The Price of Privacy?

One year after the first comprehensive federal medical records privacy law took effect, researchers say that the regulations impede access to patients' files. Without this information, they argue, the nation's health care system--and its recipients--will suffer.

For years, nurse practitioner Eva Kline-Rogers routinely phoned people at home to see how they were doing 6 months after they had reported to the hospital with chest pain. It was more than a courtesy call. As the research coordinator of the Michigan Cardiovascular Outcomes Research and Reporting Program, Kline-Rogers wanted to find out whether patients had experienced additional angina, subsequent heart attacks, or any complications from the treatment they had received.

She and her colleagues had a nearly perfect follow-up rate. Then came the first federal comprehensive health care privacy law, the Health Insurance Portability and Accountability Act--better known as HIPAA. According to HIPAA's Privacy Rule, patients generally must give written authorization for their medical records to be used for research. So instead of a solicitous phone call, Kline-Rogers's recovering heart patients, average age 63, received an eight-page consent form requesting permission to be contacted for an interview.

Fewer than half of the nearly 1000 patients replied. Those who did tended to have higher blood pressure and cholesterol concentrations. That bias, coupled with the low response rate, dashed any chance of obtaining meaningful findings, says Kline-Rogers.

HIPAA was designed to prevent discrimination, stigmatization, or loss of insurance or employment due to misuse of medical records. The federal privacy rule allows people to see their own medical records, describes how their doctors and health plans may use them, and usually lets the individual decide whether to make his or her information available for research, says Beverly Woodward, a privacy expert at Brandeis University in Waltham, Massachusetts. Policymakers deemed such protections necessary in order to respond to public concerns that computerized medical records have become easier to exchange--perhaps too easy. Massachusetts, for example, sold part of a database of medical information collected on state employees and their dependents to an unidentified company.

But even before it took effect last April, the Privacy Rule drew criticism from research organizations. Studies using medical records would become difficult--if not impossible--to perform, they said, because of the rule's requirement that researchers obtain specific consent to use individual data, or, in the absence of specific consent, strip the records of so much identifying information that accuracy could suffer. Now, nearly 1 year after the mandatory changes, emerging evidence lends credence to some of those concerns.

HIPAA's detailed consent forms seem to be increasing costs and discouraging potential subjects, according to preliminary reports from 331 people across the country who conduct, oversee, or review research involving human subjects or their medical data, says Susan Ehringhaus, associate general counsel of the Association of American Medical Colleges. What's worse, the law could be thwarting efforts to improve care, assess the safety of drugs and devices on the market, investigate the causes of medical error, and conduct genetic research.

"If we have the whole story about patients' outcomes, we can learn from our mistakes and successes and optimize care for patients in the future," wrote deputy editor Julie Ingelfinger and editor-in-chief Jeffrey Drazen in the 1 April issue of The New England Journal of Medicine.

Scientists around the world are grappling with the consequences of similar, stricter privacy regulations. Efforts to obtain written consent for a national registry of stroke patients in Canada also hit snags of low enrollment and distorted data. According to the New England Journal of Medicine study, one-half or fewer of the eligible patients agreed to participate, and the data seemed to be biased toward people who were younger, white, male, more alert when admitted to the hospital, and more likely to speak English than French.

"Deaths will occur because of the effects of the data-protection law on British medical research," warns Julian Peto, chair of epidemiology at Cancer Research UK. The British privacy law, although well-intentioned, needs to strike a better balance between individual confidentiality and public health research, he concludes in an editorial in the 1 May British Medical Journal.

In the United States, some experts wonder whether HIPAA is doing what it is supposed to--giving people control over their health information. The observation that fewer people seem to be allowing their medical records to be used in research seems more a product of confusion and mistrust than of informed decision-making, says Joanne Pollak, general counsel for Johns Hopkins Medicine. Kline-Rogers agrees. She and her colleagues sent out the HIPAA consent forms in a "test run" before they became mandatory. When Kline-Rogers received few replies, she followed up by phone. "Some people said, 'Oh, I didn't know what that was, so I just threw it out,' " she says.

Misunderstandings on the part of hospitals and health care providers might also be contributing to the regulations' seemingly detrimental effects on research. "Much of the problem lies in overinterpretation of HIPAA," says oncologist Dale Hammerschmidt, director of education in human subjects protection at the University of Minnesota Medical School in Minneapolis. The new privacy rule, he notes, does not substantially alter the federal protections offered to human research subjects since 1981. But the HIPAA regulations call for "stiff financial penalties for breaches," causing lawyers and administrators to institute policies that go "far, far, far beyond what HIPAA requires."

Some privacy advocates are skeptical that HIPAA is impeding research. "I need more proof that there's a real problem," says Winnie Roche, assistant professor of health law at Boston University. Until then, HIPAA might not be perfect--Roche calls it the "worst-drafted regulation" she's ever seen--but she says it's the best thing we've got for protecting the privacy of research subjects.

On 26 May, the National Institutes of Health and the Agency for Healthcare Research and Quality will sponsor a 1-day conference that will spell out how research can best be conducted under the Privacy Rule. In the meantime, Kline-Rogers is working with attorneys and with the board that reviews and approves human studies at her university to find better ways that she and her colleagues can preserve confidentiality and conduct valid research. Legal counsel has given her permission to pick up the phone and call the heart patients--but only to ask if they received a consent form and offer to send another.

Carol Cruzan Morton is a science writer in Belmont, Massachusetts, who now understands the privacy form she signed at her doctor's office.