March 5, 2004

The Honorable Tommy G. Thompson
Secretary
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201

Dear Secretary Thompson:

As part of its responsibilities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the National Committee on Vital and Health Statistics (NCVHS) monitors the implementation of the Administrative Simplification provisions of HIPAA, including the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule).

The Subcommittee on Privacy and Confidentiality of the NCVHS held hearings in Silver Spring, Maryland on November 19 and 20, 2003.  The hearings, the first of several to be held, were intended to gather information about the effect of the Privacy Rule on public health and research, and on health care providers, health plans, and consumers.  This letter conveys the Committee’s findings and its recommendations for action by the Department.

In general, witnesses at the November 2003 hearings reported less anxiety and confusion about complying with the Privacy Rule than did witnesses at NCVHS hearings prior to the compliance date.  Several witnesses said that materials posted on the website of the Office for Civil Rights (OCR) were helpful, but they also stressed the need for OCR to expand its outreach and public education activities so that the Privacy Rule can be implemented effectively.  It was noted that not all covered entities and consumers have access to the Internet.

A. Public Health

The Privacy Rule explicitly permits disclosure of protected health information (PHI) for public health purposes without the need for an authorization.  The main issues involving public health are: (1) misunderstanding of the Rule that leads covered entities to limit their disclosures for this purpose, and (2) coordination of the public health disclosure provisions with other provisions, particularly the requirement to provide an accounting for disclosures.

In general, the witnesses stated that misunderstanding of the Privacy Rule by many covered entities was adversely affecting the reporting of notifiable conditions to public health officials.  At least one witness suggested, however, that some covered entities might be using the Privacy Rule as an excuse to avoid the burden of public health reporting.

One of the witnesses, representing the Council of State and Territorial Epidemiologists (CSTE), testified about a CSTE survey of State and territorial public health epidemiologists and Centers for Disease Control and Prevention bioterrorism state grantees on syndromic surveillance systems.  According to the survey, thirty-five percent of respondents said that the Privacy Rule had caused major obstruction or delay in disease reporting.  Further, when asked about the requirement to account for disclosures to public health, twenty-five percent of the respondents said this “was a significant problem for their disease reporters.”

We also learned that immunization is another concern.  Often, school officials need immunization information from covered providers to assess compliance with State laws requiring immunization as a condition of enrollment in school.  State laws vary on whether a school is considered a public health authority and whether immunization records may be shared without the authorization of a parent or guardian.  Thus, in many States, covered providers cannot disclose immunization information to schools without receiving a HIPAA-compliant authorization.  A witness reported that inquiries among health departments found that if authorizations cannot be obtained, some children receive duplicate immunizations.  If OCR could interpret disclosure of immunization information to school officials as a public health disclosure, the necessary information could be released without need for an authorization, thereby benefiting the children.

With regard to accounting for disclosures, the reporting of suspected cases of abuse and neglect has been a particular concern of social service agencies.  In many States, agencies receiving reports of suspected cases of child abuse or neglect are prohibited from disclosing the report or the name of the individual or entity filing it.  The state prohibitions on disclosure, however, apply only to the recipients of the reports and do not extend to health care providers, such as hospitals, that file them.  Under the Privacy Rule, an abusing parent, acting as the personal representative of the minor child, may obtain an accounting of disclosures and learn of the report.  This has the effect of discouraging the filing of reports of suspected abuse and neglect.  An exception to the accounting for disclosures requirement for reports of suspected abuse and neglect would eliminate this problem.

B. Research: The Privacy Rule and the Protection of Human Subjects Rule

The witnesses at the hearing provided frank testimony describing the detrimental impact of the Privacy Rule’s research provisions on research activities.  Much of the research affected by the Privacy Rule is subject to the Federal Policy for the Protection of Human Subjects (also known as the “Common Rule,” or the Protection of Human Subjects Rule, and codified for HHS at 45 CFR part 46, subpart A).

The witnesses at the hearing overwhelmingly supported the Privacy Rule’s intent of aligning its requirements with those of the Protection of Human Subjects Rule in order to promote consistency and ease of compliance.  In some key instances, however, the Privacy Rule diverges from that rule in ways that cause either gaps in privacy protection or unnecessary obstacles to research.  Additionally, due to the considerable confusion, compliance with the Privacy Rule’s provisions on research would be helped by clarification and expanded educational activities.

An example of the inconsistencies between the Privacy Rule’s research provisions and the Protection of Human Subjects Rule relates to “preparatory to research” activities.  The Privacy Rule permits PHI to be reviewed by a researcher for purposes that are preparatory to research without either the patient’s authorization or a waiver or alteration of authorization by an Institutional Review Board (IRB) or privacy board.  The concept of “preparatory to research” includes such activities as hypothesis development, protocol preparation, and certain research recruitment activities.  Specifically, according to the Department’s August 2003 document, “Institutional Review Boards and the HIPAA Privacy Rule,” the Privacy Rule permits a researcher who is a workforce member of the covered entity to contact potential research subjects for the purpose of seeking an authorization as part of the covered entity’s health care operations.  Even though such contact is construed as coming within health care operations, the interpretation permits recruitment of potential research subjects (an element of research) without IRB approval, and thereby violates the Protection of Human Subjects Rule.

The role of the IRB in reviewing authorization forms has also raised questions.  The Privacy Rule permits an authorization for the use and disclosure of PHI in research to be combined with an informed consent document, although many researchers prefer to use separate documents.  But according to “Institutional Review Boards and the HIPAA Privacy Rule,” the Privacy Rule does not require IRB review of authorizations, either as stand-alone documents or when combined with informed consent documents.  The absence of any such role under the Privacy Rule has created confusion about whether IRBs, in their role under the Protection of Human Subjects Rule, have the authority or responsibility to review these authorizations to use and disclose information for research.  Because the Protection of Human Subjects Rule charges IRBs with considering the adequacy of privacy and confidentiality protections for subjects, it would be helpful to have a clarification that there is nothing in the Privacy Rule that prevents them from reviewing authorization forms in discharging that responsibility.

An area in which the divergence of the two rules results in burdens on researchers involves general research authorizations.  Under the Protection of Human Subjects Rule, subject to such limitations as an IRB deems appropriate, a research subject may provide informed consent for future, unspecified research.  Under the current interpretation of the Privacy Rule, however, an authorization may not be for future unspecified research, and so a separate authorization must be obtained for each trial or study, or a waiver or alteration of authorization obtained from an IRB or privacy board.

Unless the Privacy Rule interpretation is changed, it will be exceedingly difficult to compile research repositories, including repositories containing collections of biological specimens linked to medical records, which are essential to many forms of research.  While it is clear from the January 2004 document, “Research Repositories, Databases, and the HIPAA Privacy Rule,” that a waiver of authorization could be obtained from an IRB or privacy board for disclosure from the repository, this additional step further complicates the process.

Several other areas related to research also need to be addressed.  Genetics researchers are concerned that any DNA sample, even if not linked with an individual, might not be considered “anonymous” because analyzing the sample could reveal the unique DNA identifiers of the individual.  Clarification that unlinked DNA samples are not “identifiable” would resolve the issue.

Clarification also is needed on the applicability of the Privacy Rule to indirect participants (individuals who are not research subjects but whose PHI may be disclosed by research subjects), and to multi-institutional studies.  The witnesses also identified some areas in need of additional outreach and education initiatives to counteract the reluctance or refusal of smaller institutions to participate in research because of misunderstanding the Privacy Rule and the standards for the de-identification of individually identifiable information.

C. Covered Entities and Consumers

Part of the hearing was devoted to testimony by covered entities and consumers on a broad range of issues.  Several witnesses expressed concern about the Privacy Rule’s requirements for accounting for disclosures of PHI.  In particular, many covered entities believe that the accounting requirement is burdensome as a result of the many disclosures required by law.  Compounding the burden is the fact that many mandatory reports are submitted on paper because automated systems for filing the reports have not been developed.  At the same time, the number of requests by consumers for an accounting of disclosures to date has been extremely small.  The Committee will continue to examine the impact of the requirement to account for disclosures, and to consider whether to recommend changes.

Witnesses also expressed concerns about the need to distribute notices of privacy practices and to obtain and maintain the corresponding acknowledgments in nontraditional medical treatment settings.  For example, cholesterol and blood pressure screenings are often provided at health fairs, and flu shots are often provided in such nontraditional settings as shopping malls and subway stations.  Witnesses questioned whether it was necessary for covered entities to provide a notice of privacy practices in these circumstances, or to get and retain acknowledgments that individuals had received them.

A witness representing consumers suggested that OCR should expand its enforcement activities beyond merely investigating complaints to include compliance audits.

RECOMMENDATIONS

Based on the oral and written testimony presented at the hearing, NCVHS recommends the following:

  • HHS should continue to expand its education and outreach activities, and special efforts should focus on public health reporting.
  • HHS should regard disclosure of immunization information to schools as a public health disclosure, thereby permitting providers to disclose this information to school officials without an authorization.
  • HHS should create an exception to the right of the individual to receive an accounting of disclosures in the case of reports of suspected child abuse or neglect.
  • HHS should make further efforts to harmonize the Privacy Rule with the Protection of Human Subjects Rule.
  • HHS should clarify that the Privacy Rule neither requires nor precludes IRB review of stand-alone authorizations for use or disclosure of PHI for research.
  • HHS should consider, for nontraditional treatment settings, permitting an abbreviated notice of privacy practices, and/or eliminating the requirement to get and retain an acknowledgment that an individual received a notice.

We appreciate the opportunity to offer these comments and recommendations.

Sincerely,

/s/

John R. Lumpkin, M.D., M.P.H.
Chairman, National Committee on Vital and Health Statistics

Cc: HHS Data Council Co-Chairs