New research reveals a clash between two of the biggest issues in health care today: protecting individual patients' privacy and improving the quality, safety and cost of medical care for all patients.
In a paper published in the Archives of Internal Medicine, researchers from the University of Michigan Cardiovascular Center report how their research on heart attack care has been hampered by the national medical privacy regulations under a law known as HIPAA, which took effect two years ago last month.
In all, they write, the changes needed to comply with HIPAA have led to a drastic drop -- from 96 percent to 34 percent -- in the proportion of heart attack survivors and chest pain patients who take part in follow-up surveys after they leave the hospital. The changes have also dramatically increased in the cost of performing the surveys, and skewed the data because certain kinds of patients are more likely to agree to participate.
Post-hospitalization surveys are crucial to helping quality-minded hospitals like U-M assess and improve their care. Patients' names and other identifying details are removed before their information is entered into a database. Doctors can use the database to find out what treatments and preventive measures help patients most, and what factors worsen their chances. This information helps doctors improve care at their own hospital, and can be shared with others to help them improve too.
But HIPAA's current language requires that even quality-improvement research using anonymous data requires a written authorization from patients before their medical records can be reviewed and before they can be contacted for follow-up phone surveys. HIPAA stands for Health Insurance Portability and Accountability Act.
The patient permission forms must comply both with the privacy regulations and another set of federal laws governing research -- which means they are often several pages long and complicated. And HIPAA's current language leaves large amounts of room for interpretation, meaning that some hospitals might take a conservative approach and not attempt quality-improvement research, or allow researchers access to medical information at all.
"We won't solve safety, quality and cost issues in health care unless we do quality research, and our findings show that HIPAA, as currently written, has the potential to hinder that effort," says senior author Kim Eagle, M.D., clinical director of the U-M CVC. "Privacy is crucial. But quality-improvement research aims to generate public benefit, and as a society we have to be careful that we don't find ourselves on such a far extreme on one side of privacy protection that we actually paralyze our ongoing efforts to monitor and improve care."
Adds co-author Edward Goldman, J.D., "This study demonstrates an inadvertent effect of federal privacy regulations on important research. In a far-reaching attempt to legitimately protect patient privacy, HIPAA has made it very difficult to do critical health care research where the results would not harm patient privacy in any way." Goldman, U-M associate vice-president and deputy general counsel, advised the U-M Cardiovascular Outcomes Research and Reporting Program team on HIPAA-compliant research tactics.
In the newly published study, the research team reports that only one-third of 855 patients returned a mailed consent form that gave permission for a researcher to call them six months after their hospitalization for a heart attack or acute chest pain. Nearly 500 patients never responded, and 22 letters were returned as undeliverable. Fourteen patients answered by mail to state that they would not consent. The total consent rate was 34 percent.
Under the previous system of simply asking patients for their permission in a phone call, 96.4 percent of 1,221 patients agreed.
The lower participation rate with the HIPAA-compliant written consent means that the data collected would be less meaningful. The study also finds that patients who returned written consents were far more likely to be older, married and white than those who refused to consent or didn't answer.
Even as participation dropped, the cost of working in a HIPAA-compliant way rose. Computing time, staff hours, office supplies and postage would cost $8,704.50 in the first year of a research project, and $4,558.50 per year after that, on top of the usual costs of the research.
The team conducted the study just before HIPAA privacy laws took effect in April 2003, but acted as if HIPAA were in effect. This allowed them to track which patients sent back their consent forms and which did not, and to call those patients for a verbal consent so they could conduct the survey.
Co-author Eva Kline-Rogers, M.S., R.N., N.P., the manager of the M-CORRP program, notes that those follow-up calls can make a major difference in the rate of consent. Usually, callers find that a patient has forgotten to send the consent form back, has mislaid it, or thought it was junk mail.
"We find that many people misinterpret the mailing, and think it's something that it isn't," she says. "They ask us if they'll have to come in for a blood drawing or an appointment, when all we're asking for is permission to call them, ask them how they're doing and put their anonymous data into a database. Once we explain it, it's very rare for someone to refuse."
In the time since the study was conducted, HIPAA interpretation at U-M has changed in such a way that M-CORRP staff are now allowed to call patients who have not returned their consent forms after a few weeks. They can ask if the form has arrived and to offer to send another if it has not. If asked, they can explain what the study involves, and can encourage willing participants to send their consent forms back so that a researcher can call them.
But still, Eagle and his colleagues worry that many other hospitals will not take this kind of proactive approach to interpreting HIPAA. "At every national meeting I go to, HIPAA compliance and its impact on research is discussed," he says. "Interpretation is highly local, and the rules as written create such a range of interpretation that no one quite knows how to handle it. While we've been able to work with our legal office to make sure we're protecting privacy, other institutions may interpret the same law so strictly as to paralyze outcomes and quality research."
In all, Eagle and his colleagues hope that lawmakers can factor their data and other studies into deliberations about HIPAA's impact on research. "The public's welfare is served by studying and reporting on the quality of health care, and there must be a way, within the spirit of the privacy laws, to make that research less onerous," he says.
The data analysis for the new paper was led by David Armstrong, B.A., a recent Cornell University graduate who worked as an M-CORRP intern for several summers. Other authors are U-M biostatistician Jianming Fang, M.D., cardiologists Debabrata Mukherjee, M.D., M.S., and Brahmajee Nallamothu, M.D., MPH, and former research associate Sandeep Jani, MPH.