On April 12, US Department of Health and Human Services (HHS) Secretary Tommy Thompson released a patient privacy rule to protect public medical records from abuse by employers and insurance companies. But industry representatives think the difficulty of complying with the stringent requirements could impede medical research by discouraging health institutions from sharing information. For instance, as well as name and social security number, “any unique identifying number or code” will have to be removed from records. “You can't keep your files organized in any way if you can't have a number on there somewhere,” says Alan Mertz, executive vice president of the Healthcare Leadership Council (HLC; Washington, DC), which represents health insurers and hospitals. HHS has “set up all these hurdles. . .that don't belong in a privacy regulation,” he adds. Another requirement, he says, is a “cost-benefit analysis of the future value of the research compared to the risk of privacy to the individual.” He points out that in the early stages of research it is often difficult to assign value for an individual who is going to receive placebo, for example. Data houses have two years to comply with the new rules, which HLC is trying to re-work with Thompson.