Think of the archetype Western movie. Beleaguered town folk out of desperation ask a nefarious character to restore law and order. While a few residents have concerns about the new sheriff, most are satisfied with getting somebody, anybody for protection. What inevitably happens is that the peacekeeper ends up accruing power until he’s created a fiefdom of fear. Enter Clint Eastwood, Gary Cooper, or some other hip sharpshooter to clean things up before riding away into the sunset.

The U.S. Congress created the Health Insurance Portability and Protection Act (HIPAA) in 1996. It had two major auspices: to extend health insurance availability and to bring stability to the increasingly vulnerable asset of health care data security. The second charge for HIPAA emanated from the advent and subsequent growth of the internet, which created numerous problems in how health information was kept private. Hence the clarion calls for Congress to do something, anything to provide protection. Sure enough in time HIPAA’s scope grew well beyond its original purposes and gave birth to a new cottage industry for compliance to all of the myriad interpretations of that law.

More and More Constraints

So what are we left with? Aside from the mounds of additional paperwork, and a new acronym (PHI), HIPAA has resulted in a vise-like grip on how research data are utilized. Nowhere is the absurdity more apparent than in studies using observational data from a large population. How can there be a serious security problem with a data set of 100,000 patients that contains no names, SSNs, or hospital identifiers?

The steps that must be taken to appease internal regulators such as IRBs include jiggering all dates, truncating age at 90, and eliminating virtually any information that would allow researchers to link their data with a second source of information, among myriad other rules. This makes linking data from acute care studies with information on outcomes post-discharge from the hospital exceptionally difficult. Worst, the smallest infraction can lead to criminal charges.

Like the villain in a Western movie, HIPAA promised security but ended up morphing into something radically different. But unlike the Western movie, there is no hero willing to come in and clean things up.