What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA), also known as “The Privacy Rule,” set standards and regulations to protect patients from inappropriate disclosures of their protected health information (PHI) that could cause harm to their insurability, employability and/or their privacy.
HIPAA allows for researchers to access and use PHI when necessary to conduct research. Not all research is subject to HIPAA regulations; HIPAA only affects research that uses, creates or discloses PHI.
What is PHI?
Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used or disclosed in the course of providing a health care service such as diagnosis or treatment.
HIPAA defines 18 specific identifiers (listed below) that create PHI when linked to health information. HIPAA regulations allow researchers to obtain approval to access and use PHI when necessary to conduct research.
List of 18 Specific Identifiers
There are also additional standards and criteria to protect an individual's privacy from re-identification. Any code used to replace the identifiers in a dataset cannot be derived from any information related to the individual, and neither the master codes nor the method used to derive the codes may be disclosed. For example, the unique code cannot include the last four digits (in sequence) of the social security number. Additionally, the researcher must not have actual knowledge that the research subject could be re-identified from the remaining information in the PHI used in the research study. In other words, the information is still considered identifiable if there is a way to identify the individual even after all 18 identifiers have been removed.
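As an added illustration of the coding constraint above (example code written for this page, not part of the original guidance), the following Python contrasts a re-identification code derived from the SSN, which the rule forbids, with randomly issued codes whose only link back to the individual is a master key held separately from the research dataset. The sample records and SSNs are constructed placeholders.

```python
import secrets

# Constructed sample records with placeholder (not real) SSNs.
SAMPLE_RECORDS = [
    {"name": "Patient A", "ssn": "000-00-1234", "diagnosis": "diabetes"},
    {"name": "Patient B", "ssn": "000-00-5678", "diagnosis": "asthma"},
]


def disallowed_code(record):
    """Not permitted: the code is derived from the individual's SSN
    (here, the last four digits in sequence), so it carries identifying data."""
    return "S" + record["ssn"][-4:]


def leaks_ssn_digits(code, record):
    """Sanity check for the obvious case only: does the code contain any run
    of four consecutive SSN digits? It cannot detect every form of derivation
    (for example a hash of the SSN), so it complements review, not replaces it."""
    digits = record["ssn"].replace("-", "")
    return any(digits[i:i + 4] in code for i in range(len(digits) - 3))


def issue_codes(records, rng=secrets.token_hex):
    """Return (research_dataset, master_key).

    Each code is random, so nothing about the individual can be reconstructed
    from it. The master_key is the only link back; it is stored apart from the
    research dataset and is never disclosed with it."""
    master_key = {}
    research_dataset = []
    for rec in records:
        code = rng(8)  # 16 random hex characters, independent of the record
        while code in master_key:  # avoid the (rare) collision
            code = rng(8)
        master_key[code] = {"name": rec["name"], "ssn": rec["ssn"]}
        # Only the code and the health information travel with the dataset.
        research_dataset.append({"code": code, "diagnosis": rec["diagnosis"]})
    return research_dataset, master_key


def reidentify(code, master_key):
    """Authorized re-identification is possible only with the separately held key."""
    return master_key.get(code)
```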
Research that HIPAA applies to
HIPAA regulations apply to research where study data is:
HIPAA regulations DO NOT apply to research where study data are only:
Approval for Use and/or Disclosure of PHI from Research Subjects (when HIPAA applies)
E&I's IRB, acting in its capacity as a Privacy Board (or the Chair, when appropriate), will review the use and disclosure of PHI and determine whether you can access PHI by one or both methods:
E&I approval letters will identify which method(s) the board approved.
Waivers of HIPAA Authorization
Under the Privacy Rule, at 45 CFR Parts 160 and 164 (HIPAA), research use or disclosure of an individual’s identifiable health information requires the individual’s authorization, unless the use or disclosure is determined by the Institutional Review Board (IRB) or Privacy Board to qualify for a waiver. A waiver may apply to the entire study or just for the recruitment process.
Examples of studies that may need a waiver of requirement for authorization:
E&I's Privacy Board may issue waivers of HIPAA authorization when the following qualifications are met:
1. Use or disclosure involves no more than minimal risk to the privacy of individuals because of the presence of at least the following element:
3. Research could not practicably be conducted without access to and use of PHI.
Under the current human subjects protection regulations, the waiver may not adversely affect the rights and welfare of the subject, and when it is applied all risks of the study must be reasonable in relation to the anticipated benefits of the research. Requests for waiver of authorization must be submitted to E&I and approved prior to accessing the health information.
In certain cases, the board may determine that a study qualifies for a partial waiver or a full waiver. The Board (or Chair, when appropriate) can grant a partial waiver to allow limited information to be collected from the medical record. For example, a partial waiver must be granted in order to collect eligibility information about potential subjects from the medical record, such as whether a person has a specific disease. One situation in which the board might grant a full waiver is a medical record review study that has a waiver of consent.
To seek a waiver, submission of the following is required:
Protecting PHI in Study Privacy and Confidentiality Plans
When building the privacy and confidentiality plans within a study, protection of PHI needs to be included. Consideration should be given to how PHI will flow throughout the research project. Security policies need to exist for both electronic and hard copy PHI. Simple steps may be all that are required to accomplish this goal. We suggest:
Reporting a Breach
A privacy breach refers to any unauthorized access to PHI and commonly (but not always) is related to electronic files or devices that contain PHI.
E&I requires that such an unanticipated problem be reported to the board within 5 business days of the time you learned of the breach.
Common examples of breaches: