HIPAA Basics for Researchers

Revised October 26, 2004

What does HIPAA stand for?
How does HIPAA affect researchers?
When did it go into effect?
Who needs to comply with HIPAA regulations?
How is research defined under HIPAA?
How is "privacy" under HIPAA different from "confidentiality" under the Common Rule?
What is protected health information (PHI)?

What is authorization?
What needs to be detailed in an authorization?
What is the difference between consent to participate in research and authorization?
What if you have obtained a Certificate of Confidentiality for your study?

Do you need to re-consent participants who enrolled prior to April 14, 2003?
What does the term "minimum necessary standard" refer to in the HIPAA regulations?
What is the difference between "use" and "disclosure"?
What does "tracking disclosures" mean?
Are there any circumstances under which you could use identifiable information without an authorization?
What does the term "Review Preparatory to Research" refer to in the HIPAA regulations?
What does "limited data set" under a "Data Use Agreement for Research" mean?

How will the HIPAA regulation be enforced?
What is a research privacy officer?
What is a research privacy board?

What does HIPAA stand for?

HIPAA stands for the Health Insurance Portability and Accountability Act. It is Federal legislation designed to enable a person to go from one health insurance plan to another with continuity of care and not be denied coverage for a "pre-existing condition" (portability); it details government oversight to protect against fraud; and finally it adds protections for the confidentiality of protected health information (PHI) that is collected (accountability).

How does HIPAA affect researchers?

Researchers will now have added responsibilities regarding the protection of the confidentiality of a subject's protected health information (PHI). HIPAA will also affect methods of recruitment for research. However, HIPAA regulations do not replace previous federal regulations governing human subjects research.

When did it go into effect?

The deadline for compliance was April 14, 2003.

Who needs to comply with HIPAA regulations?

Anyone employed by a "covered entity" needs to comply. Each of our hospitals and facilities is considered a covered entity.

How is research defined under HIPAA?

Research is defined under the HIPAA regulations in a way similar to its definition under the Common Rule. (The Common Rule refers to the federal regulations that have governed human subjects research and the IRB processes since 1981.) The HIPAA definition is "a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge". It is applicable to all research, regardless of funding, and includes research on decedents.

How is "privacy" under HIPAA different from "confidentiality" under the Common Rule?

As a researcher, you have always needed to be concerned about the confidentiality of a research participant's data. HIPAA adds some additional points regarding privacy and PHI that need to be described to a research participant. The research participant must then authorize the use and disclosure of the PHI for the purposes described. HIPAA also details rights that individuals have regarding their PHI, which need to be described to the subject.

What is protected health information (PHI)?

Protected health information (PHI) is individually identifiable health information that is collected for treatment, diagnosis or research purposes.

HIPAA details eighteen items that render PHI identifiable:

  1. Names
  2. Geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code in certain situations.
  3. All elements of date (except year) for dates directly related to an individual, including birth date, discharge date, date of death; and all ages over 89 and all elements of dates indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers
  13. Medical Device Identifiers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code

Note that PHI that is stripped of all of the eighteen identifiers is not regulated by HIPAA; it is considered "de-identified". PHI can be "de-identified" for research purposes by removing the 18 identifiers and using a linked code for which access is extremely limited and well protected. PHI can be released with identifiers for treatment, payment and operation purposes but certainly not for research purposes without authorization.

What is authorization?

Authorization is written permission from an individual (research subject) to use and/or disclose their PHI. For research, the authorization can be included in the research consent document.

What needs to be detailed in an authorization?

  • The information that will be used or disclosed
  • The people/organizations that will use or disclose the information
  • The people/organizations who will receive the information
  • The purpose of the use or disclosure
  • An expiration date or event for the use or disclosure of the information
  • The right to refuse to provide the authorization (this will eliminate participation in the research)
  • The right to revoke authorization including the method to do so (in writing)

What is the difference between "use" and "disclosure"?

In general, the use of PHI means communicating that information within the covered entity. A disclosure of PHI means communicating that information to a person or entity outside the covered entity.

What does "tracking disclosures" mean?

Tracking disclosures means accounting for any disclosures of PHI made without the written authorization of the research subject. This includes studies conducted under a waiver of authorization, as well as situations where consent/authorization was obtained but the recipient of the PHI is not listed on the consent/authorization form.

What is the difference between consent to participate in research and authorization?

Consent to participate in research has always detailed the level to which confidentiality of the participant's information will be maintained. Authorization from the patient is similar but, based upon the privacy rules of HIPAA, requires more specific details about all possible use and disclosure of PHI. When the research requires use and/or disclosure of PHI, research participants must give authorization. Otherwise, they may not participate in the research.

NOTE: At our health system we have decided to make the authorization part of the consent form for research. Revised consent form guidelines on this website provide suggested language for the confidentiality section of a research consent form.

What if you have obtained a Certificate of Confidentiality for your study?

If you have a Certificate of Confidentiality (COC) for your study, the Office of the IRB has prepared a revised confidentiality section for consent forms that includes the information regarding the COC and is in compliance with the authorization language for HIPAA. (See "If you have a Certificate of Confidentiality")

Note: A COC is a document issued for a specific study by the Federal Department of Health and Human Services that provides additional levels of protection to sensitive subject data that could be damaging to the subject if disclosed.

Do you need to re-consent participants who enrolled prior to April 14, 2003?

No. The privacy rules have provided an exception for all IRB approvals prior to the compliance date. The protocols, enrolled subjects and IRB decisions are considered "grandfathered" in and do not fall under HIPAA requirements. There is one caveat, however. Authorization is required for any subjects who need to be re-consented for any reason after April 14th. That would require use of the consent form that includes HIPAA authorization language.

What does the term "minimum necessary standard" refer to in the HIPAA regulations?

A covered entity must always try to limit the PHI it uses, discloses or requests to the minimum necessary to achieve the purpose. The standard applies to uses and disclosures made pursuant to a waiver of authorization, to reviews preparatory to research and to limited data sets.

Are there any circumstances under which you could use identifiable information without an authorization?

There are situations in which the IRB can waive the requirement that subjects sign an authorization form. In general, a Waiver of Authorization could be granted under similar circumstances that the IRB grants a Waiver of Informed Consent (e.g., for retrospective chart reviews, etc.).

Any study granted a waiver of informed consent and approved by the IRB on or after April 14, 2003, must also have a Waiver of Authorization. Any study approved with a Waiver of Informed Consent before April 14, 2003, does not need a Waiver of Authorization.

A Waiver of Authorization does not mean the research is exempt from HIPAA privacy rules. It only means the investigator does not need to obtain signed authorization from each research subject.

In order to qualify for a Waiver of Authorization, an investigator must represent the following:

  • The use of PHI for research does not represent more than a minimal risk to privacy
  • The research could not be done without the requested PHI
  • It would not be practical to obtain signed authorization from research subjects.

What does the term "Review Preparatory to Research" refer to in the HIPAA regulations?

"Review preparatory to research" is the mechanism by which an investigator may access PHI for the purpose of designing a research study, generating a research hypothesis, or to assess the feasibility of conducting a study (e.g. to see if there are enough potential subjects, etc.). In order to review PHI preparatory to research, the PI must be able to establish that:

  • PHI is necessary for the research activity
  • PHI will not be used for any other purpose
  • PHI will not be removed from the covered entity

See Review Preparatory to Research Guidance Map.

An investigator who is a member of the work force of a covered entity may review medical records of subjects at that covered entity preparatory to research without any specific authorization.

However, if an investigator is NOT a member of the workforce of a covered entity and wishes to review medical records of subjects at that covered entity preparatory to research, he/she must apply for a partial waiver of authorization by submitting a request for Review Preparatory to Research (RPR). Please contact the Research Privacy Officer at 516-562-2018.

Institutional policy prohibits any contact without IRB approval. Therefore, a researcher may not contact individuals identified during this activity.
If a researcher wishes to contact potential participants, he must submit a protocol to the IRB requesting approval, including the intent to recruit subjects through use of PHI. See Policy 4: Recruitment of Study Subjects.

What does "limited data set" under a "Data Use Agreement for Research" mean?

A limited data set (used in conjunction with a data use agreement) refers to PHI that excludes 16 categories of direct identifiers and may be used or disclosed, for purposes of research, without obtaining either an individual's authorization or a waiver (or an alteration) of authorization for its use and disclosure.

The following identifiers must be removed from health information if the data are to qualify as a limited data set:
  1. Names
  2. Postal address information, other than town or city, state and ZIP code
  3. Telephone numbers
  4. Fax numbers
  5. Electronic mail addresses
  6. Social security numbers
  7. Medical record numbers
  8. Account numbers
  9. Certification/license numbers
  10. Device identifiers and serial numbers
  11. Vehicle identifiers and serial numbers, including license plate numbers
  12. Web universal resource locators (URLs)
  13. Internet protocol (IP) address numbers
  14. Biometric identifiers, including fingerprints and voice prints
  15. Full-face photographic images and any comparable images
  16. Health plan beneficiary numbers

Only the following identifiers may be used in a limited data set:

  • Dates
  • Geographic information (except for street address)
  • Other unique identifying numbers, characteristics, or codes that are not expressly excluded

When a limited data set is used, there is no requirement to track disclosures. The minimum necessary standard does apply (see the "minimum necessary standard" question above). The recipient of the limited data set must sign a data use agreement.

A data use agreement is an agreement into which the covered entity enters with the intended recipient of a limited data set that generally describes the permitted uses and disclosures of the PHI in a limited data set and how the data will be protected.
If an investigator plans to use a limited data set for research, he/she must submit a data use agreement with his/her IRB protocol submission.
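The two identifier lists above (the 18 Safe Harbor identifiers and the 16 direct identifiers a limited data set must drop) differ mainly in how dates, ages and geography are handled. The following Python function, added here as an illustration and not part of this guidance or any institutional tool, applies both rule sets to a constructed sample record; the field names, the sample record and the set of restricted three-digit ZIP prefixes are assumptions (the real restricted prefixes come from census data).

```python
import re
from datetime import date

# Direct identifier fields removed in BOTH modes (the 16 limited-data-set
# categories); field names are constructed for this example.
DIRECT_IDENTIFIERS = {"name", "street", "phone", "fax", "email", "ssn", "mrn",
                      "account", "license", "device_id", "vehicle_id", "url",
                      "ip", "biometric", "photo", "plan_id"}

# Constructed placeholder: three-digit ZIP prefixes that Safe Harbor requires
# to be reported as "000" (prefixes covering 20,000 or fewer people). The
# real set is derived from census data and is an assumption here.
RESTRICTED_ZIP3 = {"036", "059", "102"}

AS_OF = date(2004, 10, 26)  # reference date used to compute ages
SAMPLE_RECORD = {           # constructed sample, not real patient data
    "name": "Jane Example", "street": "12 Sample St", "city": "Sampletown",
    "state": "NY", "zip": "11030", "phone": "555-0100", "mrn": "MRN-0001",
    "birth_date": date(1912, 3, 5), "admit_date": date(2004, 10, 1),
    "diagnosis": "hypertension",
}

def zip_to_prefix(zip_code):
    """Safe Harbor: keep only the initial three digits, or 000 if restricted."""
    digits = re.sub(r"\D", "", zip_code or "")[:3]
    return "000" if len(digits) < 3 or digits in RESTRICTED_ZIP3 else digits

def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

def deidentify(record, as_of=AS_OF, mode="safe_harbor"):
    """mode='limited': drop the 16 direct identifiers; dates and city/state/ZIP stay.
    mode='safe_harbor': additionally reduce dates to year, ZIP to its prefix,
    drop geography smaller than a state, and bucket ages over 89."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if mode == "limited":
        return out
    out.pop("city", None)                      # smaller than a state
    out["zip"] = zip_to_prefix(out.get("zip"))
    for field, value in list(out.items()):     # every date keeps its year only
        if isinstance(value, date):
            out[field + "_year"] = value.year
            del out[field]
    birth = record.get("birth_date")
    if birth is not None:
        age = age_on(birth, as_of)
        out["age"] = "90 or older" if age > 89 else age
        if age > 89:
            out.pop("birth_date_year", None)   # birth year alone would reveal age > 89
    return out
```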

How will the HIPAA regulation be enforced?

The legislation includes the ability for the government to issue civil or criminal penalties including fines to individuals for noncompliance.

What is a research privacy officer?

A person designated by the covered entity to oversee HIPAA compliance specific to research. Responsibilities include handling patients' privacy complaints, and training and auditing for HIPAA compliance. The Research Privacy Officer for the Health System can be contacted at 516-562-2018.

What is a research privacy board?

A privacy board is a group of individuals responsible for the review and approval of requests for the disclosure of PHI for research purposes. At our Health System, the IRB will serve as the Research Privacy Board.

Last Update

February 1, 2012