Privacy’s death toll

A new look at the Vioxx debacle suggests that HIPAA’s privacy regime may have contributed to 90 thousand unnecessary heart attacks and 25 thousand premature deaths.

Vioxx, the non-steroidal anti-inflammatory drug once prescribed for arthritis, was on the market for over five years before it was withdrawn from the market in 2004. Though a group of small-scale studies had found a correlation between Vioxx and increased risk of heart attack, the FDA did not have convincing evidence until it completed its own analysis of 1.4 million Kaiser Permanente HMO members. By the time Vioxx was pulled, it had caused between 88,000 and 139,000 unnecessary heart attacks, and 27,000-55,000 avoidable deaths.

The Vioxx debacle is a haunting illustration of the importance of large-scale data research….If researchers had had access to 7 million longitudinal patient records, a statistically significant relationship between Vioxx and heart attack would have been revealed in under three years. If researchers had had access to 100 million longitudinal patient records, the relationship would have been discovered in just three months….

These are the consequences of HIPAA’s overcautious privacy rules. HIPAA allows health providers and insurers to release patient health information for research use only if the researcher enters into contractual agreements with each individual data-holder or if the data complies with HIPAA’s deidentification standards.

Read the whole thing at Info/Law.  It’s got the full privacy regulatory cock-up, including policymaking driven by publicity stunt and unintended regulatory consequences that are as serious as a heart attack.  Literally.

Still, I suppose it’s nice to know that medical humor is so easily updated: “The privacy regime was successful; unfortunately it killed the beneficiaries.”