HIPAA FAQs

Federal Regulations and Guidance
There are multiple federal regulations governing human subject protections in research activities. The majority of research is covered by three sets of regulations: those of the Department of Health and Human Services, the Food and Drug Administration, and the Department of Education. There is a great deal of overlap among these regulations, but they are not identical, and in a limited range of cases important differences exist among them. The main federal office providing guidance on the regulations is the Office for Human Research Protections (OHRP).

Why Should Researchers Be Aware of the HIPAA Privacy Rule?
The Privacy Rule regulates the way certain health care groups, organizations, or businesses, called covered entities under the Rule, handle the individually identifiable health information known as protected health information (PHI). Researchers should be aware of the Privacy Rule because it establishes the conditions under which covered entities can use or disclose PHI for many purposes, including for research. Although not all researchers will have to comply with the Privacy Rule, the manner in which the Rule protects PHI could affect certain aspects of research.
It is important to understand that many research organizations that handle individually identifiable health information will not have to comply with the Privacy Rule because they will not be covered entities. The Privacy Rule will not directly regulate researchers who are engaged in research within organizations that are not covered entities even though they may gather, generate, access, and share personal health information. For instance, entities that sponsor health research or create and/or maintain health information databases may not themselves be covered entities, and thus may not directly be subject to the Privacy Rule. However, researchers may rely on covered entities for research support or as sources of individually identifiable health information to be included in research repositories or research databases. The Privacy Rule may affect such independent researchers, as it will affect their relationships with covered entities.
http://privacyruleandresearch.nih.gov/pdf/HIPAA_Privacy_Rule_Booklet.pdf (NIH publication)

For additional information on how to comply with the HIPAA regulations, see the following FAQs.


What is Protected Health Information (PHI)?
PHI is health information transmitted or maintained in any form or medium that:

  1. identifies or could be used to identify an individual; and
  2. is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and
  3. relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.


Exempt Records
The following records ARE EXEMPTED from the definition of PHI even though they may contain health-related information:

  1. student records maintained by an educational institution, and
  2. employment records maintained by an employer related to employment status.

If your study uses these kinds of records, it is not subject to HIPAA. However, existing HRRC rules on informed consent and confidentiality still apply.

Ways researchers can perform HIPAA-compliant research with PHI

  1. Obtain the research participant's authorization — use an authorization form that includes the required HIPAA authorization language. (It must be approved by the IRB prior to use, similar to a consent form.) This is the recommended approach.
  2. Obtain an HRRC waiver or alteration of subject authorization—if the research is minimal risk to subjects and meets criteria for waiver or alteration.
  3. Use a Limited Data Set — PHI that excludes direct identifiers of the individual or of relatives, employers, or household members of the individual.
  4. Use De-identified Data — health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. (Also see: When is data "de-identified"?)
  5. Use (but not disclose) PHI in work preparatory to research — feasibility review only; NOT pilot studies.
  6. Use or disclosure of decedents' PHI is acceptable without #1 or #2.


Using Authorization Forms
If a study using/disclosing PHI is going to use/disclose this PHI by means of a subject authorization (the most common and recommended means), you should be aware of the following:

  • The authorization form needs to be submitted to the HRRC along with the HRRC application form and Appendix H for HRRC review. Use our Authorization Form Template filled in with your study specifics.
  • Two copies of the authorization form require the subject's or authorized representative's signature:
    1. A copy for the subject to keep, and
    2. A copy for the investigator's records.
  • It is the responsibility of the researcher to keep this authorization form in their records for 3 years and assure that it is completed correctly.


Obtaining Authorization Form Waivers or Alterations
For research uses and disclosures of PHI, the HRRC may approve a waiver or an alteration of the Authorization requirement in whole or in part. A complete waiver occurs when the IRB determines that no Authorization will be required for a covered entity to use and disclose PHI for a particular research project.
If a researcher has used or disclosed PHI for research with an IRB approval of waiver or alteration of Authorization, documentation of that approval must be retained by the researcher for 3 years from the date of the closure of the study.

Also see: How do I qualify for a waiver of authorization?


Using Data that is De-Identified
Researchers may use or disclose health information that is de-identified without restriction under the Privacy Rule.
Covered entities seeking to release this health information must determine that the information has been de-identified using either statistical verification of de-identification OR by removing the 19 identifiers from each record as specified in the Rule.


When is health-related information considered PHI?
Health-related information is considered PHI if any of the following are true:

  1. The researcher obtains it directly from a provider, health plan, health clearinghouse or employer (other than records relating solely to employment status);
  2. The records were created by any of the entities in "1" and the researcher obtains the records from an intermediate source which is NOT a school record or an employer record related solely to employment status; OR
  3. The researcher obtains it directly from the study subject in the course of providing treatment to the subject.

Health-related information is not considered PHI if the researcher obtains it from:

  1. student records maintained by a school;
  2. employee records maintained by an employer related to employment status; OR
  3. the research subject directly, if the research does NOT involve treatment.

Am I required to get a signed Authorization Form at the time I get the signed consent form?

It is not required to get the HIPAA Authorization at the time of consent, but it is the most practical time.


Are any health records exempted from the definition of PHI?
The following records ARE EXEMPTED from the definition of PHI even though they may contain health-related information:

  1. student records maintained by an educational institution
  2. employment records maintained by an employer related to employment status.

Studies that use these kinds of records are not subject to HIPAA. However, existing IRB rules on informed consent and confidentiality still apply.


When is data “de-identified”?
Data is considered de-identified under HIPAA when none of the following elements are present:

  1. Name
  2. All geographic subdivisions smaller than a state (street address, city, county, precinct). Note: the zip code or its equivalent must be removed, but the first 3 digits may be retained if the geographic unit to which those 3 digits apply contains more than 20,000 people.
  3. All elements of dates (except year) directly related to the individual, e.g. date of birth, admission date, discharge date, date of death.
  4. All ages over 89 or dates indicating such an age
  5. Telephone number
  6. Fax number
  7. Email address
  8. Social Security Number
  9. Medical Record Number
  10. Health Plan Number
  11. Account Numbers
  12. Certificate or license numbers
  13. Vehicle identification/serial numbers, including license plate numbers
  14. Device identification/serial numbers
  15. Universal Resource Locators (URLs)
  16. Internet Protocol (IP) addresses
  17. Biometric Identifiers
  18. Full face photographs and comparable images
  19. Any other unique identifying number, characteristic or code


What identifiers must be removed from a limited-data set?

  1. Names
  2. Postal address information other than town/city, state and zip.
  3. Telephone number
  4. Fax number
  5. Email address
  6. Social security number
  7. Medical record number
  8. Health plan number
  9. Account numbers
  10. Certificate or license numbers
  11. Vehicle identification/serial numbers, including license plate numbers
  12. Device identification/serial numbers
  13. Universal resource locators (URL)
  14. Internet protocol (IP) addresses
  15. Biometric identifiers, including finger and voice prints
  16. Full face photographs and comparable images

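The two checklists above (the 19 de-identification elements and the limited-data-set exclusions) applied to a record, as an added Python example that is not code from the original page. The field names, the 3-digit zip population table and the sample record are constructed assumptions; the 19-element removal method is what the Privacy Rule calls the Safe Harbor method, and reporting an age over 89 as "90+" follows standard Safe Harbor practice.

```python
from datetime import date

# Field names are assumptions for this example. Dropped outright under Safe Harbor:
SAFE_HARBOR_DROP = frozenset({
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_no", "license_no", "vin", "device_serial",
    "url", "ip", "biometric", "photo", "other_unique_id",
})
# A Limited Data Set may keep town/city, state, full zip and dates.
LIMITED_SET_DROP = SAFE_HARBOR_DROP - {"city"}
DATE_FIELDS = ("dob", "admit_date", "discharge_date", "death_date")  # ISO YYYY-MM-DD
# Constructed population figures for 3-digit zip prefixes (NOT real Census data).
ZIP3_POPULATION = {"021": 600_000, "036": 12_000}

def age_in_years(dob_iso, as_of_iso):
    """Completed years between two ISO dates."""
    dob, as_of = date.fromisoformat(dob_iso), date.fromisoformat(as_of_iso)
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))

def safe_harbor(record, as_of_iso):
    """Return a copy of record reduced to the Safe Harbor de-identified form."""
    out = {k: v for k, v in record.items() if k not in SAFE_HARBOR_DROP}
    # Element 2: zip is removed; its first 3 digits stay only if the area > 20,000 people.
    if "zip" in out:
        prefix = out.pop("zip")[:3]
        if ZIP3_POPULATION.get(prefix, 0) > 20_000:
            out["zip3"] = prefix
    # Elements 3 and 4: dates keep only the year; an age over 89 becomes "90+" and
    # the birth year goes with it, since a year of birth alone would indicate the age.
    age = age_in_years(record["dob"], as_of_iso)
    if age > 89:
        out.pop("dob", None)
        out["age"] = "90+"
    else:
        out["age"] = age
    for field in DATE_FIELDS:
        if field in out:
            out[field] = int(out[field][:4])
    return out

def limited_data_set(record):
    """Return a copy of record as a Limited Data Set (direct identifiers removed)."""
    return {k: v for k, v in record.items() if k not in LIMITED_SET_DROP}

# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Doe", "street": "12 Elm St", "city": "Boston", "state": "MA",
    "zip": "02115", "dob": "1919-05-04", "admit_date": "2010-03-02",
    "phone": "617-555-0100", "mrn": "MRN-000123", "diagnosis": "I10",
}
```

Note that the Limited Data Set output still contains dates and a full zip code, which is why it remains PHI and requires a data use agreement rather than being freely usable like the Safe Harbor output.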

Is a HIPAA Authorization the same as the consent form?
No. An Authorization differs from an informed consent in that an Authorization focuses on the privacy risks and states how, why, and to whom the PHI will be used and/or disclosed for research. An informed consent, on the other hand, provides research subjects with a description of how the confidentiality of records will be protected, among other things.


How do I qualify for a waiver of authorization?
(Approvals for waivers or alterations will be rare and in most cases researchers are advised to use an Authorization Form with their subjects to use/disclose PHI. HRRC approval is required for this Authorization Form - similar to consent forms.)
The following criteria must be met to qualify for a waiver:
The use or disclosure of protected health information involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

  • An adequate plan to protect the identifiers from improper use and disclosure;
  • An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
  • Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
  • The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;
  • The research could not practicably be conducted without the alteration or waiver; and
  • The research could not practicably be conducted without access to and use of the protected health information.

The HRRC maintains the authority to make the final decision if a study meets the aforementioned criteria.


Do minors need to sign a separate HIPAA authorization?
Yes. The minor's parent or legal guardian must sign a HIPAA authorization on the minor's behalf. You can use the same HIPAA authorization for minors that you would use for adults. HIPAA does NOT have an added assent requirement for minors.


Do subjects receive a copy of the Authorization Form as they do a consent form?
Yes. Subjects must receive a signed copy of the authorization.


Can authorization be revoked by the subject?
Yes, a subject can revoke his/her authorization at any time in writing. Data already collected under the authorization can be used to a limited extent if necessary to preserve the integrity of the research.


Page last modified August 17, 2010