Health IT Offers Both Promise and Problems

April 1, 2009
Jill Wechsler

Jill Wechsler is ACT's Washington Editor.

Applied Clinical Trials


Biomedical research community finds privacy policies add cost and complexity to clinical studies.

A critical component of the Obama administration's health reform campaign is to expand adoption of electronic health information systems. The recently enacted economic stimulus legislation provides $19 billion to support use of electronic health records (EHRs) by doctors and hospitals and to develop standards and systems supporting electronic health information exchange.


This investment aims to jump-start development of an interoperable health care system that improves care, prevents medical errors, reduces waste, and better informs treatment decisions. Electronic databases promise to accelerate detection of drug adverse events and to streamline data collection.

Meanwhile, widespread transmission of personal health information (PHI) has generated demands for stronger protections against unauthorized disclosure of patient records.

The HITECH (health information technology) portion of the stimulus bill aims to build public confidence in the system by requiring patient notification of any unauthorized disclosure or "breach" of PHI, giving individuals more control over access to their records and stiffening penalties for violations of the rules.

HITECH does not directly address privacy in clinical research, but the new requirements promise to heighten efforts by doctors and hospitals to protect patient data, which could further limit access to patient records that is useful for researchers trying to identify eligible study subjects, design protocols, and assess health data.

Impeding research

The privacy requirements established under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 limit how "covered entities" (e.g., health plans, hospitals, and providers) may use or disclose electronically any individually identifiable health information.

The aim of the privacy rule, which was finalized in 2003, is to ensure the confidentiality of patient medical records under a system of expanding electronic transfer of information by health care institutions.

HIPAA offered no specific exemption from privacy requirements for clinical studies and health system research, even though such activity already was governed by the Common Rule, Food and Drug Administration regulations, and other local and international codes and policies.

In addition, those clinical investigators who also are covered entities, including physicians providing medical care and academic research organizations attached to hospitals, have to comply with all HIPAA security and privacy requirements.

Confusion over interpretation of the privacy policy has impeded research, as providers block access to patient medical records that can inform protocol development and permit follow-up on study outcomes.

For the most part, the biomedical research community has learned to live with HIPAA privacy requirements.

For clinical trials testing drugs and medical products, the informed consent process generally provides permission for researchers to access medical records and evaluate study participant results. But the privacy requirements make the consent process more complex and confusing to patients and impose added responsibilities on Institutional Review Boards (IRBs).

In addition, consent to participate in a specific study cannot be combined with authorization to access the data for later research or to put the data in a repository for future analysis. Privacy rules thus make it difficult to follow patients over time, creating problems in accounting for drop-outs and deceased trial participants and in designing postmarketing studies.

More patients refuse to provide additional consent after an initial study. Limiting studies to fewer consenting individuals can lead to selection bias that can compromise results.

Cancer researchers complain of differing HIPAA privacy compliance approaches among institutions and privacy officers. Moreover, population-based research, which often involves accessing patient records without informed consent, faces added obstacles.

Epidemiologists complain that privacy policies slow enrollment, raise costs, and even inhibit some hospitals from reporting on infectious diseases and other health conditions.

New approaches needed

A new report from the Institute of Medicine (IOM), "Beyond the HIPAA Privacy Rule," finds that the current policy has increased the cost and time of research projects, forcing researchers to abandon important studies while also confusing study participants regarding their rights and protections.

Robert Califf, vice chancellor for clinical research at Duke University Medical Center, told the IOM panel at its October 2007 meeting that the HIPAA privacy rule was contributing to a repressive regulatory climate that has demoralized the clinical research community and prompted an exit of clinical research from the United States to other countries.

The best investigators are dropping out, he noted, further exacerbating a decline of U.S. health outcomes relative to the rest of the world.

The IOM panel recommends that HHS develop a new framework for protecting privacy in health research. It would rely on certification that institutions have policies and practices in place to protect data privacy and that they comply with the Common Rule for ethical study practices.

Such a carve-out from HIPAA for medical and health research, however, "is not going to happen," advised attorney Mark Barnes, in discussing the IOM recommendations at the March meeting of the HHS Secretary's Advisory Committee on Human Research Protections (SACHRP).

Barnes headed an effort in 2004 by SACHRP's predecessor organization to recommend research-related changes in the privacy rule and noted that the IOM panel raises many of the same issues involving researcher access to patient information.

In anticipation of opposition to a research exemption, the IOM advisors propose revisions in the privacy rule, including simplified authorization for interrelated research activities, clarity on when DNA samples are considered protected health information, greater ease in linking health data from multiple sources, and an easier authorization waiver process for patients.

Research organizations would have to meet a host of security standards that include data encryption, breach notification policies, and regular security audits and certification processes. Meanwhile, health IT experts envision a new approach to research that utilizes the innovative data-sharing capabilities of electronic information systems.

The established method raises privacy and security concerns because each investigator has to spend time and money collecting and analyzing data from diverse sources to assess such issues as disease incidence, provider performance, or the impact of a therapy on patients with certain conditions.

A distributed model for health surveillance and assessment builds a system for holding personal health information at the source that can provide data or summaries to authorized entities across a network.

The National Cancer Institute, for example, is developing a networked system that allows authorized researchers to access large sets of cancer data without collecting or centralizing that information.

Cerner Chairman Neal Patterson commented at a recent briefing on HIT, sponsored by Health Affairs, that a fully automated information system could provide an important platform for assessing whether a drug or medical treatment is helping patients and for designing Phase IV trials.

However, many researchers fear that privacy requirements will undermine the ability of a "wired" health care system to transform quality of care.

Califf of Duke described a "learning health care system" where clinical research is built into health care delivery, and disease-specific registries provide precise data for mechanistic and specialty-based studies.

Such a system will be critical in the shift to personalized medicine, which will require access to personal health data to recruit subjects who meet increasingly specific genetic-based enrollment criteria, and to identify those individuals who should receive a treatment based on a specific genotype.

At the same time, advances in DNA sequencing and analysis will result in more genetic information being included in individual health records, which may heighten privacy concerns.

A different kind of system is needed to protect personal health information, while permitting access to data needed to create a more efficient system able to develop innovative therapies and to deliver high-quality care.

Jill Wechsler is the Washington editor of Applied Clinical Trials, (301) 656-4634, jwechsler@advanstar.com