HIPAA privacy rule fails to protect patients, hampers health research
"This new approach should apply privacy, data security, and accountability standards uniformly to information used in all health-related research regardless of who funds or conducts the research," according to the IOM.
If policymakers decide to continue relying on the current rule to protect privacy in health research, the committee recommends a series of changes to improve the rule and the guidance that the U.S. Department of Health and Human Services (HHS) gives on how to comply with it.
In addition, all institutions conducting health research must strengthen data protection, as security breaches are a growing problem for health information databases. Among the measures the IOM advised, the report said, encryption should be required for all laptops, flash drives, and other portable media, given the potential for these items to be lost or stolen.
The committee's recommendations aim to boost regulations and practices that effectively protect personally identifiable health information, while changing provisions of the HIPAA Privacy Rule or its interpretations that have proved to be ineffective, according to Lawrence O. Gostin, IOM committee chair. Gostin is also a professor of law and director of the O'Neill Institute for National and Global Health Law at Georgetown University Law Center in Washington, D.C.
While the HIPAA Privacy Rule regulates what uses and disclosures of personally identifiable health information are permitted by health plans, healthcare providers, and other entities covered by the regulation, it is difficult to reconcile with other federal regulations governing healthcare research involving personally identifiable information.
HHS and other federal agencies should develop a new approach to regulation that focuses on best practices in privacy, security, and transparency, the committee wrote.
The new framework should facilitate use of health data in which personally identifiable information is removed, should provide legal sanctions against unauthorized re-identification of individuals, and should provide ethical oversight of research in which use of personally identifiable information without individual consent is necessary.
"This oversight could be accomplished by local ethical review boards that assess proposed projects on a case-by-case basis, or institutions could be certified at the federal level to carry out this kind of research, having proved they have policies and practices in place to protect data privacy and ensure security," the report said.
If the current HIPAA Privacy Rule is kept, the committee recommended several ways to revise the rule and its guidance on compliance. For example, HHS should make it clear that people can grant permission in advance that samples or data collected from them for one research project can be used in future research, according to the committee.
The U.S. Department of Health and Human Services, Robert Wood Johnson Foundation, American Cancer Society, American Heart Association/American Stroke Association, American Society for Clinical Oncology, Burroughs Wellcome Fund, and C-Change sponsored the study.