Report: HIPAA Privacy Rule Fails to Adequately Protect Privacy and Hampers Health Research

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule does not adequately protect the privacy of people's personal health information and hinders important health research discoveries, concludes a new report from the Institute of Medicine.

Congress should authorize the development of an entirely new approach to protecting personal health information in research, separate from the HIPAA Privacy Rule, said the committee that wrote the report. This new approach should apply privacy, data security and accountability standards uniformly to information used in all health-related research regardless of who funds or conducts the research.

If policymakers decide to continue relying on the current rule to protect privacy in health research, the committee recommends a series of changes to improve the rule and the guidance that the U.S. Department of Health and Human Services (HHS) gives on how to comply with it. Recommendations in the report include:

• Encryption should be required for all laptops, flash drives, and other portable media containing such data given the potential for these items to be lost or stolen.
• HHS and other federal agencies should develop a new approach to regulation that focuses on best practices in privacy, security, and transparency. The new framework should facilitate use of health data in which personally identifiable information is removed and should provide legal sanctions against unauthorized re-identification of individuals. It should provide ethical oversight of research in which use of personally identifiable information without individual consent is necessary. This oversight could be accomplished by local ethical review boards that assess proposed projects on a case-by-case basis, or institutions could be certified at the federal level to carry out this kind of research, having proved they have policies and practices in place to protect data privacy and ensure security.
• HHS should make it clear that people can grant permission in advance that samples or data collected from them for one research project can be used in future research. And the agency should simplify and clarify the criteria for making decisions about waiving requirements to obtain permission from every patient whose personal health information will be used in study.

The study was sponsored by the U.S. Department of Health and Human Services, Robert Wood Johnson Foundation, American Cancer Society, American Heart Association/American Stroke Association, American Society for Clinical Oncology, Burroughs Wellcome Fund, and C-Change. Established in 1970 under the charter of the National Academy of Sciences, the Institute of Medicine provides independent, objective, evidence-based advice to policymakers, health professionals, the private sector, and the public. The National Academy of Sciences, National Academy of Engineering, Institute of Medicine, and National Research Council make up the National Academies.