Six hundred three (53%) respondents thought that in 0% of institutional review board (IRB) applications the implementation of Health Insurance Portability and Accountability Act (HIPAA) would have a positive effect on protection of human subjects. In comparison, 438 (39%) thought that in 0% of IRB applications HIPAA implementation would have a negative effect on protection of human subjects. One hundred nineteen (11%) respondents thought that in at least 75% of IRB applications HIPAA implementation would have a positive effect on protection of human subjects. In comparison, 185 (17%) thought that in at least 75% of IRB applications HIPAA implementation would have a negative effect on protection of human subjects. A total of 346 respondents answered “don't know.”
Customize your JAMA Network experience by selecting one or more topics from the list below.
Ness RB, Joint Policy Committee, Societies of Epidemiology FT. Influence of the HIPAA Privacy Rule on Health Research. JAMA. 2007;298(18):2164–2170. doi:10.1001/jama.298.18.2164
Context Anecdotal reports suggest that the Health Insurance Portability and Accountability Act Privacy Rule (HIPAA Privacy Rule) may be affecting health research in the United States.
Objective To survey epidemiologists about their experiences with the HIPAA Privacy Rule.
Design, Setting, and Participants Thirteen societies of epidemiology distributed a national Web-based survey; 2805 respondents accessed the survey Web site and 1527 eligible professionals anonymously answered questions.
Main Outcome Measures Responses related influences such as research delays and added cost after Privacy Rule implementation, frequency and type of Privacy Rule–related institutional review board modifications, level of difficulty obtaining deidentified data and waivers, experiences with multisite studies, and perceived participant privacy benefits under the rule. Respondents ranked their perceptions of Privacy Rule influence on 5-point Likert scales.
Results A total of 875 (67.8%) respondents reported that the HIPAA Privacy Rule has made research more difficult at a level of 4 to 5 on a Likert scale, in which 5 indicates a great deal of added cost and time to study completion. A total of 684 (52.1%) of respondents identified a “most affected” protocol. Respondents indicated that the proportion of institutional review board applications in which the Privacy Rule had a negative influence on human subjects (participants) protection was significantly greater than the proportion in which it had a positive influence (P < .001).
Conclusion In this national survey of clinical scientists, only a quarter perceived that the rule has enhanced participants' confidentiality and privacy, whereas the HIPAA Privacy Rule was perceived to have a substantial, negative influence on the conduct of human subjects health research, often adding uncertainty, cost, and delay.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule was intended to strike a balance between protecting the privacy of individually identifiable health information and preserving the legitimate use and disclosure of this information for important social goals.1 Protecting health information privacy is a longstanding and widely held goal of the public, legislators, and the research community.2-4 However, many researchers have expressed concerns that since implementation in April 2003, the Privacy Rule has adversely affected the progress of biomedical research.
The Privacy Rule permits health care provider organizations (“covered entities”) to disclose individually identifiable health information (called protected health information) for research purposes only if the researcher has obtained from each patient written authorization to access his or her medical record or, if that is impractical, has obtained a waiver of the authorization requirement from an institutional review board (IRB). The rule does not require patient authorization (or a waiver) for the disclosure to researchers of limited data sets (ie, information from which most of 18 identifiers specified in the rule have been removed, such as geographic information related to the individual, including zip code, and dates related to the individual, such as birth dates and admission dates). Such disclosures do, however, require a data use agreement between the provider organization and the researcher.
The Privacy Rule also addresses disclosures for public health purposes. The rule permits disclosures to public health authorities without the patient's authorization when required by another law (such as mandatory reporting) or when the public health authority is authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, including public health surveillance. The Privacy Rule's restrictions do not apply to fully deidentified health information (ie, information from which all 18 specified identifiers have been removed or which a qualified statistician has determined has only a small risk of being used to identify the participants involved with the information).
Anecdotal stories in the news media report that epidemiologic and clinical research studies have been halted or slowed by the Privacy Rule.5-11 A recent review suggested that researchers are revising or abandoning some projects.12 Data from single institutions or studies in peer-reviewed journals demonstrate sizeable reductions in recruitment or increases in cost after the rule's implementation.13-15
The lack of generalizable studies designed to assess the rule's influence limits the ability to assess effects. In January 2007, the Institute of Medicine of the National Academies, in an attempt to strengthen the evidence base, commissioned a national survey about the Privacy Rule among epidemiologists for the purpose of informing an Institute of Medicine committee study on this topic. The survey addressed questions of the scope, degree, type, and variability of influence from the HIPAA Privacy Rule experienced by epidemiologists conducting research on US human subjects (participants).
Epidemiologists were surveyed because they are an identifiable professional group of scientists engaged in human subjects research, and their research often involves the use of medical records. We enlisted support from all professional groups that, to our knowledge, represent US epidemiologists employed in academia, industry, government, and nongovernment organizations. These included the Section on Epidemiology, American Academy of Pediatrics; American College of Epidemiology; American College of Preventive Medicine; American Public Health Association Epidemiology Section; Council on Epidemiology & Statistics, American Diabetes Association; International Genetic Epidemiology Society; International Society for Environmental Epidemiology; International Society for Pharmacoepidemiology; Society for the Analysis of African-American Public Health Issues; Society for Clinical Trials; Society for Epidemiologic Research; Society for Healthcare Epidemiology; and Society for Pediatric and Perinatal Epidemiology. Of 14 societies approached, the 13 listed above participated.
Each society e-mailed all of its active membership and requested that they respond to a Web-based survey on the Privacy Rule. E-mail lists are updated annually for purposes of dues collection. Identical e-mails requesting participation in the survey were sent to the membership of each society 3 times, once a month during a 3-month period (January-April 2007). In an effort to avoid response duplication, because a substantial number of epidemiologists belong to more than 1 organization, we asked respondents, both in the cover e-mail and in the introduction to the survey, to respond only once. Individual responses were submitted anonymously over the Internet such that they could not be linked to any individual. IRB approval as an exempt protocol was obtained at the University of Pittsburgh and reviewed and approved by the National Academies' IRB.
The 13 participating epidemiology societies sent e-mails to a total of 10 347 individual addresses. A cover e-mail asked professionals engaged in the conduct of US-based human subjects research and who recognized the term Health Insurance Portability and Accountability Act or HIPAA to respond. A total of 2805 individuals accessed the Web site and 2376 individuals answered a screening question that asked, “Since HIPAA was implemented in April 2003, how many new applications involving human subjects have you submitted to a US IRB?” Respondents answering zero were thanked for their time and no further questions were asked. The 1527 respondents who provided a nonzero response are the participants in these analyses.
We asked questions about both positive and negative potential influences of the HIPAA Privacy Rule, including the influence of the rule on participant privacy, confidentiality, and public trust, as well as on research procedures. Four general approaches were used to ascertain information. First, we asked questions with quantitative response categories. These questions addressed issues such as the frequency of various types of data collection undertaken by respondents, changes in participant recruitment before and after the implementation of the Privacy Rule, frequency of IRB modifications secondary to Privacy Rule provisions and their effect, level of difficulty in obtaining deidentified data and waivers, familiarity with covered entities' opting out of research because of the rule, studies conceived but not submitted to IRBs because of Privacy Rule concerns, and perceived effect of the Privacy Rule on patient confidentiality. We also asked survey respondents their sex, training, employment, and sources of funding.
Second, we asked researchers for their perceptions rated on 5-point Likert scales about issues such as the ease and difficulty of conducting research under the Privacy Rule and the effect the rule has had on participant privacy/confidentiality.
Third, respondents were asked whether and under what circumstances their IRB would approve each of 5 case studies. These involved retrieval of historical identified medical records, access to identified participants in a hospital-based cancer registry, access to deidentified data in a hospital-based tissue bank, review of medical records of deceased individuals, and request for a limited data set (defined by the Privacy Rule) from a nonaffiliated hospital.
Finally, respondents were asked open-ended qualitative questions, including a final request: “Please tell us your stories about HIPAA. These will help us to understand all of the circumstances in which HIPAA has affected your research.”
After development of a draft instrument, survey content was vetted and modified by members of the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule. In a pilot phase, questions were distributed to 10 epidemiologists at the University of Pittsburgh. After completing the survey, the respondents were debriefed to identify ambiguities, streamline the instrument, and determine how readily a typical epidemiologist could answer questions. After the instrument was finalized, timed pilot tests took 10 to 15 minutes to complete.
Simple descriptive statistics, retaining each distinctive response category, were used to analyze these data. We collapsed 5-point Likert scales that were anchored by “none” and “a great deal” into 1 to 2, 3, and 4 to 5. We chose to report categories rather than central tendencies to retain the full and unedited character of the data. We also elected to report only univariate analyses because our focus is on a description of the self-reported impact of the Privacy Rule, rather than predictors of responses.
Responding epidemiologists were predominantly women (59.0%) and mostly employed in academia (66.0%) (Table 1). The year of their terminal degree was broadly spread over more than 30 years. About one-third received 0% to 24% salary from extramural grants/contracts, whereas nearly 40% received 75% to 100% from these sources.
In reporting general perceptions of the impact of the HIPAA Privacy Rule, a majority of respondents reported that the degree to which the rule made research easier was low, at 1 to 2 (84.1%) on a 5-point Likert scale anchored at 1 = none, and that the degree to which the rule made research more difficult was high, at 4 to 5 (67.8%) on a 5-point Likert scale anchored at 5 = a great deal (Table 2). Almost 40% indicated that the Privacy Rule increased research costs in the high range of 4 to 5, and half indicated that the additional time added by the rule to complete research projects was high, at 4 to 5. Almost half indicated that the Privacy Rule had affected research related to public health surveillance at the high level of 4 to 5. The perceived benefit of the rule with respect to strengthening public trust was reported as high, at 4 to 5, by only 10.5% of respondents, and only 25.9% believed that the rule had enhanced participant confidentiality/privacy in the high range of 4 to 5.
When asked about the proportion of IRB applications in which the HIPAA Privacy Rule had a positive effect on human subjects protection and the proportion in which the rule had a negative effect on human subjects protection, more respondents indicated that the rule had a negative than a positive human subjects influence (P < .001) (Figure).
Respondents next answered a series of questions related to specific Privacy Rule provisions. Nearly half reported accessing deidentified data without authorization, and 40.2% indicated that the level of difficulty experienced had been in the high range of 4 to 5 (Table 3). About 40% had attempted to obtain a waiver, and 30.6% reported the level of difficulty in doing so was high, at a level of 4 to 5. Of epidemiologists involved in multi-institutional studies, 76.8% reported that these protocols elicited Privacy Rule concerns, and among these protocols, rule concerns resulted in site-specific variability in 39.6%. A minority of respondents (17.3%) knew of covered entities unwilling to do clinical research, and a minority (15.6%) reported that an IRB-approved protocol had not been honored by a covered entity because of Privacy Rule concerns. As many as 1 in 9 epidemiologists (11.5%) had conceived of a study but not submitted it to an IRB because they thought they could not obtain approval under the HIPAA Privacy Rule.
More than half (52.1%) of respondents identified a particular protocol most affected by the Privacy Rule and were asked about these to assess specific logistic hurdles and benefits (Table 4). The frequency of “most affected” protocols was relatively constant each year from 2003 through 2006. Privacy Rule–related modifications were necessary in 84.8% of protocols, and 37.6% of respondents reported that these modifications strengthened confidentiality. At the same time, 67.5% indicated that the modifications increased recruitment difficulties at a level of 4 to 5.
We presented 5 case studies, each of which, according to Privacy Rule provisions, should have been allowable without patient authorization either unconditionally or with a waiver (Table 5). Notable variability in responses within each case study was evident. The proportion of respondents who believed that their IRB would disapprove each study ranged from 4.7% to 20.2%. Another 4.9% to 33.8% believed that their IRB would unconditionally approve each study; 13.3% to 26.7% indicated that they did not know how their IRB would decide on the particular case.
In the last survey question, we asked respondents to tell us about their HIPAA experiences. Four hundred twenty-seven respondents wrote comments. Ninety percent of these included negative comments about the effect of HIPAA on research, 5% were neutral (the researcher had not been affected or was engaged in only exempt activities), and 5% were positive (HIPAA clarification was identified as helpful).
Several themes were evident. First, researchers expressed frustration and concern that the implementation of the Privacy Rule had added patient burden without substantially enhancing privacy protection, noting that the Common Rule already incorporates many protections (eg, “An already cumbersome patient consent form now has an additional page-and-a-half explaining HIPAA restrictions. This detracts from the informed consent process pertaining to the more critical issue: the actual medical risks and benefits of participating.”).
Second, respondents documented substantial variability between institutions in their interpretation of Privacy Rule regulations (eg, “HIPAA is confusing for all stakeholders and generally serves as more of an impediment to clinical research than it should be. No one argues the merits of patient protection, only that the guidelines lend considerable variance in interpretation by IRB and other governing boards that may preclude a patient from participating in beneficial research.”).
Third, respondents voiced concerns that HIPAA slowed the progress of research (eg, “In the main, HIPAA has not prevented any research that I have desired to pursue. What it has done is to slow the research enterprise through its training and compliance elements. I and my staff spend more and more time doing compliance related things and less and less time doing actual research.”).
Fourth, some respondents indicated confusion within government agencies about the demarcation between public health surveillance, which is often exempt from the Privacy Rule, and research (eg, “Besides research, HIPAA has affected basic public health surveillance for reportable diseases and has caused much confusion among healthcare providers that provide us with that information.”).
We report the results of a national survey of epidemiologists to assess the influence of the HIPAA Privacy Rule on human subjects research. The general perception, expressed by two-thirds of respondents, was that the rule made research more difficult, in the high range of 4 to 5 on a Likert scale, wherein 5 equals a great deal, adding cost and time to research completion. Half of respondents identified a most affected protocol.
Previous case reports or single-institution/single-study experiences support these findings. In a comparison of the conduct of a cohort study at the University of Pittsburgh pre– and post–Privacy Rule, I previously13 documented that recruitment decreased from 12.4 on average per week (in 1997 to 2001) to 2.5 to 5.7 on average per week (in 2003). Similar experiences were reported by Armstrong et al14 in 2 cohorts conducted by the University of Michigan. Before the Privacy Rule, verbal informed consent was obtained at the initiation of survey telephone interviews; postrule, informed consent needed to be obtained by mail before the conduct of telephone interviews. Consent declined from 96.4% to 34.0%.
Wolf and Charles15 reported in a before-and-after study of veterans recruited to the Selenium and Vitamin E Cancer Prevention Trial that implementation of the Privacy Rule resulted in a 72.9% decline in patient accrual and a 3-fold increase in mean personnel time spent recruiting. After streamlining of HIPAA-compliant procedures, recruitment returned to prerule levels, although time and cost per recruited participant remained about 30% higher than before implementation of the Privacy Rule.
An IRB case study from the University of Wisconsin–Madison supports this survey finding that IRB applications are commonly affected by the Privacy Rule.16 IRB applications for medical record research increased throughout the 2000-2003 period from rare to 199 per year; those requiring full board approval increased from almost none to 31 per year. Of protocols requiring full board approval in 2003, 77% were abandoned.
Whether reports of adverse effects on human health research from the Privacy Rule represent growing pains associated with implementation vs a continuing effect has been debated.17 This survey documented that the frequency of most affected applications has been stable since implementation of the Privacy Rule. Respondents reported that it was often difficult to obtain waivers and deidentified data sets, which were intended to allow access to health information in human subjects research without patient authorization. Yet, case reports show some better understanding of Privacy Rule restrictions over time. For example, Privacy Rule implementation triggered several California hospitals to restrict research access to the longstanding rapid case reporting system provided by the California State Cancer Registry.6 More than a year later, the University of California reversed its stance.
Inconsistency among academic institutions in the interpretation of the Privacy Rule presents an important challenge.17 Respondents to this survey provided responses widely distributed from no to yes unconditionally to yes with conditions when asked whether particular case studies would be approved by their IRB. Moreover, many specific instances of perceived institutional variability were documented in the open-response section of the survey. This suggests either that IRBs differ in their response to a given protocol or that investigators vary in their perceptions of IRB responses, either of which is an important problem revealed by this survey.
Some concerns previously raised about the effect of the Privacy Rule on research were reported to occur, but infrequently, including covered entities dropping out of multicenter consortia and clinical researchers not even seeking IRB approval for conceived study designs. The survey was not designed to examine the effect of the Privacy Rule on inclusion of racial/ethnic minorities.
Two concerns not raised in previous research were found in this study. First, only one quarter of respondents indicated that the rule enhanced privacy/confidentiality in the Likert high range of 4 to 5. More globally, respondents perceived that the influence of the rule on overall research participant protection is more negative than positive. In their qualitative responses, the length and complexity of Privacy Rule–related authorization forms were cited as complicating understanding of consent/authorization procedures.18 Second, half of respondents indicated that the Privacy Rule is seriously affecting research related to public health surveillance. A caveat is that this question did not clarify whether the rule had a positive or a negative effect. However, in qualitative responses, concern was voiced that HIPAA might be impeding public health surveillance and confusion was voiced about the line between research and surveillance,19 which raises the concern that the rule is affecting surveillance itself. Whether this poses any threat to combating epidemics and other public health dangers requires investigation.
According to examination of then current reports and testimony from knowledgeable parties, the Secretary's Advisory Committee on Human Research Protections in 2004 recommended to the Secretary for Health and Human Services sweeping modifications to the rule to mitigate any adverse affects on research. The Department of Health and Human Services has not responded to these recommendations.
Strengths of this survey include its national scope and composite of survey methods. Weaknesses include the likely bias of clinical researchers in general and more particularly that of epidemiologists, who require access to large volumes of medical records. A full delineation of the effect of the Privacy Rule on research requires additional data collection from IRBs, other science professionals, and research participants. Information from these sources would help to determine whether the effects reported here are a result of the regulations or local IRB interpretation. Our survey was not designed to delineate between these possibilities; instead, it was designed to describe the degree and type of influence HIPAA is having on research.
Survey respondents might be even more biased than epidemiologists in general in that they may be the individuals who have had, or have perceived themselves to have had, difficulties with the rule. It is also possible that some individuals submitted duplicate responses to the online survey. Because individual responses were submitted anonymously over the Internet, we were unable to determine the frequency with which this occurred, if at all.
Estimation of response bias typically entails measuring nonresponse. Unfortunately, we could not accurately calculate a response rate for this survey because a sizeable but unknown number of epidemiologists are members of more than 1 society, so the denominator of e-mails sent substantially overestimates the number of independent individuals invited to participate; and epidemiologists not involved in the conduct of US-based human subjects research or who did not recognize the term HIPAA according to the stated purpose of the survey in the introductory e-mail likely never accessed the Web site.
Finally, this survey did not address whether the effects reported may reflect the wishes that now can be expressed by better informed participants about the use of their health information and thus are the intended and laudable goals of the Privacy Rule.
The acquisition of data is critical to assessing the benefits and risks of the HIPAA Privacy Rule. In this first national survey of epidemiologists, one quarter perceived that the HIPAA Privacy Rule has enhanced participant confidentiality/privacy, whereas the majority reported that the HIPAA Privacy Rule has added uncertainty, cost, and delay to the conduct of US research involving human participants.
Corresponding Author: Roberta B. Ness, MD, MPH, University of Pittsburgh, Graduate School of Public Health, 130 DeSoto St, A530 Crabtree Hall, Pittsburgh, PA 15261 (email@example.com).
Author Contributions: Dr Ness had full access to all of the data in the study and takes responsibility for the integrity of the data and the accuracy of the data analysis.
Study concept and design, acquisition of data, analysis and interpretation of data, drafting of the manuscript, critical revision of the manuscript for important intellectual content, and statistical analysis: Ness.
Financial Disclosures: None reported.
Funding/Support: This work was supported by contract IOM-2241-06-002 from the Institute of Medicine, National Academies.
Role of the Sponsor: The funding organization had input into the survey design and assisted in revision and approval of the manuscript.
Additional Contributions: Joint Policy Committee, Societies of Epidemiology leaders involved in the review of the manuscript include Mary Haan, DrPH, MPH, and Michael Bracken, PhD, MPH (Society for Epidemiologic Research); John Acquavella, PhD (American College of Epidemiology); George Rutherford, MD, and Ruth Etzel, MD (Section on Epidemiology, American Academy of Pediatrics); James A. Gaudino, MD, MPH, MS, Stanley H. Weiss, MD, and E. Oscar Alleyne, MPH (American Public Health Association Epidemiology Section); Dorothy Stephens, MPH, and Chandra Ford, PhD, MLIS (Society for the Analysis of African-American Public Health Issues); and Daniel Wartenberg, PhD (International Society for Environmental Epidemiology). We thank Joy Pritts, JD (Georgetown University), Roger Herdman, MD, and Harvey Fineberg, MD, PhD (Institute of Medicine) for their comments and suggestions on the manuscript. We also thank Debra Bass, MS, and Katherine Simpson for technical assistance. No one named herein received compensation for their contributions.