Is It Time to Amend HIPAA Privacy Rule?Former ONC Official Advocates Changes to Support Reseach
It's time to consider amending the HIPAA Privacy Rule to enable the sharing of certain research data, without patients' authorization, to help improve the quality of care, says Douglas Fridsma, M.D., a former federal health IT leader.
Under HIPAA, patients' protected health information can be used by a covered entity without an individual's consent for three general activities - treatment, payment and healthcare operations, explains Fridsma, former chief science officer at the Office of the National Coordinator for Health IT, who in November joined the American Medical Informatics Association as its president and CEO. When it comes using patients' information for research, HIPAA allows patient data to be used without a patient's authorization only for research related to improving the quality of care within an institution where the patient was treated, or as part of internal "operations." Those findings cannot be published or shared outside the organization unless patients grant their permission, Fridsma explains in an interview with Information Security Media Group.
So, for example, if a hospital discovers that a particular surgical checklist reduces post-operative infections in its patients, "under current rules, that can't be published as a research finding" shared with other organizations, he says, unless all patients whose data was used grant their authorization, he says.
Letter to Congress
AMIA, an organization of about 5,000 biomedical and healthcare informatics professionals, recently wrote a letter to the House Committee on Energy and Commerce urging Congress to make changes to HIPAA to allow the use of PHI for certain "observational research" purposes without the need for patient consent.
AMIA said the change "would send a clear message to covered entities, business associates, institutional review boards, regulators and others, including patients, that utilizing the promise of health data is, in fact, a core responsibility of all the stakeholders in the healthcare system. Simply, we trust CEs and their BAs to use the health data of individuals for the purposes of treatment and payment and healthcare operations that facilitate their own functioning. We ought to trust them as well with the responsibility of conducting research with health data to improve the health of our nation."
A change in HIPAA would also support development of a "learning healthcare system," a concept that ONC is promoting. It's based on the notion that information that's generated during the care of patients can also be useful in understanding "how we can best improve the care that's being delivered," Fridsma explains.
In the interview, Fridsma also discusses:
- The potential impact of AMIA's suggested changes in HIPAA on other aspects of patient data privacy and security;
- Why AMIA is proposing that Congress direct the Department of Health and Human Services to create a multi-stakeholder "HIPAA barriers working group" to assess whether HIPAA impedes the use of patient information for research;
- Other recommendations that AMIA is making to Congress related to health IT safety and other issues.
Before joining AMIA in November, Fridsma spent more than five years in various leadership positions - including the roles of chief science officer and director of interoperability and standards - within the Department of Health and Human Services' Office of the National Coordinator for Health IT. Fridsma's work at ONC included involvement in the Blue Button effort to provide patients with secure and convenient access to their digital health records. Before joining ONC, Fridsma was on the teaching staff in the Department of Biomedical Informatics at Arizona State University and had a clinical practice at Mayo Clinic Scottsdale. In addition to a medical degree from University of Michigan, he has a Ph.D in biomedical informatics from Stanford University.