HIPAA Requirements and Waivers

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) and the Privacy Rule issued under it (45 CFR Parts 160 and 164) set standards and regulations to protect patients from inappropriate disclosures of their protected health information (PHI) that could harm their insurability, employability and/or their privacy.

HIPAA allows researchers to access and use PHI when necessary to conduct research. Not all research is subject to HIPAA; it applies only to research that uses, creates or discloses PHI.


What is PHI? 

Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used or disclosed in the course of providing a health care service such as diagnosis or treatment.

HIPAA defines 18 specific identifiers (listed below) that create PHI when linked to health information. HIPAA regulations allow researchers to obtain approval to access and use PHI when necessary to conduct research.

Examples of studies that involve the use of PHI:

  • Studies that involve the review of existing health records, such as retrospective chart review or other studies that involve the abstraction of data from the subject’s health record for research purposes.
  • Studies that create new medical information because a health care service is being performed as part of research. For example, most studies that diagnose a health condition or involve new drugs or devices create PHI that will be entered into the medical record.


List of 18 Specific Identifiers

  1. Names;
  2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. Phone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social Security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images; and
  18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)

There are also additional standards and criteria to protect an individual's privacy from re-identification. Any code used to replace the identifiers in a dataset must not be derived from, or related to, information about the individual, and the mechanism for re-identification (the master code list and the method used to generate the codes) must not be disclosed. For example, a study code cannot include the last four digits (in sequence) of the Social Security number. Additionally, the researcher must not have actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the research subject. In other words, the information is still considered identifiable if there is a way to identify the individual even after all 18 identifiers have been removed.
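The Safe Harbor rules above (ZIP codes cut to three digits with the 20,000-person threshold, dates reduced to the year, ages over 89 collapsed into a single category) and the code-assignment restriction in the preceding paragraph can be applied mechanically to a record. The following Python is an added example written for this page; it is not E&I's code or an official HHS tool. The restricted three-digit ZIP set is the one published in HHS's de-identification guidance (derived from 2000 Census data) and must be refreshed from current Census data, as the rule requires; the field names and the sample records are constructed.

```python
"""Safe Harbor de-identification helpers (45 CFR 164.514(b)(2)).

Added example for this page; not E&I's code or an official HHS tool.
"""
import re
import secrets
from datetime import date

# Three-digit ZIP prefixes whose combined area holds 20,000 or fewer people,
# as listed in HHS's de-identification guidance (derived from 2000 Census
# data). Assumption: a production pipeline refreshes this set from the
# current Census data, as the rule requires.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

# Constructed field names for identifiers the rule removes outright
# (names, contact details, SSN, MRN, account/device/vehicle identifiers,
# URLs, IP addresses, biometrics, full-face photos).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip", "biometric", "photo",
})


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits; use 000 for low-population areas."""
    digits = re.sub(r"\D", "", zip_code)
    zip3 = digits[:3]
    if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def generalize_age(birth: date, as_of: date) -> str:
    """Ages over 89 collapse into the single category '90+'."""
    age = age_on(birth, as_of)
    return "90+" if age > 89 else str(age)


def new_study_code() -> str:
    """Random code that is not derived from anything about the subject.

    164.514(c) forbids codes built from the subject's data (e.g. the last
    four SSN digits); the master list linking codes to subjects is kept
    separately and never disclosed with the dataset.
    """
    return secrets.token_hex(8)


def deidentify(record: dict, as_of: date) -> dict:
    """Apply Safe Harbor to one record; returns a new dict."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # identifier removed entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "birth_date":
            out["age"] = generalize_age(value, as_of)
            # Even the birth year is removed when it reveals an age over 89.
            out["birth_year"] = "" if out["age"] == "90+" else str(value.year)
        elif isinstance(value, date):
            out[key + "_year"] = str(value.year)   # dates keep the year only
        else:
            out[key] = value                       # clinical data passes through
    out["study_code"] = new_study_code()
    return out


# Constructed sample records (not real patients).
AS_OF = date(2024, 1, 15)
SAMPLES = [
    {"name": "Jane Q. Sample", "mrn": "000123456", "ssn": "123-45-6789",
     "zip": "03601", "birth_date": date(1930, 5, 14),
     "admission_date": date(2023, 11, 2), "diagnosis": "E11.9"},
    {"name": "John R. Sample", "email": "john@example.invalid",
     "zip": "90210-1234", "birth_date": date(1990, 1, 15),
     "discharge_date": date(2023, 12, 1), "diagnosis": "J45.909"},
]


def deidentify_samples() -> list:
    """De-identify the constructed samples as of AS_OF."""
    return [deidentify(r, AS_OF) for r in SAMPLES]


if __name__ == "__main__":
    for row in deidentify_samples():
        print(row)
```

Two things the code cannot do for you: the "no actual knowledge" condition is a judgement about the remaining data (free-text notes and rare diagnoses are the usual leaks), and the code-to-subject master list must be stored and access-controlled separately from the de-identified dataset.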


Research that HIPAA applies to

HIPAA regulations apply to research where study data are:

• Derived from a medical record
• Added to the hospital or clinical medical record
• Created or collected as part of health care
• Used to make health care decisions

HIPAA regulations DO NOT apply to research where study data are only:

• Obtained from the subject, including interviews, questionnaires
• Obtained from a foreign country or countries
• Obtained from records open to the public
• Obtained from existing research records


Approval for Use and/or Disclosure of PHI from Research Subjects (when HIPAA applies)

E&I's IRB, acting in its capacity as a Privacy Board (or the Chair, when appropriate), will review the proposed use and disclosure of PHI and determine whether you may access PHI by one or both of the following methods:

• The research subject (or legal representative, when approved) signs the HIPAA authorization for release of information, provided with the study plan materials, to grant permission to use PHI for research. (As a courtesy, E&I will provide an approved HIPAA authorization form upon request.)
• The E&I Board grants a waiver of authorization for the entire study or for recruitment purposes only.

E&I approval letters will identify which method(s) the Board approved.


Waivers of HIPAA Authorization

Under the Privacy Rule, at 45 CFR Parts 160 and 164 (HIPAA), research use or disclosure of an individual's identifiable health information requires the individual's authorization, unless the Institutional Review Board (IRB) or Privacy Board determines that the use or disclosure qualifies for a waiver or alteration. A waiver may apply to the entire study or only to the recruitment process.

Examples of studies that may need a waiver of the authorization requirement:
• Reviews of medical records for data collection (chart reviews)
• Access to databases that contain PHI
• Studies that access clinical databases, hospital medical records, appointment logs and similar sources to identify potential subjects for recruitment or screening
• Studies that enroll subjects with verbal consent

E&I's Privacy Board may issue a waiver of HIPAA authorization when all of the following criteria are met:

1. The use or disclosure involves no more than minimal risk to the privacy of individuals, based on the presence of at least the following elements:

• an adequate plan, presented to the Board, to protect the PHI identifiers from improper use and disclosure;
• an adequate plan to destroy those identifiers at the earliest opportunity consistent with the research, unless there is a health or research justification for retaining them or retention is otherwise required by law; and
• adequate written assurances that the PHI will not be reused or disclosed to any other person or entity except (a) as required by law, (b) for authorized oversight of the research study, or (c) for other research for which the use or disclosure of the PHI is permitted by the Privacy Rule.

2. The research could not practicably be conducted without the waiver or alteration; and

3. The research could not practicably be conducted without access to and use of the PHI.

The human subjects protection regulations additionally require that the waiver not adversely affect the rights and welfare of the subjects and that the risks of the study be reasonable in relation to its anticipated benefits. Requests for waiver of authorization must be submitted to E&I and approved before any health information is accessed.

Depending on the study, the Board may determine that it qualifies for a partial waiver or a full waiver. The Board (or Chair, when appropriate) can grant a partial waiver to allow limited information to be collected from the medical record; for example, a partial waiver is needed to collect eligibility information about potential subjects from the medical record, such as whether a person has a specific disease. One situation in which the Board might grant a full waiver is a medical record review study that also has a waiver of consent.

To seek a waiver, submit the following:

• E&I Form 04 (Business Information)
• E&I Form 26C (Request for Waiver or Alteration of HIPAA Requirement)
• A copy of the protocol or written study plan including all intended activities


Protecting PHI in Study Privacy and Confidentiality Plans

When building the privacy and confidentiality plans for a study, protection of PHI needs to be included. Consider how PHI will flow through the research project. Security policies need to exist for both electronic and hard-copy PHI. Simple steps may be all that are required to accomplish this goal. We suggest:

• A tracking or flow chart in the study plan that identifies how PHI will be stored, used, and shared, to assure that PHI protections are in place throughout.
• A prepared plan that identifies how data will be recovered if you lose your primary database, both for your research and for the HIPAA accounting of any PHI disclosures.
• A security plan that prevents inadvertent disclosure, loss or theft of PHI from your project. For example, to secure physical data, keep files in locked cabinets located in locked offices. To secure electronic data, include requirements for password protection, encryption, limits on portable devices, and restrictions on where data can be stored (e.g. no flash drives). IT professionals or departments are often helpful in identifying the protections already in place at your organization. For more guidance, see the Electronic Data Security section of our website.


Reporting a Breach

A privacy breach is any unauthorized access to, use of, or disclosure of PHI. It is commonly (but not always) related to electronic files or devices that contain PHI.

E&I requires that such an unanticipated problem be reported to the board within 5 business days of the time you learned of the breach.

Common examples of breaches:

• Talking to the wrong person, or sending an email, letter or fax to the wrong address, person or number
• Lost/stolen or improperly disposed paper documents
• Lost/stolen unencrypted laptops, tablets, cell phones, media devices (video and audio recordings)
• Lost/stolen unencrypted CDs, flash drives, memory sticks (media encrypted in line with HHS guidance, where the key was not also compromised, is not considered "unsecured PHI" under the Breach Notification Rule)
• Breach of a database


