Implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule has the potential to affect data collection in outcomes research.
To examine the extent to which data collection may be affected by the HIPAA Privacy Rule, we used a quasi-experimental pretest-posttest study design to assess participation rates with informed consent in 2 cohorts of patients eligible for the University of Michigan Acute Coronary Syndrome registry. The pre-HIPAA period included telephone interviews conducted at 6 months that sought verbal informed consent from patients. In the post-HIPAA period, informed consent forms were mailed to ask for permission to call to conduct a telephone interview. The primary outcome measure was the percentage of patients who provided consent. Incremental costs associated with the post-HIPAA period were also assessed.
The pre-HIPAA period included 1221 consecutive patients with acute coronary syndrome, and the post-HIPAA period included 967 patients. Consent for follow-up declined from 96.4% in the pre-HIPAA period to 34.0% in the post-HIPAA period (P<.01). In general, patients who returned written consent forms during the post-HIPAA period were older, were more likely to be married, and had lower mortality rates at 6 months. Incremental costs for complying with the HIPAA Privacy Rule were $8704.50 for the first year and $4558.50 annually thereafter.
The HIPAA Privacy Rule significantly decreases the number of patients available for outcomes research and introduces selection bias in data collection for patient registries.
On August 21, 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted. After several public comment periods and revisions, the US Department of Health and Human Services issued the Standards for Privacy of Individually Identifiable Health Information (ie, the Privacy Rule) that would be enacted under HIPAA.1 The deadline for compliance with the new privacy rule was set for April 14, 2003. The required changes have substantially affected every health plan, health care provider, and health care clearinghouse in the United States and have involved considerable human and financial resources.
The HIPAA Privacy Rule creates regulations for managing protected health information, which is defined by the HIPAA Privacy Rule as “individually identifiable health information” held or transmitted by a covered entity or its business associates in any form: electronic, paper, or oral. Before HIPAA, quality improvement (QI) projects were not generally viewed as research if the initial intent was to conduct a QI project for the institution. In some cases, the intent was QI and research, and investigators would use de-identified data to publish their experiences and findings.2 Under this paradigm, QI was generally concerned with improving care for patients, and the “Common Rule”—which governs research with human subjects and usually requires written informed consent from the subject—seldom applied.3
In the Common Rule and under the HIPAA Privacy Rule, research is defined as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” Under these guidelines, if the initial intent was to publish a report for general knowledge, institutional review boards (IRBs) may classify any QI projects as research. If so, it would require that a QI project obtain written informed consent before patient contact for any routine follow-up questionnaires and assessments. Quality improvement so classified may be severely biased if consent is selectively obtained from only a few patients. Moreover, compliance is likely to incur additional costs. We report how compliance with the HIPAA Privacy Rule has affected a large research consortium using the example of a specific QI-focused registry of patients with acute coronary syndrome (ACS).
In anticipation of the HIPAA Privacy Rule enactment, we devised a protocol to compare our ability to obtain informed consent for patients to participate in a 6-month follow-up questionnaire for our ACS registry in pre- and post-HIPAA environments. The entire study period occurred before implementation of the HIPAA Privacy Rule so that we could compare outcomes between the approaches. The protocol, therefore, did not violate any contemporaneous privacy rules. We worked specifically with the University of Michigan IRB and its legal counsel on the creation of these protocols. In addition, the IRB annually reviews and approves data collection methods for our ACS registry, which itself is compliant with the HIPAA privacy regulations.
Study populations and periods: pre-HIPAA and post-HIPAA
We compared patient information during 2 periods. From May 1, 1999, to August 30, 2001, or the pre-HIPAA period, patient follow-up proceeded using the following protocol: patients with a primary or secondary diagnosis of acute myocardial infarction or unstable angina and ischemic symptoms within 24 hours of hospital admission were identified retrospectively. Patients were then contacted by telephone 6 months after hospital discharge. Patients or their significant others were asked at the beginning of the call to provide verbal informed consent to discuss follow-up care. If the patient agreed, a standard questionnaire was implemented over the telephone. If the patient declined to give consent, follow-up was generally considered incomplete, but some self-evident information was collected (ie, mortality if the patient had answered the telephone). If the patient could not be reached by telephone, the medical record was examined for any subsequent hospitalizations at the University of Michigan during the 6 months. If the medical record was not available or was incomplete, the Social Security Death Registry was accessed for mortality information. Patients who could not be contacted and who did not have a recent medical record but who were not in the Social Security Death Registry were considered to be alive.
The second period of study, or the post-HIPAA period, was from September 1, 2001, to March 31, 2003. This period was actually before the HIPAA start date. For this period, we devised a protocol in anticipation of the changes mandated by the HIPAA Privacy Rule (Figure). This period allowed us a chance to follow a post-HIPAA protocol while continuing to collect data under the more flexible pre-HIPAA protocol. During the post-HIPAA period, all patients were sent a letter asking for written consent for our study team to conduct follow-up with a telephone call based on a strict interpretation of the HIPAA Privacy Rule.
Patients who did not return written consent forms were contacted by telephone and were asked whether the consent form had been received. If the consent form had been received and the patient had not yet returned it, verbal consent and follow-up were then performed during the same telephone call with the understanding that the consent form would be signed and mailed. If the consent form had not been received, a brief explanation of the database and the reason for the telephone call was provided. Patients then were asked whether a second consent form could be mailed. Follow-up was performed by a second telephone call when the second consent form was returned. If a second consent form was never returned, then the medical records and the Social Security Death Index were accessed as described previously in this subsection.
The primary outcome measure of interest was the percentage of patients who provided consent for performing the follow-up questionnaire. During the pre-HIPAA period, consent was considered complete if a patient agreed to complete the questionnaire at the time of telephone contact. Consent was considered complete in the post-HIPAA period when a written letter agreeing to participate was returned by the patient. For the main analysis, consent rates in the pre-HIPAA period were compared with those in the post-HIPAA period. We also compared characteristics and outcomes between patients in the post-HIPAA period who provided written consent and those who did not. Additional characteristics and outcomes used in these comparisons included routine data elements collected in the ACS registry: age, sex, ethnicity, marital status, comorbid conditions (eg, diabetes mellitus, hyperlipidemia, and hypertension), and cardiovascular-related outcomes.
To estimate the incremental costs associated with obtaining consent for follow-up during the post-HIPAA period, we evaluated calculated costs in 2 categories: fixed “start-up” costs and ongoing costs. Fixed start-up costs included database setup and computer programming, time invested by the nurse project manager, training of employees, attorney fees, and additional IRB-related costs. Ongoing costs were estimated for each additional patient enrolled in the follow-up and included administrative assistance and materials (envelopes, stamps, and other mailing items). Ongoing costs also included the number of hours needed for additional programming necessary for the new follow-up system and the time required for a nurse project manager to obtain legal review, oversee training of all research personnel, and implement the protocol related to HIPAA.
Differences between categorical variables were analyzed using standard χ² tests, and differences between continuous variables were analyzed using 2-sample t tests. All tests were 2-sided, with statistical significance set at α = .05. All analyses were performed using statistical software (SAS version 8.2; SAS Institute Inc, Cary, NC).
We identified 1221 patients during the pre-HIPAA period and 967 patients during the post-HIPAA period. Overall success in obtaining 6-month follow-up occurred in 1177 patients (96.4%) during the pre-HIPAA period and 329 (34.0%) in the post-HIPAA period (P<.01 for differences). Written consent forms were mailed to 855 patients (88.4%), whereas 112 patients (11.6%) were not mailed consent forms owing to administrative oversights associated with instituting several simultaneous requirements for the post-HIPAA period. Of 855 patients to whom written consent forms were mailed, 343 (40.1%) returned a completed form: 329 (95.9%) granted consent and 14 (4.1%) refused consent. Thus, we did not obtain written consent from 638 patients overall. Reasons for failing to obtain written consent included no response (n = 490), letter not sent out (n = 112), mail undeliverable (n = 22), and patient refusal (n = 14).
Table 1 displays the results of the analysis comparing patient characteristics and outcomes between patients in the post-HIPAA period who provided written consent and all others without written consent. Patients in the post-HIPAA period who provided written consent were statistically significantly more likely to be older, married, and white than those who refused to provide consent or who did not respond. In addition, we found statistically significantly lower mortality rates at 6 months in patients who provided written consent but no differences in myocardial infarction, stroke, or rehospitalization between the 2 groups.
The incremental costs associated with implementing protocol changes to comply with the HIPAA Privacy Rule are given in Table 2. Estimates of total start-up costs were $4146.00, and ongoing annual costs were $4558.50, resulting in $8704.50 in additional costs related specifically to compliance with the HIPAA Privacy Rule during the first year.
We found evidence that in patients with ACS at the University of Michigan, a strict interpretation of the HIPAA Privacy Rule significantly reduced our ability to obtain consent for a telephone-based follow-up questionnaire at 6 months. In addition, we found that compliance with the HIPAA Privacy Rule led to different rates of responses across various subgroups of patients—particularly those related to demographics such as age, marital status, and ethnicity. This may have led to a selection bias because patients who provided written consent had lower mortality rates at 6 months than those who did not give consent or who did not respond. We also estimated that compliance with the HIPAA Privacy Rule led to a nontrivial increase in overall costs. Although some of these costs may have been required regardless of the registry or may have been shared by other research programs, most were items directly related to managing the ACS registry.
We did not report specific reasons why patients were unlikely to return written consent forms through the mail. Although speculative, we have some potential explanations. First, the form itself and the accompanying letter are lengthy and confusing. The form mandated by our IRB was 8 pages long, and it was required that 2 copies be sent to each patient—1 for their records and 1 that was to be signed and returned. The size of these documents may have created an exaggerated sense of how involved the process truly was and could have been seen as daunting by patients. Second, the consent forms may be subject to administrative and logistical oversights, such as being mislabeled, inappropriately addressed, lost with other mail, or written off as junk mail by patients after delivery. Future research is needed to identify specific reasons for patients not returning written consent forms and methods to overcome these obstacles.
The ambiguity of the HIPAA Privacy Rule also presents a problem to outcomes researchers.4 Our IRB’s interpretation of the HIPAA Privacy Rule is limited to our single institution. It may be different from the way in which other research centers may have interpreted the rule. However, we, and others, suspected that due to the harsh penalties for breaching HIPAA regulations, an incentive exists for research centers to conservatively interpret the HIPAA Privacy Rule.3 For this reason, we used a strict definition of consent in the post-HIPAA period. Owing to ongoing interpretation from the federal government, it has been possible to relax these rules somewhat since the HIPAA Privacy Rule was instituted on April 1, 2003. Also, because of the simultaneous QI nature of our work, we are permitted to contact patients by telephone if a written consent form is not returned to determine whether one had ever been received and potentially to arrange for a second letter to be delivered. Other institutions may also implement similar strategies to improve rates of consent in their own QI-focused patient registries.
Another potential option is to try to obtain consent for follow-up while the patient is in the hospital. This allows for the additional opportunity to enroll patients for research even outside of QI-focused projects. There are several limitations to this strategy. First, it has substantial cost implications because researchers and support staff would need to be available to obtain consent on the wards. Funding to support this strategy would be difficult for QI-focused projects and for many observational studies. In addition, even when resources are available, it may be difficult to obtain consent for several logistical reasons. Tu et al5 found that even with a full-time, dedicated research nurse on the floor, consent rates were low, and many patients either died or left the hospital before consent could be obtained in a registry of stroke patients in Canada. Similar to our study, Tu et al5 also noted that data on consenting patients were also potentially biased and that costs were substantial. Our study expands on the work of Tu et al5 by demonstrating that there continue to be challenges associated with obtaining written consent even after hospital discharge.
Finally, we believe that distinguishing between QI-focused projects and other forms of outcomes research deserves important mention. When a QI-focused project is undertaken with the intent to analyze and publish the data, it is research and should be submitted to an IRB for review and approval before data collection. This has been the policy in our ACS registry since its inception. On other occasions, projects that are not initially intended to produce data for publication may yield unexpected results that should be published. Under such circumstances, submission to the IRB at that point may be undertaken, and the IRB should be given the opportunity to determine whether publishing the results would produce harm that exceeds the benefits of having others see and learn from the unexpected results. In this way, the IRB may continue to serve as an independent assessor of the incremental value of a project under complex circumstances.
The present study should be evaluated in the context of the following limitations. As described previously herein, this study involved the experiences of a single institution. Other medical centers may have identified other ways of complying with the HIPAA Privacy Rule during their QI-focused and research projects. Various strategies may be associated with different response rates for obtaining consent and may lead to different fixed and ongoing costs. We assumed a conservative interpretation of the HIPAA Privacy Rule that required written consent to be obtained before contact for a telephone-based follow-up questionnaire. We believe that the harsh penalties mandated by the HIPAA Privacy Rule create a strong incentive for research centers to interpret it strictly.3 Despite this limitation, we believe that this study provides a real example of the potential implications of the HIPAA Privacy Rule on data collection in outcomes research, particularly after hospital discharge.
The implementation of the HIPAA Privacy Rule has led to widespread speculation regarding its ultimate impact.4,6-8 Although everyone agrees that maintaining patient privacy is a laudable goal, the HIPAA Privacy Rule may create a substantial burden and prohibit the development of valuable research. We showed that a strict interpretation of the HIPAA Privacy Rule leads to a marked decrease in the ability to obtain consent and that this may result in less representative registries of patient populations, potentially biased outcomes, and increased costs. Further discussions need to be undertaken among researchers, the lay public, and government to establish better strategies for protecting patient privacy without discouraging or biasing QI-focused and outcomes research.
Correspondence: Kim A. Eagle, MD, Cardiovascular Center, University of Michigan, 300 N Ingalls, N18B02, Ann Arbor, MI 48109-0477 (firstname.lastname@example.org).
Accepted for Publication: December 23, 2004.
Funding/Support: This study was supported by the Mardigian Foundation, Bloomfield, Mich.
Financial Disclosure: None.
Acknowledgment: We thank the University of Michigan IRB for their ongoing help in revising the data collection methods for this ACS registry.
US Department of Health and Human Services, OCR Privacy Brief: Summary of the HIPAA Privacy Rule. Washington, DC: Office for Civil Rights, HIPAA Compliance Assistance; 2003.
J Determining when quality improvement initiatives should be considered research. JAMA. 2000;283:2275-2280.
D The new HIPAA (Health Insurance Portability and Accountability Act of 1996) medical privacy rule: help or hindrance for clinical research? Circulation. 2003;108:912-914.
et al. Impracticability of informed consent in the Registry of the Canadian Stroke Network. N Engl J Med. 2004;350:1414-1421.
ML How research will adapt to HIPAA: a view from within the health care delivery system. Am J Law Med. 2002;28:491-502.
LH Health Insurance Portability and Accountability Act (HIPAA): must there be a trade-off between privacy and quality of health care, or can we advance both? Circulation. 2003;108:915-918.