The Impact of the Standards for Privacy of Identifiable Health Information on Conducting Health Services Research
Testimony of Jonathan Lawniczak, M.B.A.,
Coalition for Health Services Research
Before the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics
November 20, 2003
Introduction
Mr. Chairman and members of the Committee, thank you for the opportunity to testify today on how the Standards for Privacy of Identifiable Health Information (the Privacy Rule) has impacted health services research. I am Jonathan Lawniczak, M.B.A., Director of Government Relations for the Coalition for Health Services Research (Coalition). The Coalition is the advocacy arm of AcademyHealth, the professional home for health services researchers, policy analysts, and practitioners. Through AcademyHealth, the Coalition represents more than 3,750 individual researchers, scientists and policy experts as well as 125 organizations that produce and use health services research information including universities, providers, employers, and health plans. Our members conduct much of this nation's health services research, and share in the overall goals of the regulation in protecting the confidentiality of identifiable health information while sustaining the vitality of research.
Today I am going to talk generally about the impact the regulation has had as a whole on researchers conducting health services research, then discuss specific areas where problems occurred and how they were corrected, and finally, I will talk about some concerns that can only be addressed through modifications of the regulation. These comments are based upon interviews I have had with health services researchers who have attempted to collect data from covered entities since April 14, 2003.
Before discussing the areas of concern raised by researchers regarding the Privacy Rule, I would like to thank the Secretary and the Department of Health and Human Services (DHHS) for crafting a rule that has, for the most part, been workable. At this early stage of its implementation, it appears that the Privacy Rule has not placed insurmountable barriers in the path of conducting health services research. I specifically wish to thank the Secretary for the development of Limited Data Sets. This provision prevented untold difficulties and we are grateful for this change made to facilitate health research.
Difficulties that Can be Addressed Through Education Without Modifying the Rule
The good news is that many of the larger concerns of the health services research field were not realized. Before April 14, there was concern about how the minimum necessary requirement would apply and if it would be used by covered entities as a device for not releasing data. This turns out not to have been an issue. Our researchers were also very concerned about allowing covered entities to require a review of research proposals through their own institutional review boards (IRB) instead of requiring them to accept the decision of the IRB that did the initial review (usually from the institution where the researcher was based). While using multiple IRBs has caused some problems, it has not prevented researchers from gaining access to data. In general, the use of the IRB system seems to be a sensible course for assuring that the research protects the confidentiality of individually identifiable information.
While we have not seen instances in which the use of multiple IRBs prevented a researcher from obtaining data, it has slowed the process and added costs to the research. Multiple IRBs slow the process because conflicting requirements may be placed on the researcher by the IRBs. Some researchers have reported that this issue was resolved by simply accepting the most onerous requirement and then going back to the other IRBs to make sure they accept the change. When the requirements of the various IRBs are incompatible, researchers are required to negotiate with all the IRBs involved to resolve the conflicts. With the addition of this new phase of negotiations with IRBs added to the research process, costs have increased along with the time line needed to do the research. Unfortunately, Congress has not increased research budgets to accommodate the new requirements of working under the Privacy Rule.
Clearly, some IRBs are more knowledgeable about the Privacy Rule than others. Those IRBs that work with researchers on a continual basis are well informed about how the Privacy Rule applies to research and set the rules for the conduct of such research accordingly. Generally speaking, however, those covered entities associated with smaller institutions are not as knowledgeable about the research requirements and, thus, tend to overestimate what needs to be done, placing greater burdens on researchers than those that are mandated by the regulation. Again, this is an issue that can be resolved with technical assistance and more education to IRBs.
No one I had spoken with had either been denied data from a covered entity or heard of anyone who had. However, obtaining data still requires resolving several obstacles that were not in place last April. As with IRBs, it appears that the smaller the covered entity, the less knowledge they have regarding the provisions of the Privacy Rule that do not directly impact that entity. Thus, when a researcher requests data, the initial reaction is "HIPAA doesn't allow that." This occurred with every researcher I spoke to, even those planning on using individual authorization forms signed by the patients. Again, this slows the project, adding cost. We recommend that the Office of Civil Rights place greater emphasis on educating and providing technical assistance to smaller covered entities on the Privacy Rule requirements.
We have also heard from researchers who are concerned that it appears the implications of HIPAA and the Privacy Rule may be particularly complicated for Federal agencies that are simultaneously covered entities, data sources, and research sites themselves. Our researchers believe it would be helpful if the Office of Civil Rights could assist other units within DHHS and throughout the government in understanding how they can most efficiently release their data for research while complying with the Privacy Rule requirements.
Issues Requiring Input from DHHS or Modification of the Privacy Rule
While the issues discussed thus far are of concern because of the added time and cost burdens added to research, they have been somewhat ameliorated by education of the parties involved. The following discussion focuses on those issue areas where some type of input from DHHS is needed.
Some health services research takes place using large data sets requiring a waiver of authorization to obtain data simply because the number of records is too large to ask for individual authorization. Yet, there are health services researchers who must rely on individual authorizations to obtain their data. Researchers using individual authorizations are concerned about the length and complicated nature of the authorization form. We are told that before the Privacy Rule most consent forms were two to three pages long. However, the Privacy Rule adds two to three pages making the entire form four to six pages long. This is very daunting to patients who either try to read through the entire form or simply give up. Only those who can read and understand the form are willing to sign it, creating a selection bias in the research and harming recruitment efforts. But the researcher cannot account for the bias because he or she is unable, because of the Privacy Rule, to collect any information on those who refused to sign, making it impossible to compare the non-participants to the volunteers. What appears to make potential participants the most nervous is the language stating that if the researcher releases identifiable information to a third party and that third party releases this information to an unauthorized party, nothing can be done. This is very off-putting to those considering participation in a research study. We recommend that DHHS reexamine the authorization form requirements and modify them to make the form shorter and to make the language about third party release less ominous.
As you know, the Privacy Rule creates two methods for de-identifying information: (1) the safe-harbor method of removing 18 identifiers and (2) using statistically sound principles to determine which fields must be removed to render the information un-identifiable. In reviewing these two approaches, health services researchers felt that only the safe-harbor mechanism would be used because the requirements for statistically de-identifying data were too vague and subject to interpretation. During my conversations with researchers, I could find no one who was using this method. Yet, there are those who appreciate the effort that went into developing this alternative approach to de-identifying information and feel that with some modification it could become a positive mechanism for de-identifying health data for research. While no one suggested a direct solution to this problem, it has been proposed that the Agency for Healthcare Research and Quality (AHRQ) and the National Institutes of Health (NIH) work together with statisticians to recommend a specific methodology for the statistical de-identification of health information. Such a statistical summit could take place every four to five years to address changing technologies and advancements in the area of statistics.
At this time, our researchers have had little interaction between state laws and the Privacy Rule. However, they are concerned that this could grow and present significant new challenges to those needing to obtain data. We recommend that DHHS reexamine the preemption clause and clarify what state laws are preempted by the Privacy Rule.
Researchers are also asking that DHHS clarify the differences between a covered entity and a public health entity. There are occasions when researchers attempt to gain access to data held by what they would consider a public health entity only to be told that a HIPAA authorization is needed. We understand that there is also confusion about this issue with public health entities as well.
Conclusion:
The Secretary and the Department are to be congratulated for crafting a regulation that appears at this point to allow researchers access to the data they need to conduct their studies. While it is still too early to know if the Privacy Rule functions as intended, apparently most of the problems regarding research and the Privacy Rule are being resolved through the education of covered entities and IRBs. Unfortunately, the onus for this education now falls entirely on the researchers, which delays and adds to the cost of doing research. It would be of great assistance if the Office of Civil Rights could devote greater resources to providing education and technical assistance to smaller covered entities (local hospitals and individual doctor offices) and the IRBs associated with these entities about the Privacy Rule research requirements. It would also be helpful if Congress recognized that the Privacy Rule increased costs for researchers and made a corresponding increase in the funding available for grants.
In addition to increasing resources for education, we are asking that the Privacy Rule be modified in the following ways:
These changes will go a long way towards completing a Privacy Rule designed to protect confidentiality of information while allowing researchers access to the data they need to improve our health care.