Despite its good intentions, the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA) is having a negative impact on patient recruitment for biomedical research, according to the Association of Academic Health Centers (AAHC; Washington). The group has proposed a revision that would allow research to defer to rules that already were in place before HIPAA was implemented.

"Enrolling subjects in a classical clinical trial is more difficult because the investigator has to spend time going through a consent and authorization process that can be very confusing," Gary Chiodo, MD, chief integrity officer at Oregon Health & Science University (Portland), told Medical Device Daily. "So rather than focusing on the procedures, protocols, benefits and risks of a trial, there's this side track into here's how your information is stored, protected and disclosed.' The investigator is really spending significant time not related to research."

Chiodo, who was part of an AAHC research workgroup on the topic, said HIPAA:

generates confusion and misinterpretations due to the rule's ambiguity;

a heavy administrative burden;

hampers research participant recruitment; and

impedes access to stored tissue and genetic data sets, data warehouses, medical records and community research.

Ironically, the AAHC points out that HIPAA may not offer any greater protection than longstanding regulations in the research arena.

"The spirit and motivation to protect patients and patient information is admirable and well-intended, but it was never intended for research and now we're seeing the unintended consequences," Elaine Rubin, PhD, AAHC's VP for policy and program, told MDD.

Both Chiodo and Rubin said that the privacy of research participants already is adequately protected by the Common Rule, which is the Office for Human Research Protections' (OHRP) federal policy for the protection of human subjects. Research participants also are protected by Certificates of Confidentiality issued by the National Institutes of Health and other agencies of the Department of Health and Human Services (DHHS).

Chiodo added that Institutional Review Boards, independent ethics committees charge with research oversight, add yet another layer of protection for study participants. IRBs are governed by the OHRP.

In a report just released by AAHC, HIPAA Creating Barriers to Research and Discovery, the group recommends that:

The DHHS revise the HIPAA privacy rule to allow it to defer to the Common Rule in matters of protecting the privacy of health information of research participants. Existing Common Rule guidelines already protect health information, and if an IRB believes that extra protection is warranted, it can require a Certificate of Confidentiality. Such revisions should be carried out through the DHHS Office of Civil Rights through their policy change mechanism.

The OHRP should provide updated guidance to emphasize the importance of preserving the privacy of protected health information.

Congress should implement a national genetic privacy act (GPA) or include a GPA in a revision of HIPAA.

"When the privacy rules were first crafted, genetic privacy acts at the state level were pretty rare," Chiodo said. "Now state privacy acts are more common, so I think the privacy rule needs to recognize that in the regular clinical patient environment, not just the research environment."

In its report, the AAHC states that implementation of a national GPA could help resolve the current conflicts and confusion over differences in state genetic privacy acts and HIPAA, which are currently hampering tissue bank and genetic data set research.

"Consent documents, which used to be 10 to 12 pages for really complex studies, are up to 30 pages long now," Chiodo said. "All of the forms are different and customized. They are just not user-friendly."

Chiodo pointed out that "We're a few years down the line since HIPAA implementation, so it's an opportune time to re-evaluate. At our institution we have anecdotal information that since HIPAA was enacted, we've had fewer than 30 patient requests for an accounting of disclosures and none have come from research subjects. It seems to me [that] human subjects who enter studies are interested in more substantive things than what's in the authorization form."

Rubin said the AAHC is now disseminating the report and has begun the process of advocating for change. "We're trying to find out what the right channel is to implement a change, whether that's done through rule making or legislation," she said.

The AAHC findings are based on focus group discussions of researchers and compliance personnel at five major academic health centers. It's not the first report, though, to tackle this topic. Dozens of articles in the Journal of the American Medical Association (JAMA) touch on the topic.

Last fall, for example, Roberta Ness, MD, chair of the department of epidemiology at the University of Pittsburgh, who was working with the Joint Policy Committee of the Societies of Epidemiology, published a web-based survey of more than 1,500 participants. Of those, 67.8% reported that the HIPAA privacy rule has made research more difficult.

"In this national survey of clinical scientists, only a quarter perceived that the rule has enhanced participants' confidentiality and privacy, whereas the HIPAA privacy rule was perceived to have a substantial, negative influence on the conduct of human subjects health research, often adding uncertainty, cost, and delay," according to the JAMA article.