The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation that applies to covered entities, such as Northwell Health. HIPAA went into effect on April 14, 2003. It was designed to allow a person to go from one health insurance plan to another with continuity of care without being denied coverage for a “pre-existing condition” (portability); it details government oversight to protect against fraud; and it adds protections for protected health information (PHI) that is collected (accountability). The U.S. Department of Health and Human Services (HHS) issued a Final Rule in 2013, which strengthened privacy and security protections of health information.
The Health Information Technology for Economic and Clinical Health (HITECH) Act is part of the American Recovery and Reinvestment Act (ARRA) of 2009. The HITECH Act also widens the scope of privacy and security protections available under HIPAA; it increases the potential legal liability for non-compliance; and it provides for more enforcement.
If you have any questions or concerns related to HIPAA in research, you can contact us below:
Research Privacy Board
The Privacy Rule requires an individual to provide signed Authorization before a covered entity can use or disclose the individual’s PHI for research purposes; however, a covered entity can use or disclose PHI for research without an Authorization by obtaining proper documentation of a waiver of the Authorization requirement by a Privacy Board.
The Reviewing IRB acts as the Research Privacy Board that reviews and approves requests for disclosure of PHI and waivers of HIPAA authorization for research purposes.
For questions contact:
The reviewing IRB or the Northwell Human Research Protection Program
Phone: (516) 321-2100
Research Compliance & Privacy Officer
Handles privacy complaints and issues related to research, including investigation of potential HIPAA breaches.
For questions contact:
Director, Office of Research Compliance
Phone: (516) 321-2108
How does HIPAA affect researchers?
HIPAA covers use and/or disclosure of PHI for research purposes pursuant to an authorization or waiver of authorization. Researchers will need to take certain steps to use, access or disclose the PHI of research subjects. Researchers also have responsibilities regarding the protection of PHI. See Northwell Health Research Policy GR094 Access Use and Disclosure of Protected Health Information for Research for more information (link accessible through a Northwell network connection only).
The following are ways in which PHI can be used or disclosed for research purposes:
| HIPAA Category | Example of Research Activity |
| --- | --- |
| Reviews Preparatory to Research, no waivers or authorizations needed | Feasibility reviews |
| Partial waiver of HIPAA authorization issued by the IRB | Recruitment purposes |
| Waiver of HIPAA authorization issued by the IRB | Chart reviews |
| HIPAA authorization obtained from subjects | Observational and interventional research studies |
Useful HIPAA Research Tools and Resources
- Guidance for Tracking and Accounting for Research Disclosures of PHI
- Tracking Form for an Individual Disclosure of PHI in Research
- Data Mining Research Guidance
- Chart Review Guidance
- Business Associate Agreement Guidance
- HIPAA & electronic PHI Security Guidance
- Public Research Education Program (PREP) Courses on HIPAA