We put the money that we do not spend in the bank—not under the mattress or in a hole in the back yard. We are not bankers, and neither of the authors has any special expertise in economics or bank regulation. Sometime early in childhood, however, we learned to believe that the bank would safeguard every penny, would pay a modest rate of interest, and would give our money back to us on request. Eventually (probably by watching Jimmy Stewart save the Bailey Savings and Loan each Christmas), we figured out that our money is not in the vault and that people who receive loans are being given "our" money. At some level, we recognized that by collecting and circulating the money of significant numbers of people, banks provided the critical infrastructure for a sound and fluid economy. At some level we recognized that our money is the lifeblood of the US economy. The US economy is a system in which a public good is created and sustained while protecting the very personal financial interests of the individuals whose investments are a critical component of the economy.
This chapter is not about the economy, but it is about something that is just as vital to our quality of life: the epidemiologic and outcomes research that sustains quality and fuels innovation in our health care system. Information is the lifeblood of twenty-first century health care, whether the information and analyses that researchers provide clinicians and public health officials, or information about individuals' health and health care made available to researchers for analysis. However, we lack a model or metaphor that enables ordinary citizens to appreciate the critical role played by their health information—maintained and used in confidence—for sustaining quality and innovation in our health care system.
The new US privacy regulations, promulgated by the Department of Health and Human Services,1 were authorized as part of the ''administrative
1 Department of Health and Human Services, Standards for Privacy of Individually Identifiable Health Information, 65 Federal Register 82 463 (Dec. 28, 2000) hereinafter "privacy regulations", adding parts 160 and 164 to Title 45 of the Code of Federal Regulations ("CFR").
Pharmacovigilance. Edited by R.D. Mann and E.B. Andrews © 2002 John Wiley & Sons, Ltd ISBN: 0-471-49441-0
simplification'' section of the Health Insurance Portability and Accountability Act (HIPAA).2 They establish the infrastructure for protecting individuals' personal privacy interests while "banking" their medical information to make it available for determining their course of treatment and for administration health benefits. With respect to research, however, and particularly with respect to epidemiology and outcomes research, the approach to individual privacy taken by this regulation (and by most state laws affecting research) is comparable to telling each individual to protect his or her financial interests by stuffing money in a mattress or digging a hole, and lending very, very carefully.3 The HIPAA approach to data-only research is irrevocably, and we argue, mistakenly, rooted in the authorization of each individual for each research use of his or her health information.4 The same is true of the European Union's Data Privacy Directive5 although the Directive arguably allows for more flexibility in implementation than the HIPAA regulations. The consent/authorization model is grounded in a system of ethics that values autonomy over community.6 Given the level of debate that has characterized virtually all of the public policy discussion of how to achieve the objective of both privacy and sound epidemio-logic and outcomes research, an analysis grounded in autonomy seems little more than a natural
2Pub. L. No. 104-191 (Aug. 21, 1996), amending the Social Security Act ("SSA") by adding Part C of Subchapter XI, codified at 42 U.S.C. §§ 1320d et seq. ("HIPAA").
3 By comparison, the laws for protecting our personal financial interests from banking risks appear to build on a recognition that it is possible to create something good for our society by collecting and investing money, while protecting individuals' interests by insuring deposits and establishing strong incentives for banks to comply with strict regulations.
4 As discussed more fully below, the regulation establishes specific criteria that a committee, after debating the relative value of the specific research proposal and the privacy risk to the individual, may apply to decide whether or not to waive individual consent as to the specific research project. 45 C.F.R. § 164.514(b)(1).
5 European Union Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. July 25, 1995. http:// www.ecommerce.gov/eudir.htm
6 See Barefoot (1998) (describing the argument that respect for individual autonomy demands a consent/authorization model, even when there is a societal need for access to personal health information).
outgrowth of American individualism. As discussed more fully below, with respect to archival or records research, a consent-based model is entirely unsuited to protecting individuals' privacy interests. This chapter reviews the roots of the current regulatory approach and offers preliminary thoughts regarding the parameters of a model more suited to protecting the privacy interests of individuals while encouraging the secure use of medical archives in epidemiologic and outcomes research.
Was this article helpful?