The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) recently put out a “Request for Information on Modifying HIPAA Rules to Improve Coordinated Care.” PRIM&R decided to submit comments, thinking this might be a good opportunity to highlight how the Health Insurance Portability and Accountability Act (HIPAA) Rules could be improved for research. After all, the research community has long argued that HIPAA is confusing, awkward, inconsistent, and unnecessarily burdensome as applied to the research context.

The OCR was interested in hearing from the public about how to modify the HIPAA Rules to reduce regulatory burden, facilitate care coordination and case management, and “promote the transformation to value-based health care,” all while safeguarding patient privacy. In our submitted comments, PRIM&R urges the OCR to reconsider HIPAA in both the clinical and research settings, pointing out that the lines between research and clinical care are increasingly blurred. Nowhere is this more apparent than in “learning healthcare systems,” which are predicated on continuously collecting clinical care information to evaluate the comparative efficacy and safety of various standard health care interventions with the goal of improving patient care. 

When it comes to the research enterprise generally, PRIM&R notes that the lack of harmonization between the HIPAA Rules and the Common Rule in several key areas related to human subject protections results in confusion for research subjects and unnecessary burden for research institutions. To take just one example, covered entities are required to obtain from individuals both HIPAA authorization and informed consent for research, in order to be in compliance with both sets of regulations. Although not identical, there is significant overlap between the requirements for each, and institutions face the added burden of having to track both of these types of permission. And yet it is not clear that the HIPAA Rules provide additional privacy protections for individuals who take part in research, above and beyond those provided by the Common Rule. PRIM&R urges HHS to develop a harmonized approach in which a single description of confidentiality and privacy protections would suffice.    

There are also inconsistencies regarding where HIPAA’s privacy protections apply. Some research institutions are not considered “covered entities” bound by HIPAA, including the National Institutes of Health, the government’s primary health research agency. HIPAA also allows covered entities to determine whether or not to cover research information.

As the OCR considers modifications to HIPAA, we urge it to consult with the research oversight community about how the HIPAA Rules could be re-worked to better facilitate vital research while at the same time appropriately protecting research subjects’ privacy interests.

How do you think HIPAA should be improved for research? Do you think PRIM&R’s comments hit on all the main points? (Full set of comments can be found on our website.)