Jill Wechsler
|
A critical component of the Obama administration's health reform campaign is to expand adoption of electronic health information
systems. The recently enacted economic stimulus legislation provides $19 billion to support use of electronic health records
(EHRs) by doctors and hospitals and to develop standards and systems supporting electronic health information exchange.
This investment aims to jump-start development of an interoperable health care system that improves care, prevents medical
errors, reduces waste, and better informs treatment decisions. Electronic databases promise to accelerate detection of drug
adverse events and to streamline data collection.
Meanwhile, widespread transmission of personal health information (PHI) has generated demands for stronger protections against
unauthorized disclosure of patient records.
The HITECH (health information technology) portion of the stimulus bill aims to build public confidence in the system by requiring
patient notification of any unauthorized disclosure or "breach" of PHI, giving individuals more control over access to their
records and stiffening penalties for violations of the rules. HITECH does not directly address privacy in clinical research, but the new requirements promise to heighten efforts by doctors
and hospitals to protect patient data, which could further limit access to patient records that is useful for researchers
trying to identify eligible study subjects, design protocols, and assess health data.
Impeding research
The privacy requirements established under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 limit how
"covered entities" (e.g., health plans, hospitals, and providers) may use or disclose electronically any individually identifiable
health information.
The aim of the privacy rule, which was finalized in 2003, is to ensure the confidentiality of patient medical records under
a system of expanding electronic transfer of information by health care institutions.
HIPAA offered no specific exemption from privacy requirements for clinical studies and health system research, even though
such activity already was governed by the Common Rule, Food and Drug Administration regulations, and other local and international
codes and policies.
In addition, those clinical investigators who also are covered entities, including physicians providing medical care and academic
research organizations attached to hospitals, have to comply with all HIPAA security and privacy requirements.
Confusion over interpretation of the privacy policy has impeded research, as providers block access to patient medical records
that can inform protocol development and permit follow-up on study outcomes.
For the most part, the biomedical research community has learned to live with HIPAA privacy requirements.
For clinical trials testing drugs and medical products, the informed consent process generally provides permission for researchers
to access medical records and evaluate study participant results. But the privacy requirements make the consent process more
complex and confusing to patients and impose added responsibilities on Institutional Review Boards (IRBs).
In addition, consent to participate in a specific study cannot be combined with authorization to access the data for later
research or to put the data in a repository for future analysis. Privacy rules thus make it difficult to follow patients over
time, creating problems in accounting for drop-outs and deceased trial participants and in designing postmarketing studies.
More patients refuse to provide additional consent after an initial study. Limiting studies to fewer consenting individuals
can lead to selection bias that can compromise results.
Cancer researchers complain of differing HIPAA privacy compliance approaches among institutions and privacy officers. Moreover,
population-based research, which often involves accessing patient records without informed consent, faces added obstacles.
Epidemiologists complain that privacy policies slow enrollment, raise costs, and even inhibit some hospitals from reporting
on infectious diseases and other health conditions.
New approaches needed
A new report from the Institute of Medicine (IOM), "Beyond the HIPAA Privacy Rule," finds that the current policy has increased
the cost and time of research projects, forcing researchers to abandon important studies while also confusing study participants
regarding their rights and protections.
Robert Califf, vice chancellor for clinical research at Duke University Medical Center, told the IOM panel at its October
2007 meeting that the HIPAA privacy rule was contributing to a repressive regulatory climate that has demoralized the clinical
research community and prompted an exit of clinical research from the United States to other countries.
