The role of consent in health information research
A health information research study uses thousands and thousands of medical records to learn about illness and the efficacy of certain drugs and other treatments. To be most effective, such studies have to be able to link symptoms, treatments and their outcomes for each patient in order to find patterns and correlations that are hidden when health data is aggregated.
For example, an aggregated study of a heart medicine might show promise, but a non-aggregated study might also show that the same medicine, when used by patients who also take a second drug, is actually harmful. With aggregation, the harm to this second set of patients appears only as a diminishment of efficacy overall because there may be no way to identify which patients took the second drug and had a bad outcome.
A great deal can be learned from such research, and it is much less expensive and safer than clinical trials because it uses only existing data and does not expose patients to unproven drugs and treatments. The only risk to patients is a breach of privacy.
How much information from health care data should be available to researchers to try to learn more about various illnesses and the efficacy of certain drugs or other treatments? Fred H. Cate, Distinguished Professor and C. Ben Dutton Professor of Law at the Indiana University Maurer School of Law, presented the argument Jan. 19 at the Health Care Ethics Seminar that researchers should be allowed to use personally identifiable information with certain safeguards. This would allow research into actual patients and their outcomes rather than research based on aggregated data alone.
Cate was responding to the broad privacy rule that the federal government adopted when the Health Insurance Portability and Accountability Act was passed in 1996. HIPAA's Privacy Rule imposes its strongest restrictions on the use of personal data in health research; in contrast, the health insurance industry has almost unlimited access to identifiable personal health data.
The Institute of Medicine reported in 2009 that "the HIPAA Privacy Rule does not protect privacy as well as it should" and "as currently implemented, the HIPAA Privacy Rule impedes important health research." The Institute of Medicine report recommended against requiring consent for research with health information, but Congress and the White House have been slow to enact these proposed changes. Insurance companies can get data for research and marketing, but researchers can't use the data without many restrictions.
Cate is co-director of Indiana University's Center for Law, Ethics and Applied Research in Health Information and principal investigator on the NIH grant, "Protecting Privacy in Health Research."