The Health Insurance Portability and Accountability Act (HIPAA) is inadequate for protecting privacy and also stymies research, as access to patient health information is vital for making medical advances, according to a new report from the National Academy of Sciences' Institute of Medicine (IOM).
The report, titled “Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research,” suggests that privacy protection in research should not be governed by current HIPAA privacy rules. Rather, a new approach should be tried, one involving improved privacy, data security and accountability standards for all health research, regardless of who pays for it or conducts the research.
“We believe there is synergy between the goals of safeguarding privacy and enhancing health research and that it is critically important to our nation's health to strengthen privacy protections and still facilitate research,” said Lawrence Gostin, professor of law at Georgetown University in Washington, D.C., in a statement. “Our recommendations aim to boost regulations and practices that effectively protect personally identifiable health information, while changing provisions of the HIPAA Privacy Rule or its interpretations that have proved to be ineffective.”
The IOM report recommends that Congress authorize the U.S. Department of Health and Human Services and other relevant federal agencies to develop a unique framework applicable to all health research in the United States, apart from the HIPAA rules.
In addition, the report urges all institutions conducting health research to strengthen their data protection. Security breaches are a growing concern as the United States shifts to building health information systems and databases. Among other recommendations, the IOM also said that encryption should be required for all laptops, flash drives, and other portable media containing health records.