying with the Privacy Rule was $8,704.50 for the first year, and an additional $4,558.50 for each year thereafter. The authors did not report the total expenditure of the study but suggested that this was a substantial increase in the study’s budget ( Armstrong et al., 2005 ).
Johns Hopkins University estimates that the cost of complying with the Privacy Rule is about $2 million annually ( Friedman, 2006 ). Since the Privacy Rule was implemented, the institution calculated that it has required nearly 26,000 of its faculty and staff to pass a written test on their understanding of the Privacy Rule.
Recruitment
A number of researchers have also demonstrated that many interpretations of the Privacy Rule have made research recruitment more difficult ( Table 5-2 ). During a clinical trial evaluating the efficacy of an educational strategy to inform veterans about the National Cancer Institute/Department of Veterans Affairs Selenium and Vitamin E Cancer Prevention Trial (SELECT), Wolf and Bennett (2006) monitored the recruitment of research participants before and after implementation of the Privacy Rule. Several recruitment methods were used throughout this clinical trial, depending on the phase of HIPAA implementation. Before the Privacy Rule was implemented, potential research participants were directly approached by research assistants for informed consent. After the Privacy Rule was implemented, research assistants could no longer approach potential research participants; recruitment was done by hospital staff. The post-HIPAA recruitment protocol was modified once to increase participation rates. Under the modified protocol, potential research participants were introduced to the study by desk staff at the medical clinic where the study was conducted, all clinic staff members were reminded of the study, and a research assistant was stationed prominently in the medical clinic.
Research Participant Recruitment Before and After Implementation of the Privacy Rule.
The researchers were able to recruit seven patients a week in the preHIPAA phase. The average time to recruit a patient was 4.1 hours, for an average cost of $49 per patient. The study was on target to complete recruitment in 60 weeks. Immediately after the Privacy Rule was implemented, recruitment decreased by 73 percent to 1.9 patients per week. The average time to recruit each new patient was 14.1 hours, for a cost of $169 per patient. Meeting the recruitment goals of the study at this rate would require 158 weeks. The modified recruitment protocol increased recruitment to 7.1 patients a week, required 3.9 hours, and cost $52 per patient. The modified recruitment strategy was measured again at a later date in the study to assess whether the modified protocol could be maintained. During this time period, 5.2 patients were recruited per week. Research assistants needed an average of 5.4 hours to recruit each patient, for a cost of $65 per patient.
The authors concluded that the Privacy Rule dramatically hindered researchers’ ability to recruit research participants. Implementation of the Privacy Rule increased the cost and time required for recruitment and made it more difficult to achieve an appropriate-sized research sample. Although the modified protocol increased recruitment, the fact that the initial recruitment level could not be maintained over time suggests that the new protocol required a great deal of effort and did not completely solve recruitment difficulties. In addition, an intensive evaluation of a study’s recruitment process to devise a new strategy, as was required to develop the modified protocol, costs money, takes time, and may not always be possible ( Wolf and Bennett, 2006 ).
A reduced rate of recruitment following implementation of the Privacy Rule was also documented by Roberta Ness in the course of a study on pregnancy exposures and preeclampsia prevention at the University of Pittsburgh. Again, the recruitment methods were divided into several different time periods: (1) pre-HIPAA (1997–2001), (2) 2002, (3) April 2003–September 2003, (4) October 2003–May 2004, and (5) June 2004. In the pre-HIPAA time period, researchers recruited an average of 12.4 women a week. In 2002 recruitment was shut down completely for 4 months while the covered entity where the study was being conducted decided how to implement the requirements of the Privacy Rule.
From April 2003 to September 2003, recruitment was allowed to continue, but the covered entity was unwilling to grant any waivers of authorization. Researchers recruited only 2.5 women a week. In October 2003, the covered entity allowed waivers of authorization to be issued, and the researchers were able to review potential research participants’ medical records without obtaining authorization. However, the waivers of authorization required that the researchers obtain the consent of the potential research participants’ health care providers before the researchers could approach individuals for participation in the study. Approximately 5.7 women a week were recruited following this protocol. The need for the health care providers’ permission prevented recruitment from reaching pre-HIPAA levels. The covered entity merged with another covered entity in June 2004, and the waiver of authorization was retracted. Recruitment immediately fell to 3.3 women a week ( Ness, 2005 ). These recruitment numbers clearly demonstrate that the implementation and interpretation of the Privacy Rule, and the availability of waivers of authorization, can have an enormous influence on recruitment success. They also show that conducting research under changing policies, organization, or interpretations of the Privacy Rule can be problematic.
Several studies that were discussed previously provide further evidence that many interpretations of the Privacy Rule have made research recruitment more difficult. The Beebe study found that the percentage of potential research participants willing to participate declined when HIPAA authorization was required at the Mayo Clinic College of Medicine. More than half—55 percent—of potential research participants participated in the study when authorization was not required, but only 39.8 percent of potential research participants took part if they were required to complete an authorization form ( Beebe et al., 2007 ). In the Dunlop study, 39 percent of potential research participants indicated a willingness to participate in a clinical trial of a hypertensive medication when authorization was not required. Only 27 percent indicated a willingness to participate when authorization was required ( Dunlop et al., 2007 ).
Also, the national survey of epidemiologists found Privacy Rule modifications were needed in 84.8 percent of proposed research protocols. Of these cases, 68 percent of respondents reported that these modifications increased recruitment difficulties a great deal (4–5 on the Likert scale) ( Ness, 2007 ). In the AcademyHealth survey, 47 percent of respondents reported that the Privacy Rule decreased recruitment ( Helms, 2008 ). Similarly, the 49 percent of respondents to the AHA/ACC survey reported that the Privacy Rule decreased recruitment by more than 10 percent ( Ring, 2007 ).
IRB and Privacy Board Oversight
A previous IOM report noted that the workload of IRBs, and the complexity of their work, has been steadily increasing as a result of new and evolving requirements for research regulation and documentation ( IOM, 2002 ), including the HIPAA Privacy Rule. This heavy burden has increased the difficulty of both recruiting knowledgeable IRB members and allowing them sufficient time for the necessary ethical reflection to make appropriate decisions about human research projects. In addition, the report noted that the extreme variability in the approval decisions and regulatory interpretations among IRBs is one of the weaknesses in the current protection system ( IOM, 2002 ). Recent findings from surveys and other studies indicate that these issues are a continuing concern for both IRBs and Privacy Boards . This section provides a detailed review of the evidence that the Privacy Rule, and its interpretation, has had a detrimental effect on the oversight process for reviewing research proposals, including information on: (1) IRB approval, (2) exemption from full IRB review, (3) waiver of authorization, (4) differentiating types of research, and (5) inconsistent interpretation of the Privacy Rule by IRBs and Privacy Boards in multicenter research projects.
IRB Approval
Recent surveys provide evidence that the Privacy Rule, or its interpretation, has reduced the efficiency of health research by affecting researchers’ ability to move a study through the IRB approval process. In the AHRQ survey, 94 percent of respondents stated that the Privacy Rule impacted the design and conduct of health services research. The respondents who reported that the Privacy Rule had no impact on study design were all researchers who used only deidentified data and were not required to go through the IRB/ Privacy Board review process under the Privacy Rule ( Walker, 2005 ). Similarly, in the national survey of epidemiologists, 87 percent of respondents reported an increase in the time required for preparing a research proposal for review by an IRB ( Ness, 2007 ).
The AcademyHealth survey found that 69 percent of respondents reported difficulty gaining approval from IRBs to collect PHI. Respondents also reported difficulty gaining approval to collect PHI from health plans (32 percent), institution lawyers (29 percent), and physicians (25 percent). In the HMORN survey of investigators, respondents reported that they were required to submit a research project for a median of two additional IRB iterations after the Privacy Rule was implemented. Twenty percent of investigators reported that four or more IRB iterations were required. Also, investigators reported that in one-third of study protocols, modifications were due to an IRB requirement. In that survey, 29 percent of investigators reported that an IRB required them to modify their planned method of identifying potential research participants, 29 percent reported that an IRB put restrictions on the kind of identifiers that could be collected, and 59 percent reported that an IRB required a study to be modified to include additional consent and/or authorization language ( Greene et al., 2008 ). The AHA/ACC survey also found that 67 percent of respondents reported that the IRB submission process was made more complex by the Privacy Rule ( Ring, 2007 ).
Exemption from Full IRB Review
Certain types of research that pose minimal risk to human subjects are exempt from IRB review under the Common Rule (45 C.F.R. § 46.101). For these studies, an IRB chair or member can review an application for exemption and determine if the study meets the criteria for exemption. If the study qualifies for exemption, then no further IRB review is necessary. Expedited IRB review is a process allowed by the Common Rule (45 C.F.R. § 46.110) in which an IRB chair or member reviews the entire study protocol. A study conducted by O’Herrin and colleagues (2004) examined the effect of the Privacy Rule on applications for IRB exemption for proposed research projects at the University of Wisconsin. This study was broken down into three time periods: (1) September 1999–December 2000, during which there was no specific process for handling requests for IRB exemption for medical records studies; (2) January 2001–December 2002, during which the institution followed a standardized procedure for Applications for Exemption; and (3) January 2003–March 2003, during which the IRB became fully compliant with the Privacy Rule.
During Period 1, all the medical records research projects submitted to the IRB were approved under “expedited” IRB review procedures. In Period 2, 89 percent of the applications received an IRB exemption without revision. Of the applications that required revision, 36 percent were revised and successfully approved for exemption within 75 ± 64 days of the original submission. The remaining applications required review by the full IRB committee, but were all ultimately given approval. In Period 3, when the covered entity was in full compliance with the Privacy Rule, 59 percent of proposals received exemption from full IRB review without revision in 12 ± 23 days. Of the projects requiring revision, 50 percent were revised and approved within 29 ± 35 days of the initial submission.
The percentage of projects that required full IRB committee review increased from 0 percent in Period 1, to 7 percent in Period 2, to 16 percent in Period 3. The authors of this study concluded that the Privacy Rule complicated the IRB review process because a larger percentage of studies became ineligible for IRB exemption or expedited IRB review. Also, the complexity of the IRB approval process discouraged many researchers from completing their proposed research study. Of the applications that required full IRB committee review, 77 percent were abandoned by the researchers in Period 3. Most of the abandoned studies were chart reviews, and there was no evidence that the full IRB committee review was justified or a necessary change that safeguarded research participants’ privacy ( O’Herrin et al., 2004 ).
Waiver of Authorization
The Privacy Rule allows a covered entity to use and disclose PHI for research purposes without patient authorization if an IRB or Privacy Board determines that a research project meets three criteria, including minimal risk to patient privacy, and whether the study could practicably be conducted without the waiver of authorization and without access to and use of PHI (see Chapter 4 ). However, surveys indicate that many researchers have experienced difficulty in obtaining a waiver of authorization. In the national survey of epidemiologists, 40 percent of respondents reported that they had attempted to obtain a waiver of authorization under the Privacy Rule. Of these researchers, 31 percent reported a high level of difficulty in obtaining a waiver (4–5 on the Likert scale) ( Ness, 2007 ).
The AcademyHealth survey also examined this issue, with 62 percent of respondents reporting that they had been involved in one or more studies requiring waivers or alterations of authorization requirements by IRBs (65 percent had been involved in 2–5 studies, and 3 percent had been involved in more than 20 studies). Among respondents who had requested waivers or alteration of waivers from IRBs or Privacy Boards , 59 percent reported that the availability of existing datasets has been impacted by the Privacy Rule. Only 40 percent of the respondents who had requested waivers or alterations of authorization reported that they were successful in accessing data from an existing dataset in its original form under an approved waiver of authorization ( Helms, 2008 ). In the AHA/ACC survey, 59 percent of respondents reported attempting to obtain a waiver of authorization. Of those respondents, 69 percent reported the waiver was hard to attain ( Ring, 2007 ).
Differentiating Various Types of Research
Scientific and ethical difficulties may arise when rules that were developed to guide clinical research are applied to other kinds of research ( Casarett et al., 2005 ). Under the Privacy Rule, IRBs are charged with reviewing different types of health research that were previously not in their purview, including many types of health services research that use data that have been anonymized and are thus exempt under the Common Rule , so making judgments about approval and determining which research studies require a waiver of authorization is a challenge. Some evidence indicates that IRBs do not recognize important differences among various types of health research. In the AcademyHealth survey, 44 percent of the respondents reported that IRBs did not correctly differentiate between clinical research and health services research (and 25 percent were unsure). Clinical research often involves the study of a new drug or experimental treatment on human subjects. In contrast, respondents to the AcademyHealth survey reported that most of health services research involves survey or questionnaire data (82 percent), medical record review (70 percent), and administrative data (66 percent). Only a small portion of respondents reported doing health research studies that involved direct human contact; 9 percent reported conducting research that required the collection of specimens, and 5 percent reported conducting research on existing specimens. Also, survey respondents indicated that IRBs often did not differentiate between the cost and time required to conduct health services research compared to clinical research ( Helms, 2008 ).
Inconsistent Interpretation of the Privacy Rule: Multicenter Research
Research studies that entail the collection of data from multiple sites involve the jurisdiction of multiple IRBs or Privacy Boards . The Privacy Rule does not require a researcher to obtain a waiver of authorization from the IRB or Privacy Board of every entity that is contributing PHI. Covered entities are permitted to rely on a waiver of authorization approved by as few as one IRB or Privacy Board with jurisdiction. However, a covered entity may decide to require approval from its own IRB or Privacy Board prior to disclosing PHI to the requesting researcher, regardless of whether another IRB or Privacy Board had already granted a waiver of authorization. The Privacy Rule does not address potential disagreements between IRBs or Privacy Boards, but HHS “strongly encourages” researchers to notify IRBs and Privacy Boards of any prior reviews of a research protocol to reduce the chance of IRBs and Privacy Boards disagreeing.
Surveys indicate that the Privacy Rule has had a detrimental effect on the efficiency of multicenter health research because the participating covered entities, IRBs, and Privacy Boards interpret the Privacy Rule differently ( AAHC, 2008 ; Ring, 2007 ). Researchers conducting a single study at different locations are routinely required to go through multiple IRB/Privacy Board review processes, and to use different authorization forms and methodology across the various sites, even though the Privacy Rule permits reliance on the review or decision of one IRB or Privacy Board for all sites.
In the AHRQ survey, 65 percent of respondents reported problems satisfying the requirements of multiple IRBs for multisite studies. One area with which researchers reported significant frustration was the lack of consistent consent and authorization forms ( Walker, 2005 ). The AcademyHealth survey found that 28 percent of researchers who required a waiver of authorization to conduct a study were required to get the waiver from all research sites involved. Only 9 percent of the respondents reported that the same waiver was used at all sites, and 6 percent reported the waivers were required from more than one, but not all, sites. Three percent of the respondents reported that they were unable to proceed with a multisite study because they were unable to resolve disagreement among sites ( Helms, 2008 ).
In the HMORN survey of investigators, 78 percent of respondents reported participating in multicenter research. Of these respondents 54 percent indicated that different IRBs raised different concerns about the same study protocol, and 45 percent of respondents reported that these different concerns led to protocol variability across the different sites ( Figure 5-5 ). The HMORN survey of IRB administrators found that 4 of the 11 IRBs reported requiring proof of Privacy Rule–related training for all participating investigators in a study, even if they were from another site. This requirement is not a provision of the Privacy Rule ( Greene et al., 2008 ).
FIGURE 5-5 HMO Research Network Survey of Researchers: Multisite research. NOTE: HIPAA = Health Insurance Portability and Accountability Act; IRB = Institutional Review Board.
The national survey of epidemiologists also confirms that many researchers are frustrated with the process of conducting research at multiple covered entities. In the survey, 76.8 percent of respondents reported difficulties with the Privacy Rule when conducting multicenter research. The problems related to site-specific variability in the research design and method in 40 percent of studies. The survey further explored this issue by presenting survey participants with five case studies that should have been approved without patient authorization either unconditionally or with a waiver of authorization under the Privacy Rule. However, on each of the case studies, 4.7 to 33.8 percent of respondents reported that their IRB would disapprove the study. Only 4.9 to 33.8 percent believed that their IRB would unconditionally approve the studies, and 13.3 to 26.7 percent reported that they did not know what their IRB would require. To further complicate multicenter research, a minority of respondents (17.3 percent) knew of covered entities unwilling to do any clinical research, regardless of the IRB’s interpretation of the Privacy Rule ( Ness, 2007 ).
In addition to the survey results, several studies have directly examined the effect of the Privacy Rule, or its interpretation, on multicenter research. Lydon-Rochelle and Holt (2004) at the University of Washington documented their experience in attempting to access medical records from 19 area hospitals during the Privacy Rule implementation period, for a study designed to assess the accuracy of maternally linked birth records. They explained to the participating hospitals that their study protocol met the Privacy Rule waiver of authorization requirement and encouraged the hospitals’ IRBs to rely on their IRB’s approval of the study. However, the 19 IRBs displayed great variability in their willingness to approve the study.
None of the 19 hospitals agreed to rely on the researchers’ own institution’s IRB approval of the study. Ten hospitals used an expedited in-house IRB review process for the study, and 9 required a full IRB review of the study. The 9 IRBs requiring full review of the study cited concerns over the Privacy Rule’s civil and criminal penalties as the main reason for denying expedited review or for not honoring another IRB’s decisions. All 19 of the reviewing IRBs required different application forms, content, and procedures for complying with the Privacy Rule. The authors concluded that the Privacy Rule has increased the difficulty of conducting multicenter health research because of the challenges of navigating through many IRBs’ review processes ( Lydon-Rochelle and Holt, 2004 ).
A second study that examined the institutional variability in IRB approval processes was conducted by Newgard and colleagues (2005) . The researchers sent 27 hospitals an identical research protocol for a study examining a decision rule to identify children seriously injured in motor vehicle crashes in Los Angeles County. This was a minimal risk observational study and clearly met the requirements for a waiver of authorization. However, 6 of the 27 hospitals refused to participate in the study at all. Of the remaining 21 hospitals, the median time for the study to be approved by the covered entities’ IRBs was 118 days. Significant differences in approval times were seen across the different covered entities.
The researchers recognized they could not conclusively attribute the hospitals’ refusals to participate in the study and the long IRB review processes to the Privacy Rule itself. However, they believed the Privacy Rule was largely responsible for the results. They compared their experience to a previous study conducted in Los Angeles County before the implementation of the Privacy Rule. The same 27 hospitals were approached for participation in a randomized, controlled, interventional trial for emergent airway management in children with a waiver of consent. All 27 hospitals approved the airway protocol without change, while only 21 of the same 27 hospitals approved Newgard and colleagues’ minimal risk, noninterventional study. The authors believed this difference was directly attributable to the complex requirements of the Privacy Rule and the perceived institutional risks associated with research ( Newgard et al., 2005 ).
A third study that examined the impact of allowing multiple IRBs to review the same research proposal was conducted by Greene and colleagues (2006) . Participants were recruited through a mailed invitation for a survey of psychosocial outcomes after prophylactic mastectomy. A second mailing and a follow-up phone call were made to nonresponders. The study’s protocol was reviewed by six IRBs. All of the IRBs requested that the protocol, letters, and phone call script be modified. Resolving all of the IRBs’ concerns took two to eight iterations at each site, and achieving a uniform study methodology across the sites was impossible. Also, the response rates at the six institutions varied greatly, ranging from 40.9 to 70.8 percent among living individuals, to 60.7 to 84.6 percent among living individuals with physician consent and correct address.
The authors concluded that having multiple IRBs review the same study protocol lengthened the study time line, adversely affected the budget, and created protocol variability that may have affected response rate ( Greene et al., 2006 ). This study did not specifically focus on the Privacy Rule. However, as demonstrated by the other studies discussed in this section, since the Privacy Rule was implemented, IRBs are often unwilling to honor the decisions of other IRBs. The Privacy Rule likely contributed to the six IRBs in this study all insisting on reviewing the same research protocol and for the resulting variability in study design.
Business Associate Agreements
The AcademyHealth survey indicated that most health services researchers do not use business associate agreements to gain access to health data, but when they do, difficulties often arise. Twenty-two percent of the respondents reported using a business associate agreement to conduct research, and of these respondents, most reported that the business associate agreement negatively impacted research activities because it complicated the research process, made research more time consuming, and added more paperwork. Of the respondents who reported that they have used an existing dataset to conduct research, 28 percent indicated that they had to develop a business associate relationship with the covered entity to gain access to the dataset. Another 14 percent reported use of an intermediary organization that had a business associate relationship with the covered entity to gain access to an existing dataset ( Helms, 2008 ).
International Collaboration
A report by Dutch researchers suggests that the Privacy Rule, or its interpretation, has made it more difficult for international researchers to collaborate with U.S. research centers ( Kompanje and Maas, 2006 ). The authors recorded their experiences operating under the Privacy Rule in an international, multicenter, Phase III trial on the safety and efficacy of a neuroprotective agent in traumatic brain injury. The researchers compared the completion of screening logs between research centers in the United States and Europe. Because of the Privacy Rule, many of the U.S. screening logs had a large amount of missing data. All the European sites reported the actual age of the research participants on their screening logs, but only 5 of the 15 U.S. sites reported the age. The remaining 10 U.S. sites only reported whether the patient met the inclusion criteria for the study. Also, all the European sites reported the date and time of the injury, while only 10 U.S. sites provided this information. Information on secondary insults and the Glasgow Coma Scale were often omitted from the screening logs of U.S. sites.
Overly conservative or variable interpretations of the Privacy Rule prevented many U.S. sites from providing the requisite data to the researchers and made it difficult for the researchers to monitor their study for selection bias and quality ( Kompanje and Maas, 2006 ). In many situations, having international data is important to study a health problem. How often the Privacy Rule, or its interpretation, hinders U.S. collaboration in international research is unclear. But it is very conceivable that other international researchers have experienced frustrations similar to the Dutch researchers over collecting data from U.S. sites, or have even abandoned attempts to work with U.S. research centers due to the restrictions of the Privacy Rule.
- ABANDONED STUDIES
Some evidence, mostly in the form of case studies and survey results, shows that researchers have abandoned research studies that they would have pursued prior to the Privacy Rule. The paucity of systematic analysis is likely because abandoned research studies are more difficult to measure and to conclusively document than the other aspects of research that have been affected by the Privacy Rule. Documenting something that did not happen (i.e., an abandoned study) is more challenging than measuring something that did happen (e.g., selection bias, increased inefficiency). One study that examined abandoned studies in a systematic manner was the study by O’Herrin et al. (2004) , discussed previously. The researchers determined that 77 percent of research proposals at the University of Wisconsin that were required to be reviewed by the full IRB, rather than being exempted from IRB review or receiving expedited review, were abandoned by investigators. The study did not try to tease out the reasons for abandonment or the appropriateness of abandonment ( O’Herrin et al., 2004 ).
A well-publicized instance of the Privacy Rule leading to studies being abandoned was outlined in the San Francisco Chronicle . Reporting of cancer cases to the State of California Cancer Registry is required by law and should not have been affected by the implementation Privacy Rule. However, after the Privacy Rule became effective, 17 hospitals in the Bay area restricted the registry’s access to patient data, endangering many studies that relied on the California Cancer Registry for data. For example, a study examining why African Americans in the Bay Area have a higher risk of lung cancer than other racial and ethnic groups was nearly abandoned after the Privacy Rule came into effect because of the difficulty of collecting data ( Russell, 2004b ). This problem was created by the hospitals’ overly conservative interpretation of the Privacy Rule, not the actual requirements of the Privacy Rule. A settlement was eventually reached after 2 years of disagreement, and the California Cancer Registry now has full access to the files and records of cancer patients, as is required in all states ( Russell, 2004a ).
A second instance of an institution’s interpretation of the Privacy Rule leading to an abandoned study was reported in the Minneapolis Star Tribune . For more than 25 years, researchers at the University of Minnesota–Twin Cities were allowed to access more than 40,000 Minnesotans’ medical records as part of a longitudinal study into heart attacks and cholesterol-lowering drugs. This study depended on researchers viewing the medical records of patients without the individuals’ consent. After the Privacy Rule was implemented, data collection for this study was put on hold because the researchers were unable to obtain a waiver of authorization. The researchers decided not to seek additional grant money for the study because it was unclear whether they could continue without a seriously modified protocol under the Privacy Rule ( Kaiser, 2006 ; Shaffer, 2006 ).
In addition, a significant number of researchers surveyed attribute abandoned studies to the Privacy Rule. In the NAACCR survey, 19 percent of respondents cited the Privacy Rule as a reason for stopping or preventing a research project ( Howe et al., 2006 ). In the AHRQ survey, 45 percent of respondents described a study that had been stopped or altered because the respondents found it was not possible to redesign a study protocol to comply with the Privacy Rule. Examples of studies that were ended included: (1) follow-up studies where patients were tracked through a number of health facilities for services; (2) studies involving community health centers, community-based mental health and substance abuse programs, and rural sites; (3) longitudinal studies, where the Privacy Rule requires researchers to obtain multiple authorizations; and (4) research evaluating government programs and clinical interventions in order to improve patient population health ( Walker, 2005 ).
In the HMORN survey of investigators, 65 percent of respondents agreed that they were hesitant to pursue new study ideas due to the Privacy Rule ( Figure 5-6 ) ( Greene et al., 2008 ). In the AcademyHealth survey, 13 percent of respondents reported that an IRB or Privacy Board has prevented a study in which they were involved from moving forward due to the IRB or Privacy Board’s concern about violating the Privacy Rule. Ten percent of respondents said they considered or developed a study, but did not submit it to the IRB or Privacy Board because they thought it would not be approved due to their IRB or Privacy Board’s conservative interpretation of the Privacy Rule ( Helms, 2008 ). In addition, in the ASCO survey, six investigators said they had abandoned genetic studies on family members of individuals diagnosed with cancer because of difficulty in moving the projects through the IRB approval process. IRBs were most concerned about the privacy of the cancer patients ( ASCO, 2008 ).
FIGURE 5-6 HMO Research Network Survey of Researchers. Responses to the question: There are study ideas that I have considered pursuing, but am hesitant to do so because of the Health Insurance Portability and Accountability Act regulations. (more...)
- DEIDENTIFIED INFORMATION
In drafting the Privacy Rule, HHS specifically excluded deidentified information from the definition of PHI (see Chapter 4 ). In principle, researchers can access and use deidentified information without patient authorization. However, many researchers have reported that the deidentification provisions of the Privacy Rule do not provide an effective way to obtain health data for research. The two major problems reported are that researchers have difficulty obtaining deidentified information from covered entities and that data that have been deidentified according to the Privacy Rule provisions (which are more stringent than the Common Rule provisions) are of poor quality and difficult to use in research.
Access to Deidentified Data
Survey data indicate that researchers often have difficulty obtaining deidentified information from covered entities. In the national survey of epidemiologists, half of the respondents reported accessing deidentified information since the Privacy Rule was implemented. Of this half, 40 percent reported a high level of difficulty in gaining access to this deidentified information (i.e., 4–5 on the Likert scale) ( Ness, 2007 ). In addition, the AHRQ survey found that 39 percent of respondents reported problems obtaining deidentified data from covered entities or had problems creating deidentified datasets. Most respondents to the survey also reported concerns about the use of the statistical method to certify deidentified data. Many were looking for an alternative option to the “safe harbor” process of deidentification because they believed the resultant datasets were too restrictive for health services research ( Walker, 2005 ).
The HMORN survey of investigators also found similar results. Of the respondents, 42 percent reported that accessing deidentified data had occasionally been difficult, and 13 percent reported that it was “routinely difficult.” However, in the HMORN survey of IRB administrators, 4 of the 11 sites reported having individuals on staff who could assist with the deidentification of data using the statistical method ( Greene et al., 2008 ). In the AHA/ACC survey, only 32 percent of respondents reported attempting to use deidentified data for research. Of these respondents, 76 percent reported that the process was difficult ( Ring, 2007 ).
Quality of Deidentified Data
Clause and colleagues (2004) at the Albany College of Pharmacy designed a study to measure the amount of data that is lost when PHI is deidentified under the safe harbor provision of the Privacy Rule (see Chapter 4 ). For this study, the researchers first created a limited dataset from the pharmacy, administrative, and financial files of patients discharged from hospitals within the Northeast Health System. A limited dataset is a collection of health information compiled for research in which 16 direct identifiers are removed from the PHI (see Chapter 4 ). A limited dataset allows researchers to access more information than deidentified information because the Privacy Rule requires that researchers using a limited dataset enter into a data use agreement specifying the permitted uses and disclosures of the limited dataset. The researchers then converted the limited dataset into deidentified information under the safe harbor provision of the Privacy Rule, which requires removal of 18 personal identifiers. They measured data lost as a function of unique data elements (UDEs) for both the limited dataset and the deidentified information.
This study found that a large percentage of data was lost when information was deidentified. The limited dataset represented 4,738 patient discharges and contained 810,456 UDEs in 322,657 records. The deidentified dataset represented 4,733 patient discharges but only contained 562,171 UDEs. This means that the deidentified dataset contained 31 percent fewer UDEs than the limited dataset. The researchers reported that much of the information lost when the information was deidentified was of the type that is of the most interest to researchers, such as time between episodes of care. The researchers concluded that deidentified data removes too much information to produce data useful for conducting good research ( Clause et al., 2004 ).
Results from the AcademyHealth survey also indicate concern about the usefulness of deidentified data for research. In this survey, 62 percent of the respondents reported that the use of deidentified data had a negative impact on research, 38 percent reported that the removal of the required identifiers interfered somewhat with research, and 21 percent reported that the removal of identifiers interfered significantly with research. Only 3 percent of the respondents reported that the removal of identifiers did not interfere with research ( Helms, 2008 ).
- AUTHORIZATION PROCESS
The authorization provisions of the Privacy Rule are relevant to health researchers because although there are some situations in which researchers can obtain PHI without authorization (i.e., by obtaining an IRB/ Privacy Board waiver of authorization, or using limited datasets or deidentified information), for many research projects, researchers must obtain a signed authorization form from each research participant (see Chapter 4 ). Many researchers have expressed dissatisfaction with how the authorization process has been interpreted and implemented by covered entities. Researchers report that many IRBs and Privacy Boards require lengthy and complex wording to describe the authorization within consent forms. They claim that the extra language added to consent forms is confusing to research participants, burdens the informed consent process, and undermines research recruitment ( AAHC, 2008 ; Shalowitz and Wendler, 2006 ).
In the HMORN survey of investigators, 76 percent of respondents reported that they had incorporated the Privacy Rule’s requirements for authorization directly into their informed consent forms. However, in the structured interviews of investigators, all four respondents who conducted primary data collection reported that they were obliged by their IRB to augment the consent and authorization procedures for their studies after the Privacy Rule was implemented. All four investigators also stated that the Privacy Rule authorization language had an adverse effect on research recruitment because it increased patient confusion and frustration. Likewise, in the HMORN survey of IRB administrators, 54.6 percent of respondents stated that study participants are unduly burdened by the complexity of authorization forms ( Greene et al., 2008 ).
Studies analyzing the readability of Privacy Rule–compliant authorization forms document the effect of complex authorization forms on individuals’ willingness to participate in research. In a letter to the editor of the Annals of Internal Medicine , Breese and colleagues (2004) outlined an evaluation of the readability and length of authorization forms. The researchers analyzed the authorization templates from the 125 academic medical centers receiving the most funding from the National Institutes of Health and from 31 independent IRBs. First, the authors determined that the authorization form added an average of two pages of additional material to the informed consent form, or about 744 extra words.
Next, the researchers looked at the authorization forms’ readability using three formulas: the Simple Measure of Gobbledegook (SMOG), the Flesch-Kincaid reading level, and the Flesch Reading Ease Score. Using the SMOG formula to evaluate the authorization forms, the researchers found that the median reading level for the authorization templates was 13th grade (i.e., freshman year in college). All of the forms scored above the eighth-grade reading level. Under the Flesch-Kincaid reading-level formula, the researchers found that 97 percent of the forms were written above the eighth-grade reading level. Similarly, using the Flesch Reading Ease Score, the researchers found that 86.5 percent of the forms were “difficult” or “very difficult” to read. Only 3 of 111 authorization forms scored at the “standard English” reading level. The authors concluded that these results are problematic for researchers because half of the U.S. adult population reads at or below the eighth-grade level. A large percentage of potential research participants are likely unable to comprehend much of the information contained in authorization forms. The authors believe that many institutions view authorization forms as liability protection, rather than as a mechanism to inform research participants about a study ( Breese et al., 2004 ).
A similar study was conducted by Nosowsky and Giordano (2006) at the University of Michigan. They analyzed the National Institutes of Health’s model authorization form using Microsoft’s Flesch-Kincaid scale and found that it was written at a 12th-grade reading level. The authors concluded that many research participants cannot understand the forms they are required to sign. Thus, it is not surprising that researchers are reporting that the authorization process is causing confusion for research participants ( Nosowsky and Giordano, 2006 ).
Another study that examined whether the Privacy Rule authorization requirement has created a barrier to research was conducted by Shen et al. at Governors State University, University Park, IL. The researchers followed the authorization process in a school-based educational program for childhood obesity prevention as a case study. The authorization form used in this case study was as simple as possible. Most of the sentences on the form were taken directly out of the Privacy Rule regulation, and any additional sentences were required by the local IRB. However, despite an attempt to simplify the authorization form, only 21 percent of parents granted authorization for their children to participate in the school-based obesity program. The researchers concluded that the authorization form was overly complex, making many parents reluctant or unwilling to sign it. The authors noted, however, that the low recruitment rate recorded perhaps could have been more easily solved through better communication about the program with the students’ parents than through modification of the authorization forms ( Shen et al., 2006 ).
- CONCERNS ABOUT POTENTIAL LEGAL CONSEQUENCES
Because many institutions are risk averse, the AcademyHealth survey examined the impact of concerns about the penalty provisions of the Privacy Rule on research. Nineteen percent of the respondents reported that the penalties had no effect on efforts to obtain data from a covered entity, and 24 percent reported that penalties were considered by covered entities but ultimately did not prevent researchers from obtaining data. However, 26 percent of respondents reported that concerns about penalties have impeded access to data—16 percent reported that fear of penalties has prevented covered entities from providing data to researchers, and 10 percent reported that covered entities’ concerns about data privacy caused them to forego research activities. Nearly 30 percent of respondents were unsure what impact, if any, penalties have had on efforts to obtain data from covered entities ( Helms, 2008 ). Similar concerns were reported for a study using data from 19 hospitals near the University of Washington, as noted previously. The nine IRBs requiring full review of a study already approved by the IRB of the University cited concerns over the Privacy Rule’s civil and criminal penalties as the main reason for denying expedited review or for not honoring another IRB’s decisions ( Lydon-Rochelle and Holt, 2004 ).
Fear of civil suits could also lead IRB and Privacy Board members to be overly conservative in their decisions about research proposals brought before them, and could be a significant deterrent in recruiting qualified volunteers to serve on IRBs and Privacy Boards. Effective oversight of health research depends on the recruitment of qualified and knowledgeable volunteers to serve on IRBs and Privacy Boards, but the growth over the past decade of lawsuits naming individual IRB members as defendants 5 has created a chill that threatens the willingness of volunteers to serve on IRBs ( Hoffman and Berg, 2005 ; Icenogle, 2003 ; IPPC, 2008 ; Rose and Lodato, 2004 ; Shaul et al., 2005 ). Members of IRBs and Privacy Boards are generally indemnified by their institutions, but they are not immune from being named in a suit. Therefore they could still have to devote time and resources to defending themselves for decisions made by an IRB or a Privacy Board on which they served.
- POTENTIAL WAYS TO REDUCE INTERPRETIVE VARIABILITY AMONG IRBS, PRIVACY BOARDS, AND COVERED ENTITIES
HHS intended to allow covered entities, IRBs, and Privacy Boards to have some local control in implementing and interpreting the Privacy Rule as it applies to the use and disclosure of PHI for research. Sensitivity to local issues can be a desirable feature, particularly when institutions serve special populations or under unusual circumstances. However, variations in IRB and Privacy Board oversight may relate less to true local differences in the research environment than to the administrative differences and variability in the skills and resources of IRBs and Privacy Boards ( Casarett et al., 2005 ). There is no required certification process to ensure that IRB/Privacy Board members have sufficient knowledge and understanding of research ethics and regulation, and funding is often through indirect sources, such as grants.
Based on the evidence presented in this chapter, it is clear that over-interpretation of the Privacy Rule is common and that the substantial variability in interpretation among covered entities and oversight boards is detrimental to health research. More consistent application of the Privacy Rule would facilitate responsible research and also provide more meaningful protection of patient privacy. One potential way to begin to address this issue would be for HHS to regularly identify and disseminate “best practices” for responsible research ( IOM, 2000 ). Guidance materials and models or templates for things such as the authorization form (written at an appropriate reading level), waiver of authorization form, data use agreements, and business associate agreements would make it easier for investigators to appropriately design research projects and put institutions at ease about decisions their IRBs and Privacy Boards make with regard to privacy concerns. This endeavor could perhaps be accomplished as an activity of the National Institutes of Health (NIH) Roadmap, 6 under the direction of the Office for Civil Rights. An informative precedent for this activity is the National Practitioner Data Bank Guidebook 7 of the Health Resources and Services Administration, established through Title IV of the Healthcare Quality Improvement Act of 1986, Public Law 99–660. That guidebook, which is frequently updated, provides many case examples of what should be done in various situations.
Stakeholders—including researchers; research institutions, IRBs, and Privacy Boards ; sponsors of research; public health practitioners and agencies; patient and consumer organizations; and privacy experts—could have considerable influence on the adoption of best practices once they have been identified and thus could help to make privacy protections and IRB/Privacy Board decisions more uniform. For example, Requests for Proposals and other funding mechanisms could be more instructive on this point. Many academic researchers depend on their ability to procure funding from a source external to their institutions, and research sponsors also have obligations to protect research participants. As a result, major nonfederal funders could be a powerful force for adherence to ethical guidelines, even in the absence of strong federal regulations and enforcement.
Organizations whose primary missions are focused on promoting responsible and ethical research, such as Public Responsibility in Medicine and Research (PRIM&R) and the Association for the Accreditation of Human Research Protection Programs (AAHRPP), featured in Boxes 5-2 and 5-3 , could contribute much to the dynamic and ongoing process of developing best practices. These organizations educate IRB professionals, offer voluntary certification programs, and have hosted conferences to address ethical and legal challenges in research, including those related to HIPAA. Increased participation in PRIM&R and AAHRPP could extend understanding of regulatory requirements and foster national discourse about issues of interpretation and application of the Privacy Rule.
Public Responsibility in Medicine and Research (PRIM&R). The mission of PRIM&R is to promote ethical research in humans and animals. It tracks and provides input to policy initiatives and regulatory changes relating to ethical standards (more...)
Association for the Accreditation of Human Research Protection Programs (AAHRPP). AAHRPP is an independent, nonprofit entity that accredits organizations’ human research protection programs. Its mission is to accredit “high-quality human (more...)
An important point to remember is that HHS’s policy is to seek compliance first, rather than penalties, when a concern is brought to the agency’s attention (see Chapter 5 ). Institutions might be less inclined to be overly conservative in interpreting the Privacy Rule if this were stated more clearly in guidance materials. Simple clarification and clear communication of the way HHS will enforce the Privacy Rule and seek penalties would be helpful.
In addition, some limited protection against civil suits brought pursuant to federal or state law for members of IRBs and Privacy Boards for decisions made within the scope of their responsibilities under the Privacy Rule and the Common Rule could be beneficial. This limited protection should not include protection for willful and wanton misconduct in reviewing the research. Members of IRBs or Privacy Boards who receive limited protection against lawsuits may be less likely to interpret the Privacy Rule too conservatively. A similar provision was incorporated into the Ontario Personal Health Information Protection Act of 2004, under which members of Research Ethics Boards are immune for acts done and omissions made in good faith that are reasonable under the circumstances (see also Chapter 6 ). This type of immunity for IRB and Privacy Board members would be similar to the precedent of protection for peer review members under state laws and under the Health Care Quality Improvement Act of 1986.
Such protections might also facilitate multi-institutional research by reducing the variability among local IRBs and Privacy Boards because they might be more comfortable accepting the decision of a lead IRB/Privacy Board. But even in the absence of this sort of regulatory or statutory change, a clear statement from HHS regarding the acceptability, and thus the limits, of legal consequences of accepting the decision of another IRB or Privacy Board would help to facilitate multi-institutional research.
- CONCLUSIONS AND RECOMMENDATIONS
The evidence presented in this chapter demonstrates that implementation and interpretation of the Privacy Rule has had a significant effect on how health research is conducted in the United States. Although the Privacy Rule may have extended regulatory protections of privacy in health research that were desirable, the numerous studies reviewed here indicate that it has also had an unintended negative effect on health research, often due to variations in how covered entities, IRBs, and Privacy Boards interpret the complex regulations. Nonetheless, even if the effect on research has been negative, carefully considering the effect on privacy of any changes to the Privacy Rule as well as the effect on research is important. Many problems identified in this chapter could potentially be improved by HHS without changing the Privacy Rule itself.
More consistent application of the Privacy Rule would facilitate responsible research and provide more meaningful protection of patient privacy. Thus, the committee recommends that HHS regularly convene consensus development conferences in collaboration with health research stakeholders to collect and evaluate current practices in privacy protection in order to identify and disseminate best practices for responsible research. Stakeholders can then enable and encourage researchers to use these best practices in designing and conducting research involving the use of PHI.
Current guidance from HHS addresses only what is permissible under the HIPAA Privacy Rule; the guidance does not identify best practices. A dynamic, ongoing process for the identification and dissemination of best practices in privacy protection for various types of health research by HHS would facilitate reviews by IRBs and Privacy Boards and would lead to more consistent and appropriate decisions. Guidance materials with best practices and models or templates for things such as the authorization form, waiver of authorization form, data use agreements, and business associate agreements would make it easier for investigators to appropriately design research projects and put institutions at ease about decisions their IRBs and Privacy Boards make with regard to privacy concerns. Such guidance materials should be written as clearly and simply as possible, using an inclusive, dynamic, and transparent development process, and should override all prior guidance documents.
Stakeholders—including researchers; research institutions, IRBs, and Privacy Boards ; sponsors of research; public health practitioners and agen cies; patient and consumer organizations; and privacy experts—could have considerable influence on the adoption of best practices once they have been identified and thus could help to make privacy protections and IRB/Privacy Board decisions more uniform. Organizations whose primary missions are focused on promoting responsible and ethical research, such as PRIM&R and AAHRPP, can contribute much to the process.
Another potential way to reduce inconsistency and overly conservative interpretation would be to provide some limited legal protection for IRB and Privacy Board members, who may be fearful of lawsuits pertaining to IRB/Privacy Board decisions. The committee recommends that HHS—or, as necessary, Congress—provide reasonable protection against civil suits brought pursuant to federal or state law for members of IRBs and Privacy Boards for decisions made within the scope of their responsibilities under the HIPAA Privacy Rule and the Common Rule . The limitation on liability should not include protection for willful and wanton misconduct in reviewing the research, but should instead be for good-faith decisions, backed by minutes or other evidence, in responsibly applying the legal requirements under the HIPAA Privacy Rule or the Common Rule.
Recommendations put forth in previous chapters should also help to reduce variability and overinpretation of the regulations. These include facilitating greater use of data with direct identifiers removed and facilitating appropriate IRB and Privacy Board oversight of identification and recruitment of potential research participants (see Chapter 4 ). Clarifying the distinction between “research” and “practice” to ensure appropriate ethical oversight of the use of protected health information would also help IRBs and Privacy Boards make decisions that adequately protect patient privacy and facilitate responsible research (see Chapter 3 ).
However, as indicated in Chapter 6 , the committee believes that ideally, a bolder approach should be taken, with HHS developing a new approach to protecting privacy in health research that emphasizes privacy, security, accountability, and transparency and that is applicable to all health research in the United States.
- AAHC (Association of Academic Health Centers). HIPAA creating barriers to research and discovery: HIPAA problems widespread and unresolved since 2003. 2008. [accessed September 2, 2008]. http://www .aahcdc.org /policy/reddot/AAHC _HIPAA_Creating_Barriers.pdf .
- Al-Shahi R, Vousden C, Warlow C. Bias from requiring explicit consent from all participants in observational research: Prospective, population based study. British Medical Journal. 2005; 331 :942–945. [ PMC free article : PMC1261192 ] [ PubMed : 16223793 ]
- Armstrong D, Kline-Rogers E, Jani SM, Goldman EB, Fang J, Mukherjee D, Nallamothu BK, Eagle KA. Potential impact of the HIPAA Privacy Rule on data collection in a registry of patients with acute coronary syndrome. Archives of Internal Medicine. 2005; 165 (10):1125–1129. [ PubMed : 15911725 ]
- ASCO (American Society of Clinical Oncology). The impact of the Privacy Rule on cancer research: Variations in attitudes and application of regulatory standards. Alexandria, VA: ASCO; 2008. [ PubMed : 19620480 ]
- Beebe T, Talley N, Camilleri M, Jenkins SM, Anderson KJ, Locke GR. The HIPAA authorization form and effects on survey response rate, nonresponse bias, and data quality. Medical Care. 2007; 45 (10):959–965. [ PubMed : 17890993 ]
- Breese P, Burman W, Rietmeijer C, Lezotte D. The Health Insurance Portability and Accountability Act and the informed consent process. Annals of Internal Medicine. 2004; 141 :897–898. [ PubMed : 15583246 ]
- Casarett D, Karlawish J, Andrews E, Caplan A. Bioethical issues in pharmacoepidemiological research. In: Strom BL, editor. Pharmacoepidemiology. West Sussex, England: John Wiley & Sons, Ltd.; 2005. pp. 417–432.
- Clause SL, Triller DM, Bornhorst CPH, Hamilton RA, Cosler LE. Conforming to HIPAA regulations and compilation of research data. American Journal of Health-System Pharmacy. 2004; 61 (10):1025–1031. [ PubMed : 15160778 ]
- Deapen D. Negative impact of HIPAA on population-based cancer registry research: A brief survey. Springfield, IL: North American Association of Central Cancer Registries; 2006.
- Dunlop A, Graham T, Leroy Z, Glanz K, Dunlop B. The impact of HIPAA authorization on willingness to participate in clinical research. Annals of Epidemiology. 2007; 17 (11):899–905. [ PMC free article : PMC4096152 ] [ PubMed : 17689261 ]
- Friedman DS. HIPAA and research: How have the first two years gone? American Journal of Ophthalmology. 2006; 141 (3):543–546. [ PubMed : 16490505 ]
- Greene SM, Geiger AM, Harris EL, Altschuler A, Nekhlyudov L, Barton MB, Rolnick SJ, Elmore JG, Fletcher S. Impact of IRB requirements on a multicenter survey of prophylactic mastectomy outcomes. Annals of Epidemiology. 2006; 16 :275–278. [ PubMed : 16005245 ]
- Greene SM, Bennett S, Kirlin B, Oliver KR, Pardee R, Wagner E. Impact of the HIPAA Privacy Rule in the HMO Research Network. Seattle, WA: Group Health Cooperative Center for Health Studies; 2008.
- Harris MA, Levy AR. Personal privacy and public health: Potential impacts of privacy legislation on health research in Canada. Canadian Journal of Public Health. 2008; 99 (4):293–296. [ PMC free article : PMC6975712 ] [ PubMed : 18767274 ]
- Helms D. 2008 February 14 PowerPoint presentation to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on the AcademyHealth survey results.
- Hoffman S, Berg JW. The suitability of IRB liability. Case Legal Studies Research Paper No. 05-4. Feb, 2005. [accessed September 2, 2008]. http://papers .ssrn.com/sol3/papers .cfm?abstract_id=671004 .
- Howe HL, Lake AJ, Shen T. Method to assess identifiability in electronic data files. American Journal of Epidemiology. 2006; 165 (5):597–601. [ PubMed : 17182982 ]
- Icenogle DL. IRBs, conflict and liability: Will we see IRBs in court? Or is it when? Clinical Medicine & Research. 2003; 1 (1):63–68. [ PMC free article : PMC1069025 ] [ PubMed : 15931289 ]
- IOM (Institute of Medicine). Protecting data privacy in health services research. Washington, DC: National Academy Press; 2000. [ PubMed : 25057723 ]
- IOM. Responsible research: A systems approach to protecting research participants. Washington, DC: The National Academies Press; 2002. [ PubMed : 20669487 ]
- IPPC (International Pharmaceutical Privacy Consortium). 2008 March 30 Comments to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on the impact of the HIPAA Privacy Rule on pharmaceutical research.
- Kaiser J. Rule to protect records may doom long-term heart study. Science. 2006; 311 :1547–1548. [ PubMed : 16543432 ]
- Kolata G. States and V.A. at odds on cancer data. The New York Times. 2007 October 10
- Kompanje EJO, Maas AIR. Is the Glasgow coma scale score protected health information? The effect of new United States regulations (HIPAA) on completion of screening logs in emergency research trials. Intensive Care Medicine. 2006; 32 :313–314. [ PubMed : 16468073 ]
- Lydon-Rochelle M, Holt VL. HIPAA transition: Challenges of a multisite medical records validation study of maternally linked birth records. Maternal & Child Health Journal. 2004; 8 (1):35–38. [ PubMed : 15125456 ]
- McCarthy DB, Shatin D, Drinkard CR, Kleinman JH, Gardner JS. Medical records and privacy: Empirical effects of legislation. Health Services Research. 1999; 34 (1):417–425. [ PMC free article : PMC1089011 ] [ PubMed : 10199685 ]
- National Committee on Vital and Health Statistics, Subcommittee on Privacy and Confidentiality. Susan Ehringhaus’s testimony on behalf of the Association of American Medical Colleges. 2003 November 19
- Ness R. A year is a terrible thing to waste: Early experience with HIPAA. Annals of Epidemiology. 2005; 15 (2):85–86. [ PubMed : 15652712 ]
- Ness R. Influence of the HIPAA Privacy Rule on health research. JAMA. 2007; 298 (18):2164–2170. [ PubMed : 18000200 ]
- Newgard CD, Hui SH, Stamps-White P, Lewis RJ, Newgard CD, Hui S-HJ, Stamps-White P, Lewis RJ. Institutional variability in a minimal risk, population-based study: Recognizing policy barriers to health services research. Health Services Research. 2005; 40 (4):1247–1258. [ PMC free article : PMC1361194 ] [ PubMed : 16033503 ]
- Nosowsky R, Giordano TJ. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule: Implications for clinical research. Annual Review of Medicine. 2006; 57 (1):575–590. [ PubMed : 16409167 ]
- O’Herrin JK, Fost N, Kudsk KA. Health Insurance Portability and Accountability Act (HIPAA) regulations: Effect on medical record research. Annals of Surgery. 2004; 239 (6):772–778. [ PMC free article : PMC1356285 ] [ PubMed : 15166956 ]
- Ramirez AG, Niederhuber JE. Letter to the Honorable Tommy G. Thompson, Secretary of the Department of Health and Human Services. 2003 November 5
- Ring J. 2007October 1–2 PowerPoint presentation to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on the American Heart Association survey results.
- Rose BS, Lodato V. The role of class actions in litigation involving human research subjects. BNA Class Action Litigation Report. 2004 March 12
- Russell S. Dispute on medical record access settled: Cancer researchers wanted UC data on new cases quicker. San Francisco Chronicle. 2004a December 7:B1.
- Russell S. Medical privacy law said to be chilling cancer studies: Scientists fight for fast access to patient files. San Francisco Chronicle. 2004b September 26:A4.
- Shaffer D. Privacy laws jeopardize heart study: Researchers have put a well-known stroke and heart disease study on hold. Star Tribune. 2006 February 12
- Shalowitz D, Wendler D. Informed consent for research and authorization under the Health Insurance Portability and Accountability Act Privacy Rule: An integrated approach. Annals of Internal Medicine. 2006; 144 (9):685–688. [ PubMed : 16670138 ]
- Shaul RZ, Birenbaum S, Evans M. Legal liability in research: Early lessons from North America. BMC Medical Ethics. 2005; 6 (4):1–4. [ PMC free article : PMC1182131 ] [ PubMed : 15953387 ]
- Shen JJ, Samson LF, Washington EL, Johnson P, Edwards C, Malone A, Shen JJ, Samson LF, Washington EL, Johnson P, Edwards C, Malone A. Barriers of HIPAA regulation to implementation of health services research. Journal of Medical Systems. 2006; 30 (1):65–69. [ PubMed : 16548417 ]
- Trevena L, Irwig L, Barratt A. Impact of privacy legislation on the number and characteristics of people who are recruited for research: A randomized controlled trial. Journal of Medical Ethics. 2006; 32 :473–477. [ PMC free article : PMC2563378 ] [ PubMed : 16877628 ]
- Tu JV, Willison DJ, Silver FL, Fang J, Richards JA, Laupacis A, Kapral MK. Impracticability of informed consent in the registry of the Canadian stroke network. New England Journal of Medicine. 2004; 350 (14):1414–1421. [ PubMed : 15070791 ]
- Walker DK. Impact of the HIPAA Privacy Rule on health services research. Philadelphia, PA: Abt Associates, Inc.; 2005.
- Ward HJT, Cousens SN, Smith-Bathgate B, Leitch M, Everington D, Will RG, Smith PG. Obstacles to conducting epidemiological research in the UK general population. British Medical Journal. 2007; 329 :277–279. [ PMC free article : PMC498031 ] [ PubMed : 15284154 ]
- Williams BA, Irrgant JJ, Bottegal MT, Francis KA, Vogt MT. A post hoc analysis of research study staffing: Budgetary effects of the Health Insurance Portability and Accountability Act (HIPAA) on research staff workload during a prospective, randomized clinical trial. Anesthesiology. 2007; 107 (5):860–861. [ PubMed : 18073577 ]
- Wolf MS, Bennett CL. Local perspective of the impact of the HIPAA Privacy Rule on research. Cancer. 2006; 106 (2):474–479. [ PubMed : 16342254 ]
- Woolf SH, Rothemich SF, Johnson RE, Marsland DW. Selection bias from requiring patients to give consent to examine data for health services research. Archives of Family Medicine. 2000; 9 :1111–1118. [ PubMed : 11115216 ]
NCAB was appointed by the President of the United States to advise the HHS Secretary and the National Cancer Institute Director regarding the activities of the Institute and policies regarding these activities.
Standards for Privacy of Individually Identifiable Health Information : Final Rule, 67 Fed. Reg. 53,255 (August 24, 2002) (codified at 45 C.F.R. parts 160 and 164).
Id. at 53,258.
Id. at 53,255.
For examples of specific cases naming IRB members as individual defendants, see Robertson v. McGee (2001), Guckin v. Nagle (2002), and Scheer v. Burke (2003), available at http://www .sskrplaw.com/gene/index.html .
The NIH Roadmap was initiated in 2004 as “an integrated vision to deepen our understanding of biology, stimulate interdisciplinary research teams, and reshape clinical research to accelerate medical discovery and improve people’s health.” See http://nihroadmap .nih.gov/overview.asp (accessed January 13, 2009).
See http://www .npdb-hipdb .hrsa.gov/npdbguidebook.html (accessed January 13, 2009).
- Cite this Page Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington (DC): National Academies Press (US); 2009. 5, Effect of the HIPAA Privacy Rule on Health Research.
- PDF version of this title (1.6M)
- Disable Glossary Links
In this Page
Other titles in this collection.
- The National Academies Collection: Reports funded by National Institutes of Health
Related information
- PMC PubMed Central citations
- PubMed Links to PubMed
Recent Activity
- Effect of the HIPAA Privacy Rule on Health Research - Beyond the HIPAA Privacy R... Effect of the HIPAA Privacy Rule on Health Research - Beyond the HIPAA Privacy Rule
Your browsing activity is empty.
Activity recording is turned off.
Turn recording back on
Connect with NLM
National Library of Medicine 8600 Rockville Pike Bethesda, MD 20894
Web Policies FOIA HHS Vulnerability Disclosure
Help Accessibility Careers
Cancer Clinical Trials: Proactive Strategies pp 199–207 Cite as
The Privacy Rule (HIPAA) as it Relates to Clinical Research
- John M. Harrelson MD 2 &
- John M. Falletta MD 2
849 Accesses
4 Citations
Part of the book series: Cancer Treatment and Research ((CTAR,volume 132))
4. Conclusion
The Privacy Rule has increased the complexity of life for an investigator engaged in research with human subjects. However, contrary to the fears of many and the claims of some, the Privacy Rule need not stifle such research. By understanding all of the regulations that govern research with human subjects, including the Common Rule, FDA regulations and the Privacy Rule, investigators are able to perform scientifically sound and ethical research. The IRB with which the investigator works can be a valuable resource to guide the research team as the study is designed and submitted for approval.
This is a preview of subscription content, log in via an institution .
Buying options
- Available as PDF
- Read on any device
- Instant download
- Own it forever
- Compact, lightweight edition
- Dispatched in 3 to 5 business days
- Free shipping worldwide - see info
- Durable hardcover edition
Tax calculation will be finalised at checkout
Purchases are for personal use only
Unable to display preview. Download preview PDF.
August 2003 Complete Privacy, Security, and Enforcement (Procedural) Regulations Text (45 CFR Parts 160 and 164) http://www.hhs.gov/ocr/combinedregtext.pdf/ , Sponsor: DHHS Office for Civil Rights, Accessed: 23 January 2006.
Google Scholar
Code of Federal Regulations Title 45 Part 46 http://www.hhs.gov/ohrp/humansubiects/guidance/45cfr46.htm/ . Sponsor: DHHS Office for Human Research Protections, Accessed: 23 January 2006.
Guidance for Institutional Review Boards and Clinical Investigators, 1998 Update, Appendix E: Significant Differences in FDA and HHS Regulations http://www.fda.gov/oc/ohrt/irbs/appendixe.html/ , Sponsor: FDA, Accessed 23 January 2006.
Code of Federal Regulations Title 21 Part 56 http://www.cfsan.fda.gov/~lrd/cfr56.html/ , Sponsor: FDA, Accessed 23 January 2006.
HIPAA Privacy Rule — Information for Researchers http://privacyruleandresearch.nih.gov/ , Sponsor: NIH, Accessed 23 January 2006.
Privacy Boards and the HIPAA Privacy Rule http://privacvruleandresearch.nih.gov/pdf/privacy_boards_hipaa_privacy_rule,pdf/ , Sponsor: NIH, Accessed 23 January 2006.
Research Repositories, Databases and the HIPAA Privacy Rule http://privacyruleandresearch.nih.gov/research_repositories.asp/ . Sponsor: NIH, Accessed 23 January 2006.
Institutional Review Boards and the HIPAA Privacy Rule http://privacyruleandresearch.nih.gov/pdf/IRB_Factsheet.pdf/ , Sponsor: NIH, Accessed 23 January 2006.
Guidance on Research Involving Coded Private Information or Biological Specimens, August 10, 2004 http://www.hhs.gov/ohrp/humansubiects/guidance/cdebiol.pdf/ . Sponsor: DHHS Office for Human Research Protections, Accessed 23 January 2006.
Download references
Author information
Authors and affiliations.
Duke University Health System, Durham, NC, USA
John M. Harrelson MD & John M. Falletta MD
You can also search for this author in PubMed Google Scholar
Editor information
Editors and affiliations.
Department of Surgery, University of California Medical Center at Mount Zion, 1600 Divisadero Street, San Francisco, CA, 94143
Stanley P. L. Leong MD, FACS
Rights and permissions
Reprints and permissions
Copyright information
© 2007 Springer Science+Business Media, LLC
About this chapter
Cite this chapter.
Harrelson, J.M., Falletta, J.M. (2007). The Privacy Rule (HIPAA) as it Relates to Clinical Research. In: Leong, S.P.L. (eds) Cancer Clinical Trials: Proactive Strategies. Cancer Treatment and Research, vol 132. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-33225-3_10
Download citation
DOI : https://doi.org/10.1007/978-0-387-33225-3_10
Publisher Name : Springer, Boston, MA
Print ISBN : 978-0-387-33224-6
Online ISBN : 978-0-387-33225-3
eBook Packages : Medicine Medicine (R0)
Share this chapter
Anyone you share the following link with will be able to read this content:
Sorry, a shareable link is not currently available for this article.
Provided by the Springer Nature SharedIt content-sharing initiative
- Publish with us
Policies and ethics
- Find a journal
- Track your research
An official website of the United States government
Here’s how you know
Official websites use .gov A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Research Uses and Disclosures
217-may a covered entity accept documentation of an irb waiver of authorization.
Yes. The HIPAA Privacy Rule explicitly permits a covered entity to reasonably rely on a researcher’s documentation of an Institutional Review Board (IRB) or Privacy Board waiver of authorization pursuant to 45 CFR 164.512(i) that the information requested is the minimum necessary for the research purpose. See 45 CFR 164.514(d)(3)(iii).
302-Will HIPAA hinder medical research
We do not believe that the Privacy Rule will hinder medical research. Indeed, patients and health plan members should be more willing to authorize disclosures of their information for research and to participate in research when they know their information is protected.
303-Are some criteria so subjective that IRB and privacy boards may makeinconsistent determinations
Under the HIPAA Privacy Rule, IRBs and Privacy Boards need to use their judgment as to whether the waiver criteria have been satisfied.
304-Does HIPAA prohibit researchers from conditioning participation in a clinical trial on an authorization to use/disclose existing information
No. The Privacy Rule does not address conditions for enrollment in a research study. Therefore, the Privacy Rule in no way prohibits researchers from conditioning enrollment in a research study on the execution of an authorization for the use of pre-existing health information.
305-Does HIPAA permit creating a database for research purposes through an IRB or Privacy Board waiver
Yes. A covered entity may use or disclose protected health information without individuals’ authorizations for the creation of a research database, provided the covered entity obtains documentation that an IRB or Privacy Board has determined that the specified waiver criteria were satisfied.
306-Can researchers access existing databanks or repositories created prior to the compliance date without permission
Under the HIPAA Privacy Rule, covered entities may use or disclose protected health information from existing databases or repositories for research purposes either with individual authorization as required at 45 CFR 164.508, or with a waiver of individual authorization as permitted at 45 CFR 164.512(i).
307-How does the Rule help IRBs handle the additional responsibilities imposed by the HIPAA Privacy Rule
Recognizing that some institutions may not have IRBs, or that some IRBs may not have the expertise needed to review research that requires consideration of risks to privacy, the Privacy Rule permits the covered entity to accept documentation of waiver of authorization from an alternative body called a Privacy Board–which could have fewer members, and members with different expertise than IRBs.
308-By establishing new waiver criteria and authorization requirements, hasn't HIPAA modified the Common Rule
No. Where both the Privacy Rule and the Common Rule apply, both regulations must be followed. The Privacy Rule regulates only the content and conditions of the documentation that covered entities must obtain before using or disclosing protected health information for research purposes.
309-Is documentation of IRB and Privacy Board approval required by the HIPAA
No. The HIPAA Privacy Rule requires documentation of waiver approval by either an IRB or a Privacy Board, not both.
310-Does HIPAA require a covered entity to create an IRB or Privacy Board before using or disclosing protected health information for research
The IRB or Privacy Board could be created by the covered entity or the recipient researcher, or it could be an independent board.
311-What does HIPAA say about a research participant's right of access to research records or results
With few exceptions, the Privacy Rule gives patients the right to inspect and obtain a copy of health information about themselves that is maintained by a covered entity or its business associate in a “designated record set.”
313-Do HIPAA's requirements for authorization and the Common Rule's requirements for informed consent differ?
Yes. Under the Privacy Rule, a patient’s authorization is for the use and disclosure of protected health information for research purposes. In contrast, an individual’s informed consent, as required by the Common Rule and the Food and Drug Administration’s (FDA) human subjects regulations, is a consent to participate in the research study as a whole, not simply a consent for the research use or disclosure of protected health information.
314-When is a researcher considered to be a covered health care provider under HIPAA
A researcher is a covered health care provider if he or she furnishes health care services to individuals, including the subjects of research, and transmits any health information in electronic form in connection with a transaction covered by the Transactions Rule.
315-When can a covered determine whether a research component of the entity is part of their covered functions
A covered entity that qualifies as a hybrid entity, meaning that the entity is a single legal entity that performs both covered and non-covered functions, may choose whether it wants to be a hybrid entity. If such a covered entity decides not to be a hybrid entity then it, and all of its components, are subject to the Privacy Rule in its entirety. Therefore, if a researcher is an employee or workforce member of a covered entity that has decided not to be a hybrid entity, the researcher is part of the covered entity and is, therefore, subject to the Privacy Rule.
316-If a research subject revokes authorization to disclose information can a researcher continue using the information already obtained
Covered entities may continue to use and disclose protected health information that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study.
317-Can the preparatory research provision of the HIPAA Privacy Rule be used to recruit individuals into a research study
The preparatory research provision permits covered entities to use or disclose protected health information for purposes preparatory to research, such as to aid study recruitment. However, the provision at 45 CFR 164.512(i)(1)(ii) does not permit the researcher to remove protected health information from the covered entity’s site.
318-Does HIPAA require documentation of IRB approval of an alteration or waiver of individual authorization
No. Documentation of IRB or Privacy Board approval of an alteration or waiver of individual authorization is only needed before a covered entity may use or disclose protected health information under 45 CFR 164.512(i)(1)(i).
319-If consent was obtained before the compliance date but the IRB modifies the document is authorization required
If informed consent or reconsent (ie., asked to sign a revised consent or another informed consent) is obtained from research subjects after the compliance date, the covered entity must obtain individual authorization as required at 45 CFR 164.508 for the use or disclosure of protected health information once the consent obtained before the compliance date is no longer valid for the research.
320-Can covered entities continue to disclose adverse event reports that contain information
Yes. The Office for Human Research Protections is a public health authority under the HIPAA Privacy Rule. Therefore, covered entities can continue to disclose protected health information to report adverse events to the Office for Human Research Protections either with patient authorization as provided at 45 CFR 164.508, or without patient authorization for public health activities as permitted at 45 CFR 164.512(b).
321-Can covered entities continue to disclose information to the HHS Office for Human Research Protections
Yes. The Office for Human Research Protections is a health oversight agency under the HIPAA Privacy Rule. Therefore, covered entities can continue to disclose protected health information to the Office for Human Research Protections for such compliance investigations either with patient authorization as provided at 45 CFR 164.508, or without patient authorization for health oversight activities as permitted at 45 CFR 164.512(d).
Institutional Review Board Guidance from OCR
Institutional Review Boards and the HIPAA Privacy Rule FDA IRB Information Sheet FDA IRB Regulations Institutional Review Boards and the HIPAA Privacy Rule - NIH Fact Sheet Lawrence Livermore National Laboratory Office for Human Research Protections (OHRP) Office for Human Research Protections (OHRP) Guidebook
IMAGES
VIDEO
COMMENTS
Overview. Researchers in medical and health-related disciplines require access to many sources of health information, from archived medical records and epidemiological databases to disease registries, tissue repositories, hospital discharge records, and government compilations of vital and health records.
OCR Issues the HITECH Breach Notification Interim Final Regulation August 24, 2009 ; OCR Issues a Proposed Rule to Modify the HIPAA Privacy, Security, and Enforcement ...
An official website of the United States government. Here's how you know
4. hipaa, the privacy rule, and its application to health research. overview of hipaa; development of the privacy rule regulations; overview of the hipaa privacy rule hipaa and research; enforcement of the privacy rule; relationship between hipaa and other laws; conclusions and recommendations; references; 5.
THE PRIVACY RULE ("HIPAA") IN RESEARCH 11/20/2023 I. OVERVIEW The U.S. Congress passed the Health Insurance Portability and Accountability Act ... Each use or disclosure of PHI from a database or repository for research purposes is considered a separate research activity. As such, each use or ...
An official website of the United States government. Here's how you know
OVERVIEW OF SURVEY RESULTS. As noted in previous chapters (Chapter 1 in particular), the information gained by opinion surveys has limitations.The potential for bias exists because of the way the questions are worded and framed, and respondents may have self-motivated reasons for responding in a particular fashion.
First, Hopkins' entire clinical database is not a "research database" even though it may be used for research. When patients come to Hopkins, clinicians collect data and specimens that identify each patient ("health information"). This information is used for a myriad of treatment, payment and operations purposes.
Statement that the alteration/waiver satisfies the following 3 criteria: a. The use/disclosure of PHI involves no more than minimal risk to the privacy of individuals, based on at least the following elements: i. An adequate plan has been proposed to protect the identifiers from improper use and disclosure; ii.
Authors and Affiliations. Duke University Health System, Durham, NC, USA. John M. Harrelson MD & John M. Falletta MD
The site is secure. The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
or post office boxes, all elements of dates (such as admission and discharge dates) and unique codes or identifiers not listed as direct identifiers.
or post office boxes, all elements of dates (such as admission and discharge dates) and unique codes or identifiers not listed as dir ect identifiers. 3 Research · · · and
The HHS regulations include the Federal Policy for the Protection of Human Subjects, effective August 19, 1991, and provide additional protections for pregnant women, fetuses, neonates, prisoners, and children involved in research. The HHS regulations can be found at Title 45 of the Code of Federal Regulations, Part 46.
A: There are two separate activities to consider: (1) The use or disclosure of PHI for creating a research database or repository and (2) The subsequent use or disclosure of PHI in the database for a particular research protocol. A covered entity's use or disclosure of PHI to create.
Review and approve HIPAA Written Authorizations (WA) when they are combined with an informed consent document 45CFR164.508(c)(1) and (2).; Approve and document determinations regarding waiver or alteration of the requirements for written Authorization 45CFR164.512(i)(1)(i) and 45CFR164.512(ii);; Receive HIPAA Attestation from investigators who propose to use PHI without an authorization including:
Can researchers continue to access existing databanks or repositories that are maintained by covered entities, even if those databases were created prior to the compliance date without patient permission or without a waiver of informed consent by an Institutional Review Board (IRB)?
Frequently Asked Questions. Office for Civil Rights Frequently Asked Questions on the HIPAA Privacy Rule. Click here for access to the complete set.. HIPAA Privacy ...
As The Privacy Rule is implemented, researchers are asking how these rules might affect research that uses health information in databases and repositories. The ...
Research Uses and Disclosures. 217-May a covered entity accept documentation of an IRB waiver of authorization. 302-Will HIPAA hinder medical research. 303-Are some criteria so subjective that IRB and privacy boards may makeinconsistent determinations. 304-Does HIPAA prohibit researchers from conditioning participation in a clinical trial on an ...
Office for Human Research Protections (OHRP) Home - Dictionary - FAQ - News - Events - Resources - Site Map - Contact Information - HHS Vulnerability Disclosure Site last updated: 02/02/2007