Statement on "Standards For Privacy of Identifiable Health Information; Final Rule"
Presented by: Jennifer Kulynych, J.D., Ph.D., Director of Biomedical and Health Sciences Research
Presented to: National Committee on Vital and Health Statistics, Subcommittee on Privacy and Confidentiality
Date: August 22, 2001
Mr. Chairman and members of the Committee, thank you for
the opportunity to testify today. I am Jennifer Kulynych,
J.D., Ph.D., Director in the Division of Biomedical and Health
Sciences Research at the Association of American Medical Colleges
(AAMC). The AAMC membership comprises the 125 accredited U.S.
medical schools; the 16 accredited Canadian medical schools;
some 400 major teaching hospitals; 95 academic and professional
societies representing over 100,000 faculty members; and the
nation's 67,000 medical students and 102,000 residents. Our
members conduct much of this nation's biomedical and behavioral
research, and share a profound interest in protections for
research participants, including protections for the privacy
of individual volunteers and the confidentiality of research
data. The AAMC strongly supports measures that will strengthen
the capacity of human research participant protection programs
to safeguard privacy and confidentiality in research while
sustaining the vitality of the research enterprise.
We believe, however, that the final medical privacy rule,
Standards for the Privacy of Individually Identifiable Health
Information, is not such a measure. The rule needlessly intrudes
upon the current Institutional Review Board (IRB) system of
research oversight, burdening biomedical and behavioral research
with onerous procedural requirements, ambiguous regulatory
standards, and extensive new liability concerns. Previously,
AAMC detailed the final rule's deficiencies in comments submitted
to the Secretary of DHHS; that comment letter is appended
to my written testimony. Today I will focus upon impediments
the rule creates to research that is overseen by an IRB acting
in accordance with the federal research regulations, known
as the "Common Rule." These impediments are more than a mere
inconvenience; in the view of the AAMC they will constrict
researchers' access to essential medical information and impose
an undue burden on the conduct of research. Consequently,
unless modified the privacy rule threatens the viability of
research that is already subject to significant oversight,
jeopardizing the welfare of patients who await new medical
products and therapies.
The AAMC's overarching concern is that the rule imposes new
civil and criminal liability upon hospitals, health plans,
and providers who use or disclose data for research purposes,
even when such uses and disclosures are approved by an IRB.
Under the privacy rule a covered entity must shoulder this
additional legal risk whenever it makes research-related determinations
regarding "minimum necessary" and "de-identification," whenever
it provides an accounting of research disclosures, and whenever
its IRB or privacy board acts to waive the rule's authorization
requirements. The new liability under the rule is above and
beyond the legal consequences that flow from an entity's failure
to observe federal research regulations or applicable state
laws.
Increased liability, particularly when coupled with the
compliance burden imposed by the rule's procedural requirements,
creates a substantial disincentive for covered entities to
accommodate the needs of researchers. As your chair, Dr. Lumpkin,
noted in a February 7, 2000 letter to the Assistant Secretary
for Planning and Evaluation concerning the NPRM (and as AAMC
warned in our comment letter), disincentives created by the
rule may well cause covered entities for whom research is
not a core mission to conclude that the cost - and the risks
- of disclosing data for research are simply too great. The
threat is most severe to research that requires access to
large numbers of medical records; for example, public health
and epidemiological studies, health services research, post-approval
assessment of the safety and effectiveness of drugs and medical
devices, and the retrospective studies required to understand
and eliminate the systemic causes of medical errors.
As you weigh the costs and benefits of the rule and consider
whether it does indeed unduly burden or threaten research,
please keep in mind that current federal requirements do address
the privacy of participants in federally-regulated "Common
Rule" research. IRBs reviewing research under the Common Rule
must evaluate all risks to participants, including risks to
privacy. The Common Rule grants IRBs the flexibility to determine,
on a case-by-case basis, which physical, procedural, and technical
safeguards are necessary to protect participants' privacy
and confidentiality. An IRB may not approve research unless
it finds that such safeguards are adequate. 45 C.F.R. 46.111(a)(7).
Likewise, an IRB may not grant a waiver of informed consent
unless it documents that, inter alia, the research is of minimal
risk and the waiver will not adversely affect the participants'
rights and welfare. 45 C.F.R. 46.116(d)(1) and (2).
When research is subject to IRB oversight, therefore, the
IRB must routinely analyze whether research-related intrusions
into participants' privacy are warranted and whether risks
of a breach of confidentiality have been properly minimized.
The IRB must also review and approve the content of all information
provided to participants during the informed consent process.
The medical privacy rule would supplant IRB discretion in
these matters by overlaying complex authorization requirements
and a new set of waiver criteria, some of which are hopelessly
ambiguous and likely to promote gridlock within an already
overburdened IRB system.
It may be argued that the Common Rule requirements are insufficient
to address privacy risks, justifying the imposition of the
privacy rule's new waiver and authorization criteria for uses
and disclosures of protected health information in research.
Recall, however, that as this committee observed in its 1997
report to the Secretary, you have received no testimony or
other evidence of documented breaches of privacy resulting
from the use of health records by researchers. Notwithstanding
the lack of evidence for a threat to privacy arising from
research, if additional safeguards are deemed necessary, a
more appropriate remedy would be to modify the Common Rule
criteria to ensure that IRBs fully consider issues of privacy.
In 1998 testimony on medical records confidentiality legislation
before the House Subcommittee on Government Management, Information,
and Technology, the AAMC endorsed the addition of objective
privacy review criteria to the Common Rule. Specifically,
when reviewing research the IRB should be required to document
a finding that, when identifiers will be retained, the research
would be impracticable without the use of identifiable information.
The IRB should also be required to review the physical, technical,
and procedural safeguards for participant confidentiality.
With respect to the privacy rule's authorization provisions,
the AAMC believes that for IRB-reviewed research, these new
requirements are, on balance, unnecessarily burdensome, discouraging
to investigators, and likely to dissuade participants. Once
the privacy rule is implemented a clinical trial participant
could be asked to sign as many as three research-related forms
in addition to the standard consent for participation: a consent
for the use and disclosure of protected health information
(PHI) for treatment, an authorization for the use or disclosure
of PHI created in the trial, and an authorization for the
use or disclosure of existing PHI (e.g., information that
is in the participant's medical records). These forms, per
the rule's mandate, must contain lengthy, precisely-worded
disclosures. The specificity of the prescriptions contained
within the authorization provisions would also appear to preclude
investigators from retaining identifiable health information
obtained in a clinical trial for future research not yet envisioned
at the time of authorization.
The AAMC believes as well that at least some of the new
waiver criteria are unnecessary and problematic for IRB-reviewed
research. As I noted earlier, federal research regulations
permit a waiver of consent only when the IRB has made a series
of findings, including a finding that the research is of minimal
risk and a finding that the research will not adversely affect
participants' rights and welfare. Under the privacy rule,
when granting a waiver of authorization IRBs, or, alternatively,
privacy boards, must consider and document findings for yet
another set of criteria. Certain of these, such as the requirement
that the research be of minimal risk, or that it be impracticable
without the waiver, are duplicative of criteria already found
in the Common Rule.
Others, such as the requirement that the research not adversely
affect participants' "privacy rights and welfare" or that the
"privacy risks" be reasonable in relation to anticipated benefits,
are inherently ambiguous and thus extremely problematic. Although
an IRB can evaluate safeguards for participant confidentiality,
there is no agreed-upon normative standard or metric by which
to make determinations about "privacy rights" or "privacy
risks," particularly in research that must be deemed minimal
risk as a threshold criterion. We fear that an IRB's review
of waiver requests could easily become mired in irresolvable
debates over "privacy rights," based on little more than personal
beliefs.
We are aware, however, that the rule apparently would permit
expedited review of any eligible request for a waiver of authorization.
A strict reading of the rule suggests that a covered entity
might have no reason ever to convene a board to review waiver
requests, but could instead delegate this review function
to the IRB or privacy board chair. If this is indeed the Department's
intent, we question whether the rule's additional compliance
and liability burdens are justified, given that scrutiny of
the research proposal would increase only incrementally beyond
that presumably afforded by the Common Rule.
The privacy rule exempts from its requirements any information
that a covered entity has successfully "de-identified." In
the preamble to the NPRM, the Department expressed the wish
to encourage the use of "de-identified" medical information
in research. The AAMC enthusiastically supports this objective,
but we are dismayed that the Secretary has set a single standard
for de-identification that, although it may serve other purposes,
is so high as to render the resulting data useless for most
epidemiological, health services, and other population-based
research purposes. Researchers from health services and epidemiological
research societies have shared with us their concern that
much of what they do would be infeasible, if not impossible,
using only information that has been de-identified to the
HIPAA standard.
The de-identification standard provides that health information
is presumptively identifiable unless there is "no reasonable
basis" to believe that re-identification is possible. As a
legal matter, this standard is difficult to meet. Even when
invoking the rule's safe harbor provisions for de-identification
- which we believe are completely unworkable in the research
context - a covered entity may never be entirely confident
that information meets the regulatory requirements. To invoke
the de-identification safe harbor provisions the covered entity
must either obtain a statistician's determination that the
risk of re-identification is "very small" - a criterion without
any objective reference point - or remove from the data 18
specific identifiers, plus any element that the entity actually
knows could be used, alone or in combination with other information,
for re-identification.
These "catchall" provisions and an unrealistically broad
list of specific identifiers undermine the basic utility of
the de-identification safe harbor and make it likely that
many covered entities will decline to de-identify data for
research purposes. Moreover, as the National Cancer Institute
observed in a 1999 policy paper entitled Confidentiality,
Data Security and Cancer Research, certain types of data,
particularly pedigrees and genotype data for rare diseases,
may be inherently identifiable in the hands of sophisticated
parties. We question whether such data could ever be de-identified
to the HIPAA specifications.
Since the release of the proposed rule in November of 1999,
the AAMC has worked diligently to raise awareness, within
the Department and the Congress, and among our membership,
about the rule's serious negative consequences for research.
We continue to urge the Department to modify the privacy rule
to create an exception for uses or disclosures of information
in Common Rule research. Such uses and disclosures should
not be subject to the privacy rule's authorization and waiver
requirements, nor its "minimum necessary" and "accounting
for disclosures" provisions. Instead, IRBs should continue
to apply the Common Rule - modified if necessary to incorporate
objective privacy review criteria - when determining the form
of consent, both for participation and for the use of PHI,
and when granting waivers.
Similarly, the IRB should be permitted to determine, taking
into account the relevant circumstances in each case, when
information has been sufficiently "de-identified" to permit
its disclosure to researchers without authorization or a waiver
of consent. In the alternative, the privacy rule's de-identification
standard for research purposes should be modified to resemble
the standard articulated in Representative Greenwood's (R-PA)
Medical Information Protection and Research Enhancement Act
of 2001, which would require the removal of direct identifiers.
Concerns about the inappropriate secondary use of research
data should be addressed by requiring IRBs to obtain written
assurances from investigators that the data will not be used
or disclosed for unauthorized purposes.
When drafting the privacy rule the Secretary recognized that
certain vital public health purposes warranted an exception
to the authorization and waiver requirements. Accordingly,
the rule contains a series of exceptions for disclosures such
as those made to public health agencies, child protection
officials, and employers who track workplace injuries as required
by OSHA regulations. The AAMC believes that research, which
benefits individual patients and society at large, is an equally
vital public health purpose. Entities who conduct or participate
in research that complies with the Common Rule should not
be encumbered by costly new bureaucracies or penalized with
additional liability. In summary, the justification for imposing
upon IRB-reviewed research additional requirements beyond
the Common Rule is, to quote from Dr. Lumpkin's February 7,
2000 letter to the Department, "hard to understand."
On behalf of the AAMC, I would again like to thank the Committee
for inviting us to discuss our very serious concerns about
the final rule and our proposal for a modification that would
exempt Common Rule research.