Joseph Conn reports:
The American Medical Informatics Association is asking Congress to amend a central federal healthcare privacy rule, in order to give medical researchers access to patient records without their consent.
A see-saw battle has been waged at the federal policy level for more than a decade over patient consent regarding medical records, with patient privacy advocates arguing that control over information about one’s self is the definition of privacy.
So, not surprisingly, a leading privacy advocate reacted negatively to the AMIA request.
“It’s shocking that they don’t have enough data yet, they’re going after more?” said Dr. Deborah Peel, a psychiatrist who heads the Patient Privacy Rights Foundation in Austin, Texas. “We completely support the opinion that every research use should be disclosed to the patient.”
Read more on Modern Healthcare.
It’s not just disclosure, of course, that’s at issue. It’s also the issue of consent or, at the very least, the right to opt out of use of PHI.
This blogger believes that Congress should not amend HIPAA to permit research use of PHI without patient consent.
Since 2001, HIPAA has allowed very broad access to patients’ health data for “12 national priority purposes” without consent, including for “research” use (See: 45 C.F.R. § 164.512.).
But patients have no knowledge whether there are 100s or 1000s of disclosures of their health data for “research” or what corporations or entities have their health data. Further, only 1% of the public would agree to allow unfettered access to their health data for “research” (See Westin’s survey for the IOM: http://patientprivacyrights.org/wp-content/uploads/2010/01/WestinIOMSrvyRept.pdf – see slide #27).
The “research” loophole in HIPAA allows corporations to use patient health data w/o consent, because there is no definition of who/what can conduct “research”. This loophole led to the creation of a massive hidden US health data broker industry–not to what Congress expected: genuine academic research designed to benefit patients instead of corporate revenues.
US patients’ health data is the most valuable data in the Digital Age, therefore Patient Privacy Rights believes the public should have the right to know what’s going on by having access to real-time “accounting for disclosures” of all “research” uses of health data.
See below for language in the citation on the HIPAA “research” loophole that allows the use of health data w/o consent, from the “OCR Summary of the HIPAA Privacy Rule”: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf :
“Public Interest and Benefit Activities. The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes”:
“Research. “Research” is any systematic investigation designed to develop or contribute to generalizable knowledge. The Privacy Rule permits a covered entity to use and disclose protected health information for research purposes, without an individual’s authorization, provided the covered entity obtains either: (1) documentation that an alteration or waiver of individuals’ authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board; (2) representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research; or (3) representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is sought.”
Thanks for your informative comment, Deb. You and I are on the same page about this nonconsensual use of patient information. If HIPAA’s to be amended, it should be to grant more control to patients, not less.