What HIPAA Means To Researchers & IRBs
University of Kentucky/Office of Research Integrity
Joe R. Brown, MHS, RHIA & Ada Sue Selwitz, MA
WHAT IS HIPAA?
HIPAA stands for the Health Insurance Portability & Accountability Act of 1996. HIPAA is also
known as the Kennedy-Kassebaum Act. [1]
HIPAA calls for:
- Standardization of electronic patient health, administrative and financial data;
- Unique identifiers for individuals, employers, health plans and health care providers;
- Security standards protecting the confidentiality and integrity of health information. [1]
HIPAA & Privacy Rule:
The Privacy Rule for HIPAA was published on August 14, 2002, and its regulations affect
researchers and IRBs. The Privacy Rule establishes privacy standards to protect a person's
health information. [1]
Privacy Standards:
- Limits the use and disclosure of health information;
- Gives patients the right to access their medical records and to receive an accounting of who accessed their health information;
- Allows patients to request amendments to their medical records and to place restrictions on uses and disclosures;
- Restricts most disclosures of health information to the minimum necessary for the intended purpose;
- Establishes criminal and civil penalties for improper use or disclosure;
- Establishes new requirements for access to records by researchers. [1]
Penalties For Improper Disclosure:
The Privacy Rule restricts disclosure of health information for specific purposes and establishes
criminal and civil penalties for improper disclosure and/or use. Fines can go as high as:
- $25,000 for multiple violations in the same year;
- $250,000 and/or up to 10 years imprisonment for knowingly misusing a person's protected health information. [1]
Compliance Date:
The Privacy Rule became effective on April 14, 2003; however, federal regulations allow an
additional year for business associate contracts (contracts under which one party performs a
function or activity involving the use of protected health information (PHI)). Business associate
contracts must meet the HIPAA requirements before April 14, 2004.
HOW DO RESEARCHERS ACCESS PATIENT INFORMATION?
Researchers who want access to protected health information (PHI) must request the
information from, and meet the requirements of, the covered entity, which in this case is the
University of Kentucky. The Privacy Rule allows PHI to be released if the
request meets one of the following six conditions:
- A patient authorization is obtained;
- Authorization requirement is waived by IRB/Privacy Board;
- Information is collected only for preparatory work for research;
- Only a limited data set is collected and accompanied with a data use agreement;
- Only decedent PHI is being collected;
- Information requested is “de-identified.”
Each of these six conditions is discussed below.
1. Accessing Information through Patient Authorization (Section 164.508)
A researcher may use or disclose protected health information with a valid authorization. A valid
authorization must have the following elements:
A. Core Elements and Required Statements
- A description that identifies the information in a specific and meaningful fashion; and
- The name of the person(s) authorized to make the requested use or disclosure; and
- The name of the person(s) to whom the covered entity may make the requested use or
disclosure; and
- A description for every requested use or disclosure; and
- An expiration date or an expiration event that relates to the use or disclosure. The
statement "end of the research study," "none," or similar language is sufficient if the
authorization is for research; and
- A description of how the individual may revoke the authorization and the exceptions to
the revocation; or a copy of the Privacy Notice which explains how to revoke the
authorization and the exceptions to the revocation; and
- Statement that a subject's treatment, payment or enrollment in any health plan, or their
eligibility for benefits, will not be affected if they refuse to sign the authorization; and
- Statement that the subject may not participate in the research study if they refuse to sign the
authorization; and
- Explanation that information disclosed for the authorization may no longer be protected
when redisclosed by the recipient.
- Signature of the individual and date. If a personal representative signs the authorization,
a description of the representative's authority must be provided.
B. Additional Authorization Requirements
- The authorization must be written in plain language.
- The subject must be given a copy of the signed authorization.
C. Combining the Authorization with the Consent Form
- The revised Privacy Rule allows an authorization to be combined with a research
consent form.
D. Research Uses/Disclosures Where An Authorization Is Not Required (164.512)
FDA-regulated research does NOT require an authorization for the following activities:
- Collecting and reporting adverse events; or
- Tracking FDA-regulated products; or
- Enabling product recalls, repairs, replacement, and look-backs; or
- Conducting post-marketing surveillance.
2. Accessing Information Through A Privacy Board/IRB Approved Waiver (Section
164.512)
A researcher may access PHI through a waiver, but the waiver must satisfy the following criteria:
- The use or disclosure of PHI involves no more than a minimal risk to the privacy of
individuals; and
- The use or disclosure must include a plan to protect PHI from improper use/disclosure;
and
- The use or disclosure must include a plan to destroy PHI at the earliest opportunity
unless there is justification for retaining the information; and
- The researcher must submit written assurances that PHI will not be reused or disclosed
to third parties unless required by the research study or by law enforcement agencies; and
- The research could not practicably be conducted without the waiver; and
- The research could not practicably be conducted without access to and use of PHI.
3. Accessing Information for Preparatory Work for Research (Section 164.512)
A researcher may review PHI for preparatory work for research without an authorization. In
order to view PHI, the researcher must submit a request to the entity documenting that:
- reviewing protected health information is necessary to prepare a research protocol; and
- information will not be removed by the researcher during the review; and
- the information is necessary for research purposes.
4. Accessing Information through Limited Data Sets (Section 164.514)
A. A covered entity may use or disclose a limited data set only if the covered entity obtains
satisfactory assurance, in the form of a data use agreement, that the information will only
be:
- used for research, public health, or health care operations;
- disclosed to business associates;
- used/disclosed for limited purposes by the recipient.
B. A limited data set is protected health information that excludes the following direct
identifiers:
- Names;
- Postal address information, other than town or city, State, and zip code;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints; and
- Full face photographic images and any comparable images.
C. Data use agreements must:
- Establish the permitted uses and disclosures by the recipient;
- Establish who is permitted to use or receive the limited data set; and
- Provide that the limited data set recipient will:
- Not use/disclose the information other than as permitted by the data use agreement
or required by law;
- Use appropriate safeguards to prevent use/disclosure other than as provided for by
the data use agreement;
- Report to the covered entity any use/disclosure not stated in the data use
agreement;
- Ensure that any agents, including subcontractors, agree to the same restrictions
and conditions that apply to the limited data set recipient; and
- Not identify the information or contact the individuals.
5. Accessing Information on Deceased Persons (Section 164.512)
A researcher may review PHI from deceased persons without authorization. For this
information, the researcher must submit a request to the entity stating that:
- the use/disclosure of PHI is for research purposes only; and
- the information is necessary for research purposes; and
- the person is deceased and providing documentation that the person is deceased.
6. Accessing Information through De-identification (Section 164.514)
De-identified health information is health information that contains nothing that would allow
a researcher to identify a person. It may be released without an authorization, and its release
is exempt from HIPAA requirements. A covered entity may
de-identify PHI only if:
A. A statistician, or other qualified expert, de-identifies PHI through generally accepted
statistical and scientific methods and:
- determines that the risk of re-identifying the information is very small; and
- documents the methods and results of the analysis that justify such determination; or
B. De-identifying PHI by removing all of the 18 identifiers listed below:
- Names;
- All geographic subdivisions smaller than a State, including street address, city, county,
precinct, zip code, and their equivalent geocodes;
- All elements of dates (except year) for dates directly related to an individual, including
birth date, admission date, discharge date, date of death;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images;
- Any other unique identifying number, characteristic, or code.
C. To release any information without a patient authorization, the entity cannot have actual
knowledge that the de-identified information could be used to identify an individual.
D. A covered entity may assign a code to allow re-identification of PHI, provided that:
- The code or other means of record identification is not derived from or related to
information about the individual and cannot be used to identify the individual; and
- The entity does not use/disclose the code for any other purpose; and
- The covered entity does not disclose the re-identification code.
Please note that de-identification only satisfies the HIPAA requirements and not the IRB
requirements. At the University of Kentucky, IRB review is required for research projects even
when the protocol does not require identifiers.
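The following is an added example, not part of the University of Kentucky document, showing how the two data-reduction rules above differ in practice: the limited data set of Section 4 (direct identifiers removed, but city, State, zip code and full dates retained, released only under a data use agreement) and the Safe Harbor de-identification of Section 6.B (all 18 identifier categories removed, dates reduced to the year, geography reduced to the State), plus a re-identification code as in Section 6.D that is random rather than derived from anything about the individual. The field names and every value in the sample record are constructed; the code follows the identifier lists exactly as this page gives them.

```python
# Added example (not from the University of Kentucky document): limited data set vs.
# Safe Harbor de-identification, applied to a constructed record. Field names and
# sample values are assumptions for illustration only.
import secrets

# Direct identifiers a limited data set must exclude (the Section 164.514 list on this page).
# Geography and dates are kept out of this set because the two rules treat them differently.
DIRECT_IDENTIFIERS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# Safe Harbor also removes every geographic subdivision smaller than a State ...
GEO_BELOW_STATE = {"street", "city", "county", "precinct", "zip"}
# ... and all elements of dates directly related to the individual except the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed sample record; every value is fictitious.
RECORD = {
    "name": "Jane Q. Sample",
    "street": "123 Elm St",
    "city": "Lexington",
    "state": "KY",
    "zip": "40506",
    "birth_date": "1975-03-14",
    "admission_date": "2003-04-14",
    "phone": "859-555-0100",
    "email": "jane.sample@example.com",
    "mrn": "MRN-0001234",
    "diagnosis_code": "E11.9",
    "lab_glucose_mg_dl": 142,
}


def make_limited_data_set(record):
    """Limited data set (Section 4): strip the direct identifiers but keep
    town/city, State, zip code and full dates. Release requires a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def de_identify_safe_harbor(record, other_unique_fields=()):
    """Safe Harbor de-identification (Section 6.B): drop all 18 identifier categories.
    `other_unique_fields` names any study-specific field that falls under
    'any other unique identifying number, characteristic, or code'."""
    out = {}
    for k, v in record.items():
        if k in DIRECT_IDENTIFIERS or k in GEO_BELOW_STATE or k in other_unique_fields:
            continue
        if k in DATE_FIELDS:
            out[k + "_year"] = str(v)[:4]  # keep only the year of an ISO YYYY-MM-DD date
            continue
        out[k] = v
    return out


def remaining_identifiers(record):
    """Check before release: which identifier fields are still present? Empty list means clean."""
    return sorted(k for k in record if k in DIRECT_IDENTIFIERS | GEO_BELOW_STATE | DATE_FIELDS)


def assign_reidentification_code(record, deidentified, key_map):
    """Section 6.D: attach a re-identification code that is random, so it is not derived
    from or related to information about the individual. key_map (code -> original MRN)
    is the covered entity's key; it stays with the entity and is never released with the data."""
    code = secrets.token_hex(8)
    while code in key_map:  # vanishingly unlikely collision, but keep codes unique
        code = secrets.token_hex(8)
    key_map[code] = record["mrn"]
    coded = dict(deidentified)  # do not mutate the caller's copy
    coded["record_code"] = code
    return coded


if __name__ == "__main__":
    lds = make_limited_data_set(RECORD)
    deid = de_identify_safe_harbor(RECORD)
    key_map = {}
    released = assign_reidentification_code(RECORD, deid, key_map)
    print("limited data set:", lds)
    print("safe harbor release:", released)
    print("identifier fields still present:", remaining_identifiers(released))
```

The point to notice is what the limited data set still carries: city, zip code and the full birth and admission dates survive, which is exactly why that form can only leave the entity under a data use agreement, whereas the Safe Harbor output keeps the State and the year alone. The `key_map` is the entity's own re-identification key and belongs in separate, access-controlled storage, never in the released file.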
ADDITIONAL INFORMATION THAT RESEARCHERS SHOULD KNOW
HIPAA also affects the following areas:
Specimens And Tissue Samples Which Include PHI:
Research involving specimens and tissues that include accompanying PHI is covered under
HIPAA.
Business Associate Contracts (Section 164.504)
A business associate contract is a contract between two parties under which one party performs a
function or activity involving the use or disclosure of PHI. The University of Kentucky's legal
counsel must approve all business associate contracts. Please contact Ned Benson at 323-
1161 for additional information.
Accounting of Disclosures (Section 164.528):
The Privacy Rule gives an individual the right to receive an accounting of disclosures of PHI
made by an entity, with the exception of certain disclosures. The accounting of disclosures
applies to waiver of authorization, preparatory research, research on decedent data, disclosure
to public health authorities, and disclosures mandated by law.
Minimum Use Disclosures (Section 164.514):
An entity must limit the amount of PHI disclosed to recipients to the “minimum necessary” to
achieve the purposes desired. The minimum necessary standards apply pursuant to a waiver of
authorization, use/disclosure of decedent's data, uses preparatory to research and limited data
sets.
HIPAA & IRB Human Protection Regulations:
HIPAA does not override IRB requirements. When HIPAA and human subject protection
regulations apply, both sets of requirements must be followed.
Additional Information about HIPAA can be found at:
- UKCMC's HIPAA web site: http://www.mc.uky.edu/compliance/HIPAA/HIPAA.htm
- UKCMC's HIPAA listserv: UKCMC-HIPAA@lsv.uky.edu
- Privacy Rule (http://www.hhs.gov/ocr/combinedregtext.pdf)
References
- HIPAA Primer (http://www.hipaadvisory.com/regs/HIPAAprimer1.htm)
- Privacy Rule (http://www.hhs.gov/ocr/combinedregtext.pdf)