The HIPAA Privacy Rule Yesterday and Today
A Brief History of HIPAA and the Privacy Rule
The Health Insurance Portability and Accountability Act (HIPAA) was passed on August 21, 1996, with the dual goals of making health care delivery more efficient and increasing the number of Americans with health insurance coverage. These objectives were pursued through three main provisions of the Act: (1) the portability provisions, (2) the tax provisions, and (3) the administrative simplification provisions. The focus of this report, the HIPAA Privacy Rule, was promulgated under the third provision. The administrative simplification provisions of HIPAA instructed the Secretary of the U.S. Department of Health and Human Services (HHS) to issue several regulations concerning electronic transmission of health information, which was expanding greatly in the early 1990s. The primary purpose of these provisions was to standardize the use of electronic health information, but Congress also recognized that advances in electronic technology could endanger the privacy of health information. Thus, HIPAA mandated the development of nationwide security standards and safeguards for the use of electronic health care information as well as the creation of privacy standards for protected health information.1
Although the Common Rule2 imposed some requirements on the use of health information in research, federal regulations specifically targeting health information privacy were lacking. In accordance with the administrative simplification provisions, HHS developed the HIPAA Privacy Rule, which set out detailed regulations regarding the types of uses and disclosures of personally identifiable health information that are permitted by the covered entities.3 HHS first issued a proposed version of the HIPAA Privacy Rule for public comment in 1999, but because of the enormous volume of comments received regarding the regulations, as well as a change in executive branch leadership following the 2000 Presidential election, the HIPAA Privacy Rule evolved through several iterations before the final version was issued in 2002 (45 C.F.R. parts 160 and 164). Most health care providers and health plans were required to be in compliance with this version of the HIPAA Privacy Rule by April 14, 2003. Small health plans were given until April 14, 2004, to be in compliance.
The primary targets of the HIPAA Privacy Rule were information uses and transactions necessary for the provision of health care, but the final regulations also apply to a great deal of health research. Congress recognized the important role that health records play in conducting health research, and wanted to ensure that implementation of the HIPAA Privacy Rule would not impede researchers’ continued access to such data. This is reflected in two House reports on HIPAA with identical language, stating: “The conferees recognize that certain uses of individually identifiable information are appropriate, and do not compromise the privacy of an individual. Examples of such use of information include … the transfer of information from a health plan to an organization for the sole purpose of conducting health care–related research. As health plans and providers continue to focus on outcomes research and innovation, it is important that the exchange and aggregated use of health care data be allowed” (U.S. Congress, 1996a,b).
In response, HHS attempted to create a system that mandated privacy protection for individually identifiable health information while allowing important uses of the information in health care and research. Thus, researchers must now follow the provisions of the HIPAA Privacy Rule when obtaining data from a covered entity.
Privacy and Health Research
Health research and privacy protections both provide valuable benefits to society, and the two topics are interrelated. Researchers know that trust is essential for patients to be willing to participate in research, and many patients value research and are willing to share their health information in the hope of reaping some benefit from scientific advances for themselves or their families. Collection and analysis of health information is necessary to attain the full benefits of health research for the individual, the family, and the community. The challenge is to identify the most essential components of both privacy protection and research, to ensure maximal benefit and minimal risk.
Some health research projects with important implications for health care improvements and public health protections entail the analysis of information that many would consider sensitive. For example, some research examines information regarding individuals’ sexuality, or smoking, alcohol, and drug use habits. Also, it may be necessary to collect information on an individual’s social, racial, or economic status to study the influence of poverty, nutrition, and social relationships on health. Many research projects now also study a person’s genetic profile to gain insight into predispositions for diseases. Epidemiology and public health research may trace disease incidence and characteristics, or response to treatments.
Research participants are more willing to share personal information and more likely to truthfully answer research questions when they believe the privacy of their personal information is protected against inadvertent or unwanted disclosure. This helps to assure individuals that their risk of harm in participating, including economic, social, or psychological harm, is minimal (Hodge et al., 1999). Furthermore, when researchers have access to accurate and comprehensive medical datasets, the results are more likely to be valid and meaningful to broad populations.
Since the HIPAA Privacy Rule was implemented, privacy advocates and others have argued that the United States needs stronger privacy protections than are provided in the HIPAA Privacy Rule (Friedman, 2006; Gellman, 2006; Sobel, 2007). These demands have generally focused on health care rather than health research, and are based to a large extent on theory, opinions, and anecdotal experiences. As noted in the methods section below, a Harris Poll undertaken during the course of this study provided new and current insight into the experiences and expectations of the U.S. public with regard to privacy in health research. A review of the relevant literature, including surveys and focus group studies, can be found in Chapter 2.
After reviewing the available evidence, the committee concluded that the public is deeply concerned about the privacy and security of personal health information, and that the HIPAA Privacy Rule has reduced, but not eliminated, those concerns. In some surveys, the majority of respondents were not comfortable with their health information being provided for health research except with notice and express consent. But in others, a majority of respondents were willing to forgo notice and consent if various safeguards and specific types of research were specified. As noted in Chapter 3, surveys also indicate that the majority of Americans are supportive of health research, but they lack information about how research is conducted and are rarely informed about research results that may have a direct impact on their health.
The Concerns of Health Researchers
Researchers began raising concerns about the potential impact of the HIPAA Privacy Rule on health research when the regulations were first proposed. However, researchers did not play a large role in shaping the final version of the HIPAA Privacy Rule published by HHS. Most of the comments that HHS received from the research community during the notice of proposed rulemaking period were focused on urging HHS not to include research within the HIPAA Privacy Rule regulations at all. Few comments suggested alternatives to the regulatory scheme proposed by HHS, or gave HHS constructive comments on how to incorporate the research provisions into the rule (IOM, 2006).
After the date of compliance for the HIPAA Privacy Rule, the concerns of researchers escalated. Numerous anecdotal reports and expert opinions, along with a number of surveys, indicate that the HIPAA Privacy Rule has had a negative effect on the ability of researchers to conduct valid research due to new restrictions on access to health data, and has not produced a measurable increase in the protection of data used in research (NCVHS, 2003; Ramirez and Niederhuber, 2003; Tovino, 2004; Walker, 2005) (see also Chapter 5). Because of the reported concerns about the HIPAA Privacy Rule’s effect on research, several organizations have provided HHS with recommendations on how to improve the way the HIPAA Privacy Rule regulates research. The past recommendations of the National Committee on Vital and Health Statistics, the Association of American Medical Colleges, and the HHS Secretary’s Advisory Committee on Human Research Protections are listed in Appendix A. As noted in the methods section below, several new surveys were also undertaken during the course of this study to provide more current, systematic data for the committee’s deliberations. The committee also reviewed a number of studies that attempted to assess the impact of the HIPAA Privacy Rule on health research. A complete review of the literature can be found in Chapter 5.
Origins of the Study
The 2003 Annual Report of the President’s Cancer Panel, which made a number of recommendations regarding issues affecting cancer survivors, also included a recommendation that “The Institute of Medicine (IOM) should be commissioned to evaluate the impact of HIPAA provisions and provide guidance to legislators on amendments needed to make this law serve the interests of cancer survivors and others” after concluding that the HIPAA Privacy Rule slowed research on cancer survivors in a variety of ways (President’s Cancer Panel, 2004). The Panel’s 2005–2006 report again called for an evaluation of the HIPAA Privacy Rule provisions that were thought to inhibit the ability to track and collect data for research on cancer survivors (President’s Cancer Panel, 2006). Based on those recommendations, the IOM’s National Cancer Policy Forum held a workshop on the topic, inviting a diverse group of speakers representing many relevant stakeholders from academia, industry, and the public. The proceedings of that workshop, held June 16, 2006, were then reported in a summary published by the IOM (IOM, 2006).
At that workshop, speakers reiterated many of the challenges described above in applying the HIPAA Privacy Rule to health research, noting that despite having several years to learn and adapt to the new rules, as well as new guidance from HHS and the Office for Civil Rights (OCR), researchers are still facing difficulty in working under the HIPAA Privacy Rule. Although the goal of the HIPAA Privacy Rule was to establish a uniform set of federal standards to be applied nationwide, many speakers testified that there is enormous variation among institutions and oversight boards in the way the regulations are interpreted and applied, with many adopting exceptionally conservative interpretations. Moreover, it was reported that many smaller institutions lacked the staff and infrastructure to implement the regulations on research and ensure compliance, and were opting out of research entirely to avoid the risk of penalties for HIPAA noncompliance (IOM, 2006). However, many speakers also stressed the need to maintain or strengthen the privacy protections for personal health information.
Following the publication of the IOM’s National Cancer Policy Forum’s workshop summary, the governing board of the National Academies determined that a consensus study to examine the effects of the HIPAA Privacy Rule on health research would be of value, and funding for the study was obtained from diverse sources, including the National Institutes of Health, the National Cancer Institute, the Burroughs Wellcome Fund, the Robert Wood Johnson Foundation, the American Heart Association (AHA)/American Stroke Association, the American Cancer Society, the American Society for Clinical Oncology (ASCO), and C-Change.
Committee Appointment and Charge
The funders of the study asked the IOM to examine the available evidence to determine whether the HIPAA Privacy Rule was impacting the conduct of health research. As a major funder of the study, HHS had a particular interest in distinguishing direct effects of mandates in the HIPAA Privacy Rule on the conduct of research from the variable influence of interpretation and implementation of the regulations by various institutions and oversight boards.
To examine the question, the IOM appointed a 15-member committee with a broad range of expertise and experience covering various fields of health research; privacy of health information; health law, regulation, and ethics; human research protections and IRBs; health center administration; use and protection of electronic health information; and patient advocacy. The IOM committee was charged with the task of proposing recommendations that would facilitate the efficient and effective conduct of responsible health research while maintaining or strengthening the privacy protections of identifiable health information, as follows:
An Institute of Medicine committee will investigate the effects on health research of the Privacy Rule regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) section on Administrative Simplification and prepare a report. In conducting the study, the committee will:
- Consider the range of study types, such as clinical trials, epidemiologic designs, research using tissue repositories and databases, public health research, and health services research, to the extent that available data and evidence allow;
- Consider research carried out by the full range of sponsors: government, public and private academic, and for-profit sectors, including the pharmaceutical, biotechnology, and medical device industries;
- Review provisions of the Privacy Rule relevant to health research, including those dealing with authorizations and accounting of disclosures of personal health information, deidentification of data, reviews preparatory to research, and others, and on reviewing them, may identify provisions that merit priority attention and analysis;
- Consider issues of interpretation and implementation of the Privacy Rule, as well as of harmonization with overlapping provisions of the Common Rule and Food and Drug Administration regulations, which have existed much longer;
- Examine the potential impact of the Rule on public health research, on the recruitment of research subjects for studies, on carrying out research internationally, and on research using data and biomaterials in databases and tissue repositories; and
- Consider the needs for privacy of identifiable personal health information and the value of such privacy to patients and the public.
As data and evidence allow, the needs and benefits of patient privacy will be balanced against the needs, risks, and benefits of identifiable health information for various kinds of health research. The committee will formulate recommendations for alterations or retention of the status quo accordingly.
The committee reviewed the available published literature and obtained input from experts in the field and interested individuals and institutions. The literature review, as well as the proceedings of the IOM workshop described above, demonstrated there was a dearth of systematic data to determine whether the HIPAA Privacy Rule was having an impact on health research. Because many published reports were based on isolated anecdotes or small surveys, the IOM committee sought larger surveys with national coverage. As a result, the IOM, in consultation with committee members, took the unusual step of commissioning4 several surveys to assess current perceptions among health researchers of the effect of the HIPAA Privacy Rule on research, and to gauge the public’s perception of and expectations for privacy in health research. The first survey entailed a national web-based survey of U.S. epidemiologists overseen by Dr. Roberta Ness at the University of Pittsburgh. A second project, undertaken by Sarah Greene and Dr. Ed Wagner at the Group Health Center for Health Studies in Seattle, involved a survey of HMO Research Network (HMORN) investigators and a survey of HMORN Institutional Review Boards. A Harris Interactive Poll of the public, developed by Alan Westin of the Privacy Consulting Group, served as the third survey. Detailed descriptions of the methodologies and analysis for each of the surveys can be found in Appendix B. Several additional surveys and focus groups were undertaken independently by organizations, with the intent of providing input to the IOM committee. Those organizations include AcademyHealth, AHA, ASCO, the American Association of Central Cancer Registries, and the Association of Academic Health Centers.
Surveys are useful in identifying the main issues surrounding the HIPAA Privacy Rule’s regulation of research, but it is important to recognize the limitations of opinion surveys. As noted briefly in Chapters 2, 3, and 5, designing quality surveys presents many challenges. These challenges include ensuring that the respondents are truly representative of the population being surveyed, developing the wording of questions, framing the responses provided, analyzing the relationship and potential influence of questions to each other in the survey process, and applying statistical analyses to the data acquired. Although they are helpful in gaining the perspective of populations of interest, such as current members of the health research community or of the public, survey methods are also prone to subject bias and error. Motivational factors may influence the results of surveys that address sensitive subjects, and respondents may be unwilling to provide accurate information for reasons of self-protection or personal gain (Wentland and Smith, 1993). In addition, experiments in social psychology suggest that responses to survey questions regarding attitude are influenced by environment, survey type, and the context in which the question is presented (Tourangeau et al., 2000). The committee’s intention in presenting findings from opinion surveys, including those commissioned by the IOM, is to shed light on opinions regarding the influence of the HIPAA Privacy Rule on health research and patient privacy; it is not an attempt to definitively determine cause and effect.
The Committee’s Conclusions and Recommendations
The recommendations put forth in this report represent committee consensus that was developed through review and discussion of the above information sources. There are three general methods for improving the current system: (1) HHS and its OCR could provide more guidance to IRBs, Privacy Boards, institutions, and other participants and stakeholders, which is the simplest and most direct way to achieve change; (2) regulatory changes to the HIPAA Privacy Rule provisions may be necessary in some cases, but are more difficult to undertake; and (3) statutory change of HIPAA or other legislation at the federal or state level, which is the most difficult to accomplish. The committee tried to be as modest as possible in proposing recommendations to achieve its goals, with the aim of making it easier to effect change if policy makers agree with our proposals.
After reviewing the available evidence, the committee concluded that covered entities, Institutional Review Boards (IRBs), Privacy Boards, and researchers alike have faced difficulty in interpreting and implementing the complex regulation. There is a great deal of variation in how these stakeholders have responded to the HIPAA Privacy Rule, with many covered entities, IRBs, and Privacy Boards interpreting the HIPAA Privacy Rule very conservatively. These interpretations impede some important research activities, and can also limit the validity and generalizability of some research results. The variation in interpretation is especially problematic for multi-institutional research projects. Gaining IRB or Privacy Board approval from multiple institutions for a particular project is challenging and can lead to significant delays or even abandoned studies, and also can result in protocol variations at different research sites. The committee also found that for some provisions of the HIPAA Privacy Rule, the burdens are heavy and the privacy protections in research are small.
Therefore, the committee concluded that the HIPAA Privacy Rule, as currently interpreted and implemented, impedes research without protecting privacy as well as it should. The committee’s approach to its task evolved as the study progressed and the group began thinking about potential recommendations. The committee decided to approach the problem in two ways. First, the committee proposes a bold, innovative, and more uniform approach to the dual challenge of protecting privacy and supporting beneficial and responsible research.5 Although this new approach may be harder to implement in the short term, it should help stimulate fresh ideas about the best ways to protect privacy and improve research as the nation thinks about these two interrelated values over the next several years. Second, the committee makes a series of detailed proposals to improve the HIPAA Privacy Rule and associated guidance. These recommendations aim to reduce variability in the interpretation of the HIPAA Privacy Rule as applied to research, and to facilitate important health research within the scope of the HIPAA Privacy Rule through revised and expanded guidance, or by altering some provisions that pose a hindrance to research but do not provide significant privacy protections. The committee’s last set of recommendations does not directly relate to the HIPAA Privacy Rule, but should be adopted regardless of which of the committee’s approaches is implemented (the new framework or revisions to the HIPAA Privacy Rule and associated guidance). These include improving the security of identifiable health information, encouraging service on Institutional Review Boards and Privacy Boards, and providing more information to the public about research results, how health research is conducted, and how it contributes to the welfare of individuals and society as a whole.
Framework of the Report
Chapter 2 describes the value and importance of health information privacy with an overview of how informational privacy has been protected by law; a review of survey data on public opinions, expectations, and experiences; and a discussion on the security of health data.
Chapter 3 describes the value and importance of responsible health research, and includes an overview of how health information is used in research and how federal regulations govern the conduct of research.
Chapter 4 provides an overview of the HIPAA Privacy Rule and how privacy regulations apply to health research, including a discussion of the HIPAA Privacy Rule’s relation to other regulations that govern the privacy of health information in research.
Chapter 5 reviews the available evidence, including results from recent surveys, on the impact of the HIPAA Privacy Rule on the conduct of health research.
Chapter 6 describes the limitations of the HIPAA Privacy Rule, and proposes a new and broader framework for the protection of privacy in health research.
The Appendixes provide a summary of previous recommendations to HHS about the HIPAA Privacy Rule and health research, as well as a description of the surveys commissioned by the committee (survey methods and analysis).
Notes
1. Protected health information is personally identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. Protected health information excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232(g), records described at 20 U.S.C. 1232(g)(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer.
2. The “Common Rule” is the term used by 18 federal agencies who have adopted the same regulations governing the protection of human subjects of research.
3. Under 45 C.F.R. § 160.103 (2006), a covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard.
4. The surveys were commissioned with private funding. No federal funds were used to support collection of survey data.
5. Responsible health research is methodologically sound, scientifically valid, protects the rights and interests of study subjects, and addresses a question or problem relevant to improving human health.
References
- Friedman DS. HIPAA and research: How have the first two years gone? American Journal of Ophthalmology. 2006;141(3):543–546.
- Gellman R. Crimes and sanctions. Journal of AHIMA. 2006;77(9):96–97.
- Hodge JG Jr, Gostin LO, Jacobson PD. Legal issues concerning electronic health information: Privacy, quality, and liability. Journal of the American Medical Association. 1999;282(15):1466–1471.
- IOM (Institute of Medicine). Effect of the HIPAA Privacy Rule on health research: Proceedings of a workshop presented to the National Cancer Policy Forum. Washington, DC: The National Academies Press; 2006.
- NCVHS (National Committee on Vital and Health Statistics), Subcommittee on Privacy and Confidentiality. Susan Ehringhaus’s testimony on behalf of the Association of American Medical Colleges. November 19, 2003.
- President’s Cancer Panel. Living beyond cancer: Finding a new balance. 2004. http://deainfo.nci.nih.gov/ADVISORY/pcp/pcp03-04rpt/Survivorship.pdf [accessed May 1, 2008].
- President’s Cancer Panel. Assessing progress, advancing change. 2006. http://deainfo.nci.nih.gov/ADVISORY/pcp/pcp07rpt/pcp07rpt.pdf [accessed June 15, 2008].
- Ramirez AG, Niederhuber JE. Letter to The Honorable Tommy G. Thompson, Secretary of Department of Health and Human Services. Washington, DC; November 5, 2003.
- Sobel R. The HIPAA paradox: The Privacy Rule that’s not. Hastings Center Report. 2007;37(4):40–50.
- Tourangeau R, Rips L, Rasinski K. The psychology of survey response. Cambridge, UK: Cambridge University Press; 2000.
- Tovino SA. The use and disclosure of protected health information for research under the HIPAA Privacy Rule: Unrealized patient autonomy and burdensome government regulation. South Dakota Law Review. 2004;49(3):447–502.
- U.S. Congress, House of Representatives, Committee on Ways and Means. Health Coverage Availability and Affordability Act of 1996. March 25, 1996 (1996a).
- U.S. Congress, House of Representatives, Committee of Conference. Health Insurance Portability and Accountability Act of 1996. July 31, 1996 (1996b).
- Walker DK. Impact of the HIPAA Privacy Rule on health services research. Philadelphia, PA: Abt Associates, Inc.; 2005.
- Wentland EJ, Smith KW. Survey responses: An evaluation of their validity. San Diego, CA: Academic Press; 1993.
Originally published by the U.S. National Library of Medicine, 2009, to the public domain.