The Impact of HIPAA on Research

Vol. 17 •Issue 25 • Page 10
Hands-on Help

The Impact of HIPAA on Research

Calling all HIM professionals: step up and educate the health care workforce to support research and exchange of information.

Leslie: Another research study hit the news last month on the impact of the HIPAA privacy rule on research. There have been several researchstudies over the past couple of years; most have similar themes—a perceived negative impact of HIPAA on research.

Patty: There was good coverage of this particular study in the media. It was commissioned by the Institute of Medicine (IOM) of the National Academies of Science and is the first national survey of epidemiologists on this issue.

Leslie: And that isn’t the only study by IOM. The IOM’s National Cancer Policy Forum has also been studying the affect of HIPAA on cancer research.

Patty: There has been an outpouring of research scientists expressing concerns about the privacy rule. Researchers are documenting the impact of the rule in the form of anecdotal reports, case studies and observational research. In addition, several qualitative and quantitative research studies have also been performed and published identifying the barriers the privacy rule has created in conducting research.

Leslie: I think the research community is being heard, at least by IOM. They created a new committee in June to study the impact of the privacy rule on research. The committee, “Health Research and the Privacy of Health Information—The HIPAA Privacy Rule,” is expected to release a report of their findings sometime next year. Information about the committee’s work and associated meeting documents, research studies and presentations can be found at

Patty: Let’s talk about the recent research study on this topic: “Influence of the HIPAA Privacy Rule on Health Research.” This quantitative study was performed by Roberta Ness, MD, MPH, from the Joint Policy Committee, Societies of Epidemiology. This research study included the participation of 13 epidemiology societies who sent an e-mail with a link to a Web survey to each of their members. The epidemiologists were asked to complete a Web-based survey that included questions related to positive and negative aspects of the HIPAA privacy rule.

There were 1,527 responses to the survey. The majority of the respondents (67.8 percent) reported that research has been made more difficult because of the HIPAA privacy rule. They cited difficulties such as increased costs to implement research under HIPAA, confusing the informed consent process to include HIPAA authorization, perceived Institutional Review Board (IRB) variability within and among organizations, and confusion around public health surveillance activities as it relates to HIPAA.

Leslie: I find it concerning that in addition to what you have already mentioned, 49.1 percent indicated difficulty obtaining de-identified data. Given that the rule supports access to de-identified data this should not be a barrier.

Patty: I believe that some IRB’s are very conservative and don’t want to release de-identified data to researchers outside of their organization. It is not usually an issue within an organization, especially if the organization has good reporting systems that can aggregate data. However, researchers requesting de-identified medical records regardless of whether they are internal or external to that organization often meet with resistance. De-identifying data is expensive. There are often little to no resources available to support this labor intensive task.

Leslie: I can appreciate that prior to HIPAA it was easier to get access to medical records to conduct research, so I guess I can’t say I am surprised that epidemiologists find it difficult to conduct research under HIPAA requirements. Also, Dr. Ness points out that a weakness of this study is that the epidemiologists responding to this study were likely biased. Epidemiologists with strong feelings were more likely to participate.

Patty: I agree they were likely biased. However, I think this study and others like it bring up issues that have been bothering me for a while. Some of the experiences noted in this study mirror our own here at CARE as we support our research clients in their data collection efforts.

Although the HIPAA privacy rule was implemented in 2003, there is still a lot of confusion across the country as it relates to research. It’s not uncommon for legitimate research requests to be denied because of misinterpretation of the HIPAA privacy requirements, delaying or compromising important medical research. Many front line employees in health care provider settings apply treatment, payment and operations (TPO) requirements to research. This practice is inappropriate and negatively impacts research. It creates an unnecessary barrier that results in delays until the researcher finds someone knowledgeable to help him or her in accessing medical records, if the researcher has the time and energy to do so.

Leslie: It is ironic that you should say that there is confusion. The November-December 2007 Journal of AHIMA just arrived on my desk today. The Inside Look column in this issue urges HIM professionals to deal with the inconsistency and misinformation around HIPAA. In this case the reference is related to how HIPAA is often erroneously blamed as a barrier in the exchange of health information for treatment purposes. The author, Linda Kloss, the American Health Information Management Association’s (AHIMA) CEO, could have been talking about research also. In the column, Kloss sees this time in the evolution of HIPAA as a call to action for HIM professionals.

Patty: It is a call to action. Calling all HIM professionals!

Leslie: What exactly is the call to action related to research?

Patty: Well first off, HIM professionals can begin by educating and training employees who implement HIPAA policies and procedures within their organizations, including researchers. The best training tool is the booklet developed by the Department of Health and Human Services. It’s called “Protecting Personal Health Information in Research: Understanding the Privacy Rule.” The booklet can be downloaded for free at

HIM professionals can make it their goal to ensure that employees are not erroneously blocking access to medical records when informed consents and HIPAA authorizations are properly executed. And they can help guide researchers as they design their studies on all aspects related to HIPAA privacy. They can also be a resource when researchers run into barriers.

Leslie: I often hear you complain that some health care organizations won’t accept HIPAA authorizations from other health care organizations, even though the authorization meets HIPAA requirements and is IRB approved.

Patty: This does happen sometimes. In these cases, researchers have difficulty getting past this barrier and are forced to ask the research participant to sign the other organization’s HIPAA authorization form. What a waste of time and burden to the participant. Sometimes the participant declines to sign yet another form and the researcher may have to remove that participant from the study or indicate that records were not available, thus reducing the study sample size or creating further expense to recruit additional subjects.

Leslie: This also seems like a training issue.

Patty: I believe it is, but there are organizations that don’t want to accept another organization’s HIPAA authorization even if it meets all the requirements. On some level I understand this given our litigious environment. I think HIM professionals can play a role in educating their organization on the reasons why this practice is unnecessary and work to remove this barrier.

Leslie: Another important contribution for HIM professionals is to help researchers include required HIPAA language within the informed consent. Recruiting participants has been made more complex because of the addition of lengthy HIPAA text within informed consents.

Patty: Yes, that is an important contribution. HIM professionals can provide guidance to researchers to ensure that HIPAA language is included in informed consents without overwhelming the participant. In fact, confidentiality language is often already included in informed consents as part of the Common Rule and therefore it doesn’t require a complete re-write, just the addition of HIPAA privacy requirements that are missing.

Another strategy I have seen work successfully is to create a separate HIPAA authorization. That seems to work well when the authorization is formatted in the form of questions and answers.

Leslie: I think it’s also important for an HIM professional to be on the IRB, or to at minimum play an advisory role. IRB’s have been inconsistent with their application of HIPAA, which is not surprising given how often the requirements are misunderstood. As IRB’s become more experienced, they become more consistent in their decision making and application of HIPAA. But in general, many IRB’s are over-reaching the scope of HIPAA requirements, which can impact a researcher’s desire to submit research or to request the use of certain types of data.

Patty: HIPAA may have been implemented in 2003, but there is still much work to do in training and educating the health care workforce to support research and exchange of information.

Leslie: Privacy knowledge and skills is a core domain for HIM professionals. Regardless of one’s passion for coding, cancer registry, transcription or all things EHR, privacy is at the root of the HIM profession. We must step up and answer the call to action.

Patty: Absolutely! And on that note, Leslie and I wish our readers a wonderful holiday season and a HIPAA New Year!

Leslie: Did you really say that?

Patty: I did.

Leslie Ann Fox is chief executive officer and Patty Thierry Sheridan is president, Care Communications Inc., Chicago. They invite readers to send their thoughts and opinions on this column to [email protected] or [email protected].