This has left open the question of what to do about secondary uses of de-identified data, however. HIPAA does not require patient permission if the data being used is fully de-identified, and many HIE projects are operating on the presumption that secondary uses are okay as long as they release only de-identified data, which HIPAA allows them to do.
I've been in an increasingly large number of conversations with HIE projects around the country who are saying that even though HIPAA allows it, they're going to ask for blanket permission from patients before they release even de-identified data. And they're hoping that this "belt and suspenders" approach fully protects their activities.
Some new work sponsored by the Institute of Medicine suggests that this approach may be the minimum requirement for satisfying increasing patient demands for privacy protection (see Striking a balance between privacy and health). Of over 300 patients surveyed:
- 38% said that they'd want researchers "from each research study....to first describe the study to me and get my specific consent for such use";
- 19% would allow use of de-identified data without consent as long as the research was overseen by an IRB;
- 13% would not want their data used for research "under any circumstances";
- 8% said an upfront "general consent" would be enough for use of their data in future research projects;
- 1% said researchers could use their data without their consent.
The implications are pretty startling. We have a serious disconnect between what the law allows and what patients want (and expect). Over 80% of people would NOT want their data to be used for research without their consent, even if it was de-identified and overseen by an IRB. And while it's hard to read from the survey's summary data, a large fraction may want some type of consent for each use.
There's a lot of hope that health trusts and personally controlled health records will solve all of this by giving patients ultimate control of their health information. We're a long, long way off from being able to give patients that type of control, so we'll be facing these issues for a long time to come.
There's obviously no "right" or "wrong" here because it is what it is. On the other hand, we should always be cautious about surveying people about abstractions -- a little education and concrete experience may change people's perceptions dramatically. That said, the threshold on privacy protection is clearly getting higher, and what may have seemed like conservative approaches to privacy protection yesterday may become barely adequate tomorrow.