June 15, 2012
Worth Reading This Week
Katherine Baicker & Amitabh Chandra, The Health Care Jobs Fallacy, NEJM
David Hyman et al, Does Tort Reform Affect Physician Supply? Evidence from Texas, SSRN
Bradley Areheart, GINA, Privacy, and Antisubordination, SSRN/Georgia L.Rev.
Jack Balkin, From Off the Wall to On the Wall: How the Mandate Challenge Went Mainstream, The Atlantic
June 13, 2012
Guest Blogger Leslie Francis - Approving Research with Large Sets of Patient Data: the Puzzling Use of Paradigms from Contract Law
As a long-term IRB member at my institution, I have observed many IRB members stumble over a perplexing word in the Federal Regulations governing research with human subjects: “practicably.” According to the Regulations, one of the criteria for approving a waiver or alteration of informed consent is that the research could not be “practicably” carried out if IC were required. (45 C.F.R. § 46.116(c) (2012).) “Impractical,” IRB members think the word should be, and that’s how my IRB anyway tends to understand it in discussing whether proposed research studies come within the purview of the rule. But I’m a contracts professor, too—familiar with explaining to my students the difference between “impractical” and “impracticability” as a defense to contractual obligations. That keeping contractual obligations would be hard, or even very hard—very, very clearly damaging, expensive, and certainly not prudential or cost-effective—is not enough for the defense. To meet the standards for the impracticability defense, the party claiming it must show that circumstances have changed, in a manner that could not have been anticipated at the time the contract was made, and that the change goes to a fundamental assumption of the contract.
Here is a typical kind of example for which IRBs are asked to consider waiver of informed consent. A researcher wishes to engage in retrospective analysis of data collected in patient care, to ascertain the comparative (or cost) effectiveness of a particular form of patient management. The research itself might be quite benign—for example, effect on patient outcome of time to the administration of an antimicrobial to a febrile infant presenting in an emergency department. Patient records are readily available—and for some reason connected with the research question (e.g. interest in linking outpatient and inpatient data), the researcher needs to use data that have not been de-identified to HIPAA standards. The data set needed for analysis may be quite large: hundreds, or even thousands of patient records. The patients themselves are not readily available: they may have moved, been lost to follow up, or even died. In any event, seeking informed consent from each of them would be very, very expensive and time-consuming—far more so than the benefits of the research seem likely to be. And studies might be biased if certain sub-groups are more difficult to contact or more likely to refuse to allow information about them to be used. The researcher describes security and confidentiality protections for the data that, if followed, would be adequate; and there is little reason to think that people might have principled reasons for opposing the research. So, the IRB reasons a waiver of IC is permissible for this research: it would not be practical for the researcher to obtain IC, and if an IC requirement were imposed, the research (which might after all yield important results) would not be carried out.
This is practicality, yes—but is it “practicability”? In contract law terms, probably not. For purposes of the contract law defense, the questions put to the IRB would be quite different. They would not just be how difficult, or expensive, or time-consuming it would be to obtain IC in order for the research to take place. If contract law “impracticability” is the issue, IRBs should also be asking what the parties—patient and provider—understood about data use at the time of treatment, whether the need for use of data in research was or could have been understood at the time, whether circumstances have changed since the time of the treatment, and whether these changes go to basic assumptions of the contractual/treatment relationship. Perhaps answers to these questions would favor an impracticability finding for the use of data obtained in care many years ago, but it seems unlikely that the possibility of using data in research would not be anticipated today, at least by contemporary health care providers. At least, this is so if a relatively general understanding such as the following is sufficient: “we might wish to use information gained in your treatment for research about treatments for your condition, including comparative effectiveness or cost-effectiveness studies.” So it would seem that there will be few cases of research for which the contract law impracticability standard can be met. The most likely cases would be ones in which radically different types of research emerge, ones that could not have been anticipated at the time of treatment (and ones that challenge basic assumptions about the treatment relationship at the time it occurred). Several possible candidates come to mind: the role of genetic (and epigenetic) information and the possibilities of stem-cell research. But these are types of research given particular scrutiny on other grounds—not the ordinary types of informational research for which IC waivers are sought.
Another disanalogy with contract law is also apparent here. “Waivers” of contractual conditions or terms are for the parties themselves in the first instance. For someone else to exercise a waiver, there would need to be some basis—for example, actual, implied, or apparent authority to act on behalf of the principal. Under the Federal Regulations, however, waiver authority is given to the IRB on the theory that the IRB will adequately protect the interests of research subjects. IRBs may indeed provide such protection; my only point here is that this is not how contract law would approach the problem at all. I do not know why “practicability” was the term chosen in drafting the Federal Regulations. (I’ve thought about this as a research project, and made some preliminary inquiries without success as yet.) I do know, however, that use of the models of impracticability and waiver from contract law draws on a paradigm that is potentially significantly misleading in the context in which it is used. Contract law is, first and foremost, about individual voluntary arrangements, and the protection of expectations created therein—at least, that’s the opening line I offer my students, with many criticisms to come about the importance of protection from coercion or undue influence, the importance of reliance, and the relevance of economic inequality. If so, use of the paradigms from contract law suggests an approach to informational research in terms of the voluntary arrangements of the parties. The doctrine of waiver is initially in line with this—it rests on a background assumption of the need for individual IC—but departs from it by permitting a third party (however trustworthy) to perform the waiver on anyone’s behalf. I don’t, actually, think that the appropriate paradigm for approaching informational research is a model drawn from the law of voluntary agreements. 
In this, I am sympathetic to the concern in last fall’s ANPRM about the Common Rule that the current regulations are not a good fit for much informational research. The approach suggested in the ANPRM, however, of a separate review process simply emphasizing security and confidentiality protection and dispensing with IC altogether, also seems misguided. There are important ethical questions to be asked beyond security and confidentiality protections, about permissible uses of patient information, discussions with patients and patient expectations, community benefits from data use, and just distribution of these benefits, among other questions, that so far have not been fully explored in discussion of the use of large sets of patient data for informational research.
June 11, 2012
Some good writing by Nina Bernstein in the NY Times, here, weaving a story about a Brooklyn hospital around ACA initiatives; "the economic pressure to care differently for more people at lower cost is irreversible." [NPT]
The Supreme Court on the Affordable Care Act: What We Are Waiting For?
With the Supreme Court's decision on the constitutionality of the Affordable Care Act just around the corner, many of us are turning our thoughts to the different possible outcomes and what they will mean, not only to the health care reform movement, but also to the role of Congress, the Supreme Court and basic notions of federalism.
Alice Noble and Mary Ann Chirba, both of the Boston College School of Law, have posted a very helpful entry over at the Health Affairs Blog called The Supreme Court on the Affordable Care Act: What We Are Waiting For? In this post, the authors provide a very cogent summary of the cases that are pending before the Court, as well as an excellent overview of the issues, including the constitutionality of ACA's minimum coverage provision, or the "individual mandate," the severability of the other ACA provisions if the individual mandate is struck down, the Anti-Injunction Act bar, and the Medicaid expansion provisions.
What I particularly enjoy about Professors Noble and Chirba's post are the flow charts that they provide, here and here, that describe the various outcomes that are possible depending on how the Supreme Court rules on each of the above listed issues.
Guest Blogger Professor Leslie Francis: Privacy Violations from TPO Uses of Health Data
I do not usually tell personal stories in scholarship, but this is a blog, and I’m experimenting! I hope my story will be of more general interest, especially to those of you who are following the tsunami of enthusiasm for health information technology and exchange. I am deeply concerned about the security and privacy issues raised by many of the types of data flows that are occurring (often of identifiable information), especially under the rubric of “treatment, payment, and health care operations” (TPO). TPO uses and disclosures are permitted without patient authorization under HIPAA—and, at least until final rules are issued under the HITECH Act, do not need to be included in any required accounting to patients of uses and disclosures of their protected health information.
So here’s the story. Some of my protected health information was recently included in what is right now listed as the largest data breach (of many very large data breaches) to date so far in 2012. In March 2012, records of some 780,000 persons, including Social Security numbers of over 250,000, were downloaded from a server at the Utah Department of Health to somewhere in Eastern Europe. An employee had failed to set a password with sufficient strength, leaving the server vulnerable to outside attack. These were records of patients on Medicaid, children on the state’s CHIP program, and persons about whom a provider had made an inquiry about Medicaid eligibility. All that the public knows about where the data went—the investigation may of course have revealed more—is that it was downloaded somewhere in Eastern Europe and the assumption is that it was done by cyber-criminals. I learned that my information—my name and Social Security number, and I don’t actually know what else—was included in the breach because I was sent a letter from the Health Department. As “compensation,” I have been offered (and accepted) one year of free credit monitoring—hardly likely to be effective if a sophisticated criminal knows to wait a year before using the downloaded information.
So how, I asked, was my protected health information on a server at Utah’s health department? Other than having chaired the state’s Health Data Committee until July 2011, I had no connection with the health Department. I am not on Medicaid, nor is there any reason for any provider to believe I might be likely to be eligible for Medicaid. If I hadn’t received the letter from the Health Department (and it was not sent certified mail, or with any indication that any special information was included in it), I never would have guessed that I was at risk in the breach.
Here’s how—at least as far as I can tell. As HIPAA permits, I have asked for accountings of disclosures of my health information from any provider I have seen during the time frame in question—from dentist to primary care physician. Only one so far has refused to give me the requested information, including information about disclosures for TPO: a hospital owned by the for-profit IASIS chain, at which I received a routine mammogram some 6 months before the breach. Any inquiries about Medicaid eligibility, they said, were TPO—so at least for now did not need to be included in a request for an accounting. So I cannot confirm that it was that facility. But by process of elimination (and there wasn’t much to eliminate; I’m pretty boring, health-wise), it looks like the only candidate. And it’s the candidate responsible for supplying the Health Department with the largest number of records involved in the breach.
There’s more. Apparently this hospital routinely inquires about the possibility that patients in the facility might be Medicaid-eligible. They do this, their representative told me helpfully, because they want to protect the patients from bills that they cannot pay. And they do this about patients for whom they have full payment information on file—in my case, insurance numbers indicating that I was double covered by the University of Utah, and would thus have no co-pays. Here’s what their letter to me said: “[Hospital]’s processes and procedures for querying the state for Medicaid coverage on patients who have presented with a primary insurance is comparable to other hospitals and health systems across the country. It is the Hospital’s practice to verify if certain patients, who may have private insurance, would also be eligible for supplemental coverage through the state Medicaid program. There are a significant number of Utah residents who are covered by Medicaid who are not aware they have this coverage.” Given that they knew I had both my own and my husband’s coverage, I remain mystified by why they thought I might also be Medicaid-eligible. Perhaps their practice is to routinely make this inquiry about every patient, which is why they were such a large source of the health information involved in the breach. If this is national practice, it might come as a surprise to many.
And there’s more. As they are required to do, the hospital has a Notice of Privacy Practices (NPP). Under 45 CFR 164.520(b)(1)(ii), the NPP must provide at least one example of uses and disclosures for TPO, and must "include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law." Here’s what the NPP actually says: “Treatment includes sharing information among health care providers involved with your care. For example, your physician may share information about your condition with the pharmacist to discuss appropriate medications, or with radiologists or other consultants in order to make a diagnosis. The Hospital may use your medical information as required by your insurer or HMO to obtain payment for your treatment and hospital visit. We also may use and disclose your medical information to improve the quality of care (e.g., for review and training purposes)." An inquiry about Medicaid eligibility was hardly “required by my user or HMO to obtain payment.” I think this is arguably a HIPAA violation as it does not provide anyone with sufficient detail to place them on notice that inquiries about Medicaid or for that matter any other insurance eligibility just might be hospital practice. I’m also mulling the argument that it might be sufficiently misleading—and it certainly put many at risk of harm, although of course it was the Health Department that kept the information for too long and failed to set a password with adequate strength—to constitute an unfair trade practice under the FTC Act.
I am of course reasonably sophisticated about such matters and hopefully also sensible enough to be able to protect myself from identity theft. But I am very concerned about the many others in Utah who may not have a clue that they were included in this data breach. Anyone who has moved and didn’t get the Health Department letter, for example, might easily assume the breach doesn’t apply to them. It has been publicized as a breach about Medicaid and S-CHIP patients, and about patients for whom eligibility inquiries were made. But I don’t think most people would assume that these inquiries are routine, even when they are known to have coverage. The breach is especially worrying because many of the patients involved were children, without credit histories to monitor and without perhaps even the knowledge that they might need to take protective steps at some future time. I’m complaining from a position of privilege, insurance-wise—but part of what is so offensive to me about the breach, the state’s response, and the hospital’s actions is that many of the people involved are not as privileged or as knowledgeable as I am.
For those interested in some first-rate reporting about the breach, Kirsten Stewart’s stories in the Salt Lake Tribune are well worth reading—they are on LexisNexis.