The Privacy Rule and Research Design Options
Research Compliance and the HIPAA Privacy Rule
When researchers seek access to Protected Health Information (PHI) to design or conduct research, they must work with HIPAA covered entities to determine how this information can be shared without violating HIPAA.
Limiting PHI Uses and Disclosures to the Minimum Necessary
A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure of PHI. In the research context, a covered entity must make reasonable efforts to disclose only the minimum amount of PHI needed by the researcher to achieve the study goal(s). A covered entity may rely on a researcher's documentation, or on an IRB's or Privacy Board's determination, that the PHI requested for research is the minimum necessary; this is assessed during the IRB review process.
With the minimum necessary requirement in mind, there are six scenarios through which a HIPAA covered entity can collaborate with researchers:
1. Allow a researcher to access PHI preparatory to conducting research. Most commonly, this involves a visit by the researcher to a hospital or clinic to review health records, in person and under the supervision of the HIPAA covered entity, to determine whether future research is feasible. An example would be review of a clinic’s records to determine the size and demographics of the patient population, i.e., whether it is sufficient to enable the researchers to answer specific research questions or recruit an adequate number of eligible study participants. Individually identifiable health information cannot be recorded or statistically analyzed by the researcher, nor removed from the covered entity’s site. This scenario was common before the use of electronic health records became prevalent, but it is rarely used now, since most healthcare providers can query their patient database to identify individuals who meet specific inclusion/exclusion criteria.
2. Obtain authorization from individuals whose PHI will be used in research. This is done during the informed consent process and is preferred when conducting new primary research in collaboration with a HIPAA covered entity. For secondary research that involves use of PHI from medical records or databases, particularly on a large scale, obtaining individual authorization may not be feasible. Highly specific authorization language is required in the confidentiality section of the informed consent document.
3. Avoid disclosing PHI by granting access only to de-identified health records. The Privacy Rule recognizes two de-identification methods. Under the Safe Harbor method, the 18 identifiers enumerated in the rule (names, geographic subdivisions smaller than a state, all elements of dates other than year, telephone numbers, Social Security numbers, medical record numbers, and so on) are removed, and the covered entity has no actual knowledge that the remaining information could be used to identify an individual. Under the Expert Determination method, a qualified statistician documents that the risk of re-identification is very small. Data de-identified by either method is no longer PHI and can be shared by covered entities without violating the Privacy Rule. Because de-identification of health records is subject to HIPAA standards and can involve significant time and expense for the HIPAA covered entity, it may charge a fee to researchers seeking to obtain a de-identified data set.
4. Limit data sharing to PHI from deceased individuals. For research involving PHI from decedents, HIPAA covered entities may require researchers to make the following affirmations before they will release PHI:
- that the use or disclosure is sought solely for research on the PHI of decedents;
- that documentation of the death of those individuals will be provided if the covered entity requests it; and
- that the PHI sought is necessary for the research purposes.
UTC IRB policy requires researchers planning to conduct studies using PHI from deceased individuals to submit an IRB application to confirm that the above criteria have been satisfied, and to enable the IRB to assess whether disclosure of decedents' information has the potential to harm living family members. For example, a study that analyzes brain tissue from deceased individuals to identify genetic risk factors for dementia could cause relatives of the deceased to experience distress about health risks that are out of their control. Confidentiality protections would be appropriate and must be evaluated by the IRB.
5. Disclose only a Limited Data Set. A Limited Data Set can include limited PHI such as birth dates, hospital admission/discharge dates, city, state and ZIP codes, but cannot include any of the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
- names;
- postal address information other than town or city, state, and ZIP code;
- telephone numbers;
- fax numbers;
- electronic mail addresses;
- Social Security numbers;
- medical record numbers;
- health plan beneficiary numbers;
- account numbers;
- certificate or license numbers;
- vehicle identifiers and serial numbers, including license plate numbers;
- device identifiers and serial numbers;
- web URLs;
- IP addresses;
- biometric identifiers, including finger and voice prints; and
- full-face photographs and any comparable images.
A Limited Data Set may be released only under a data use agreement between the covered entity and the researcher. Additional criteria related to data security and confidentiality protections apply and are described on the HIPAA Security Rule webpage.
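As an added example (not part of this page or of any UTC or HHS tool), the Python below applies the two data-release options above, a Limited Data Set and Safe Harbor de-identification, to a constructed patient record, so the difference is visible in code: the Limited Data Set keeps dates and full ZIP codes but drops the direct identifiers, while Safe Harbor also reduces dates to the year, truncates ZIP codes to three digits (000 where the three-digit area has 20,000 or fewer residents, per the HHS guidance list), collapses ages of 90 and over into a single "90+" category, and refuses free text that carries identifier patterns. The field names, the sample records and the "as of" date are this example's own assumptions; the identifier lists and the ZIP and age rules follow the Privacy Rule and HHS guidance.

```python
import re
from datetime import date

# Field names are this example's own schema, not a HIPAA-defined one.
# The 16 direct identifiers a Limited Data Set must exclude (45 CFR 164.514(e)(2)).
LDS_DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# Dates directly related to the individual; Safe Harbor keeps only the year.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
# Three-digit ZIP areas with 20,000 or fewer residents (2000 Census, as listed in
# HHS de-identification guidance); Safe Harbor requires these be reported as 000.
SMALL_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
              "823", "830", "831", "878", "879", "884", "890", "893"}
# Patterns that would leak identifiers through free-text fields such as notes.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # Social Security number
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),  # US telephone number
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),         # email address
]

# Constructed sample record (fictional); AS_OF fixes the date used for ages.
AS_OF = date(2024, 1, 15)
SAMPLE = {
    "name": "Jane Q. Public", "street_address": "12 Elm St",
    "city": "Chattanooga", "state": "TN", "zip": "37403",
    "dob": date(1931, 3, 14),
    "admit_date": date(2023, 5, 2), "discharge_date": date(2023, 5, 9),
    "ssn": "123-45-6789", "mrn": "MRN-000123", "email": "jane@example.org",
    "diagnosis_code": "G30.9",
    "notes": "Patient reachable at 423-555-0100 after discharge.",
}
# Same fictional patient, but younger and in a sparsely populated ZIP area.
SAMPLE_YOUNG = dict(SAMPLE, zip="05901", dob=date(1990, 1, 1),
                    notes="Stable at discharge.")


def limited_data_set(record):
    """Drop the 16 direct identifiers; dates, city, state and full ZIP stay."""
    return {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}


def free_text_hits(text):
    """Return the identifier patterns found in a free-text value."""
    return [p.pattern for p in FREE_TEXT_PATTERNS if p.search(text)]


def safe_harbor(record, as_of):
    """Safe Harbor de-identification of one record, with ages computed as of `as_of`."""
    out = {}
    for k, v in record.items():
        if k in LDS_DIRECT_IDENTIFIERS or k == "city":
            continue                       # geographic units smaller than a state go
        if k == "zip":
            zip3 = str(v)[:3]
            out["zip3"] = "000" if zip3 in SMALL_ZIP3 else zip3
        elif k in DATE_FIELDS:
            out[k + "_year"] = v.year      # all date elements except the year go
        elif isinstance(v, str) and free_text_hits(v):
            out[k] = "[REDACTED: identifier pattern in free text]"
        else:
            out[k] = v
    dob = record["dob"]
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    if age >= 90:
        out.pop("dob_year", None)          # a year that reveals age >= 90 must go too
        out["age"] = "90+"
    else:
        out["age"] = age
    return out


def demo():
    return limited_data_set(SAMPLE), safe_harbor(SAMPLE, AS_OF), safe_harbor(SAMPLE_YOUNG, AS_OF)


if __name__ == "__main__":
    for label, row in zip(("limited data set", "safe harbor", "safe harbor (young)"), demo()):
        print(label, row)
```

The code covers only the mechanical part of Safe Harbor. It does not handle "any other unique identifying number, characteristic, or code", it does not replace the "no actual knowledge" judgment the covered entity must make, and it is not Expert Determination; a human review of the output, and the IRB review described on this page, are still required before release.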
6. Require a Waiver of Authorization to disclose PHI to researchers. A HIPAA covered entity may disclose PHI to researchers without individual authorization if an IRB or Privacy Board determines that the following conditions are met:
- The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on at least: an adequate plan to protect identifiers from improper use and disclosure; an adequate plan to destroy identifiers at the earliest opportunity consistent with the conduct of the research (unless there is a health or research justification for retaining them, or retention is required by law); and adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which use or disclosure of PHI would be permitted.
- The research could not practicably be conducted without the waiver.
- The research could not practicably be conducted without access to and use of the PHI.
Additional criteria related to data security and confidentiality protections apply and are described on the HIPAA Security Rule webpage.
Sources and additional resources:
- “Minimum Necessary Requirement.” Department of Health and Human Services.
- “Research.” Department of Health and Human Services, guidance on HIPAA Privacy Rule.
- “What Is Considered PHI Under HIPAA?” HIPAA Journal, Dec 28, 2021.
- “Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.” Department of Health and Human Services.