The Coalition for Health Services Research is the advocacy arm of AcademyHealth providing a unified voice for advancing the field of health services research.

home
search sitemap contact us

Position on the Health Information Privacy Regulation

On December 28, 2000, the United States Department of Health and Human Services (DHHS) issued the regulation establishing "Standards for Privacy of Individually Identifiable Health Information." This regulation establishes requirements on covered entities (health care providers, health plans, and health care clearinghouses) regarding how they must handle individually identifiable health information and to whom it may be released. The regulation also defines de-identified information and establishes two mechanisms for de-identifying information.

Association for Health Services Research Privacy Position
In considering the implications this pending regulation would have for the field of health services research, the Association for Health Services Research (AHSR) Board of Directors saw the need to develop a process to determine when a policy position was needed. The Board agreed that taking a policy position should be a relatively rare event and that the AHSR should not take policy position unless, among other things, a "policy poses a clear and compelling threat to the field of health services research."

Believing that the privacy issue was such an issue, AHSR submitted a comment letter to DHHS on February 17, 2000 on the draft privacy regulation. The submission of this comment letter followed a briefing conducted for the AHSR Board on December 16, 1999. As the comment letter stated in the opening paragraph "many of our members rely for their research on data that would be protected by these regulations. Thus, although AHSR does not frequently take positions on public policy issues, this is one in which we believe that presenting the perspective of researchers is critical." The comment letter, which was unanimously approved as policy by the AHSR Board of Directors on February 14, 2000, is summarized below.

  • AHSR "support[s] the overall intent of the proposed rule and support[s] the approach undertaken to facilitate access to individually identifiable health information for research purposes."
  • Believing that limitations imposed by the underlying statute (the Health Insurance Portability and Accountability Act of 1996) constrained the authority of DHHS, AHSR took the position that "Congress should pass comprehensive Federal privacy legislation as soon as possible". Despite this concern, Congress did not pass legislation and the final regulation is based upon the HIPAA statute.
  • Given some of the difficulties posed in the draft regulation, AHSR took the position that this regulation "should be modified or clarified in order to ensure continued research access to individually identifiable health information."

Background on Subsequent Academy/Coalition Activities
The Coalition, inheritor of the AHSR advocacy mission, has presumed that the Academy policy is to balance the need to protect the confidentiality of individually identifiable health information and to assure that health services researchers have access to data needed for their research. Toward that end, the Coalition has been assessing the extent to which the final regulation might limit access to data for health services research. Where limitations have been found, the Coalition has been exploring how these might be rectified considering where mechanisms such as clearinghouses to de-identify information may be needed, and where the regulation itself may need to be clarified or modified.

After release of the final regulation, the Coalition staff reviewed and developed a summary of the regulation, and interviewed six health services researchers from a variety of settings to determine how this regulation would affect their research. A discussion draft was developed outlining these concerns and served as the basis for an Academy seminar held with fifteen leading health services researchers in Washington, DC on August 28, 2001, to learn more about how this new regulation would affect the field of health services research.

Several issues of concern were raised by the health services researchers at the seminar:

  • The minimum necessary requirement;
  • Covered entity potential for regulatory sanction even if release of information has been approved by an IRB;
  • The cost involved in removing identifiers to meet both the minimum necessary requirement and to de-identify the information;
  • What information needs to be removed in order for information to be considered de-identified; and
  • How IRBs are going to handle approving health services research projects.

When the minimum necessary clause is combined with possible substantial financial penalties for release of information, health services researchers are faced with the potential that covered entities are not going to make protected health information available to researchers, nor are covered entities likely to de-identify information. This results from the regulation’s requirement that covered entities can only provide the minimum necessary information to carry out a project. The regulation also makes the covered entity legally responsible if it inappropriately releases the information. The researchers attending the seminar stated that they know of instances where legal counsel for covered entities believe the covered entities are potentially liable for millions of dollars in fines if they provide information to researchers and it is later determined that they should not have done so. For this reason, legal counsel are taking the position that covered entities should not be releasing information, even if an IRB has approved the project.

An in-depth analysis of the regulation shows that the responsibility for determining minimum necessary resides with the IRB, not the covered entity. However, there are several concerns regarding this approach:

  • Covered entities retain responsibility for the release of data, even if such release has been approved by an IRB;
  • Multiple IRBs may be used, leading to the possibility of different minimum necessary standards and different determinations in individual projects; and
  • IRBs are going to act very conservatively in determining what data is minimally necessary until they gain the expertise needed to make these determinations or the issue is clarified either by the regulators or by the courts.

The drafters of the regulation did not intend to impede health services researchers from gaining access to data. However, unless a “safe harbor” or similar mechanism can be established that clearly absolves the covered entity from any subsequent penalty for the release of information that has been sanctioned by an IRB, data “lockdown” is a potential result.

It is important to note, given the restrictions Congress placed upon the drafters of the regulation, only covered entities would fall under the scope of the regulation. This means that the regulators could not hold researchers liable for any misuse or release of data. Thus, the regulators had to place the onus of meeting the requirements onto covered entities and not the researchers.

The same situation pertains to de-identifying information. The regulators clearly meant to protect the privacy rights of individuals while providing researchers easy access to data that would not compromise privacy rights. Two methods are given for de-identifying information. The statistical method of de-identifying information laid out in the regulation makes it very difficult to determine if the legal threshold for de-identification had been met. This approach is, therefore, not viewed as a practical solution since it has been shown that certain individuals with the knowledge and skill are capable of re-identifying practically any information.

The other mechanism used to de-identify information is the removal of 18 identifiers listed in the regulation. Unfortunately, the researchers attending the seminar did not view this approach as practical. Since the removal of all of these identifiers significantly reduces the usefulness of the data for most health services research projects, researchers noted that if ways could be found to permit the use of zip codes and dates that met the intent of the regulation but also provided needed geographic detail and approximate dates, this would still protect confidentiality and provide useful data for health services research.

It is also anticipated that where health plans and providers make data available, they will most likely charge at least for their direct costs to de-identify information or to remove information not deemed the minimally necessary to complete a project. It was agreed by the researchers at the seminar that it was very unlikely that payments for indirect costs would be increased to cover this new expense. This will significantly increase the cost for doing health services research.

For these reasons, the researchers attending the August 28 seminar made these recommendations.

1) The Academy should undertake an aggressive educational campaign to make health services researchers and IRBs aware of their responsibilities and obligations under the regulation.
2) The Coalition request that DHHS either clarify or modify the regulation in such a way as to assure that the minimum necessary requirement and the liability issues do not discourage covered entities from releasing data to health services researchers, and to make the de-identification of information less onerous.

Academy Findings:

The Academy Board of Directors endorsed the following findings at its December 7, 2001 meeting:

  • The health information privacy regulation will likely be implemented as scheduled on April 14, 2003;
  • Health services researchers support the intent of the regulation, the overarching goal of protecting the confidentially of personally identifiable information and the use of the IRB process to approve and oversee health services research projects;
  • Health services research projects using personally identifiable information will need IRB approval and oversight;
  • The combination of the minimum necessary clause and the concern over sanctions has the potential to cause covered entities not to release health information to health services researchers, causing a compelling threat to the field of health services research;
  • Methods for statistical de-identification of information are difficult to achieve or significantly reduce the value of these data for health services research; and
  • IRBs should be offered guidance concerning the types of confidential data that may be approved via a fast track process.

Academy Position

The Academy Board of Directors approved the following position statement at its December 7, 2001 meeting:

  • The Academy for Health Services Research and Health Policy supports the intent of the regulation.
  • The Academy should undertake an aggressive educational campaign to make health services researchers and IRBs aware of their responsibilities and obligations under the regulation.
  • The sections of the regulation that could lead to data lockdown should be clarified or modified in order to ensure continued timely IRB-approved access to individually identifiable health information for health services research.
  • The requirements under the regulation for creating and using de-identified information should be reviewed to determine if they could be clarified or modified to allow the resulting de-identified information to be more useful to researchers while maintaining individual confidentiality.

AcademyHealth