Were Dan Markingson’s privacy rights violated in the CAFÉ study? As I pointed out in my request for an investigation by the university’s Research Ethics Consultation Service, the Health Insurance Portability and Accountability Act (HIPAA) prohibits health care providers from releasing a patient’s private health information for use in research without the express written authorization of the patient. Violation of that law is a felony. This means that before AstraZeneca (the study sponsor) or Quintiles (the CRO managing the study) could see any of Dan Markingson’s health information, they would have needed his signed authorization. At the time of the lawsuit by Mary Weiss against the University of Minnesota, there was no record of any such authorization in Markingson’s medical records.
Yet when Mike Howard filed his complaint about Stephen Olson with the University of Minnesota, Mark Rotenberg produced a written HIPAA authorization dated November 24, 2003. The emergence of a HIPAA authorization at such a late date is odd. If the University of Minnesota had a HIPAA authorization, why didn’t it produce that document when Stephen Olson was being grilled on HIPAA in his deposition? But equally odd is the date on the authorization, which comes three days after Markingson was enrolled in the CAFÉ study. That is three days too late. Subjects need to provide authorization before they are enrolled, not after. Of course, if Quintiles and AstraZeneca had not been given access to Markingson’s health information before he gave his authorization, they would not have even known whether he was eligible for the study.
None of this is justified or explained in Rotenberg’s letter. Yet University of Minnesota officials appear to have accepted it without question. Why is Rotenberg’s response seen as an adequate explanation?