Sunday, November 18, 2007

Impact of HIPAA on US Medical / Public Health Research

Interesting article in Science this week reporting on a study in JAMA on the impact of the HIPAA Privacy Rule on epidemiological researchers:

About 68% said the Privacy Rule has made research a great deal more difficult; half reported major delays; and nearly 40% faced much higher costs (see table). Only one-quarter said the rule has greatly improved confidentiality. Of those who modified a protocol to comply with HIPAA, two-thirds said it was much harder to recruit subjects.

The article goes on to talk about how the impacts come not just from the actual rule, but from uncertainty about how to apply the rule and, of course, cautiousness (risk-aversion).

For those who follow the micro-level of cyber security policy, this is not surprising but is always worth paying attention to. The impact of cyber security policy is not just felt in the rule itself, but in uncertainty regarding how far to take it and the over-cautiousness some rules and organizational relationships seem to impart.

Obviously, we want end users and developers to be aware of the risks they face, but in a research environment, this kind of uncertainty can have a direct impact on innovation and effective research.

