WASHINGTON - New patient privacy regulations instituted by the Department of Health and Human Services (HHS) will affect oncology from research to private practice. The new rules set privacy standards governing the release of health information that might reveal the identity of individual patients.
Although views vary on how severe the effects might be for oncologists, there seems little doubt that the new rules will impose additional burdens for researchers and clinicians alike.
"It’s not as bad as it could have been, but it could have been a lot better," Anna D. Barker, PhD, speaking for the American Association for Cancer Research (AACR), told ONI. Dr. Barker is president and CEO of Bio-Nova, Inc. (Portland, Oregon). "They did listen to some of the public comments, and I think they made an effort to simplify some of the particularly onerous kinds of recommendations that were in the original plans," Dr. Barker added. However, she said, "there are still several things in the rule that are problematic in terms of how they are going to affect medical research."
The new rules apply to all personal health information (including paper records, oral communications, and electronic information) created or held by all persons and organizations covered by the regulations. HHS said that the final rule also requires that most providers get their patients’ consent for routine use and disclosure of health records, in addition to requiring their authorization for non-routine disclosures.
According to the HHS, the new privacy regulations will do the following:
Limit the nonconsensual use and release of private health information.
Give patients new rights to access their medical records and to know who else has accessed them.
Restrict most disclosure of health information to the minimum needed for the intended purpose.
Establish new criminal and civil sanctions for improper use or disclosure.
Establish new requirements for access to records by researchers and others.
Health care providers, most health care plans, and health care clearinghouses must comply with the regulations no later than Feb. 26, 2003. Small health care plans (those with receipts totaling less than $5 million annually) have until Feb. 26, 2004, to comply. However, a movement is building to extend the final compliance dates because of concerns that providers and others will be unable to fully comply by the deadlines.
Moreover, the new Bush Administration may seek to revise the new rules. Sen. James M. Jeffords (R-VT) scheduled a hearing to review the new regulations almost immediately after being elected chairman of the Senate Health, Education, Labor, and Pensions Committee.
The rules apply to all consumers, whether they are insured privately, uninsured, or covered by public programs such as Medicare. However, federal law only authorizes the HHS secretary to cover those three entities. As a result, several other entities, including life insurance companies and workers’ compensation programs, are exempted from the regulations, which allows them to use and reuse patient information without prior consent.
"Only Congress can fill these critical gaps," notes an analysis by the Health Policy Project at Georgetown University.
Process Began in 1996
The issuance of HHS’ final rules is the culmination of a process that began in 1996 and kicked into full gear after the failure of Congress to enact a patient privacy law. The Health Insurance Portability and Accountability Act of 1996 stated that if Congress had not enacted such legislation by Aug. 21, 1999, HHS was to issue regulations to safeguard patient information.
The proposed regulations, released in Nov. 1999, drew more than 52,000 comments from the public, advocacy groups, provider organizations, insurers, medical institutions, cancer researchers and their organizations, and the National Cancer Advisory Board.
The new HHS rules impose less harsh restrictions on researchers than those originally proposed. "Having said that, there will be a significant bureaucracy put in place around research that is going to be expensive and time consuming," Dr. Barker said. "Basically, it is going to slow down research and, most likely, further discourage people from doing research, especially clinical research."
Estimates from outside HHS of the added annual cost for medical researchers to comply with the rules range from $4 billion to $22 billion, according to Dr. Barker. HHS estimates the cost at $17.6 billion.
Jerome Yates, MD, PhD, senior vice president for population sciences and health services, Roswell Park Cancer Institute, agrees that the regulations are more acceptable than those proposed.
"Originally, HHS had proposed asking for informed consent every time someone was going to go to a database to analyze the data and use it for publication," said Dr. Yates, speaking for the National Coalition for Cancer Research. "Now you don’t have to go back to patients, for example, for tumor registry data that you want to analyze for incidence or survival."
Use for Commercial Purposes
One section of the rules, which allows the use of patient information for fund raising and commercial purposes, has generated great concern among providers and patient and privacy groups.
"My concern is that what was formerly prohibited is now allowed," Dr. Yates said in an interview with ONI. "There is a potential for real abuse of information and of the rules having exactly the opposite effect of what was intended in terms of protecting the patient’s privacy."
Federal Penalties for Noncompliance With Patient Privacy Rules
Civil penalties for non-criminal violations of the privacy rules, including disclosures made in error, range from $100 to $25,000 a year per violation for each standard.
Criminal penalties for knowingly violating the regulations are up to $50,000 and 1 year in prison for obtaining or disclosing protected health information.
Obtaining or disclosing protected information under "false pretenses" carries a penalty of up to $100,000 and 5 years’ prison time.
The penalty for obtaining protected information with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm is up to $250,000 and 10 years in prison.
Dr. Yates noted that many cancer patients are extremely sensitive about others knowing that they have the disease, sometimes even close family members. He has had complaints from patients even about getting mail with the Roswell Park return address on it.
"You can imagine how a breast cancer patient might feel if she got an advertisement from a breast prosthesis company with an obvious return address. I am very concerned that somebody is liable to say, let’s have a blanket protection of privacy, as we had originally intended," Dr. Yates said.
States Can Be More Restrictive
The new federal regulations set a minimum level of compliance. However, they also allow states to impose more stringent rules, if they wish to do so. Minnesota, for example, has a more restrictive law already in force. "If you want to do clinical trials around the country, and one or more states have more onerous requirements for privacy than the federal standard, you are going to be hard pressed to enroll people in clinical trials," Dr. Barker said.
A major change from the original proposal allows providers to fully disclose a patient’s medical record to another provider for treatment purposes. However, notes HHS, "for most disclosures, such as health information submitted with bills, providers may send only the minimum information needed for the purpose."
Employers that sponsor health plans for employees are barred from obtaining health information for use in making employment decisions.
The regulations empower patients with new rights regarding their medical records. Besides regulating the disclosure of information, the rules give patients the right to see their medical records and request corrections; to obtain documentation of disclosures of the health information; and to get an explanation of their privacy rights and how their disclosed information might be used.
Federal penalties are included for violations of the privacy rules (see box).