Protecting Personal Health Information in Research: HIPAA
This site provides researchers with a basic understanding of the "Privacy Rule", a Federal regulation under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and how it may affect health research. For more information, see the United States Department of Health & Human Services publication Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule.

Why Should Researchers Be Aware of the HIPAA Privacy Rule?

Researchers should be aware of the Privacy Rule because it establishes the conditions under which covered entities can use or disclose protected health information (PHI) for many purposes, including for research.

Researchers in medical and health-related disciplines rely on access to many sources of health information, from medical records and epidemiological databases to disease registries, hospital discharge records, and government compilations of vital and health statistics. For this reason, the Privacy Rule may impact various areas of research.


To Whom Does the Privacy Rule Apply and Whom Will it Affect?

The Privacy Rule applies only to covered entities. The Privacy Rule does not apply to research; it applies to covered entities. The rule may affect researchers because it may affect their access to information, but it does not regulate them or research, per se.

Binghamton University is part of the State University of New York. For the purposes of HIPAA, the State University of New York is considered a covered entity. As such, it must ensure that its operations are in compliance with the HIPAA requirements.

The State University of New York has designated itself as a hybrid entity. A hybrid entity performs both covered and non-covered functions as part of its business operations. A covered function is any function whose performance makes the performer a health plan, a health care provider, or a health care clearinghouse.

To gain access for research purposes to PHI created or maintained by covered entities, the researcher may have to provide supporting documentation on which the covered entity may rely in meeting the requirements, conditions, and limitations of the Privacy Rule.


What Health Information is Protected by the Privacy Rule?

With certain exceptions, the Privacy Rule protects a subset of individually identifiable health information, known as protected health information or PHI, that is held or maintained by covered entities or their business associates acting for the covered entity.

Below is a list of the 18 elements that could be used to identify the individual or the individual's relatives, employers, or household members:

1. Names
2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalents.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates indicative of such age.
4. Telephone numbers
5. Facsimile numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Certificate/license numbers
11. Account numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web universal resource locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including fingerprints and voiceprints
17. Full-face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code


How Can Covered Entities Use and Disclose Protected Health Information (PHI) for Research and Comply with the Privacy Rule?

The Privacy Rule allows covered entities to use and disclose PHI for research if authorized to do so by the subject in accordance with the Privacy Rule. In addition, in certain circumstances, the Rule permits covered entities to use and disclose PHI without Authorization for certain types of research activities. For example, PHI can be used or disclosed for research if a covered entity obtains documentation that the Human Subjects Research Review Committee (HSRRC) or Privacy Board (Binghamton University has designated the HSRRC as the Privacy Board) has waived the requirement for Authorization or allowed an alteration. The Rule also allows a covered entity to enter into a data use agreement for sharing a limited data set. There are also separate provisions for how PHI can be used or disclosed for activities preparatory to research and for research on decedents' information.

De-identifying PHI under the Privacy Rule

Covered entities may use or disclose health information that is de-identified without restriction under the Privacy Rule. Covered entities seeking to release this health information must determine that the information has been de-identified using either statistical verification of de-identification or by removing certain pieces of information from each record as specified in the Rule.

The Privacy Rule allows a covered entity to de-identify data by removing all 18 elements. The covered entity also must have no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information.

Covered entities may also use statistical methods to establish de-identification instead of removing all 18 identifiers. The covered entity may obtain certification by "a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable". The person certifying statistical de-identification must document the methods as well as the result of the analysis that justifies the determination. A covered entity is required to keep such certification, in written or electronic format, for at least 6 years from the date of its creation or the date when it was last in effect, whichever is later.
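As an added example (not code from the page or from Binghamton University), the following Python filter applies the removal-based method described above to a constructed sample record: it drops or generalizes the listed elements (geography below state, dates reduced to year, ages over 89 collapsed into a single 90-or-older bucket, which the regulation permits) and then scans the remaining free text for identifier shapes, as a mechanical aid to the "no actual knowledge" determination. The field names and the small regex set are assumptions of the example, not part of the Rule.

```python
import re

# Constructed sample record (not real patient data); comments give the page's element number.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",                # 1 names
    "street": "12 Example Lane",              # 2 geography smaller than a state
    "city": "Binghamton", "state": "NY", "zip": "13902",
    "birth_date": "1931-05-17",               # 3 dates: only the year may stay
    "admission_date": "2002-11-03",
    "age": 92,                                # 3 ages over 89
    "phone": "607-555-0100",                  # 4
    "email": "jane@example.org",              # 6
    "ssn": "123-45-6789",                     # 7
    "ip_address": "192.0.2.10",               # 15
    "diagnosis": "Hypertension",              # clinical content, retained
    "notes": "Pt asks for callback at 607-555-0100 or jane@example.org.",
}
DIRECT_IDENTIFIER_FIELDS = {"name", "street", "city", "zip", "phone", "email", "ssn", "ip_address"}
DATE_FIELDS = {"birth_date", "admission_date"}             # reduced to year
# Identifier shapes that leak into free text (assumed, minimal set; extend as needed).
RESIDUAL_PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

def safe_harbor_deidentify(record):
    """Return a copy with the listed identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # element removed entirely
        if key in DATE_FIELDS:
            out[key[:-5] + "_year"] = int(value[:4])   # keep the year only
        elif key == "age":
            out[key] = "90+" if value > 89 else value  # single 90-or-older bucket
        elif isinstance(value, str):
            for pattern in RESIDUAL_PATTERNS.values():
                value = pattern.sub("[REDACTED]", value)  # scrub free text
            out[key] = value
        else:
            out[key] = value
    return out

def residual_identifiers(record):
    """Pattern names still found in any string field; empty set means the scan is clean."""
    return {name for value in record.values() if isinstance(value, str)
            for name, pattern in RESIDUAL_PATTERNS.items() if pattern.search(value)}
```

A clean scan is necessary but not sufficient: the covered entity still has to judge whether the remaining fields, in combination with other available data, could identify the subject.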


Authorization for Research Use and Disclosures

A valid Privacy Rule Authorization is an individual's signed permission that allows a covered entity to use or disclose the individual's PHI for the purposes, and to the recipient or recipients, as stated in the Authorization.

Authorization Core Elements:

  • A description of the PHI to be used or disclosed, identifying the information in a specific and meaningful manner.
  • The names or other specific identification of the person or persons (or class of persons) authorized to make the requested use or disclosure.
  • The names or other specific identification of the person or persons (or class of persons) to whom the covered entity may make the requested use or disclosure.
  • A description of each purpose of the requested use or disclosure.
  • Authorization expiration date or expiration event that relates to the individual or to the purpose of the use or disclosure.
  • Signature of the individual and date. If the individual's legally authorized representative signs the Authorization, a description of the representative's authority to act for the individual must also be provided.

Authorization Required Statements

  • A statement of the individual's right to revoke his/her Authorization and how to do so, and, if applicable, the exceptions to the right to revoke his/her Authorization or a reference to the corresponding section of the covered entity's notice of privacy practices.
  • Whether treatment, payment, enrollment or eligibility for benefits can be conditioned on Authorization, including research-related treatment and the consequences of refusing to sign the Authorization, if applicable.
  • A statement of the potential risk that PHI will be re-disclosed by the recipient. This may be a general statement that the Privacy Rule may no longer protect health information disclosed to the recipient.


Waiver or Alteration of the Authorization Requirement

Many health research projects and protocols cannot be undertaken using health information that has been de-identified. Also, it may not be feasible for a researcher to obtain a signed Authorization for all PHI the researcher needs to obtain for the research study.

To address this and other situations that may arise in the course of a research project or protocol, the Privacy Rule contains criteria for waivers or alterations of Authorizations by a Privacy Board. Documentation of that approval must be retained by the covered entity for 6 years from the date of its creation or the date it was last in effect, whichever is later.

For research uses and disclosures of PHI, a Privacy Board may approve a waiver or an alteration of the Authorization requirement in whole or in part. A complete waiver occurs when the Privacy Board determines that no Authorization will be required for a covered entity to use and disclose PHI for a particular research project.


Limited Data Set and Data Use Agreement

The Privacy Rule permits a covered entity, without obtaining an Authorization or documentation of a waiver, to use and disclose protected health information included in a limited data set (a data set that excludes 18 categories of direct identifiers). A covered entity may use and disclose a limited data set for research activities conducted by itself, another covered entity, or a researcher who is not a covered entity if the disclosing covered entity and the limited data set recipient enter into a data use agreement.

A data use agreement is an agreement that establishes the ways in which the information in the limited data set may be used and how it will be protected.

The Privacy Rule requires a data use agreement to contain the following provisions:


What is the Effect of the Privacy Rule on Research Started Before the Compliance Date?

Research that is ongoing before the applicable compliance date (April 14, 2003) is covered by the Privacy Rule's transition provision if the research participant's informed consent, other legal permission for the research use and disclosure, or an HSRRC's waiver of informed consent was obtained by the covered entity before the applicable compliance date for the Privacy Rule.


Conclusion

The Privacy Rule was not intended to impede research. Rather, it provides ways to access vital information needed for research in a manner that protects the privacy of the research subject. The Privacy Rule describes methods to de-identify health information such that it is no longer PHI or governed by the Rule. If de-identified health information cannot be used for research, covered entities can obtain the individual's written permission for research in an Authorization document describing the research uses and disclosures of PHI and the rights of the research subject. When obtaining the Authorization form is not practicable, the HSRRC/Privacy Board could waive or alter the Authorization requirement. The Privacy Rule also provides alternatives to obtaining an Authorization or a waiver or alteration of this requirement, such as limited data sets or the representations provided for certain research activities. The Privacy Rule also contains a provision that "grandfathers" research that is ongoing before the compliance date to facilitate compliance with the Rule.

Because the Privacy Rule is new and introduces new standards for how PHI is handled by covered entities, researchers may have questions about the Rule. Researchers are encouraged to contact Dr. Gary D. James, Chair of the Privacy Board to learn more about how the Privacy Rule affects Binghamton University.
