At the Annual Scientific Session of the American College of Cardiology here, researchers from the University of Michigan Cardiovascular Center recently showed how HIPAA, the national medical privacy act, severely affected their ability to study heart attack patients after they left the hospital.
This kind of long-term "outcome" study is crucial for evaluating medical care, such as the number of patients who die or have complications after surgery or hospitalization.
But HIPAA requires written authorization from a patient before he or she can be contacted to gather personal health information for a research study. The U-M researchers had previously used a verbal privacy authorization, obtained when they called patients at home months after they left the hospital.
But when they switched from the verbal consent to a HIPAA-compliant written authorization that had to be mailed to patients and mailed back, they found a sizable drop in the percentage of patients who gave consent to be called.
The percentage participation plummeted from 96.1 percent to 38.5 percent. As a result, the consented population was not representative of the entire population of patients the researchers wanted to study. That could bias study results.
"On top of this impact on the quality of data, the costs involved in asking for this written authorization were substantially larger than those for the verbal system," says Eva Kline-Rogers, M.S., N.P., who helped lead the study. "To get consent from one patient, we calculated we'd spend $14.50 per patient in the first year of the study for computer, training, staff, administrative and mailing costs, and $7.50 each year afterward."
To avoid the mailed authorization approach, by asking patients for consent while they were still in the hospital, would be cost-prohibitive and labor-intensive, she adds.
Compliance with HIPAA, which stands for the Health Insurance Portability and Accountability Act, was mandatory as of April 14, 2003, though voluntary compliance was encouraged before that. The U-M team carried out its study during that voluntary compliance period, using guidance from U-M clinical research officials about what they would have to do to comply with HIPAA.
"The balance between protecting patient privacy, while at the same time we strive to learn about the best methods by which to treat patients after certain types of conditions and/or treatments, is delicate," says Kim Eagle, M.D., clinical director of the U-M Cardiovascular Center and senior author on the study. "If long-term patient outcomes are to be used to 'inform' current care, we must develop better ways of working with patients and regulatory agencies to define the proper balance."
Kline-Rogers and her colleagues at the U-M Cardiovascular Outcomes Research and Reporting Program set out to obtain written consent from heart patients six months after they left the U-M hospital after being treated for acute coronary syndrome – either a heart attack or unstable angina episode.
They obtained the list of patients retrospectively, by looking at the discharge diagnosis for each patient. This is allowed under HIPAA as part of preparation for a research study.
Between Sept. 1, 2001 and March 31, 2003, they sent letters and consent forms to the patients, and called those who responded to ask questions about their health.
Because the HIPAA compliance mandate was not yet fully in effect, they were also able to call those patients who didn't mail back their consent form, to try to obtain verbal consent. They could also check records to see if patients on the HIPAA-compliant lists had died.
They then compared the rates of authorization and several demographic characteristics with those from patients who had been contacted for the same purpose between May 1, 1999 and August 30, 2001, before HIPAA.
In addition to the drop in authorization from 96 percent to 38 percent, the researchers found that those who returned the HIPAA-compliant written consent were more likely to be older, to be married, or to have high blood cholesterol, than those who didn't. They were also less likely to be widowed.
There was also a significant difference in the ability to receive consent from a spouse or authorized relative to obtain information on patients who had died. Ten percent of the patients in the group where contact was made verbally or records were searched had died, versus 3.3 percent of the group contacted for written consent.
All in all, says Kline-Rogers, "HIPAA compliance will challenge researchers, institutions and ultimately patients as we try to learn about the outcomes of health care while trying to maintain patient privacy."
In addition to Eagle and Kline-Rogers, the study's authors are David Armstrong, a Cornell University student who performed much of the data gathering and analysis; Sandeep Jani, Jianming Fang, M.D., Anchal Sud, Krishna Rangarjan, Shaneen Doctor, Bruce C. Rogers, and Debra Smith.