THURSDAY, Feb. 5, 2009 (HealthDay News) -- The privacy of Americans' personal health information isn't adequately protected by existing federal government regulation, according to an Institute of Medicine report.
The Health Insurance Portability and Accountability Act (HIPAA) privacy rule also hinders important health research, the report's authors said. They called on Congress to approve the development of an entirely new approach to protecting personal health information in research, separate from the privacy rule.
In a new approach, privacy, data security, and accountability standards should be applied uniformly to information used in all health-related research, regardless of who funds or conducts the research, the report found. If lawmakers decide to continue with the current rule to protect privacy, they should make changes to improve the rule and government guidance on how to comply with it.
The report also noted that security breaches of health information databases are a growing problem, and all institutions conducting health research need to strengthen their data protection. For example, encryption should be required for all laptops, flash drives, and other portable media that can be lost or stolen.
The HIPAA privacy rule regulates permitted uses and disclosures of personally identifiable health information by health plans, health care providers, and other agencies and institutions. The goal is to protect patients' health information while allowing a necessary flow of data to promote high-quality health care and research.
But the privacy rule conflicts with other federal regulations governing research involving people and their personally identifiable information. In addition, there's wide variation in how organizations that collect and use health data interpret and follow the rule, and the rule doesn't apply uniformly to all health research, said the Institute of Medicine report.
"We believe there is synergy between the goals of safeguarding privacy and enhancing health research and that it is critically important to our nation's health to strengthen privacy protections and still facilitate research," report committee chair Lawrence O. Gostin, a professor of law and director of the O'Neill Institute for National and Global Health Law, Georgetown University Law Center, Washington, D.C., said in a National Academy of Sciences news release.
"Our recommendations aim to boost regulations and practices that effectively protect personally identifiable health information, while changing provisions of the HIPAA privacy rule or its interpretation that have proved to be ineffective," Gostin said.
The U.S. National Institutes of Health has more about the use of personal health information for research.