How Research Will Adapt to HIPAA: A View from Within the Healthcare Delivery System

Abstract

While the new Health Insurance Privacy and Accountability Act (HIPAA) research rules governing privacy, confidentiality and personal health information will challenge the research and medical communities, history teaches us that the difficulty of this challenge pales in comparison to the potential harms that such regulations are designed to avoid. Although revised following broad commentary from researchers and healthcare providers around the country, the HIPAA privacy requirements will dramatically change the way healthcare researchers do their jobs in the United States. Given our reluctance to change, we risk overlooking potentially valid reasons why access to personal health information is restricted and regulated. In an environment of electronic information, public concern, genetic information and decline of public trust, regulations are ever-changing. Six categories of HIPAA requirements stand out as transformative: disclosure accounting/tracking, business associations, institutional review board (IRB) changes, minimum necessary requirements, data de-identification, and criminal and civil penalties.