HIPAA rule hikes cost of research
New research reveals a clash between two of the biggest issues in health care today: protecting individual patient privacy and improving the quality, safety and cost of medical care for all patients.
In a paper published in the Archives of Internal Medicine, researchers from the Cardiovascular Center (CVC) report how research on heart attack care has been hampered by the national medical privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA), which took effect just over two years ago.
In all, they write, the changes needed to comply with HIPAA have led to a drastic dropfrom 96 percent to 34 percentin the proportion of follow-up surveys completed after patients leave the hospital.
In the study, the research team reports that only one-third of 855 patients hospitalized for a heart attack or acute chest pain returned a mailed consent form that gave permission for researchers to call six months after their dismissal. Nearly 500 patients never responded, and 22 letters were returned as undeliverable. Fourteen patients answered by mail to state that they would not consent. The total consent rate was 34 percent.
Under the previous system of asking patients for their permission in a phone call, 96.4 percent of 1,221 patients agreed.
"We won't solve safety, quality and cost issues in health care unless we do quality research, and our findings show that HIPAA, as currently written, has the potential to hinder that effort," says senior author Dr. Kim Eagle, clinical director of the CVC.
Post-hospitalization surveys are crucial to helping quality-minded hospitals like U-M assess and improve care. Patients' names and other identifying details are removed before their information is entered into a database. Doctors can use the database to find out what treatments and preventive measures help patients most, and what factors worsen their chances.
But current HIPAA language requires that even quality-improvement research using anonymous data must have written authorization from patients before medical records can be reviewed, and before they can be contacted for follow-up phone surveys.
"Privacy is crucial. But quality-improvement research aims to generate public benefit, and as a society we have to be careful that we don't find ourselves on such a far extreme on one side of privacy protection that we actually paralyze our ongoing efforts to monitor and improve care," Eagle says.
Co-author Eva Kline-Rogers, manager of the Michigan Cardiovascular Outcomes Research and Reporting Program, says that follow-up calls can make a major difference in the rate of consent. Usually, callers find that a patient has forgotten to send the consent form back, has mislaid it, or thought it was junk mail.
"We find that many people misinterpret the mailing, and think it's something that it isn't," she says. "They ask us if they'll have to come in for a blood drawing or an appointment, when all we're asking for is permission to call them, ask them how they're doing and put their anonymous data into a database. Once we explain it, it's very rare for someone to refuse."
The changes also have dramatically increased the cost of performing the surveys. The cost of working in a HIPAA-compliant way would cost $8,704.50 in the first year of a research project, and $4,558.50 per year after that, on top of the usual costs of the research.
Eagle and his colleagues hope that lawmakers factor their data and other studies into deliberations about HIPAA's impact on research.
David Armstrong, who worked as an M-CORRP intern, led the data analysis for the new paper. Other authors are U-M biostatistician Dr. Jianming Fang, cardiologists Dr. Debabrata Mukherjee and Dr. Brahmajee Nallamothu, and former research associate Sandeep Jani.