Rules designed to safeguard the privacy of patients’ medical records are not as effective as they should be and may also impede health research, according to a senior researcher at RTI International.

Wendy Visscher, Ph.D., director of Office of Research Protection at RTI International, shared those findings with an advisory committee as part of a briefing March 3, 2009.

Visscher briefed the Secretary’s Advisory Committee on Human Research Protections about possible effects of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule on health research based on the findings of an Institute of Medicine (IOM) committee on which she served.

The 15-member IOM committee, called the Committee on Health Research and the Privacy of Health Information, assessed the balance between the value of privacy of health information to patients and the public and health care improvements through research.

“Our committee felt that strong privacy protections that do not hinder research are critical to the country’s ability to continue making important medical advances,” Visscher said. “However the committee concluded that the HIPAA Privacy Rule does not protect privacy as well as it should and may actually impede health research.”

The committee recommended that Congress and federal agencies develop a comprehensive new approach to protecting privacy in health research. As part of that approach, the Department of Health and Human Services (DHHS) should exempt health research from the HIPAA Privacy Rule. Under this new approach, privacy protections would be reviewed either under the existing human subjects regulations or through a new oversight system that would focus on data security concerns.

Alternatively, if a new approach is not taken, the committee recommended several areas that DHHS should consider revising in the HIPPA Privacy Rule and its guidance. These areas include recruitment procedures, de-identification standards and criteria for waivers of authorization.

The findings of the committee were released in February 2009 in an IOM report entitled Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Both the report and a four-page summary are available on the IOM Web site.