New research reveals a clash between two of the biggest issues in health care today: protecting individual patients' privacy and improving the quality, safety and cost of medical care for all patients.
In a paper published in the Archives of Internal Medicine, researchers from the University of Michigan Cardiovascular Center report how their research on heart attack care has been hampered by the national medical privacy regulations under a law known as HIPAA, which took effect two years ago last month.
In all, they write, the changes needed to comply with HIPAA have led to a drastic drop -- from 96 percent to 34 percent -- in the proportion of heart attack survivors and chest pain patients who take part in follow-up surveys after they leave the hospital. The changes have also dramatically increased in the cost of performing the surveys, and skewed the data because certain kinds of patients are more likely to agree to participate.
Post-hospitalization surveys are crucial to helping quality-minded hospitals like U-M assess and improve their care. Patients' names and other identifying details are removed before their information is entered into a database. Doctors can use the database to find out what treatments and preventive measures help patients most, and what factors worsen their chances. This information helps doctors improve care at their own hospital, and can be shared with others to help them improve too.
But HIPAA's current language requires that even quality-improvement research using anonymous data requires a written authorization from patients before their medical records can be reviewed and before they can be contacted for follow-up phone surveys. HIPAA stands for Health Insurance Portability and Accountability Act.
The patient permission forms must comply both with the privacy regulations and another set of federal laws governing research -- which means they are often several pages long and complicated. And HIPAA's current language leaves large amounts of room for interpretation, meaning that some hospitals might take a conservative approach and not attempt quality-improvement research, or allow researchers access to medical information at all.
"We won't solve safety, quality and cost issues in health care unless we do quality research, and our findings show that HIPAA, as currently written, has the potential to hinder that effort," says senior author Kim Eagle, M.D., clinical director of the U-M CVC. "Privacy is crucial. But quality-improvement research aims to generate public benefit, and as a society we have to be careful that we don't find ourselves on such a far extreme on one side of privacy protection that we actually paralyze our ongoing efforts to monitor and improve care."
Adds co-author Edward Goldman, J.D., "This study demonstrates an inadvertent effect of federal privacy regulations on important research. In a far-reaching attempt to legitimately protect patient privacy, HIPAA has made it very difficult to do critical health care research where the results would not harm patient privacy in any way." Goldman, U-M associate vice-president and deputy general counsel, advised the U-M Cardiovascular Outcomes Research and Reporting Program team on HIPAA-compliant research tactics.
In the newly published study, the research team reports that only one-third of 855 patients returned a mailed consent form that gave permission for a researcher to call them six months after their hospitalization for a heart attack or acute chest pain. Nearly 500 patients never responded, and 22 letters were returned as undeliverable. Fourteen patients answered by mail to state that they would not consent. The total consent rate was 34 percent.
Under the previous system of simply asking patients for their permission in a phone call, 96.4 percent of 1,221 patients agreed.
The lower participation rate with the HIPAA-compliant written consent means that the data collected would be less meaningful. The study also finds that patients who returned written consents were far more likely to be older, married and white than those who refused to consent or didn't answer.
Even as participation dropped, the cost of working in a HIPAA-compliant way rose. Computing time, staff hours, office supplies and postage would cost $8,704.50 in the first year of a research project, and $4,558.50 per year after that, on top of the usual costs of the research.
The team conducted the study just before HIPAA privacy laws took effect in April 2003, but acted as if HIPAA were in effect. This allowed them to track which patients sent back their consent forms and which did not, and to call those patients for a verbal consent so they could conduct the survey.