Search tips
Search criteria 


Logo of jopHomeThis ArticleASCO JOPSearchSubmitASCO JOP Homepage
J Oncol Pract. 2009 September; 5(5): 259–260.
PMCID: PMC2790655

The Health Insurance Portability and Accountability Act Privacy Rule and Its Impact on Cancer Research

Increasing reliance on electronic health records by health care providers over the past decade has heightened public sensitivity to the security of identifiable health information. With this in mind, the US Department of Health and Human Services (HHS) implemented the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in 2003. Members of ASCO had similar concerns for the privacy of their patients but also worried that the new regulations would interfere with conduct of cancer research.

Five years later, ASCO's Cancer Research Committee revisited implementation of the Privacy Rule. Committee members had experienced substantial changes in research conduct over the tenure of the Privacy Rule. They struggled with understanding the breadth of the intended directives of the rule and noted similar debates among researchers and compliance officers at their own institutions. Under the guidance of the committee, ASCO conducted a series of interviews to develop qualitative data concerning impact of the Privacy Rule requirements on research. Results of the study,1 detailed in the August 20, 2009, issue of Journal of Clinical Oncology, verify concerns posited by the committee and offer advice to the HHS Office of Civil Rights (OCR) as it considers revisions to regulation and guidance documents. Richard L. Schilsky, MD, immediate past president of ASCO and member of the study team, said, “The findings are particularly important regarding our ability to conduct the biospecimen-based research that is critical for advancing research to develop personalized cancer care.” The ASCO study provides data to guide efforts to promote ethical research and advocate for patient privacy. This work has led to recognition of ASCO as a leader in the national discussion on the Privacy Rule.

Context of the ASCO Study

The Privacy Rule adds privacy requirements to those specified under the US Common Rule, which applies to federally funded research.2 In a recent commentary, Sharyl Nass, PhD, coordinator of Institute of Medicine (IOM) Privacy Rule efforts, noted, “Marked differences between the Privacy Rule and the Common Rule are confusing and lead to inconsistent oversight of research.”3 Despite strong public expressions of concern about impact on research, HHS implemented this rule in April 2003. In spring 2006, the ASCO Board of Directors, at the recommendation of its Translational Research Task Force, directed the Cancer Research Committee to collect data to measure impact of HIPAA on clinical cancer research. Schilsky was incoming chair of the Cancer Research Committee and worked to shape the study that led to the JCO report.1

ASCO Study

Schilsky and Sandra Horning, MD, past president of ASCO, chaired a roundtable meeting in February 2007 to identify Privacy Rule concerns particular to cancer research. The results of that discussion informed development of ASCO's qualitative interview study. Three final scenarios involving studies of cancer survivors, familial cancer syndromes, and creation and use of data and biospecimen repositories were chosen for distribution to interviewees. In spring 2008, ASCO conducted structured interviews with investigators and compliance officials in 13 research settings to ascertain differences in approach to Privacy Rule compliance. The settings differed in size, environment (eg, academic institution, physician office, and so on), and geography. Results confirmed that the scenarios yielded difficult implementation concerns, and participants' understanding of HIPAA requirements varied widely, both between investigators and compliance officials and across research sites. In her August 20, 2009, editorial in JCO, Horning expressed her concerns about striking inconsistencies in institutional approaches to HIPAA implementation and the impact on multisite research.4

The study conclusions shed light on ways that ASCO could help its members overcome barriers in HIPAA compliance. Researchers and compliance officials alike requested additional guidance in scenario areas: patient and family contact for genetic studies, data and biospecimen repository use and creation, and survivorship study participation. Additionally, participants recognized opportunities for improvement in compliance education, consultation with compliance officials in early stages of trial development, and documentation of best practices.1 Moving forward, ASCO intends to help foster effective approaches to Privacy Rule implementation. Regarding tissue repository creation, Schilsky recognizes room for improvement in developing protocols. “It is preferable to ask patients for consent to use their specimens for ‘future cancer research’ so that we can have flexibility to pursue the science wherever it leads. My institution is comfortable including such language in authorization forms; however, some institutions and practices approach compliance more conservatively. It is important for ASCO to work with the regulatory and research communities to ensure that we can facilitate research through appropriate informed patient consent.”

IOM Report

Concurrent with ASCO's research, the IOM convened a committee to initiate a study documenting effects of HIPAA on research. It commissioned studies and focus groups in a broad range of research areas to complement existing literature. ASCO provided financial support for the project and contributed findings from its own qualitative, evidence-based investigation. Horning participated on the IOM study committee and provided a perspective unique to the field of cancer research. The IOM report5 was released in February 2009. It concludes that the Privacy Rule fails to protect patients' health information and harms integrity of research by inflicting unnecessary financial and time burdens on institutions, causing selection bias in trial participation and substantially slowing or altogether barring approval of new studies. It also notes the Privacy Rule's failure “to reassure the public that privacy protections are being met … causes harm to research, since clinical trial participation is largely reliant on public confidence in the existence of protected privacy and confidentiality.”

The IOM report5 provides two sets of recommendations. First, it proposes the adoption of a new framework for protecting privacy, under which research activities are exempt from the Privacy Rule. Instead, interventional, patient-oriented clinical research would be governed by institutional review boards (IRBs) according to Common Rule requirements, regardless of funding source. Information-based health research (analysis of medical records and stored biologic samples) would be governed locally by federally certified ethical review boards. If policymakers opt to preserve Privacy Rule requirements for research, the alternate recommendations include opportunities to revise the Privacy Rule, expand and revise federally issued guidance documents, resolve inconsistencies between the Privacy and Common Rules, and highlight best practices in compliance.

ASCO Regulatory and Legislative Activities

A portion of the Obama administration's focus on health care reform is devoted to federal promotion of health information technology (HIT) and comparative effectiveness research. The allocation of $20 billion to HIT in the 2009 stimulus package includes a provision to tighten protected health information security by extending organizations that must comply with HIPAA.3,6 As a result, OCR must revise HIPAA regulations. Although the provisions in the stimulus bill do not address Privacy Rule implementation issues uncovered by the ASCO study1 and IOM committee,5 they create opportunity for regulatory revisions and general discussion.

The Secretary's Advisory Committee on Human Research Protections discussed the IOM report5 at its March 2009 meeting. Committee members approved a motion to recommend that HHS harmonize “those aspects of the Common Rule, FDA regulations, and the provisions of the HIPAA privacy rule that govern access to and use of individualized health information and data.”7 Members introduced the possibility that OCR could defer to IRB review for research involving biospecimens stored in biorepositories. ASCO submitted a follow-up letter encouraging OCR to adopt this policy, noting importance of biospecimen access for discoveries in targeted cancer therapies. ASCO has also been working with Senators Edward Kennedy (D-MA) and Kay Bailey Hutchison (R-TX) on a provision in their 21st Century Cancer ALERT (Access to Life-Saving Early Detection, Research, and Treatment) Act8 that would direct HHS to harmonize HIPAA and the Common Rule. While pursing changes to HIPAA, ASCO is engaging with regulatory agencies and research organizations to promote effective approaches to Privacy Rule implementation. The timely confluence of study publications and policy debates in 2009 has allowed ASCO to engage regulatory agencies, Congress, and the research community in multifaceted discussions. Safeguarding patient privacy and advancing cancer care through ethical research are at the forefront of ASCO's agenda. ASCO is proud to be a national leader in regulatory and legislative activities related to improving implementation of the Privacy Rule and the efficiency and effectiveness of research.

Amid struggles with HIPAA compliance, cancer researchers and research advocates can find comfort in the strength and generosity of patients opting to participate in clinical research. Michael Link, MD, member of the ASCO Cancer Research Committee, said, “In my experience, patients and families generally want to participate in research because they realize the potential benefits for them and future cancer patients. It is very frustrating that inefficient and ineffective policies get in the way of a genuine willingness to be involved. That is why it is so important for ASCO to be engaged in this effort.”


1. Goss E, Link MP, Bruinooge SS, et al: The impact of the Privacy Rule on cancer research: Variations in attitudes and application of regulatory standards. J Clin Oncol 27:4014-4020, 2009. [PubMed]
2. Public Welfare: Department of Health and Human Serivces—Protection of Human Subjects, 45 USC, §46.101-46.124 (1999)
3. Gostin LO, Nass S: Reforming the HIPAA Privacy Rule: Safeguarding privacy and promoting research. JAMA 301:1373-1375, 2009. [PubMed]
4. Horning SJ: Cancer research and privacy: The problem with being joined at the hip. J Clin Oncol 27:3879-3880, 2009. [PubMed]
5. Institute of Medicine: Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC, National Academies Press, 2009 [PubMed]
6. Pub L No. 111-5, 123 Stat 115
7. Office for Human Research Protections: SACHRP March 3-4, 2009, meeting minutes.
8. 21st Century Cancer ALERT (Access to Life-Saving Early Detection, Research, and Treatment) Act, S 717, 111 Cong (2009-2010)

Articles from Journal of Oncology Practice are provided here courtesy of American Society of Clinical Oncology