Health Insurance Portability and Accountability Act (HIPAA)
Comment by Epi Working Group at NCI Conference on Confidentiality, Data Security, and Cancer Research
Bethesda, Maryland, 11/30-12/2/99
Subject: Comments on electronic data privacy regulations due to HHS on February 17.
Dear ACE Colleague:
The Department of Health and Human Services (DHHS) has proposed an extensive patient privacy regulation as required by a 1996 provision of the Health Insurance Portability and Accountability Act (HIPAA). The proposed regulation could have a profound negative effect on biomedical research. The regulation is cumbersome and erects new roadblocks to epidemiologic research according to David Korn of the Association of American Medical Colleges (Washington Fax, February 4, 2000). In addition, proposed st andards on safeguarding the identity of individuals may be impossible to meet. The proposed regulations may prove particularly cumbersome for those engaged in clinical trials. Key concerns include:
- The requirement of "patient authorization" in addition to informed consent that is time-limited and duplicative. The potential need for multiple authorizations over time from participants in longitudinal studies may have a negative effect on participation rates. This authorization also may impede research using archived specimens or data.
- Additional criteria to be considered by IRB’s for exemptions from informed consent. The criteria appear to duplicate others that already can be applied by IRB’s, and also appear to require the removal of identifiers at the completion of the approved research. There are implications for tissue banks or specimen repositories.
- A two-tiered system for public and private research. The double-standard may become an obstacle to Federally-funded research.
- Disclosure to research participants of their results even when the interpretation of these results has not yet been validated for medical decision making, and placing the burden for disclosure on the researchers who collect such data.
- Documentation of Disclosure. Health care providers and health data clearinghouses must document all disclosures of health information for purposes unrelated to treatment or payment. This is likely to add considerably to the administrative burden of providers and repositories and may discourage them from providing medical records to researchers.
- Civil and criminal penalties for violations. Civil penalties up to $25,000 or criminal penalties as high as $250,000 and 10 years in jail will discourage health care providers and health care data clearinghouses from providing data to researchers.
Comments on the proposed regulation are due to DHHS on February 17. While many biomedical organizations are expected to comment, it is essential that individual epidemiologists also weigh in. The full text of the regulation (45 C.F.R. Parts 160-164, Standards for Privacy of Individually Identifiable Health Information) along with related material can be found on the Internet at aspe.hhs.gov/admnsimp or by choosing the Federal R egister link at www.gpo.access.gov
An excellent summary has been prepared by the American Medical Informatics Association (AMIA). It can be found on their website, www.amia.org. A draft of their proposed response to DHHS is also available at the site. The AAMC will also post their comments at www.aamc.org
The ACE executive committee and several members of the Policy Committee are reviewing the document in order to draft a letter on behalf of the College. A draft will be posted on our website (www.acepidemiology.org) as soon as it is available. In addition, Bob Hiatt has shared with the College comments that were prepared by an NCI epidemiology workgroup who met last fall to consider best practices in data privacy and confidenti ality. These also will be posted on the website.
Last updated 2/21/2000 by Victor Schoenbach