HIPAA medical privacy standards might cause snags

Dylan Thomas

With new federal patient medical information privacy laws taking effect April 14, University researchers working with health data are facing some new changes.

Although the University’s prior emphasis on patient privacy will make most changes minor, questions remain about how researchers and the public will react.

Moira Keane, Research Subjects Protection program director, said researchers who use private medical information in their studies – such as epidemiologists – will need to demonstrate to a greater extent how they will protect that information. This will be done when they submit research proposals to the Institutional Review Board, which approves studies involving human subjects.

The new regulations will also require that research subjects are provided more information about how their medical records will be kept confidential and about how to retrieve their own information from medical databases, Keane said.

The new medical information regulations are part of the 1996 Health Insurance Portability and Accountability Act.

A byproduct of the act – intended to ease the transfer of health care coverage from one insurance company to another – was needed to set a national standard for the use and transfer of private medical records. Researchers, clinicians and anyone who deals with private patient medical information must comply with the new standards.

Keane said many of the privacy standards HIPAA established were already addressed by Minnesota’s relatively strict privacy laws and University regulations.

However, HIPAA has the potential to cause a few snags in research procedures. It could slow the approval of research, and subject waivers – with more instructions on how and what information will be used – could scare some people from participating in research.

Keane said concern about HIPAA’s effect on the approval process was an “exaggeration.” Researchers will still be able to conduct studies, but must now submit more specific plans for the protection of private research subject medical information.

Keane said researchers who work strictly with medical records will have several options for working with the records when they cannot receive subject approval.

Included in the new regulations is a clause allowing researchers to use “de-identified” information, which maintains the subject’s autonomy.

However, that data is essentially useless. For the information to be useful, waivers requiring more subject data are necessary, Keane said.

And with the possibly disconcerting effect of longer waivers, some researchers say informing the public of the research’s practical value will make people more willing to allow researchers to use their information.

Kristin Anderson, a University associate professor whose research focus is cancer epidemiology, said it is important for the public to understand the new laws were developed to place a check on the insurance industry, not because researchers were misusing information.

“We need to make the distinction very, very clear that insurance companies are a different issue than people who are trying to better the lives of Minnesotans,” Anderson said.

Another aspect of HIPAA preparations is University-wide privacy training, now in process. For researchers, this includes a combination of educational videos and online training through the University’s WebCT program.

Mary Hourigan, HIPAA coordinator for the University’s School of Public Heath, said the school’s preparations are now focused on the mandatory training. Although many University clinicians have already undergone their version of the WebCT training program, the research version is not yet available.

Otherwise, preparations have gone smoothly, Hourigan said. In fact, she said the changes made under HIPAA laws will simply make the school’s privacy procedures more comprehensive.

“I love HIPAA because it’s just made us smarter,” Hourigan said.

Dylan Thomas welcomes comments at [email protected]