HIPAA Frequently Asked Questions
What is HIPAA and how does it apply to research?
The Health Insurance Portability and Accountability Act (HIPAA) establishes conditions under which protected health information (PHI) may be used or disclosed by covered entities for research purposes [45 CFR 164.501, 164.508(f), 164.512(i)]. The Privacy Rule outlined in HIPAA defines the means by which individuals/human research subjects are informed of how medical information about them will be used or disclosed, and their rights with regard to gaining access to information about them when such information is held by covered entities. In the course of conducting research, researchers may create, use, and/or disclose individually identifiable health information. Under the Privacy Rule, covered entities are permitted to use and disclose PHI for research with individual authorization, or without individual authorization under limited circumstances.
The Privacy Rule permits researchers to use and disclose PHI for research when participants authorize the use or disclosure of information about themselves. Typically, a research participant's authorization will be sought for clinical trials and some research involving records. In these instances, specific elements must be included in the informed consent form (see UTC IRB Policy). There are also four circumstances that allow researchers to use and disclose PHI for research purposes without authorization by research subjects. These are:
waiver of authorization;
review of PHI preparatory to research;
research involving a decedent's information; and
studies involving limited data sets.
All of these situations require IRB approval. Submit a Form H.
HIPAA regulations are quite complex. Researchers using health information should consult the full UTC IRB policy for additional guidance.
Do HIPAA regulations apply to data sets with health information?
Yes. Regulations permit covered entities (usually the agency providing the data) to disclose health information for research purposes without authorization by the research subject if the use or disclosure involves a "limited data set" and the covered entity enters into a data use agreement with the researcher. A "limited data set" is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual subjects:
a) names
b) postal address information, other than town or city, state and zip code
c) telephone numbers
d) fax numbers
e) email addresses
f) social security numbers
g) health plan beneficiary numbers
h) account numbers
i) certificate/license numbers
j) vehicle identifiers and serial numbers
k) device identifiers and serial numbers
l) Web universal resource locators (URLs)
m) Internet protocol (IP) address numbers
n) biometric identifiers, including finger and voice prints
o) full face photographic images and any comparable images
A limited data set may, however, include other indirect identifiers, especially dates of birth, treatment, discharge, or death.
Investigators may use a limited data set for research without subject authorization if they have completed a Limited Data Use Agreement with the entity releasing the data. Investigators in this situation should complete a Form K and email the Form and the Limited Data Use Agreement to the IRB Chair. (Normally, the entity releasing the data should provide the Limited Data Use Agreement; however, if the entity does not have such a form, the investigator should contact the IRB Chair for examples of acceptable forms.)
PHI can be released freely if it does not contain "individually identifiable information" as defined in the section above. PHI is not individually identified if the subject is not identified, directly or indirectly, and if the subject has no reasonable basis to believe that the information can be used to identify them.
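An added example, not part of the UTC IRB page: a small audit routine that screens tabular records against the direct-identifier exclusion list above before a data set is treated as a limited data set. The column-name keywords, value patterns, and the sample rows are this example's own assumptions; a real review would still go through the IRB and the data use agreement.

```python
import re

# Column-name keywords for each direct-identifier category the page lists.
# Keyword choices are an assumption of this example, not a regulatory list.
DIRECT_ID_KEYWORDS = {
    "name": ["name", "first_name", "last_name"],
    "postal address": ["street", "address", "addr"],
    "telephone": ["phone", "tel"],
    "fax": ["fax"],
    "email": ["email"],
    "ssn": ["ssn", "social_security"],
    "health plan beneficiary number": ["beneficiary", "member_id", "plan_id"],
    "account number": ["account"],
    "certificate/license number": ["license", "certificate"],
    "vehicle identifier": ["vin", "plate"],
    "device identifier": ["device_id", "serial"],
    "url": ["url"],
    "ip address": ["ip", "ip_addr"],
    "biometric": ["fingerprint", "voiceprint", "biometric"],
    "photo": ["photo", "image"],
}
# Value patterns that reveal a direct identifier hidden under an innocuous column name.
VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "telephone": re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$"),
    "ip address": re.compile(r"^\d{1,3}(\.\d{1,3}){3}$"),
    "url": re.compile(r"^https?://", re.IGNORECASE),
}
# Indirect identifiers the page says a limited data set may keep (assumed column names).
ALLOWED = {"city", "state", "zip", "dob", "admit_date", "discharge_date", "death_date"}

def audit_limited_data_set(rows):
    """Return sorted (column, category) findings; an empty list means no direct identifier was found."""
    findings = set()
    for row in rows:
        for col, val in row.items():
            key = col.lower()
            if key in ALLOWED:
                continue
            for cat, words in DIRECT_ID_KEYWORDS.items():
                if any(w == key or w in key.split("_") for w in words):
                    findings.add((col, cat))
            for cat, pat in VALUE_PATTERNS.items():
                if isinstance(val, str) and pat.match(val.strip()):
                    findings.add((col, cat))
    return sorted(findings)

# Constructed sample: one column is flagged by its name, one only by its value.
SAMPLE = [{"patient_ssn": "123-45-6789", "city": "Chattanooga", "state": "TN",
           "zip": "37403", "contact": "jane@example.org", "admit_date": "2023-03-01"}]
```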
What if you collected data that includes protected health information (PHI)?
If an investigator maintains a database containing PHI, then the investigator has an obligation to ensure that the use and disclosure of PHI is in compliance with federal guidelines and UTC policy. The investigator is responsible for:
Maintaining applicable security for the database, including physical security and access control;
Controlling and managing the access, use and disclosure of PHI, including verifying appropriate IRB approvals and patient authorizations; and
Ensuring that any PHI in the database used for treatment or payment purposes is a duplicate and that the original is included in the patient's medical record.
Databases created prior to April 14, 2003 are grandfathered in and do not have to meet the Privacy Act policies. Studies involving subjects who enrolled prior to April 14, 2003 will not be required to re-consent. Investigators may continue to collect and use data gathered from these subjects, and no new documentation is required.
If my research involves protected health information (PHI), what forms should I submit to the IRB?
Certain organizations and individuals are considered "covered entities" in the Administrative Simplification regulations adopted by HHS under HIPAA, and must comply with special requirements. For guidance on how to determine whether an organization or individual is considered a covered entity, please see the Covered Entity Chart.
To see additional web links on frequently asked questions, please go to the U.S. Department of Health & Human Services at: www.hhs.gov/hiappfaq/ or the American Psychological Association at: www.apa.org/science/research/hipaa.html.