The Coalition for Health Services Research is the advocacy arm of AcademyHealth providing a unified voice for advancing the field of health services research.


February 17, 2000

U.S. Department of Health and Human Services
Margaret Hamburg, M.D.
Assistant Secretary for Planning and Evaluation
Attention:  Privacy-P, Room G-322A
Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, DC 20201

Dear Assistant Secretary Hamburg:

The Association for Health Services Research (AHSR) is pleased to offer comments on the proposed Standards for Privacy of Individually Identifiable Health Information (45 CFR parts 160-164) that appeared in the Federal Register, Volume 64, No. 212, Wednesday, November 3, 1999.  AHSR represents over 2,800 researchers and users of health services research in academic, industry, foundation, and public settings.  AHSR's primary mission is to increase the contribution that health services research makes to improving the health care system and health status of Americans.  Many of our members rely for their research on data that would be protected by these regulations.  Thus, although AHSR does not frequently take positions on public policy issues, this is one on which we believe that presenting the perspective of researchers is critical.

Preamble

We recognize that the Department of Health and Human Services (DHHS) is constrained in the scope of applicability of these proposed regulations by the limitations imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Given these statutory limitations and the complexity of the issues addressed by the regulations, we strongly commend DHHS for the care and detailed reasoning that went into the development of these proposed standards for privacy of individually identifiable health information.  We also agree with the Department's call for "Congress to pass comprehensive Federal privacy legislation as soon as possible" to address additional privacy needs that do not fall under the authority of this proposed rule. We support the overall intent of the proposed rule and support the approach undertaken to facilitate access to individually identifiable health information for research purposes. 

Health services research has made significant contributions to our understanding of how the organization, financing, and delivery of health services affect the health status of Americans.  Many of these contributions require, and will continue to require, research access to individually identifiable health information.  Our comments below identify several provisions contained in the proposed regulations that we believe should be modified or clarified in order to ensure continued research access to individually identifiable health information.  Our recommended changes are not intended in any way to weaken the rule's privacy protections.  AHSR strongly supports the need for national standards for the confidentiality of health information and the intent of these regulations to achieve such standards.  Our recommendations are made in the spirit of achieving the desired goal of strong national privacy standards without posing adverse consequences for conducting health services research.  We believe that many of the privacy concerns regarding the use of data for research purposes would be more easily addressed if either of two approaches were taken: (1) raise the review and reporting criteria for the newly created privacy boards to the standards required for IRBs, essentially extending the Common Rule's privacy protections to all research, and then modify some of the proposed provisions as described below; or (2) limit the most stringent aspects of the regulations with respect to de-identification and accounting of disclosures to research requests that have gone only through privacy board approval, rather than IRB or IRB-equivalent approval.

General Comments

As requested in the November 3, 1999 announcement, our comments on specific provisions of the rule are "subject labeled" and appear in the same order as the provisions contained in the rule.  Each subject heading also includes the corresponding Federal Register page number reference for the subject.

Need for privacy standards (p. 59919)

AHSR strongly supports the principle that confidentiality of individually identifiable health information must be protected to preserve individual privacy rights and the integrity and reliability of health information.  Not only do many of our members undertake research using individually identifiable health information, but all of our members are also patients with their own privacy concerns.  We recognize the particular importance of privacy concerns with respect to individually identifiable health information and support the intent of these proposed standards to prevent unauthorized access to, or release of, individually identifiable health information.  We also support the accompanying strong penalties for violations of the standards.  Moreover, as an organization, we believe that health researchers have an inherent responsibility to adhere to the highest ethical standards in protecting confidentiality of health information and recognize that long term public support for health services research is best maintained if the public feels comfortable in how individually identifiable health information is being handled.

Introduction to general rules (p. 59939)

Certain types of health information are clearly more sensitive than others.  However, even variables such as HIV-positive status change in their degree of personal and public sensitivity over time.  Furthermore, for research to be able to focus on the most important policy-relevant variables, such sensitive data must be collected and made available subject to the necessary safeguards.  We believe that special protection should not be granted to specific variables or data values, but that covered entities, Institutional Review Boards (IRBs), and privacy boards should be cognizant of the various levels of sensitivity for differing types of data and how they should be handled.  We will discuss this further below.

Treatment, payment, and health care operations (p. 59940) 

Specific authorization by the individual will be required by these regulations before his or her information could be used for purposes such as marketing or fund-raising.  We strongly agree, but would emphasize that covered entities be required to exercise caution in asking for such permission.  Consider, for example, requests for names and addresses by an insurer offering expanded health insurance coverage for HIV-positive individuals, or a letter regarding a support group for patients with herpes.  The covered entity might send letters to patients asking for permission to pass on their names to these groups, but what if those letters were opened by a household member who did not know about the patient's condition?  Clearly, the sensitivity of such letters is greater than if the focus were on patients with back problems or dandruff.  Such a request could be couched so that anyone reading it other than the patient would not be led to ask sensitive questions, and the at-risk patient would still remain in control.  (For example, the letter could merely be a generic invitation for the addressee, or 'occupant', to contact the organization if he or she is interested in learning about expanded health insurance coverage, without any mention that it might be targeted at people with HIV disease.)  However, such methods are not easily set in regulation.  This may be an area in which covered entities are encouraged to exercise caution, and to be particularly concerned about conditions that are likely to be sensitive.  In fact, researchers and IRBs have substantial experience in this area arising from situations in which patients need to be contacted to grant consent for studies that require individual consent.

The section concerning research information unrelated to treatment might be interpreted in a way that could be problematic for research.  We believe that this section is intended to prevent information concerning an identifiable individual derived as part of a research study from flowing back to a covered entity.  Some research findings may not be of sufficient quality to be useful at an individual level, but may be quite valuable in characterizing groups of people.  For example, data from individuals may be used in a study of risk factors associated with a specific disease.  Although such risk factors may not be sufficiently sensitive or specific to target individuals, they may indicate that groups of people are at substantially increased risk of the disease.  A covered entity should be able to use such information to tailor intervention programs to selected groups of people, based on these risk factors.  The distinction made here is that these interventions are offered to all people with the risk factors, not just those in the research project.  This section should be clarified so as not to preclude such use of the data, as long as this use would not put an individual at additional risk merely because of his or her participation in the research.

Minimum necessary (p. 59943)

The requirement that only the minimum necessary data be released may substantially hamper the use of certain types of data.  In general, it can be fairly easy to strip or encrypt certain variables in electronic files, but quite problematic when dealing with paper files, such as medical records in which the patient's name appears on every document, when such files are covered under the regulations.  Although a researcher may have no need to know the patient's name (or only a transient need, as discussed below), access to the complete medical record may be needed.  Covered entities are unlikely to be willing to copy and block out every appearance of the patient's name.  Furthermore, if a small number of records are required from many different sites, it is impractical to have the researcher abstract the necessary data from the records on-site at the covered entities.  It is also frequently the case that analysis of the data results in potential explanations that require 'another look' at the raw data, for example to extract additional variables, so copying the records is the only practical solution.

One practical approach would be for the researcher to offer to become a 'business partner' of the covered entity for the purposes of abstracting the needed information.  The researcher could then have access to the full medical record, but with the appropriate privacy restrictions attached to any further disclosure of the data.  For example, in many situations the research project can be divided into data collection and data analysis phases.  In some cases, the researcher may actually subcontract with coding or abstracting firms for the first phase.  In this example, de-identified records are all that are needed for the data analysis phase, but the data collection phase involves identifiable records.  The proposed regulation envisions the covered entity doing the data collection and de-identification, or reducing the data to the minimally necessary variables.  In our alternative, we would make explicit the acceptability of the covered entity contracting with the researcher to undertake this first phase, in essence making the researcher a business partner.  An explicit statement of the acceptability of this approach, perhaps with an example of model language that would meet the minimal requirements for passing down the privacy conditions while assuming little in the way of substantive 'business operations,' would facilitate this option.

A second approach would extend this model, perhaps making available for research data from sites that are not now readily accessible and whose access would be made even more difficult under the proposed regulations.  In general, an enormous amount of effort is needed to select, copy, and abstract medical records, and this is further complicated by the need to negotiate privacy safeguarding arrangements with each covered entity.  On the other hand, once the data are collected, they can often be of great value to multiple researchers, the vast majority of whom can rely on de-identified records.  In the 'business partner' approach, the researcher is assumed to initiate contact with one or more covered entities, and is then able to access the data under suitable safeguards by being considered a business partner.  In the second approach, we would expand the notion of a health care clearinghouse to allow such entities to collect data from many other covered entities, even complete medical records, for the purpose of generating research files that would be either suitably de-identified or released under the appropriate safeguards.  This would allow a large number of small health care entities to participate in research studies.  We would assume that the data would not be 'sold' to such clearinghouses, but could be 'rented' or 'licensed,' and the clearinghouse, as a covered entity, would be subject to all the requirements of a covered entity.  However, because the database would be much larger, and users might not know the specific identities of the covered entities supplying the data, de-identification could be possible while making available more variables than would be possible if the researcher had direct contact with the sources of the data.  For example, if one knew a record came from a specific hospital, then a patient's age and diagnosis might be enough to identify an individual, but if pooled with records from many hospitals in several different communities, then additional information might be included without risking identification of an individual.

Such research data clearinghouses would have substantial economies of scale and would be able to be quite 'sophisticated' assessors of privacy risks and encryption strategies.  Although private entities may enter this market, especially if its acceptability is made explicit, it would be valuable to have public or semi-public entities involved to help set the standards of behavior and facilitate access to otherwise unavailable data.  For example, such a public entity might also be able to access and link other data with health records, such as occupational histories (from FICA records) with medical records, to identify occupational causes of illness and injury.

Right to restrict (p. 59945)

We support the general intent of the provision to allow an individual to request that a covered entity restrict further uses and disclosures of protected health information for treatment, payment or health care operations.  However, it should be made clear that such requests would not restrict the right of a provider to make disclosures under §164.510, in particular, for research uses.  That is, it would be particularly troublesome for research if records became unavailable because of individual requests.  We also recommend that the final regulations recognize and address the potential for complexities to arise because multiple covered entities are involved, and one covered entity could agree to a restriction that affects the use of information by another covered entity that has not agreed to the restriction.

Creation of de-identified information (p. 59946)

The availability of de-identified information, or public-use data files, makes it easier to undertake various types of research.  Unfortunately, the elimination of all the variables listed in 164.506(d) is so extensive as to preclude certain types of important research.  One approach we offer for consideration is that used by the California Office of Statewide Health Planning and Development (OSHPD), which collects discharge abstract data from all licensed hospitals and releases two versions of de-identified files to the public.  Both files include all patient diagnoses and procedures, the hospital identifier, the patient's gender, and other information.  Version A has the patient's age, the day of week and month of admission, the first 3 digits of the patient's zip code, and an encrypted unique record linkage number.  Version B includes age measured only in categories and the quarter, rather than day and month, of admission, and has no record linkage number, but it does include the 5-digit zip code.  OSHPD felt that Version A would be of more use to researchers and Version B of more use to marketers.  Both files are readily available for sale to anyone.  OSHPD also provides a file with all the variables of Version A but with the 5-digit zip code.  This 'non-public' Version C is available to researchers upon approval by the Office, but the review is straightforward.

Allowing sophisticated covered entities, such as OSHPD, to make available partially de-identified files for research use without requiring the full waiver process of 164.510(j) would be highly desirable.  The intent is that such data carry a very low probability of disclosure.  Since requests for this level of partially de-identified data could be readily approved by an IRB, this process allows IRBs to focus their attention on proposals requiring more sensitive variables, such as social security number and exact birth date.
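To make these tiers concrete, here is an added example written for this edit (not OSHPD's or AHSR's code) that builds Version A, B and C files from a few constructed discharge abstracts and then counts how many rows are unique on a combination of quasi-identifiers, both with the hospital identifier present and with it withheld, which is the pooling argument made above under 'Minimum necessary'.  The field names, the age bands and the HMAC-based linkage number are assumptions.

```python
"""Tiered de-identification modelled on the OSHPD Version A / B / C releases
described above.  Added illustration, not OSHPD's or AHSR's code: field names,
age bands and the keyed-hash linkage number are assumptions; records are constructed."""
import hashlib
import hmac
from collections import Counter
from datetime import date

# Constructed sample discharge abstracts (no real patients).
SAMPLE_RECORDS = [
    {"hospital": "H001", "patient_id": "P1", "sex": "F", "age": 34,
     "zip": "94110", "admit": date(1999, 3, 2), "dx": "250.00"},
    {"hospital": "H001", "patient_id": "P2", "sex": "M", "age": 71,
     "zip": "94117", "admit": date(1999, 3, 15), "dx": "410.91"},
    {"hospital": "H002", "patient_id": "P3", "sex": "F", "age": 34,
     "zip": "95110", "admit": date(1999, 4, 1), "dx": "250.00"},
    {"hospital": "H002", "patient_id": "P4", "sex": "M", "age": 71,
     "zip": "95112", "admit": date(1999, 5, 20), "dx": "410.91"},
    {"hospital": "H003", "patient_id": "P5", "sex": "F", "age": 34,
     "zip": "90210", "admit": date(1999, 6, 11), "dx": "250.00"},
    {"hospital": "H001", "patient_id": "P6", "sex": "F", "age": 52,
     "zip": "94110", "admit": date(1999, 3, 2), "dx": "250.00"},
]

# Assumed age categories for the Version B release.
AGE_BANDS = ((0, 17, "0-17"), (18, 44, "18-44"), (45, 64, "45-64"), (65, None, "65+"))

def age_band(age):
    """Map an exact age to its Version B category."""
    for low, high, label in AGE_BANDS:
        if age >= low and (high is None or age <= high):
            return label
    raise ValueError(f"age out of range: {age}")

def linkage_number(patient_id, key):
    """Keyed hash standing in for the 'encrypted unique record linkage number':
    the same patient gets the same value in every record, but the value cannot
    be reversed to the patient id without the key, which only the releasing
    entity holds."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]

def version_a(rec, key):
    """Public research file: exact age, day of week and month of admission,
    first three digits of zip, linkage number; no patient id or full zip."""
    return {"hospital": rec["hospital"], "sex": rec["sex"], "dx": rec["dx"],
            "age": rec["age"],
            "admit_dow": rec["admit"].isoweekday(),
            "admit_month": rec["admit"].month,
            "zip3": rec["zip"][:3],
            "link": linkage_number(rec["patient_id"], key)}

def version_b(rec):
    """Public marketing file: age category, quarter of admission, full zip,
    no linkage number."""
    return {"hospital": rec["hospital"], "sex": rec["sex"], "dx": rec["dx"],
            "age_band": age_band(rec["age"]),
            "admit_quarter": (rec["admit"].month - 1) // 3 + 1,
            "zip5": rec["zip"]}

def version_c(rec, key):
    """Non-public researcher file: Version A plus the full 5-digit zip."""
    out = version_a(rec, key)
    out["zip5"] = rec["zip"]
    return out

def release(records, version, key=None):
    """Produce one of the three files from the raw abstracts."""
    builders = {"A": lambda r: version_a(r, key),
                "B": version_b,
                "C": lambda r: version_c(r, key)}
    return [builders[version](r) for r in records]

def unique_count(rows, keys):
    """Rows whose combination of the given quasi-identifiers occurs exactly
    once in the file; each is a re-identification candidate for anyone who
    knows those values about a person."""
    combos = Counter(tuple(r[k] for k in keys) for r in rows)
    return sum(1 for r in rows if combos[tuple(r[k] for k in keys)] == 1)

if __name__ == "__main__":
    key = b"example-release-key"  # assumed; kept only by the releasing entity
    file_a = release(SAMPLE_RECORDS, "A", key)
    print("unique on (hospital, age, dx):", unique_count(file_a, ("hospital", "age", "dx")))
    print("unique on (age, dx), hospital withheld:", unique_count(file_a, ("age", "dx")))
```

On the constructed sample, every row is unique on (hospital, age, diagnosis) but only one of six is unique on (age, diagnosis) once the hospital is withheld, which is why a pooled file can safely carry more variables than a single-site file.  The uniqueness count is a crude proxy; a real release would also check small cells in every tabulation it expects users to make.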

Business partners (p. 59947)

It is proposed that at the termination of a contract between a covered entity and a business partner, all data must be returned or destroyed.  Although this is reasonable in general, it should not be applied in the same manner to data provided for research purposes.  Although the proposed regulations do not seem to include research in the business partner category, we have suggested that such relationships may be appropriate in some instances in a limited form.  In some instances, covered entities may not have IRBs or privacy boards, and may not want to undertake the burden of abstracting and de-identifying data.  It may then be advantageous to the covered entity if the researchers were to be construed as business partners in order to have access to protected information for the purpose of undertaking that aspect of the research.  If so, the obligation to return or destroy the protected information should be at the conclusion of the need for the data for research purposes.  It is important to note that many scientific journals and funding agencies require that data be maintained for five or more years after publication to be able to address any question of the validity of the study.  Thus, researchers will need to maintain the data long after the funding for the project has expired.

Individual authorization (p. 59951)

We agree with the requirement that covered entities obtain individual authorization before the listed disclosures are undertaken, but as discussed under the section on 'Treatment, payment and health care operations', such requests for authorization should be made in a manner that does not disclose sensitive information merely by requesting authorization.  We agree that an individual should have the right to revoke the authorization for information to be disclosed, but to make this effective, the proposed rule should address whether data can be 'sold' or just rented.  That is, if a list containing information that can be disclosed is just rented, then there is a mechanism for assuring that the request for revocation will be honored effective at the next 'rental cycle' so that an end date can be offered to the individual beyond which his or her data will not be further used for those purposes.  As discussed before, these sections with respect to authorization should not apply to data used for research purposes when granted a waiver.

Research (p. 59967)

Research vs. operations

It is certainly true that there are 'projects' involving data that could easily be construed as either research or operations, such as efforts to measure quality of care.  Particularly when undertaken by researchers at clinical entities, the activities may be identical except for funding.  It has often been frustrating for researchers to have to go through a complicated IRB approval process for access to selected medical records when a colleague uses the same records for a quality improvement study without such reviews.  We hope that as IRBs and privacy boards get more experience with record- and data-based studies, their reviews will become simpler.  On the other hand, regardless of the approval process, patient-sensitive information should be handled in appropriate ways.  In this regard, there has traditionally been more oversight of the protection of data accessed for research than for operations.  We believe that, as the expectations concerning both the ethical and legal requirements for protecting confidential data in operations under these regulations become better understood, the difference will be irrelevant from a patient's perspective, because the safe handling of the data should be comparable.

Privacy boards

Given the constraints of the legislative authority, the establishment of privacy boards to 'mimic' the IRBs is a useful approach.  It would seem, however, that carrying over the requirement that the privacy board "include at least one member not affiliated with the institution conducting the research" may not capture the spirit of the IRB requirement.  In many instances, the privacy board may be established by the covered entity, rather than the research organization.  To avoid a conflict of interest, we recommend that "or providing the data" be added after "conducting the research."

We agree with the decision not to require specific contracts between the covered entity and the researcher.  We wish to point out, however, that there may be times when such contracts would allow much more ready access to data while reducing the burden on the covered entity in attempting to remove all but the minimally necessary information.  (See the comment under 'Minimum necessary' above.)

We understand that the HIPAA statute constrains these regulations to focus on the providers, not the users, of data, and thus limits the ability to control inappropriate use and re-disclosure.  However, we believe some of the proposed provisions go far beyond what is necessary.  They may seriously restrict certain types of research, not because the research involves any significant risk, but because they impose substantial cost and logistical problems.  This is not to say that we assume that because a disclosure is for research, it should be unregulated.  Federally funded research is already regulated under the Common Rule, with significant penalties for scientific misconduct, and many research entities require that non-federally funded research also be reviewed by IRBs.  The AHSR would be happy to work on developing appropriate legislation to address other aspects of privacy with respect to research not covered under HIPAA.
We believe that IRBs have developed the processes that have worked well in allowing research while protecting privacy.  Given the absence of legislative authority to have all research covered under the Common Rule, we would recommend that a set of review bodies comparable to IRBs, with similar processes and criteria for the protection of privacy, be developed.  We believe that such IRBs and IRB equivalents can provide sufficient review and oversight to allow greater access to identifiable data than would be the case for research requests not going through such a process.  The discussion below offers an example of how greater access might be accorded under an IRB approved protocol.

Levels of risk

In discussing the criterion for a research waiver of authorization that the use or disclosure "involves no more than minimal risk to the subjects," it is useful to consider several aspects of risk.  One is the nature of the information to be disclosed.  Arguably, the risk of harm associated with data from a study of ankle injuries is less than that of a study of HIV disease.  In general, review boards take these differences in potential harm into account in their implicit weighing of benefits and risks, and we are not proposing different standards with respect to the nature of the medical problem or treatment, although review boards may request different methods by which information may be handled.  Thus, the major issue is the extent to which inadvertent disclosure is a serious risk.  One dimension of this is the ease with which the data identify an individual, and a second dimension is the likelihood that these identifiable data may be disclosed.

Ease of identifiability

In the first dimension, the identifiable nature of the data ranges from (a) names and addresses, to (b) unique numerical identifiers, such as social security numbers, to (c) combinations of variables such as age, gender, zip code and date of admission to hospital.  In the first instance, a record with name and address places a patient at risk merely by being left out on someone's desk while another person is visiting.  (This highest level of exposure is actually quite common in health delivery settings and is not covered by the proposed regulations.  Likewise, patient confidentiality is breached far more often in overheard elevator conversations than in research settings.)  Data of the second type by themselves uniquely identify an individual, but pose a much lower risk of casual disclosure because an observer would have to realize the field is a social security number, recognize the string of digits, and determine that the number is identical to one the observer knows.  The chance that an individual record would be identified in such a manner is so small as to pass the test of 'very low probability'.  Of course, if one had a computer file of such data, and another file of social security numbers, one could identify certain individuals.  The same is true for the even more secure records in which all unique identifiers are omitted, but combinations of variables, such as birth date and zip code, allow a very high probability of matching records with another file.  This discussion points out that once names (and arguably addresses) are removed, inadvertent disclosure is close to impossible, and privacy would be jeopardized only with intent, effort, and extended access to the data.  Although the computer matching might not take long, the data sets would need preparation and the 'matcher' would have to know the characteristics of the data.  Again, this is not something accomplished while looking over someone else's shoulder.  Put another way, accidental disclosure is unlikely.  Although someone could steal data from a researcher, or hack into a research computer and potentially find sensitive data if one knew where to look, it would be far easier to get records by hacking into the database of a hospital where the data originate in an uncoded form.

The second dimension, the likelihood that the data may be inappropriately disclosed, relates to the intent of the recipient and the amount of time the data are at risk.  If the researcher can minimize the time during which records carry potentially identifiable information, the risk of disclosure can be further reduced.  It is frequently the case that variables such as social security number, birth date, and admission date are needed to link two different research files and assure the validity of the linkage.  Once the records have been linked, there is often no need for those identifiers and they can be stripped off, leaving only 'de-identified' data that can be used by anyone for analysis.  It is not uncommon that during a two-year project, the sensitive data need be part of the file for only a couple of weeks, so the window of vulnerability to hackers is minimized.  Thus, while the data to be disclosed may be sensitive, and the identifiers would suggest significant risk, the study protocol can minimize that risk.  This leads to our suggestion that existing IRBs and similarly constituted review groups should have the expertise and processes to approve such protocols, while privacy boards may not.
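The link-then-strip protocol just described, as an added example written for this edit and not taken from the letter: two constructed files are joined only where social security number, birth date and admission date all agree, the age at admission and the admission month are derived while the identifiers are still present, and the analytic rows are then keyed by a random study id with no crosswalk retained.  The file layouts and field names are assumptions.

```python
"""Link two files on direct identifiers, then strip the identifiers so the
analytic file carries only a random study id.  Added illustration, not part
of the letter; both files are constructed and field names are assumptions."""
import secrets
from datetime import date

# Constructed hospital abstract file (no real patients).
HOSPITAL_FILE = [
    {"ssn": "123-45-6789", "dob": date(1950, 5, 1), "admit": date(1999, 3, 2), "dx": "410.91"},
    {"ssn": "987-65-4321", "dob": date(1964, 11, 30), "admit": date(1999, 4, 15), "dx": "250.00"},
    {"ssn": "555-12-3456", "dob": date(1978, 1, 9), "admit": date(1999, 6, 1), "dx": "V30.00"},
]

# Constructed claims file; the third record carries a mistyped birth date.
CLAIMS_FILE = [
    {"ssn": "123-45-6789", "dob": date(1950, 5, 1), "admit": date(1999, 3, 2), "paid": 12400.00},
    {"ssn": "987-65-4321", "dob": date(1964, 11, 30), "admit": date(1999, 4, 15), "paid": 3100.50},
    {"ssn": "555-12-3456", "dob": date(1978, 1, 19), "admit": date(1999, 6, 1), "paid": 7800.00},
]

# Identifiers used only for linkage; none of them reaches the analytic file.
LINK_KEYS = ("ssn", "dob", "admit")

def link_key(rec):
    """All three identifiers must agree; a partial match is not a match."""
    return tuple(rec[k] for k in LINK_KEYS)

def age_at(dob, on):
    """Whole years between the birth date and the admission date."""
    return on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))

def link_and_strip(left, right):
    """Join the two files where the full key agrees, derive the variables the
    analysis needs from the identifiers, then drop the identifiers.
    Returns (analytic_rows, unmatched_count)."""
    index = {}
    for rec in right:
        index.setdefault(link_key(rec), []).append(rec)
    analytic, unmatched = [], 0
    for rec in left:
        matches = index.get(link_key(rec), [])
        if len(matches) != 1:
            unmatched += 1   # no match, or ambiguous: do not guess
            continue
        other = matches[0]
        row = {"study_id": secrets.token_hex(8),          # fresh, unlinkable id
               "age": age_at(rec["dob"], rec["admit"]),
               "admit_month": rec["admit"].month}
        row.update({k: v for k, v in rec.items() if k not in LINK_KEYS})
        row.update({k: v for k, v in other.items() if k not in LINK_KEYS})
        analytic.append(row)
    return analytic, unmatched

def contains_identifiers(rows):
    """True if any linkage identifier survived into the analytic file."""
    return any(k in LINK_KEYS for row in rows for k in row)

if __name__ == "__main__":
    rows, skipped = link_and_strip(HOSPITAL_FILE, CLAIMS_FILE)
    print(f"linked {len(rows)} rows, skipped {skipped}, "
          f"identifiers present: {contains_identifiers(rows)}")
    for r in rows:
        print(r)
```

The third pair fails to link because the birth dates differ by one digit; the code refuses to match on a partial key rather than guess, so a bad link cannot contaminate the analytic file.  Because no study_id-to-SSN crosswalk is written, a later 'another look' at the raw data means going back to the identified sources under the same approval, which keeps the period during which identifiers exist on the research side as short as the paragraph above describes.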

Introduction to rights of individuals (p. 59976)

The proposed regulations seem to exempt clearinghouses from requirements for providing access to and correction of individual records.  To the extent that clearinghouses merge data, and the merge is not always exactly correct, their work product may be wrong even if the raw information provided by the covered entity was correct.  The analogy here is to the problems people have when their credit history gets confused with that of another individual.  Some remedy should be allowed in such circumstances.

Access for inspection and copying (p. 59980)

The proposed regulations would allow a covered entity to deny an individual access to his or her own information if a "licensed health care professional has determined that, in the exercise of reasonable professional judgment, the inspection and copying requested is reasonably likely to endanger..."  Although the proposed rule suggests that a physician, physician assistant, or nurse is envisioned in this role, it should be noted that a wide variety of occupations are recognized and licensed by the states as health professions, including acupuncture, dental auxiliary, and hearing aid dispensing.  The expertise of such professionals may be needed in some instances, but the regulation might clarify that the individual making the determination be one whose training would allow an assessment of endangerment due to release of data.  It would be appropriate to include mental health professionals in the list.

It is not clear whether the covered entity is required to make the data available in a reasonably accessible form.  For example, some organizations maintain data only in coded form, e.g., using just ICD-9 and CPT codes (or worse, locally defined codes); the data are translated and displayed as text only when in use.  Providing a copy of the electronic record, even as hard copy, would be useless without the necessary translation of the codes.  This is not to suggest that medical terminology would have to be translated and interpreted in plain English, but numeric and similar codes should be translated.

Accounting of disclosures (p. 59985)

As outlined in these regulations the right to an accounting of disclosures is likely to create a major hindrance to research.  There are two reasons for our concern.  First, because covered entities would not have to keep such an accounting for disclosures related to treatment, payment, and health care operations, the substantial logistical and operational costs associated with such accounting could be avoided by refusing to disclose data for research.  This is especially problematic because the costs of establishing such a tracking system are very substantial and are unlikely to be able to be borne by any particular research project, even if the project is able to cover the routine costs of data access and extraction.   The second reason for concern is the possibility that such a 'right' could substantially increase unwarranted concern among patients.  Large data sets are likely to contain millions of patient records, and will be used by hundreds of researchers for various projects.  In the vast majority of cases, the data released would be potentially identifiable under the definition of these regulations, but only by someone actively attempting to do so, (see discussion under the comments on Research) and the identifiers are used only to link records to create an analytic file.  If even a small fraction of these patients are concerned about privacy, perhaps just because there is some discussion of it in the media, they may request to see who has accessed their files.  Seeing that hundreds of researchers have received 'potentially identifiable information' is certain to further increase their concerns, lead to increased media attention, and a snowball effect among the public that will essentially shut down research. There is certainly no evidence that the costs associated with such a universal system for tracking and accounting for disclosures are worth the potential reduction in disclosures or loss of peace of mind to patients.  
Until much more narrowly defined approaches to assuring privacy safeguards in the use of data for all research can be crafted, perhaps with new legislation, a broad right to an accounting of disclosures should not be established. It is important to recall in this regard that patient identities are far more likely to be disclosed via 'overheard elevator conversations' among individuals involved in treatment, payment, and health care operations than by researchers. If there is judged to be a compelling need to establish a right to an accounting of disclosures, this right should be drawn as narrowly as possible to be in keeping with the magnitude of the risk. The greatest risk is associated with records having names and addresses attached. Although rarely needed for most research, one can imagine projects that legitimately require this information and would be able to justify this need to an IRB or privacy board. It might be reasonable to keep track of such requests in a manner linkable to the patient record, so an accounting of such requests could be made. On the other hand, the tracking of individual disclosures should not extend to files from which the names have been deleted, because the risk of inadvertent disclosure (as described above) is much smaller, and the risk of unwarranted concern much greater, because typically so many more people's records are involved. This much more limited form of accounting maintains the ability of the disclosing entity to know and keep track of the records disclosed in response to each research request. In response to an inquiry from a patient, the entity would be able to distinguish which researchers had access to the patient's records with his or her name and address, and which had access to large numbers of records with identifiable information, but without names.

A patient requesting to know who had access to his or her information would then receive a response such as this: Professors A, B, and C, with research projects approved by the following IRBs, had access to your directly identifiable data. The following researchers, D, E, F, and G, also working under IRB (or IRB equivalent) reviewed protocols, had access only to electronic versions of your potentially identifiable data, along with data from all patients at this facility, but no names or addresses were included.

Relationship to state laws (p. 59994)

The statutory language requires federal preemption of state laws, except for those with privacy safeguards that are more stringent. Although we are concerned about the impact of non-uniform rules, we recognize the advantages of having states explore better ways to maintain patient privacy. On the other hand, overly stringent rules may cause serious harm to other public goals, such as research and public health. To better understand the issues at hand while the new regulations are being implemented, and as states consider alternative approaches, we urge the Secretary to carefully monitor state laws that are 'contrary and more stringent' and issue an annual report on the effects of such laws. Not only are we concerned that some state laws may be too stringent and have adverse consequences for research and other public goals, but some that are intended to be more stringent may, in fact, not be so because of loopholes or enforcement problems. Our experience with the unintended consequences of the ERISA legislation suggests that careful and ongoing monitoring of preemptive legislation is needed.

Thank you for the opportunity to provide these comments. AHSR strongly supports the need for national standards for the confidentiality of health information, and we look forward to working with the Department as the process for developing these standards moves forward.

Sincerely,

Diane Rowland, Sc.D., M.P.A.
President
W. David Helms, Ph.D.
Chief Executive Officer

AcademyHealth