What is HIPAA
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191). The Act has provisions to protect the confidentiality and security of personally identifiable information that an individual provides in the course of obtaining health care; it is not primarily concerned with research. HIPAA does recognize that some research (in particular, IRB-defined human subjects research) may create, use, and disclose Protected Health Information (PHI). HIPAA uses the same definition of research as the federal Common Rule (45 CFR 46): a systematic investigation designed to contribute to generalizable knowledge. Another test of whether an activity is research is whether the results will be published. For example, a quality improvement project that analyzes the medical records of patients treated with a particular procedure is not research if the analysis is used for internal purposes only. But if future publication is a possibility, investigators need to understand the IRB review and approval process before they begin, because retroactive approval to do research with person-identifiable records cannot be given. HIPAA does not replace or modify the human research protection regulations found in 45 CFR 46, but in most cases it exceeds the privacy provisions of 45 CFR 46: it extends to decedents, applies to all research regardless of funding or activity, and broadens the definition of “identifiable information”.
Investigators remain responsible for complying with all requirements regarding use or disclosure of protected health information, including those specified by HIPAA and implemented by the covered entity or entities. The covered entity also remains responsible for the proper use or disclosure of protected health information for research purposes. Investigators must also identify in the IRB application all proposed access to PHI during the course of the research, including access to paper and electronic medical records for subject identification or screening, any intended addition of information to medical records, and any collection or use of human specimens with individually identifiable health information attached.
The ORPC has a link to a page of definitions to assist investigators in understanding terms and requirements for HIPAA.
How HIPAA rules impact human subjects research
Investigators may use and disclose protected health information for research provided the individual gives written authorization to use or disclose the PHI, unless that authorization is waived or excepted by an IRB or Privacy Board. Health information is “information that relates to the past, present, or future physical or mental health or condition of the individual, or that relates to the provision of health care in the past, present or future.” Identifiable means information “that identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual”.
In general, a covered entity must make a good-faith effort to tell individuals how their PHI will be used and disclosed, and it will not share a patient’s PHI without the patient’s express written permission (authorization) unless one of the exceptions described below applies. A decedent’s information is still protected by the Rule, but authorization is not required for research that is solely on decedents.
HIPAA rules apply only to research which uses, creates, or discloses PHI. Two common examples of how a research study would involve PHI include:
- The study involves review of medical records as one (or the only) source of research information. Retrospective studies involve PHI in this way. Prospective studies may do this also, such as when a researcher contacts a participant’s physician to obtain or verify some aspect of a person’s health history.
- The study creates new medical records because as part of the research a health-care service is being performed, such as testing of a new way of diagnosing a health condition or a new drug or device for treating a health condition.
Note also that research using human biological specimens that carry PHI is covered by HIPAA.
Examples of identifiable information include:
- Names
- Social Security Numbers
- Geographic subdivisions smaller than a state (city, county, precinct)
- Zip codes
- Medical record numbers
- Web URLs
- Street address
- Health plan numbers
- IP address numbers
- Phone numbers
- Account numbers
- Biometric identifiers*
- Fax numbers
- License/Certificate numbers
- Facial Photos/Images
- E-mail address
- Vehicle ID numbers
- Dates directly related to an individual (birth, admission, discharge, death)
* – Biometric identifiers are observable biological characteristics that could be used to identify an individual, e.g., fingerprints, iris/retina patterns, and facial patterns.
Steps to take when including HIPAA in an IRB protocol
HIPAA permits the use or disclosure of PHI for research under the following circumstances and conditions:
- If the subject of the PHI has granted specific written permission through an Authorization to use and/or disclose PHI
- If the IRB has granted a Waiver of authorization requirement
- If the PHI has been de-identified in accordance with the standards set by HIPAA
- If the information is released in the form of a limited data set, with certain identifiers removed, and with a data use agreement between the researcher and the covered entity
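The third and fourth conditions above (de-identification under the HIPAA standard, and release as a limited data set under a data use agreement) differ in exactly which identifiers from the list earlier on this page must go. The following Python is an added example, not code from this page or from UMBC, that applies the Safe Harbor rule (remove the direct identifiers; keep only the first three digits of a ZIP code, or 000 where the three-digit area has 20,000 or fewer people; keep only the year of any date; aggregate ages over 89) and, in a second mode, the limited data set rule (direct identifiers removed, but dates, city, state, ZIP and age retained). The record layout, field names, the small-population ZIP prefix set, the sample record and the free-text patterns are all assumptions constructed for the example; the prefix set in particular must be checked against current Census Bureau data before real use.

```python
import re
from typing import Any

# Field names are assumptions for the constructed record, not a real schema.
# Safe Harbor (45 CFR 164.514(b)(2)) requires removing these direct identifiers;
# a limited data set (45 CFR 164.514(e)) removes them too.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "email", "phone", "fax",
    "biometric", "photo", "street_address",
}
# Quasi-identifiers a limited data set may keep under a data use agreement, but
# which Safe Harbor drops or generalizes.
QUASI_IDENTIFIERS = {"city", "state", "zip", "birth_date", "admit_date", "age"}

# Three-digit ZIP prefixes covering 20,000 or fewer people must become "000"
# under Safe Harbor. This set is a placeholder assumption (HHS guidance based on
# the 2000 census); verify against current Census Bureau data before relying on it.
SMALL_POPULATION_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                         "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Heuristic patterns for identifiers that leak into free-text fields (constructed;
# a real deployment needs a reviewed scrubber, not three regexes).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\bMRN\s*\d+\b", re.IGNORECASE), "[MRN]"),
]


def generalize_zip(zip5: str) -> str:
    """Keep only the first three digits, or 000 for small-population prefixes."""
    prefix = zip5[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix


def generalize_date(iso_date: str) -> str:
    """Strip everything but the year from an ISO 8601 date (YYYY-MM-DD)."""
    return iso_date[:4]


def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def scrub_free_text(text: str) -> str:
    """Replace identifier-shaped substrings in narrative fields with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict[str, Any], mode: str = "safe_harbor") -> dict[str, Any]:
    """Return a copy of record with identifiers removed per the chosen standard.

    mode="safe_harbor": drop direct identifiers and city, generalize ZIP/dates/age.
    mode="limited":     drop direct identifiers only (limited data set; needs a DUA).
    """
    if mode not in ("safe_harbor", "limited"):
        raise ValueError(f"unknown mode {mode!r}")
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # both standards remove the direct identifiers outright
        if mode == "safe_harbor" and key in QUASI_IDENTIFIERS:
            if key == "city":
                continue  # subdivisions smaller than a state go; state may stay
            if key == "zip":
                value = generalize_zip(value)
            elif key.endswith("_date"):
                value = generalize_date(value)
            elif key == "age":
                value = generalize_age(value)
        if isinstance(value, str):
            value = scrub_free_text(value)  # identifiers hidden in narrative text
        out[key] = value
    return out


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "ssn": "123-45-6789",
    "mrn": "000112233",
    "street_address": "1000 Hilltop Cir",
    "city": "Baltimore",
    "state": "MD",
    "zip": "21250",
    "birth_date": "1931-04-12",
    "admit_date": "2024-05-03",
    "age": 93,
    "diagnosis": "I10",
    "notes": "Pt SSN 123-45-6789; contact 410-555-0123 or jane@example.org. MRN 000112233.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, "safe_harbor"))
    print(deidentify(SAMPLE_RECORD, "limited"))
```

Running the two modes on the same record makes the practical difference visible: the Safe Harbor output keeps only state, a three-digit ZIP, years, and a capped age, while the limited data set output still carries the full ZIP, city and dates, which is why it may only leave the covered entity under a signed data use agreement. Note that structured-field removal alone is not enough; the notes field shows why free text has to be scrubbed (or excluded) as well.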
Please note that a waiver of authorization is similar to the IRB’s waiver of informed consent. A waiver of authorization does not mean the research is exempt from HIPAA’s privacy regulations; it only means the researcher does not need signed authorization from each research subject.
Retrospective records review requires both an IRB-approved Waiver of Informed Consent and a Waiver of Authorization.
To qualify for Waiver of Authorization, investigators should indicate that:
- The research use of the health information involves no more than a minimal risk to the privacy of the subjects
- The research could not practicably be conducted without access to and use of the requested health information
- It would not be practicable to obtain signed authorizations from the research subjects
- The specific elements of health information requested are no more than the minimum necessary to accomplish the goals of the study.
HIPAA Authorization Templates
Authorization to use and/or disclose PHI
Investigators who have questions about how HIPAA applies to their research may contact the Office of Research Protections and Compliance at 5-2737 or compliance@umbc.edu.