HIPAA privacy law makes health research harder, more expensive
As the one-year anniversary of medical privacy regulations approaches, a new study shows the negative impact they may be having on certain kinds of health research.
At the Annual Scientific Session of the American College of Cardiology in New Orleans, researchers from the Cardiovascular Center (CVC) showed how the privacy portions of the Health Insurance Portability and Accountability Act (HIPAA) severely affected their ability to study heart attack patients after they left the hospital.
This kind of long-term "outcome" study is crucial for evaluating medical care, such as the number of patients who die or have complications after surgery or hospitalization.
But HIPAA requires written authorization from a patient before he or she can be contacted to gather personal health information for a research study. The U-M researchers previously had used a verbal privacy authorization, obtained when they called patients at home months after they left the hospital.
When they switched from verbal consent to a HIPAA-compliant written authorization that had to be mailed to patients and returned, they found a sizable drop in the percentage of patients who gave consent to be called.
The percentage participation plummeted from 96.1 to 38.5 percent. As a result, the consenting population was not representative of the entire group of patients the researchers wanted to study. That could bias study results.
"On top of this impact on the quality of data, the costs involved in asking for this written authorization were substantially larger than those for the verbal system," says Eva Kline-Rogers, a nurse with the Cardiovascular Outcomes Research and Reporting Program who helped lead the study. "To get consent from one patient, we calculated we'd spend $14.50 per patient in the first year of the study for computer, training, staff, administrative and mailing costs, and $7.50 each year afterward."
Avoiding the mailed authorization approach by asking patients for consent while they were still in the hospital would be cost-prohibitive and labor-intensive, she says.
Compliance with HIPAA privacy standards was mandatory as of April 14, 2003, though voluntary compliance was encouraged before that. The U-M team carried out its study during the voluntary period, using guidance from U-M clinical research officials about what they would have to do to comply.
"The balance between protecting patient privacy, while at the same time we strive to learn about the best methods by which to treat patients after certain types of conditions and/or treatments, is delicate," says Dr. Kim Eagle, clinical director of the CVC and senior author of the study. "If long-term patient outcomes are to be used to 'inform' current care, we must develop better ways of working with patients and regulatory agencies to define the proper balance."
In addition to the drop in authorization, the researchers found that those who returned the HIPAA-compliant written consent were more likely to be older, to be married, or to have high blood cholesterol, than those who didn't. They also were less likely to be widowed.
"HIPAA compliance will challenge researchers, institutions and ultimately patients as we try to learn about the outcomes of health care while trying to maintain patient privacy," Kline-Rogers says.
In addition to Kline-Rogers and Eagle, the study's authors are Sandeep Jani, Dr. Jianming Fang, Anchal Sud, Krishna Rangarjan, Shaneen Doctor, Bruce C. Rogers, Debra Smith and Cornell University student David Armstrong.