Friday, June 15, 2012
Katherine Baicker & Amitabh Chandra, The Health Care Jobs Fallacy, NEJM
David Hyman et al, Does Tort Reform Affect Physician Supply? Evidence from Texas, SSRN
Bradley Areheart, GINA, Privacy, and Antisubordination, SSRN/Georgia L.Rev.
Jack Balkin, From Off the Wall to On the Wall: How the Mandate Challenge Went Mainstream, The Atlantic
Wednesday, June 13, 2012
Guest Blogger Leslie Francis - Approving Research with Large Sets of Patient Data: the Puzzling Use of Paradigms from Contract Law
As a long-term IRB member at my institution, I have observed many IRB members stumble over a perplexing word in the Federal Regulations governing research with human subjects: “practicably.” According to the Regulations, one of the criteria for approving a waiver or alteration of informed consent is that the research could not be “practicably” carried out if IC were required. (45 C.F.R. § 46.116(c) (2012).) “Impractical,” IRB members think the word should be, and that’s how my IRB anyway tends to understand it in discussing whether proposed research studies come within the purview of the rule. But I’m a contracts professor, too—familiar with explaining to my students the difference between “impractical” and “impracticability” as a defense to contractual obligations. That keeping contractual obligations would be hard, or even very hard—very, very clearly damaging, expensive, and certainly not prudential or cost-effective—is not enough for the defense. To meet the standards for the impracticability defense, the party claiming it must show that circumstances have changed, in a manner that could not have been anticipated at the time the contract was made, and that the change goes to a fundamental assumption of the contract.
Here is a typical kind of example for which IRBs are asked to consider waiver of informed consent. A researcher wishes to engage in retrospective analysis of data collected in patient care, to ascertain the comparative (or cost) effectiveness of a particular form of patient management. The research itself might be quite benign—for example, effect on patient outcome of time to the administration of an antimicrobial to a febrile infant presenting in an emergency department. Patient records are readily available—and for some reason connected with the research question (e.g. interest in linking outpatient and inpatient data), the researcher needs to use data that have not been de-identified to HIPAA standards. The data set needed for analysis may be quite large: hundreds, or even thousands of patient records. The patients themselves are not readily available: they may have moved, been lost to follow up, or even died. In any event, seeking informed consent from each of them would be very, very expensive and time-consuming—far more so than the benefits of the research seem likely to be. And studies might be biased if certain sub-groups are more difficult to contact or more likely to refuse to allow information about them to be used. The researcher describes security and confidentiality protections for the data that, if followed, would be adequate; and there is little reason to think that people might have principled reasons for opposing the research. So, the IRB reasons, a waiver of IC is permissible for this research: it would not be practical for the researcher to obtain IC, and if an IC requirement were imposed, the research (which might after all yield important results) would not be carried out.
Monday, June 11, 2012
With the Supreme Court's decision on the constitutionality of the Affordable Care Act just around the corner, many of us are turning our thoughts to the different possible outcomes and what they will mean, not only to the health care reform movement, but also to the role of Congress, the Supreme Court and basic notions of federalism.
Alice Noble and Mary Ann Chirba, both of the Boston College School of Law, have posted a very helpful entry over at the Health Affairs Blog called The Supreme Court on the Affordable Care Act: What We Are Waiting For? In this post, the authors provide a very cogent summary of the cases that are pending before the Court, as well as an excellent overview of the issues, including the constitutionality of ACA's minimum coverage provision, or the "individual mandate," the severability of the other ACA provisions if the individual mandate is struck down, the Anti-Injunction Act bar, and the Medicaid expansion provisions.
What I particularly enjoy about Professors Noble and Chirba's post are the flow charts that they provide, here and here, that describe the various outcomes that are possible depending on how the Supreme Court rules on each of the above listed issues.
I do not usually tell personal stories in scholarship, but this is a blog, and I’m experimenting! I hope my story will be of more general interest, especially to those of you who are following the tsunami of enthusiasm for health information technology and exchange. I am deeply concerned about the security and privacy issues raised by many of the types of data flows that are occurring (often of identifiable information), especially under the rubric of “treatment, payment, and health care operations” (TPO). TPO uses and disclosures are permitted without patient authorization under HIPAA—and, at least until final rules are issued under the HITECH Act, do not need to be included in any required accounting to patients of uses and disclosures of their protected health information.
So here’s the story. Some of my protected health information was recently included in what is right now listed as the largest data breach (of many very large data breaches) to date so far in 2012. In March 2012, records of some 780,000 persons, including Social Security numbers of over 250,000, were downloaded from a server at the Utah Department of Health to somewhere in Eastern Europe. An employee had failed to set a password with sufficient strength, leaving the server vulnerable to outside attack. These were records of patients on Medicaid, children on the state’s CHIP program, and persons about whom a provider had made an inquiry about Medicaid eligibility. All that the public knows about where the data went—the investigation may of course have revealed more—is that it was downloaded somewhere in Eastern Europe and the assumption is that it was done by cyber-criminals. I learned that my information—my name and Social Security number, and I don’t actually know what else—was included in the breach because I was sent a letter from the Health Department. As “compensation,” I have been offered (and accepted) one year of free credit monitoring—hardly likely to be effective if a sophisticated criminal knows to wait a year before using the downloaded information.
So how, I asked, was my protected health information on a server at Utah’s health department? Other than having chaired the state’s Health Data Committee until July 2011, I had no connection with the Health Department. I am not on Medicaid, nor is there any reason for any provider to believe I might be likely to be eligible for Medicaid. If I hadn’t received the letter from the Health Department (and it was not sent certified mail, or with any indication that any special information was included in it), I never would have guessed that I was at risk in the breach.
Here’s how—at least as far as I can tell. As HIPAA permits, I have asked for accountings of disclosures of my health information from any provider I have seen during the time frame in question—from dentist to primary care physician. Only one so far has refused to give me the requested information, including information about disclosures for TPO: a hospital owned by the for-profit IASIS chain, at which I received a routine mammogram some 6 months before the breach. Any inquiries about Medicaid eligibility, they said, were TPO—so at least for now did not need to be included in a request for an accounting. So I cannot confirm that it was that facility. But by process of elimination (and there wasn’t much to eliminate; I’m pretty boring, health-wise), it looks like the only candidate. And it’s the candidate responsible for supplying the Health Department with the largest number of records involved in the breach.