Striking a balance between privacy and health

Part two of a two-part series (Access part one here):

In the first of this two-part series on a study for the Institute of Medicine by researcher Alan Westin, emeritus professor of public law and government at Columbia University, we reported that many Americans will allow their heath records to be used for medical research, but privacy is a big issue. Many patients also want to be informed by researchers of the nature of the research project for which their personal information will be used. And, for many, they want to be asked for permission by researchers every time their medical records are used, according to a presentation by Westin earlier this month of preliminary findings from a survey conducted in September in conjunction with Harris Interactive.

Obtaining patient consent, at least in some form, was a threshold requirement for research project participation in which personal information was disclosed, according to an overwhelming majority of participants in Westin's survey.

Only 1% of participants agreed that researchers would be free to use their health information without their consent while just 8% indicated an initial, "general consent" given in advance would suffice to have researchers use their information in future research projects without having to contact them.

In addition, just 19% would agree to have their personal information used without their consent "as long as the study never revealed my personal identity, and it was supervised by an institutional review board."

Meanwhile, a plurality, 38% of survey respondents, would want researchers from "each research study to first describe the study to me and get my specific consent for such use."

And while respondent demographics were not a factor in many other survey areas, they mattered here. The survey found that higher-than-average percentages of respondents who insisted on researchers obtaining their consent for each use of their healthcare data included respondents who were: black (45%); college graduates (46%); in the working-class income bracket of $35,000 to $49,000 (45%); the pre-Medicare age group of 50-64 (43%); single women (43%); those with long-term health conditions (45%); those with a "sexual" condition (49%); mental health-service users (44%); and genetic-test takers (48%).

Another 20% were unsure about research participation and 13% would not want researchers to use their information or even contact them about a study "under any circumstances."

"We have for 349 respondents detailed accounts of their participation in healthcare research," Westin said. "When you ask people who have participated in healthcare information research, they come out even higher than the (general) public in saying they want notice and consent. They believe that expressed consent is the right thing.

"I think the value of the question is that it really presents the issue that the policymakers are going to have to wrestle with, that is, how are you going to have to structure the consent provision?" Westin said. "On the one hand, there is high confirmation of the sensitivity of healthcare information and sharp concern about privacy laws. The real challenge is going to be to build the right policy and protections into those health information systems."

Only 8% of those surveyed responded that they had been asked to participate in a health research project but decided against it.

Asked why, and choosing from a list of answers, 30% indicated concern their information would not be kept confidential; 24% expressed worries that their participation would be risky, painful or unpleasant; 22% didn't trust the researchers; 16% thought it wouldn't help their health condition; and another 6% thought it wouldn't help present or future family members. Another 6% indicated they thought the research was unimportant, while 5% thought it would be too costly to participate.

Westin said he doesn't see either the Bush administration or the current Congress doing much to change the status quo regarding healthcare privacy policy or law, but after the 2008 election, "I think in the next Congress we will come to grips with major legislation with regard to privacy," Westin said.

One scenario is that instead of amending the Health Insurance Portability and Accountability Act of 1996, Congress may choose to start over with new privacy legislation.

"It might give us a fresh opportunity to write better rules," he said. "People forget that HIPAA was passed, but they never hashed out the privacy priorities. They handed it off to HHS" to write the privacy rule and, according to Westin, that may not have been the best approach to reach a national consensus on privacy.

"When you punt like that, you lower the visibility of what you've done," he said. "And so when it comes out, it doesn't resonate very much with the public. The people who were involved were intensely interested, but it was a bureaucratic submarine."

Another way to deal with patients' fears about the misuse of their information would be to put someone, a highly visible person, as the point person on privacy, Westin said.

"To the extent that this is going to go into congressional legislation, this is going to have to be spelled out," Westin said. "If this were Canada, that's what the privacy commissioner is there for. She (Jennifer Stoddart) is balanced. Unfortunately, we don't have an agency like that, but as we get deeper into this, there could be a good argument for having one."

Some researchers argue that when the balance is struck between privacy and health, health should win.

Don Detmer is president and chief executive officer of the American Medical Informatics Association, whose membership includes medical researchers. In an e-mail response to a request for comment about Westin's preliminary findings, Detmer sent a copy of an opinion piece published in 2000 in the International Journal for Quality in Health Care. "While the privacy of individuals is highly desirable and worthy of substantial protection, health considerations must prevail despite some risk of personal exposure," he said. At the time, legislation was pending in Congress that would have included "opt-out" provisions allowing the patient to decide whether their personal information could be used and shared for treatment, but not for research or quality improvement. Such provisions "would harm important health-services quality research and clinical and basic medical research as well."

Also, in an e-mail response, Detmer wrote: "I think we should offer citizens an option when they get their driver's license and allow them to change their position whenever they wished, if the fee would not be excessive.

"The organ donor choice option is well-known to the public," he said, adding that to his knowledge, it is "the only option out there other than institution-by-institution and/or case-by-case permissions, which I don't think will serve the legitimate needs for access to data for medical research and progress in this nation. Just today a prominent scientist at IBM told me that AMIA and IBM should seek to work with India and China since access to data in the USA will not work in the future due to the very active privacy advocacy community, particularly at the national level.

"I now believe that each choice should be opt-out, particularly since the majority will opt-in," Detmer said. "It will be interesting to see what the IOM comes up with. The issue strikes directly at the future of biomedical research progress in this nation and not because Americans don't wish to see research happen, but rather because very costly and burdensome procedures will be adopted, like the HIPAA paper forms, that irritate most Americans and the overcautionary stance of many legal advisers to healthcare institutions.

"Perception can drive reality and the privacy community and much of Congress believe(s) that even more controls are needed," he said. "Having said this, the American research community and disease advocacy groups have done a very bad job 'informing the public's discretion.' "

Currently, the Office for Civil Rights at HHS has been assigned enforcement responsibility over the HIPAA privacy rule. Since the rule went into effect on April 14, 2003, that office has received nearly 31,000 complaints of alleged privacy violations through Sept. 30 of this year. Thus far, it has not fined a single violator, a record, according to privacy advocates, that may be as much a testimony to the weakness of the privacy rule as it is to the Bush administration's kid-gloves approach to enforcement.

According to a recent presentation by Christina Heide, senior health-information-privacy policy specialist at the Civil Rights Office, providers who allegedly misuse or improperly disclose protected healthcare information are the most common targets of HIPAA complaints, but researchers are not above question. Most research-related complaints come from patients upset over receiving recruitment calls from unknown researchers, Heide reported.

According to Roger Herdman, M.D., director of the National Cancer Policy Forum at the IOM, the IOM's privacy committee is following up on a workshop last year on research and the privacy issue. The call for a more formal inquiry into the issue came at the request of the National Cancer Institute and a member of the president's cancer panel, Margaret Kripke, executive vice president and chief academic officer at the M.D. Anderson Cancer Center at the University of Texas, Houston.

In an e-mail, Herdman said the committee's recommendations will be made to the sponsors of its work, which includes the NIH, the National Cancer Institute, the American Cancer Society and government and the private sector organizations headed by former President George H.W. Bush and former first lady Barbara Bush. The report will be released to the public, "so the recommendations are available for action to any interested entity," Herdman said.

What do you think? Write us with your comments at Please include your name, title and hometown.