Frequently Asked Questions


What is protected health information (PHI)?
What are the 18 items that render PHI identifiable?
What is the difference between HIPAA Privacy and Security?
What is authorization?
What is the difference between “use” and “disclosure”?
What does “tracking disclosures” mean?
What is the difference between “consent” to participate in research and “authorization”?
What does the term “minimum necessary standard” mean?
Are there any circumstances under which you could use identifiable information without an authorization?
What does “Review Preparatory to Research” mean?
What does “limited data set” under a “Data Use Agreement for Research” mean?
How will the HIPAA regulation be enforced?
What if HIM receives medical record requests for research?

What is protected health information (PHI)?

Protected health information (PHI) is individually identifiable health information, in any form (electronic, paper or oral), that is created or received by a covered entity and that relates to an individual's past, present or future physical or mental health, the health care provided to the individual, or payment for that care. Information collected for treatment, diagnosis or research purposes is PHI whenever it is individually identifiable.

What are the 18 items that render PHI identifiable?

  1. Names
  2. Geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code in certain situations.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers
  13. Medical Device Identifiers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code

Note that health information stripped of all eighteen identifiers (where the covered entity also has no actual knowledge that the remaining information could identify the individual) is considered “de-identified” and is no longer regulated by HIPAA. PHI can be de-identified for research purposes by removing the 18 identifiers; a linking code may be retained for re-identification only if it is not derived from information about the individual and access to the key is extremely limited and well protected. PHI can be released with identifiers for treatment, payment and health care operations, but not for research purposes without the individual's authorization (or an IRB-approved waiver of authorization; see below).

What is the difference between HIPAA Privacy and Security?

The HIPAA Privacy Rule and Security Rule are separate but complementary. The Privacy Rule governs the use and disclosure of PHI in every form (electronic, paper and oral). The Security Rule applies only to electronic PHI (ePHI) and requires administrative, physical and technical safeguards for its confidentiality, integrity and availability.

What is authorization?

Authorization is written permission from an individual (research subject) to use and/or disclose their PHI. For research, the authorization can be included in the research consent document.

What needs to be detailed in an authorization?

  • The information that will be used or disclosed
  • The people/organizations that will use or disclose the information
  • The people/organizations who will receive the information
  • The purpose of the use or disclosure
  • An expiration date or event for the use or disclosure of the information
  • The right to refuse to sign the authorization (an individual who refuses cannot participate in the research)
  • The right to revoke authorization including the method to do so (in writing)
  • The potential for PHI to be re-disclosed by the recipient and no longer protected by federal law


What is the difference between “use” and “disclosure”?

In general, the use of PHI means communicating that information within the covered entity. A disclosure of PHI means communicating that information to a person or entity outside the covered entity.

What does “tracking disclosures” mean?

Tracking disclosures means accounting for any disclosures of PHI made without the written authorization of the research subject. This includes studies conducted under a waiver of authorization, as well as situations where consent/authorization was obtained but the recipient of the PHI is not listed on the consent/authorization form.

What is the difference between “consent” to participate in research and “authorization”?

Consent to participate in research has always described how the confidentiality of participants' information will be maintained. Authorization is similar but, under the HIPAA Privacy Rule, must give more specific details about every intended use and disclosure of PHI. When the research requires the use and/or disclosure of PHI, participants must give authorization; otherwise they may not participate in the research.

NOTE: At Northwell Health the authorization is part of the consent form for research.

What does the term “minimum necessary standard” mean?

A covered entity must always try to limit the PHI it uses, discloses or requests to the minimum necessary to achieve the purpose as per HIPAA regulations. For example, if you are doing a medical record chart review study, you cannot collect more information than you need and were approved to collect by the IRB. Any changes to your data collection plan should be submitted to the IRB prior to gathering additional data.

Are there any circumstances under which you could use identifiable information without an authorization?

There are situations in which the IRB can waive the requirement that subjects sign an authorization form. In general, a Waiver of Authorization could be granted under similar circumstances that the IRB grants a Waiver of Informed Consent (e.g., for retrospective chart reviews, etc.).

Any study granted a waiver of informed consent and approved by the IRB must also have a Waiver of Authorization. A Waiver of Authorization does not mean the research is exempt from HIPAA privacy rules. It only means the investigator does not need to obtain signed authorization from each research subject.

In order to qualify for a Waiver of Authorization, an investigator must represent the following:

  • The use of PHI for research does not represent more than a minimal risk to privacy
  • The research could not be done without the requested PHI
  • It would not be practical to obtain signed authorization from research subjects.


What does “Review Preparatory to Research” mean?

Review preparatory to research is the mechanism by which an investigator may access PHI for the purpose of designing a research study, generating a research hypothesis, or to assess the feasibility of conducting a study (e.g. to see if there are enough potential subjects, etc.). In order to review PHI preparatory to research, the PI must be able to establish that:

  • PHI is necessary for the research activity
  • PHI will not be used for any other purpose
  • PHI will not be removed from the covered entity

An investigator who is a member of the work force of a covered entity may review medical records of subjects at that covered entity preparatory to research without any specific authorization. Northwell Health is an organized health care arrangement (OHCA).

If an investigator is NOT a member of the workforce of a covered entity and wishes to review medical records of subjects at that covered entity preparatory to research, he/she must apply for a partial waiver of authorization by submitting a request for Review Preparatory to Research (RPR). Please contact the HRPP Office at 516-321-2100.

Note: Institutional policy prohibits any contact of potential research participants without IRB approval. Therefore, a researcher may not contact individuals identified during review preparatory to research activity. If a researcher wishes to contact potential participants, s/he must submit a protocol to the IRB requesting approval, including the intent to recruit subjects through use of PHI. See Recruitment of Study Subjects.

What does “limited data set” under a “Data Use Agreement for Research” mean?

A limited data set (used in conjunction with a Data Use Agreement) refers to PHI that excludes 16 categories of direct identifiers and may be used or disclosed, for purposes of research, without obtaining either an individual’s authorization OR a waiver (or an alteration) of authorization for its use and disclosure.

The following identifiers must be removed from health information if the data are to qualify as a limited data set:
  1. Names
  2. Postal address information, other than town or city, state and ZIP code
  3. Telephone numbers
  4. Fax numbers
  5. Electronic mail addresses
  6. Social security numbers
  7. Medical record numbers
  8. Account numbers
  9. Certificate/license numbers
  10. Device identifiers and serial numbers
  11. Vehicle identifiers and serial numbers, including license plate numbers
  12. Web universal resource locators (URLs)
  13. Internet protocol (IP) address numbers
  14. Biometric identifiers, including fingerprints and voice prints
  15. Full-face photographic images and any comparable images
  16. Health plan beneficiary numbers

Only the following identifiers may be used in a limited data set:

  • Dates
  • Geographic information (except for street address)
  • Other unique identifying numbers, characteristics, or codes that are not expressly excluded
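As an added example (not from this FAQ or from Northwell Health), the Python below applies the two rule sets described on this page to a single record: the Safe Harbor list of 18 identifiers (direct identifiers removed, geography reduced to state plus a three-digit ZIP, dates reduced to year, ages over 89 reported as 90 or older) and the 16 direct identifiers that must be excluded from a limited data set while dates and city/state/ZIP may stay. The field names, the sample records and the reference date are constructed for illustration, and the population condition for keeping the first three ZIP digits comes from the regulation rather than from this page.

```python
import re
from datetime import date

# Hypothetical field names for the direct identifiers on the page: items 1 and
# 4-18 of the Safe Harbor list, which are also the 16 categories a limited data
# set must exclude. These are stripped in both modes.
DIRECT_IDENTIFIERS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip", "biometric", "photo", "other_unique_id",
})
DATE_FIELDS = frozenset({"birth_date", "admit_date", "discharge_date", "death_date"})
SUB_STATE_GEOGRAPHY = frozenset({"city", "county", "precinct"})  # smaller than a state

REF_DATE = date(2024, 1, 1)  # constructed date on which ages are computed


def zip3(zip_code, zip3_area_population_over_20000):
    """Safe Harbor ZIP rule. The page says the first three digits may be kept
    'in certain situations'; the regulation's condition (not stated on the
    page) is that all ZIPs sharing those digits cover more than 20,000 people.
    Otherwise the ZIP becomes 000."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    if zip3_area_population_over_20000 and len(digits) == 3:
        return digits
    return "000"


def age_on(birth, ref):
    """Whole years between birth and ref."""
    years = ref.year - birth.year
    if (ref.month, ref.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify(record, mode, ref=REF_DATE, zip3_ok=True):
    """Return a copy of record transformed for mode 'safe_harbor' or 'limited'.

    Safe Harbor: strip the direct identifiers, drop geography smaller than a
    state (ZIP reduced to three digits), keep only the year of each date, and
    report ages over 89 as '90+' with the birth year removed as well.
    Limited data set: strip the direct identifiers and the street address but
    keep full dates and city/state/ZIP, as the page's list of permitted
    identifiers allows.
    """
    if mode not in ("safe_harbor", "limited"):
        raise ValueError("unknown mode: %r" % mode)
    over_89 = "birth_date" in record and age_on(record["birth_date"], ref) > 89
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field == "street":
            continue                      # removed in both modes
        if mode == "limited":
            out[field] = value            # dates and city/state/ZIP may stay
            continue
        if field in SUB_STATE_GEOGRAPHY:
            continue                      # Safe Harbor: nothing below state
        if field == "zip":
            out[field] = zip3(value, zip3_ok)
        elif field in DATE_FIELDS:
            if field == "birth_date" and over_89:
                continue                  # a birth year would reveal an age over 89
            out[field] = value.year       # year only
        else:
            out[field] = value
    if mode == "safe_harbor" and "birth_date" in record:
        out["age"] = "90+" if over_89 else age_on(record["birth_date"], ref)
    return out


# Constructed sample records, not real patient data.
SAMPLE = {
    "name": "Jane Doe", "mrn": "MRN-000123", "email": "jane@example.com",
    "street": "1 Main St", "city": "Anytown", "state": "NY", "zip": "12345",
    "birth_date": date(1930, 6, 15), "discharge_date": date(2023, 3, 2),
    "diagnosis": "I10",
}
SAMPLE_YOUNG = dict(SAMPLE, birth_date=date(1980, 2, 10))

if __name__ == "__main__":
    for mode in ("safe_harbor", "limited"):
        print(mode, deidentify(SAMPLE, mode))
```

The function works on an explicit allow/deny model keyed by field name, so a record with an unexpected field (for example a free-text note that happens to contain a name) passes through untouched; in practice a free-text field needs its own redaction pass before the output can be called de-identified.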

When a limited data set is used, there is no requirement to track disclosures. The minimum necessary standard (see above) still applies. The recipient of the limited data set must sign a data use agreement.

A data use agreement is an agreement into which the covered entity enters with the intended recipient of a limited data set that generally describes the permitted uses and disclosures of the PHI in a limited data set and how the data will be protected.

If an investigator plans to use a limited data set for research AND will not obtain a waiver of HIPAA Authorization, s/he must submit a data use agreement with his/her IRB protocol submission. Please contact the HRPP Office (516-321-2100) to obtain a copy of the agreement to use.

How will the HIPAA regulation be enforced?

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services enforces the HIPAA Privacy and Security Rules and can impose civil money penalties for noncompliance; criminal violations are referred to the Department of Justice. The Office of Research Compliance conducts regular reviews of HIPAA compliance in research and should be contacted about any potential HIPAA violations or concerns.

What if HIM receives medical record requests for research?

Health Information Management (HIM) should contact the HRPP Office or Research Privacy Officer for assistance with any requests for medical records from external individuals or entities pursuant to a research study. Documentation of a research subject HIPAA authorization or waiver of HIPAA authorization by the reviewing IRB and IRB approval of a research study will be required prior to release of records for research purposes.