Patient Privacy: Researchers say they're hamstrung by HIPAA

June 27, 2008

The landmark federal law for guarding patient information hampers basic research as well as the electronic data sharing that would support it.

The landmark federal law for guarding patient information hampers basic research as well as the electronic data sharing that would support it, according to areport from the Association of Academic Health Centers.

Based on focus groups consisting of researchers and administrators at academic health centers, the AAHC study paints a dismal picture of how a well-intentioned law can backfire. Consider, for example, the unclear regulatory language that spells out the law’s privacy provisions, according to the report. It’s resulted in conflicting interpretations among research institutions and state governments that “makes multi-site and inter-state research more difficult, if not impossible.” Community hospitals and medical practices that have an understandably murky understanding of the law take an ultra-cautions approach and often shy away from collaborating with academic health centers on projects rather than risk incurring a violation.

The administrative burden of complying with HIPAA’s privacy rule is another powerful deterrent. HIPAA “busy work” includes completing required paperwork, educating researchers on legal do’s and don’ts, and de-identifying patient data, which devalues genetic data since it’s more illuminating when associated with a patient’s peculiar conditions, according to the AAHC.

The hassles of HIPAA also make it harder to recruit participants in clinical studies. For starters, it’s more difficult to review patient records to identify eligible candidates and glean contact information. The sheer length and complexity of HIPAA documents that must be reviewed appear to make potential participants “less likely to agree to join studies.” At the same time, HIPAA regulations often prevent researchers from contacting participants for follow-up data.

Focus groups told the AAHC that HIPAA generally hindered the ability of researchers to tap electronic health record systems, forcing them to settle for hard-copy versions and all of their drawbacks. Likewise, one institution reported that HIPAA “stymied” its efforts to create an integrated EHR system, considered vital for interdisciplinary research.

The AAHC study suggested several cures for these problems. The most drastic one is to generally remove researchers from the purview of the HIPAA privacy rule and instead hold them accountable to the so-called Common Rule that currently governs government-funded research with human subjects. “Existing Common Rule guidelines already protect health information,” the study states. The AAHC notes that HIPAA wasn’t drafted with research in mind, nor are researchers covered entities under the law.