Health Insurance Portability and Accountability Act (HIPAA)
Must There Be a Trade-Off Between Privacy and Quality of Health Care, or Can We Advance Both?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) presents an important challenge to the healthcare system in its evolution from a cottage industry to a new, yet-to-be-determined form. To guide the system rationally requires clinical research on a massive scale. Will HIPAA stimulate an advance in medical research so that we have evidence to guide our medical decisions and policies, or will it lead to Draconian restrictions that push the healthcare system toward a less rational, less informed approach?
Medical practice evolved in the 20th century from an almost purely anecdote-based apprenticeship system to a system in which doctors were trained by learning the mechanisms of disease and serving apprenticeships in which they learned the “tools of the trade.” Records were kept on paper and, although classification of disorders has been critical to all areas of scientific study, attention to nomenclature has been largely unsystematic in medicine. In parallel, a complex array of computerized systems has been developed for the business side of medicine, with little connection to the actual delivery of care. The dissociation between clinical and billing systems reflects the incorrect idea, basic in medical training, that doctors, armed with knowledge of disease mechanisms, can practice medicine by using deductive reasoning with little need for empirical decision support.
Most recently, the Internet and supporting information systems have revolutionized the nonmedical world. Compare the functioning of the banking industry versus that of the healthcare industry. Almost anyone with a bank account can withdraw funds or pay bills from anywhere on Earth via computer. Making sensitive information about people’s finances available is possible because of common nomenclature and data standards adopted by the finance industry. In contrast, the medical community is a haphazard mix of paper- and computer-based systems with multiple nomenclatures that do not allow the multipurpose use of data. Thus, healthcare providers complete one set of forms for billing, another for clinical records, and yet a third for research purposes. Furthermore, within the billing and research domains, different companies and government agencies use different terms with little to no standardization.
Substantial pressure for change in medicine reflects 4 key global trends:
Theories based on pathophysiology often are incorrect when used to guide medical diagnosis and therapy. Instead, we need empirical evidence on which to base sound medical practice. The emphasis on evidence-based medicine [1,2] will increasingly drive more robust clinical-research efforts, particularly as financial pressures from our aging population, with its chronic diseases, continue to intensify [3,4].
Our understanding of the biology of medicine is being revolutionized by the unraveling of genomics, proteomics, and metabolomics, leading to a vision of personalized medicine, or matching a person’s characteristics to their medical needs. Increasingly, the selection of specific therapies for patients on the basis of expected differences in clinical benefit will depend not on single genetic markers but instead on combinations of genes or proteins [5]. This complexity will drive the development of information systems as the best way to match patients with effective therapies. Although some have argued for years that doctors cannot integrate the complex data needed for medical decisions [6], vast amounts of new data will make this point as never before.
Our society is changing radically with regard to the issues of personal choice and control. This trend toward empowerment of patients is playing out most visibly in terms of using the Internet for health information and advice.
Finally, powerful societal forces are reshaping the view of medical quality. Beginning with the Institute of Medicine’s report on medical errors [7] and continuing through its report on the “quality chasm,” [8] medical quality is perceived as much more than isolated assessments. Healthcare organizations will be held to standards against defined measures, including safety, effectiveness, patient centeredness, timeliness, efficiency, and equity. One of the basic concepts of quality—to what extent healthcare delivery improves the health of recipients and is consistent with professional standards—is the issue of necessary care. This idea holds that a medical practice, if defined by a professional standard as a practice that would harm the patient if not used, should be a minimum standard of care below which clinical practice cannot sink [9].
Into this environment of rapidly evolving concepts comes the Health Insurance Portability and Accountability Act (HIPAA) [10]. This legislation and its administrative interpretation could produce good, bad, or frankly ugly results. The ultimate outcome will depend largely on the approach taken by the medical community.
To the extent that HIPAA motivates standardization of medical information, it will be doing a large favor for both patients and their doctors. Our system of clinical research is not delivering the information that healthcare decision-makers need [11]. A major reason for this failure is the lack of standardization, so that enormous expenses are generated to create structures to capture research data [12]. The recent announcement [13] by key government agencies of an effort to use common data standards marks an important, but limited, move in this direction.
Furthermore, we need to improve our approach to the privacy of medical information in this complex era. Patients and consumers have good reason to seek more confidential management of their private health data. The stakes have become higher with advances in genomics and predictive risk equations for insurance calculations. Standardized approaches to both technology and behaviors promise to deliver a more confidential system to patients.
A recent report by the Clinical Research Roundtable [11] outlined deficits in our current clinical-research enterprise, particularly the “second translational block,” in which initial observations in human studies are translated into clinical practice. To the extent that our fragmented healthcare system remains unable to communicate within itself about clinical knowledge, this block will remain very limiting. The recent efforts by the Clinical Research Roundtable and planning efforts by the National Institutes of Health (NIH) [14] and the Agency for Healthcare Research and Quality (AHRQ) offer promise to reduce this informatics “Tower of Babel.”
Ceding ownership of medical records to patients is a powerful, timely move. Not only does this give patients access to their own data, but it also could improve data flow among providers and healthcare facilities. A recent literature review concluded that despite the need to answer many remaining questions, giving patients direct electronic access to medical records appears to be a positive step [15]. One can envision a time when research networks can be constructed by involving providers and patients with access to selected common data by analysis centers operating under carefully defined rules for data privacy.
As a legislative mandate that was not enacted by Congress, HIPAA is a reflection of the national will that now requires interpretation by each “covered entity.” Given the severity of the penalties for violating the HIPAA guidelines, including significant fines and criminal prosecution, most covered entities likely will interpret the regulations in the most conservative manner. Much of the activity in our fragmented healthcare system occurs when two entities interact, however. If each entity takes the most conservative approach to interpretation of HIPAA, the effect on providers can more than double, and “transaction costs” can be enormous.
Every medical-products company has devised its own standard for interpreting the HIPAA regulations in clinical research to meet the April 14, 2003, deadline for implementation, even though they may have no direct case to be involved under the regulations. Only now are these multiple interpretations being sent to already overburdened investigators and institutional review boards (IRBs). For an active research center, this could require adapting to >100 different interpretations of HIPAA. The research system that already is overwhelmed with paper documentation incurs yet another significant increment of reporting that is unrelated to the primary activity of doing clinical research. In a recent review of the topic, Annas commented that “it is a bit strange to see the federal government focusing so much attention on protecting the medical records and privacy of human subjects when it is the autonomy, health and safety of human subjects that need and deserve greater protection in the research setting” [16].
Clinical practice will be affected by HIPAA, and the initial approach has been disheartening to practitioners. Already inundated by demands for compliance, many practitioners find it difficult to see how current medical practice can be sustained and yet meet this new “letter of the law.” In our current system of paper records and incompatible computer systems, the risk of inadvertent data exposure is substantial, and the cost of makeshift efforts to provide workaround fixes is enormous [17].
The impact of HIPAA on clinical research could be profound. Until clinical research becomes accepted as a routine part of clinical practice, beleaguered practitioners will have another reason to avoid becoming involved in research. Keeping up with regulations in routine patient care is difficult enough, but HIPAA has added yet another layer of regulation and oversight. This comes as IRBs already are reeling from a constant barrage of new regulation and criticism [18,19].
Health-services research often provides key insights into the effectiveness of clinical research’s penetration into the healthcare delivery system and the variability in use of specific services. Health-services research likely will be negatively affected by the move to more guarded distribution of private information to researchers. In accordance with the HIPAA-driven definition of proper IRB oversight, after the required patient “de-identification,” research data may not have sufficient identifiers to allow linking with other databases to determine the relationships between patterns of care and long-term outcomes. Inability to determine the long-term impact of technologies could have a major negative effect on public health in a system that already is overwhelmed by new technologies of uncertain value.
The medical community is being bombarded by several converging forces. Perhaps the most evident is the increasing concern that legal remedies will be sought to deal with perceived (and often real) mistakes or substandard practices. This fear can cause functional paralysis from extreme risk avoidance, as healthcare-delivery entities increasingly rely on professional risk managers to frame decisions in terms of the safest approach from a legal perspective rather than the safest approach from a best-outcomes perspective. What protects an institution from legal difficulty (risk avoidance) may not be in the interest of individual patients or communities of patients, who increasingly depend on medical evidence to advance diagnostic and therapeutic technologies. Without a pathway developed under the leadership of the NIH, AHRQ, the Center for Medicare and Medicaid Services (CMMS), and Food and Drug Administration, the system of research could become increasingly paralyzed as most of the transaction costs for research may be exhausted in response to regulations that have no useful purpose. This delay in vital research has been termed the “lethal lag” by patient advocacy groups, who are rightfully concerned that new scientific discoveries are not being translated efficiently into saving lives and reducing disability. The costs of research that will not be performed because of these restrictions must be weighed against the putative benefit of more extreme measures to protect patient confidentiality.
The Way Out
We have at least one very good way to approach the issue of HIPAA in the best interest of our patients. HIPAA must rally the healthcare system to change from a cottage industry to an information-driven enterprise in which realistic standards are set and evaluated to enhance both medical care and privacy. This rally will require an alliance between patients and their caregivers and a commitment to studying which policies will advance both causes.
Such an effort could lead to the following conclusions:
(1) We need a common national, and preferably global, approach to data standards and nomenclature that will allow sharing of health data. For clinical purposes, this approach would ensure that providers are not forced to guess about how to prescribe therapies because they lack access to critical data. For research purposes, the standards would markedly reduce research costs by eliminating the need to create entirely new data structures when new research questions are asked. The data could be harnessed instead of being collected on top of medical and billing data.
(2) Discussions at the NIH have spawned the idea of a “safe haven” for researchers, which would define standards to improve both data confidentiality and access rather than one at the expense of the other. By evaluating our current array of regulations and well-intended policies (which often conflict), a common standard should be possible with a composite “end point” of making clinical research as simple as possible without sacrificing privacy or patient protection. Investigators and entities that can adhere to these standards could produce an unprecedented amount of research. This strategy also may help solve the current health-services researchers’ dilemma.
(3) The public must be more effectively engaged in this discussion. No one knows better than those with life-threatening or debilitating diseases and their families the importance of lethal lag (time between discovery and use by patients) induced by the inefficiency in our clinical-research system. On the other hand, simply rushing products to market will not solve the problems of uncertain efficacy for inadequate therapies or, worse yet, therapies that prove to be harmful after reaching the market. By raising public awareness and involving patients in their own medical care, we could create provider/patient networks that can answer critical questions rapidly and disseminate those findings into practice directly.
(4) Such an approach will succeed only with a significant infusion of capital specific to this purpose. In this time of great financial uncertainty, it may seem difficult to discuss capitalization, but an investment now could provide great dividends for the future.
(5) Academic medical centers must develop better structures for housing centers that study the effect of increasing regulation, so that they can become more streamlined and directed toward strategies that will most improve the public health. All too often, overreaction to individual incidents stimulates regulations, which are enacted despite a lack of evidence [20]. The research system should be relentless in providing empirical feedback of the consequences, both intended and unintended, of well-intentioned regulations.
(6) Academic centers must do a better job of providing a system for the training of clinical investigators and the nurturing of clinical research careers. The Clinical Research Roundtable has reported the short shrift given to clinical research and the need for funding agencies to emphasize this area of research.
In the final analysis, we are optimistic that we will find our way out from under the current oppressive burden of HIPAA. The underlying principles are correct despite the misguided nature of many of its applications and the daunting specter of the possible penalties. Constant monitoring and feedback from clinicians, investigators, and patients could dramatically accelerate development of an informatics platform that links them in such a fashion that the empirical evidence needed to guide care will be continuously available within acceptable standards for individual privacy.
The opinions expressed in this article are not necessarily those of the editors or of the American Heart Association.
DeMets DL, Califf RM. Lessons learned from recent cardiovascular clinical trials: part I. Circulation. 2002; 106: 746–751; 880–886.
DeMets DL, Califf RM. Lessons learned from recent cardiovascular clinical trials: part II. Circulation. 2002; 106: 880–886.
Califf RM, DeMets DL. Principles from clinical trials relevant to clinical practice: part I. Circulation. 2002; 106: 1015–1021.
Califf RM, DeMets DL. Principles from clinical trials relevant to clinical practice: part II. Circulation. 2002; 106: 1172–1175.
Kohn LT, Corrigan JM, Donaldson MS, eds. To Err Is Human: Building a Safer Health System. Washington, DC: Institute of Medicine/National Academy Press; 2000.
Committee on Quality of Health Care in America. Crossing the Quality Chasm: a New Health System for the 21st Century. Washington, DC: Institute of Medicine/National Academy Press; 2001.
Muhlbaier LH. HIPAA in Clinical Trials: A Practical Guide for Research Compliance. Marblehead, Mass: HCPro, Inc; 2002.
Eisenstein EL, Lemons PW II, Tardiff BE, et al. Reducing the costs of phase III cardiovascular clinical trials. Am Heart J. 2003. In press.
US Department of Health and Human Services. Federal government announces first federal e-gov health information exchange standards. Available at http://www.hhs.gov/news/press/2003pres/20030321a.html. Accessed March 27, 2003.
Buckovich SA, Rippen HE, Rozen MJ. Driving toward guiding principles: a goal for privacy, confidentiality, and security of health information. JAMA. 1999; 6: 122–133.
The CERTs Risk Assessment Workshop Participants. Risk assessment of drugs, biologics and therapeutic devices: current approaches and future directions. Pharmacoepidemiol Drug Saf. 2003. In press.