Abstract
PURPOSE We wanted to explore potential effects of the Health Insurance Portability and Accountability Act (HIPAA) on research activities of practice-based research networks (PBRNs).
METHODS To understand the approaches PBRNs are using to advance their research while adhering to HIPAA standards, we combined a literature review, our experiences, and discussions with local HIPAA officers, PBRN researchers in the United States, and individuals involved in drafting HIPAA.
RESULTS HIPAA requires researchers to pay special attention to how they handle patients’ protected health information (PHI). For researchers working within PBRNs, which collect information from patients and health care professionals in multiple institutions, the HIPAA Privacy Rule presents additional challenges. PBRN researchers can obtain patient authorization to use PHI, but this process is difficult and may taint the findings of some research studies. Some institutions may allow patients to provide a blanket authorization for study recruitment. PBRNs additionally can collect only “de-identified” data (data with identifying information removed) or, with a data use agreement, can work with a limited data set. PBRNs that blend quality improvement and research can work with PHI, but the researcher and practices must enter into a business agreement. PBRN researchers may need to play active, educational roles in institutional privacy boards to facilitate their research.
CONCLUSIONS There are a number of ways for PBRN researchers to comply with HIPAA short of obtaining patient consent and authorization for every study. Careful planning and consideration of HIPAA issues during study design can go a long way toward reducing frustration later.
- Practice-based research network
- Health Insurance Portability and Accountability Act
- informed consent
- health services research
INTRODUCTION
The Health Insurance Portability and Accountability Act (HIPAA) was intended to improve and simplify the movement of individual patients’ protected health information (PHI) between health care professionals as well as to other entities that require the information, such as insurance companies. The act was written to accelerate the development of data standards for the transmission of health information, but it was quickly apparent that transmitting health information electronically presented hazards that required special attention. A pair of rules guide the implementation of HIPPA. The Health Insurance Reform: Security Standards, known as the Security Rule, describes standards for the security of electronic PHI. The Standards for Privacy of Individually Identifiable Health Information, generally known as the Privacy Rule, lays out specific processes to prevent potential abuse of electronically stored data, and especially abuse of easily linked PHI repositories. The requirements of the Privacy Rule have dominated the discussions of the legislation since its initial drafting and are the focus of this article.
Other authors have described some of the implications the HIPAA Privacy Rule has for general health services researchers1 and specialist researchers.2,3 These authors acknowledge that data collection schemes that provide valid data while meeting HIPAA privacy requirements can be challenging to develop. For researchers working within the complex environment of practice-based research networks (PBRNs), who intend to collect data from patients and health care professionals across multiple institutions, the Privacy Rule presents additional challenges.
Many PBRN studies are more like health services research than intervention-oriented randomized controlled trials because of the way in which PBRNs move research and data collection into the hands of practicing clinicians, at the point of care, and include all patients who meet selected criteria, not just those who consent to participate in a study. Such data collection plans require careful attention to comply with the Privacy Rule. PBRN researchers face additional challenges when they try to collect data about interventions at the practice level, often without individual patient consent—a design typical of translational research. Likewise, PBRN researchers must consider HIPAA concerns when designing approaches to patient recruitment. Although HIPAA was not intended to limit research, it does require special attention and compliance. In this article, we use several PBRNs’ experiences to explore ways in which the rules implementing HIPAA affect research conducted in PBRNs. We explain who needs to consider HIPAA, options for legally collecting and using PHI for research, and how a PBRN can determine its options in completing projects.
WHO NEEDS TO CONSIDER HIPAA?
The Privacy Rule applies to health care professionals and ancillary support operations that are considered “covered entities.” Covered entities are health care clearinghouses, health plans, and health care professionals who transmit or receive PHI in electronic form. For the purposes of this discussion, we assume that all practices or institutions within a PBRN, including the research core group, are covered entities. As we explain below, researchers may or may not be covered entities.
According to the Privacy Rule, covered entities must handle health information according to the 5 principles of fair information practices:
-
Notice: individuals (patients) have the right to know the existence and purpose of record-keeping systems.
-
Choice: patient information is (1) collected only with knowledge and permission of the individual, (2) used only in ways relevant to the purpose for which the data were collected, and (3) disclosed only with permission or overriding legal authority.
-
Access: individuals have the right to see their health records and to request adjustments in the record to ensure accuracy, completeness, and timeliness (this adjustment may be through changes to the record or additions to the record, based on the covered entities’ choice).
-
Security: individuals can expect that reasonable safeguards are in place for ensuring confidentiality, integrity, and availability of information.
-
Enforcement: violations may result in reasonable penalties and mitigation.
HIPAA does not prevent the use of PHI for quality improvement (QI) activities within the institution and its business partners. It does prevent the use of PHI for other purposes, even within a single institution, if patients have not authorized the use. Some examples of excluded activities are providing patient diagnoses and contact information to researchers for recruitment calls, even if the researchers are within the same institution, and sending date of birth, and gender linked to diagnoses and dates of care to a PBRN central office for development of an age/sex/morbidity registry. HIPAA does not preclude informing individuals or their guardians of available services or even research projects as long as no PHI leaves the covered entity. For example, a primary care physician (not the research staff) can notify potentially eligible patients of a study involving free colorectal cancer screening. The regulations are designed to prevent the use of PHI for activities unrelated to clinical care without the patient’s expressed interest and consent. HIPAA thus places restrictions on the use of PHI that extends to research, unless the patient expressly agreed to a research use at the time the PHI was collected.
Receiving health information for the purposes of research does not, per se, make a researcher or the organization performing the research a covered entity under the Privacy Rule. As long as an organization’s sole use of PHI is for research and no clinical, billing, or administrative communications emanate from the research organization, the organization does not have to be considered a covered entity. In practicality, many research activities are tightly linked to other clinical care, and thus research organizations, such as universities or research arms of health maintenance organizations (HMOs), have elected to act like and consider themselves covered entities. HIPAA has established methods by which data may be obtained by researchers, but the HIPAA Privacy Rule does not specifically cover research and was not intended to interfere with research.
COLLECTING PHI FOR RESEARCH
All unauthorized disclosures of PHI are prohibited unless they are specifically permitted within the language of the Privacy Rule. This reverse approach to legislation—prohibited unless expressly permitted—creates fertile ground for varying interpretations of permissible approaches to research data collection. This variety of interpretation is a major concern for PBRNs that deal with multiple institutional review boards (IRBs) and corporate attorneys, each of whom may have their own interpretation of acceptable research protocols. Often PBRNs have to develop study protocols that can gain approval across multiple IRBs without substantive changes that could potentially lead to serious compromises in subject recruitment and data collection. As part of an IRB application, researchers should engage in proactive discussions of how a proposed research activity meets all HIPAA requirements; these discussion can be helpful in overcoming more restrictive interpretations of the legislation.
Before further exploring HIPAA’s implications for PBRNs, it is useful to discuss the permitted choices researchers have for using PHI. There are 3 main options for collecting PHI for research: obtaining patients’ authorization (part of the consent process), using PHI without authorization (through a limited data set agreement or via data safety board [DSB] approval), and using de-identified data.
Option 1: Obtain Patients’ Authorization
Not considering the costs and trouble of obtaining patient consent, the straightforward way to collect and analyze PHI is with patient consent. When possible, obtaining patient consent is always the preferred method for collecting patient-level data. Even when patients have authorized the disclosure of their PHI for research, research organizations must still collect and store the data according to the requirements outlined by the Security Rule (not described here, but see Garner4). Specific authorizations are now required by HIPAA, adding complexity to the basic consent process as discussed in detail below.
HIPAA Authorization
The Privacy Rule requires patients to provide specific, written authorization to disclose PHI. The patient must be fully informed about the use of the data to be collected and who will have access to the data. The following information concerning the collection and handling of PHI must be included as part of the authorization process:
-
What types of data will be collected (eg, blood and urine test results, PRIME-MD [Primary Care Evaluation of Mental Disorders] survey data for psychological concerns, or results of specific imaging studies)
-
The purpose of collecting the data (eg, to better understand approaches parents take to limit tobacco smoke exposure of their children or to evaluate this research project)
-
Who will receive the data and the purpose for which the recipient will receive the data (eg, ABC Data Management Company for the purpose of data entry. Note that all recipients must be listed, and this listing is best done by role or group rather than by individual, in case specific individuals leave the study team. You do not have to list persons within your project team.)
-
The length of time the data will be used, although it may be indefinite
Patients may revoke their authorization at any time. An example of an authorization form to disclose PHI for research is available online only as supplementary data in Appendix 1 at http://www.annfammed.org/cgi/content/full/3/Suppl_1/S38/DC1. Appendix 2, also available online only at http://www.annfammed.org/cgi/content/full/3/Suppl_1/S38/DC1, is an example of an authorization form to disclose PHI for recruitment into studies.
Obtaining Blanket Authorization for Study Recruitment
Many IRBs have created standardized forms to document patient authorization of 2 different types: authorization to disclose PHI for recruitment into studies and authorization to use or disclose PHI for participation in a research study.
When patients sign an authorization for patient recruitment, they are authorizing disclosure of specific information to researchers for the purpose of study recruitment and are granting permission to be contacted about that study. These forms were likely intended to provide authorization for a single research study and are used frequently in this manner by PBRN researchers. Researchers may instead want to develop more general authorizations, because authorizations can cover an extended or indefinite period of time. For a form to be used in this way, it must be written with more general terms so that the permission is not specific for 1 study. Individuals who agree to this global or blanket authorization must be provided with information on how to terminate the authorization.
Blanket authorization must be confined to a specific type of research, although the nature of this specificity is left up to each IRB. Disease-specific research fits easily within this framework (eg, authorization for future studies involving patients with hypertension, breast cancer, asthma, or back pain). The nature of primary care research makes such a blanket authorization difficult. A blanket recruitment authorization likely will not work for PBRN research that is not specific to 1 diagnosis, such as studies of practice process improvements that apply to multiple chronic diseases.
Option 2: Use PHI Without Authorization
In some instances the consent process can, in and of itself, invalidate the research outcomes.5 The Privacy Rule offers several other approaches to obtain PHI in these situations. Use of PHI without patient authorization may be granted by IRBs or DSBs if obtaining consent is not practicable, risk to privacy is minimal, and the research cannot proceed without PHI. Practicable means capable of being done, or feasible; thus, situations wherein obtaining authorization is practicable may be considered not practical by many researchers. Obviously, the case for the potential benefit of the research versus the potential loss of privacy would need to be clearly stated to the reviewing authority. On occasion, a strong case that the consent process may change the research outcome and that benefits outweigh risks may be part of the “not practicable” argument as long as the criteria for using PHI without authorization are met. Widespread IRB acceptance of this argument is untested at this time.
PHI can also be used without patient authorization for protocol development, which means collecting information necessary to develop a grant application or research protocol. Most IRBs now require that a researcher submit a formal request to carry out this type of inquiry. (For an example of this type of form, see Appendix 3, available online only at http://www.annfammed.org/cgi/content/full/3/Suppl_1/S38/DC1.) Preliminary findings based on PHI obtained in this manner cannot be published. Finally, PHI of deceased people can be used without consent.
Option 3: Use De-identified Data
A final option, appropriate for many PBRN cross-sectional studies, is to create a “de-identified” data set. For a data set to be considered de-identified, all 18 identifiers listed in Table 1⇓ must first be removed. In some instances, this removal process may not be adequate, such as in the case of extremely rare diagnoses where even at the state level, identification of the 1 or few patients with that diagnosis may be possible. In those instances, that piece of information could be removed from the data set or could be aggregated to a level where it is no longer identifiable to a specific person. It is unlikely that the loss of data at this level would adversely impact a PBRN study.
When collecting de-identified data, dates are the most commonly used data elements that create concerns. The Privacy Rule allows a date of birth to be recorded as a year, an age, or an age range. Year of birth or actual age cannot be used if the patient is older than 89 years; all patients older than this cutoff age must be grouped. The use of age ranges would appear to be an easy solution to this problem but can result in problematic data loss unless previous work has indicated the relationship of age to the study outcomes in question. In general, it is preferable to collect a year of birth or an actual age in years with a way, such as a check box, to indicate that a patient is older than 89 years. Although this solution appears straightforward, during clinical care, it can be difficult for clinicians or staff to write down a year of birth for some patients and to check a box for others. Electronic data collection systems can help in this regard.6 Dates of care are also a restricted data element and can cause considerable difficulty in longitudinal studies. We discuss options for addressing this problem below.
A data set that does not fit the Table 1⇑ method of de-identification may also be used if a statistician certifies that the data could not be used to reidentify individuals. We discuss this approach further below.
The final approach to using de-identified data is the use of a limited data set, which includes dates. Collecting limited data sets requires that researchers have a data use agreement with the entity supplying the data, in this case, each practice or institution that owns the practice(s). This agreement must include wording that indicates that the researchers will not use the data to identify any study subject or contact any study subject. Although this approach is an enticing option under HIPAA, it can be time-consuming to get institutional HIPAA officers and lawyers to agree to supply limited data sets at this time, as the effects of the regulation are still being explored. Hopefully, with time, this option will become easier to invoke.
APPROACHES FOR HIPAA COMPLIANCE IN PBRN RESEARCH
In dealing with HIPAA regulations, PBRN researchers have a number of decisions and approaches to consider when designing a study. We present some general issues to consider when determining which approach works best for a given PBRN.
Consent and Authorization Issues to Consider
If patient consent is obtained, there are no restrictions on data elements that can be collected. HIPAA authorization forms, which describe what PHI will be collected and how it will be used, often run 3 pages in length, further burdening the already complex consent process. Attempts by IRBs to standardize HIPAA authorization may further complicate the process. For instance, some IRBs require the use of preprinted HIPAA authorization forms, on which the PHI to be collected and its use are selected from a long list. Our experience with these forms has been troublesome, as patients have difficulty understanding what parts of a lengthy HIPAA form are relevant to them; furthermore, because the HIPAA form is separate from the informed consent form, many people appear to have a difficult time relating the 2 forms to each other. We believe including PHI disclosure authorization as part of the study consent form is superior to using separate HIPAA authorization and consent forms. Combining these forms is clearly acceptable within the law but is not preferred by many IRBs and DSBs. We have not been successful at convincing all the IRBs and DSBs we work with that this approach is a superior one. Research concerning patients’ comprehension using the 2 options would be helpful.
Even without the extra burden of the HIPAA authorization, many PBRN directors believe clinicians and office staff cannot be expected to obtain patient consent within the regular work flow of a primary care office. The combination of potential ethical conflicts of patients’ primary care physicians asking them to participate in a study, the training requirements for individuals who obtain consent, and the time requirements to obtain full consent make obtaining consent an onerous task to add to a typical office visit.7 The additional burden of HIPAA authorization, which can add considerably to an already complex research consent form, appears to further confirm this point.
Although obtaining patient consent and authorization solves data restriction problems, this process is time-consuming (and therefore costly) and more importantly dramatically changes which patients participate in a study. We found a large “consent bias” when consent was required for a survey similar to the National Ambulatory Medical Care Survey (NAMCS) within PBRN practices (unpublished data), as have others.7
Obtaining consent and authorization also changes the flow of care. Frequently, the process of care or the effectiveness of an intervention for an entire population is the research question of interest (see Glasgow et al8 for an example of such an intervention). Obtaining patient consent thus actually invalidates the results of the research by either creating a false care process or limiting potential participants. This phenomenon is true for cross-sectional studies using data collection at the point of care, such as the card studies popularized by the Ambulatory Sentinel Practice Network (ASPN),9 as well as many translation of research into practice (TRIP) activities wherein randomization often occurs at the practice level while outcomes are collected in a nested model at the patient level. HIPAA limits the nature and types of identifying data that can be attached to PHI in these types of studies, but with care, they are still feasible.
Obtaining a Waiver of Patient Authorization
PBRN studies are often epidemiologic in nature, and in epidemiologic studies, the consent process has been shown to markedly alter the research findings.5 Some PBRN studies might thus qualify for the waiver process. (An application for use of PHI through the waiver process is available in Appendix 4, available online only as supplementary data at http://www.annfammed.org/cgi/content/full/3/Suppl_1/S38/DC1.) This route has been successfully used by a number of researchers outside the PBRN arena, although it is likely to lengthen the IRB approval process. Researchers can furthermore expect a request of this nature to result in considerable variability in responses from one IRB to the next. These differing responses not only slow the research process, but may result in substantive changes in the research process from site to site,10 given the known variability among IRBs.11,12
Obtaining Authorization for Recruitment
Although obtaining patient authorization for study recruitment can be costly, it can pay off in the long term if the authorization is general enough (see blanket authorization, discussed above). The level of detail that must be communicated to patients about the potential research projects will vary from IRB to IRB. Researchers who have worked with this type of blanket authorization have generally found very high acceptance rates among patients, with only the occasional individual not granting this permission (personal communication, Mary Croughan, PhD, University of San Francisco, July 2, 2004).
If a PBRN considers this option, the practice or the network must develop a process for determining how to identify those individuals who provide their authorization to be contacted and must be able to update records for any individuals who rescind their authorization. These tracking requirements may make large health care organizations nervous about the time and expense involved. The advantage of this type of consent is that truly randomized patient recruitment, blinded to the treating physician, can be carried out. Additionally, the authorization needs to be obtained only once or infrequently, while many research projects will benefit from the access to potential subjects.
Another option for patient recruitment that is allowed within HIPAA is to have PBRN staff work on-site to identify patients who may be eligible. Recruitment materials must be sent from the patient’s clinician or office, and no PHI may leave the institution. Although this approach is legal, many institutions are leery of allowing researchers to assist in this manner. A final option would be to assign a tracking number (note: not the patient’s medical record number) to each patient that only the office can link to that patient. The PBRN office can select patients to be recruited, but the practice office identifies the patients and sends out the recruitment material. This approach is more labor-intensive for the practice office.
Creating Business Agreements for Research
Another unique way to meet HIPAA requirements while still assisting practices in the research process is for the PBRN to sign a business agreement with the practice. This relationship is atypical for classic research models and may not have even been considered when HIPAA and the Privacy Rule were drafted. Given the long-term relationship between a PBRN and its practices, and the blending between QI and research (see Mold and Peterson13 in this supplement), this step is nonetheless a logical and appropriate step for many PBRNs.
A business relationship can take the form of a QI process. With a business agreement, PBRN staff can collect data within the practice that can be used for both practice QI and research. The research data set that leaves the office’s or business partner’s control must meet all HIPAA guidelines (ie, must either be de-identified, or be a limited data set with use agreements), but the QI data set is exempt from HIPAA. This process can make longitudinal data collection easier and allows the removal of PHI from the practice for the QI or patient care process. We and others have taken this approach with studies that focus on TRIP at the practice level. TRIP activities are QI activities, and we have used the QI characteristics to facilitate PHI exchange within these TRIP research projects. The expectation that the clinical activity supported by the business associate will continue beyond the specific research project is useful when considering this approach.14
With this approach, a data use agreement for the research data should also be developed, and the PBRN should establish fire walls between any data held in the 2 databases. Our protocols require 2 completely separate teams of personnel from the PBRN: a data management team that helps practices implement a QI intervention, and a research team that receives de-identified data from the data management team for final evaluation and outcomes analysis (research). The practice and the data management team establish a business use agreement, and thus the data management team is a business associate of the practice. Sample language describing this system from a recent application is given in Table 2⇓. A diagram of this separation, similar to that shown in Figure 1⇓, may help communicate the clear distinction between the 2 teams. A similar 2-tiered system has been proposed to protect the usefulness of disease registries and the privacy of people listed therein.15
Another approach to this process is for a third party, such as an Electronic Health Record vendor, to establish a business agreement with the PBRN practices, and for the vendor to then establish a research arrangement with the PBRN. The business partner may retain the linking number allowing a limited data set to be updated for research purposes over time. The PBRN thus obtains data at the practice level that it can use for outcomes studies without being able to track any data to a specific patient. Typically, the PBRN will work with the practices and vendor to establish study interventions, often supported by the Electronic Health Record. These interventions may include practice- or clinician-level feedback, patient-level reminders, case management activities, or other interventions (see Practice Partner Research Network [PPRNet]16).
For an example of a service agreement, adapted from the Pediatric Practice Research Group and Helen Binns, see Appendix 5, available online only as supplementary data at http://www.annfammed.org/cgi/content/full/3/Suppl_1/S38/DC1.14 A sample business agreement is available at the Web site of the Office for Civil Rights.17 If a PBRN is considering this option, it is wise to draft business use agreements for possible use and present the agreements to practices (or more specifically their legal counsel) for review long before study implementation.
Working With De-Identified Data
Tracking patient data for cleaning and verification, a frequent problem in all research, is made more problematic by HIPAA. No identifying number from the practice, such as a medical record number, may be transmitted without patient consent. HIPAA does however allow use of a reidentification tracking number. This method permits a number to be attached to the research data that only the practice can link back to the patient. Ensuring that practices maintain this linking number until a project is completed can be problematic. Electronic data collection can help alleviate the need for data cleaning if entry screens are programmed to guarantee complete data collection (see the article on electronic data collection by Pace and Staton6 in this supplement). Unfortunately, it can be difficult to create practice-specific short-term tracking numbers within some electronic systems, particularly for data collection with a personal data assistant (PDA). Solutions to this problem are beyond the scope of this article.
When collecting de-identified data that require treatment intervals, it is acceptable to collect relative dates, such as the number of days between visits. This is not a practical solution for many PBRN studies wherein clinicians or office staff are collecting data and do not have time to convert dates to intervals. There are no easy solutions to this problem, although it may suffice for some IRBs or DSBs to shift dates forward or backward by a random number selected by the practice and unknown to the researchers. Once again, electronic systems may be helpful, as they can convert dates to intervals.
There is a common belief that HIPAA prohibits research personnel from performing chart reviews without patient consent. This belief is not correct, although whenever possible, it is wise to use office personnel for this activity. If the information collected during a chart review contains none of the identifiers listed in Table 1⇑ and the practice allows research personnel access to records, data abstraction by research personnel is still allowed. This can be particularly important for practice-based interventions for which patient-level data are required and only available in the medical record, for instance, from control practices not using a disease-specific registry. Selecting a sample of patients’ charts to review requires care as the practice may not transfer any PHI out of the office to the research team to assist with the randomization process. Once again, the use of a reidentification number as discussed above can assist with this activity.
As previously stated, a data set that does not fit the Table 1⇑ method of de-identification may also be used if a statistician certifies that the data could not be used to reidentify individuals. It is unclear if any researchers have invoked this method. A PBRN would have trouble supporting this method at the practice level, as it is highly likely that combinations of age, sex, and diagnoses could be uniquely matched within a practice population. Given the need to deal with the statistical concerns caused by clustering of data (ie, patients seen by individual clinicians within selected practices) that is typical of PBRN research,18 this method appears to offer little to PBRN researchers.
PBRN research is certainly more challenging in the era of HIPAA. Many tools and techniques used to help practices with the research process and ensure data accuracy must be carefully reviewed or revised. Patient consent has become more involved, and HIPAA authorization is now required for research designs that previously did not require consent. Even so, there are a number of ways for PBRN researchers to comply with HIPAA short of obtaining patient consent and authorization for every study. Careful planning and consideration of HIPAA issues during study design can go a long way toward reducing frustration later.
Covered health entities, IRBs and DSBs, and researchers may feel threatened and confused by alternative interpretations of the Privacy Rule. Some institutions have cited HIPAA as the reason for blocking particular activities outside the scope of this legislation, for instance, patient recruitment by study personnel located within the office. When this happens, it is often helpful to ask why the institution believes this activity is prohibited and to either educate individuals or find alternatives acceptable to both parties.
How a researcher presents planned data collection can influence how a protocol is viewed and whether it receives a favorable IRB review. Indicating how a data collection method is permitted within HIPAA guidelines, with appropriate references to the act, may be received differently than asking if a method is approved within HIPAA guidelines. For instance, chart abstraction by PBRN personnel on random patients within an office, without consent, will typically be considered a HIPAA violation, although it is permitted with appropriate safeguards. Face-to-face discussions with IRB and DSB personnel and the HIPAA officer of the PBRN’s host institution are valuable to explore options that meet the requirements of local authorities. Given the varied interpretations of HIPAA by institutional privacy boards, there is obviously no one best approach for PBRN research.
It is unclear whether over time PBRN practices and their host institutions will grow comfortable with HIPAA so that a new set of standard research-oriented activities can become routine, or whether the fear of patient complaints about privacy violations will further ensconce restrictive policies.
Acknowledgments
We thank Debbi Main for use of verbiage and a diagram from her grant application, submitted to Agency for Healthcare Research and Quality (grant 1R21HS014871-01, Evaluating a Patient-Centered Diabetes Registry), Helen Binns for sharing the service agreement used by the Pediatric Practice Research Group, and Ester Henry and William Braithwaite, MD, PhD, for discussions of the intent and interpretation of the legislation.
Footnotes
-
Conflicts of interest: none reported
- Received for publication July 20, 2004.
- Revision received October 22, 2004.
- Accepted for publication November 29, 2004.
- © 2005 Annals of Family Medicine, Inc.