HIPAA

HIPAA is the Health Insurance Portability and Accountability Act of 1996. HIPAA requires many things, including the standardization of electronic patient health, administrative and financial data. It also establishes security and privacy standards for the use and disclosure of "protected health information" (PHI).


The HIPAA Privacy Rule:

  • Establishes conditions under which PHI can be used within an institution and disclosed to others outside it;
  • Grants individuals certain rights regarding their PHI;
  • Requires that institutions maintain the privacy and security of PHI.

This guide addresses HIPAA's requirements related to uses and disclosures of PHI for research purposes. It does not cover HIPAA's requirements related to uses and disclosures of PHI for other purposes (such as treatment, payment, or health care operations).

HIPAA’s regulatory provisions apply to the use and disclosure of protected health information (PHI). PHI is defined as individually identifiable health information that is created or received by a HIPAA “covered entity” (see definition below).

Health information includes any information, whether oral or recorded in any form, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for health care to an individual.

PHI is considered individually identifiable if it includes one or more of the following identifiers:
  1. Names
  2. All geographic subdivisions smaller than a State, including:
    • street address
    • city
    • county
    • precinct
    • zip codes and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly-available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. Telephone numbers
  4. Fax numbers
  5. Email addresses
  6. Social Security numbers
  7. Medical record numbers
  8. Health plan beneficiary numbers
  9. Account numbers
  10. All elements of dates (except year) for dates related to an individual, including:
    • birth date
    • admission date
    • discharge date
    • date of death
    • all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying numbers, characteristics, or codes

The Research Authorization Form should be carefully prepared by the Principal Investigator to ensure that the form is complete and covers the necessary uses and disclosures of “Protected Health Information”. The Research Authorization form must be presented to the IRB office along with the protocol submission.

“Who will disclose, receive, and/or use the information?”  Please list every person, class of persons, or organization (including government agencies, companies, etc.) who might create, disclose, receive, and/or use the information in connection with the particular study listed on the form. Check the boxes on the form, as appropriate. If a person or organization is not included on this authorization form, that person or organization may not receive PHI or create or use PHI in connection with this Study, and that person or organization may be unable to disclose a subject’s PHI to any other party in connection with the Study.

“What information will be used or disclosed?” Describe the PHI in a way that allows both the prospective subject, and any person or organization that must use or disclose information pursuant to this authorization, to understand what information may be used or disclosed

For example, acceptable descriptions would be “laboratory results from July 2002,” “all laboratory results,” or “results of MRI performed in July 2002.” The language used should be clear to any reader, including the research subject.

Investigators may access PHI in activities that are "preparatory to research." This type of access is limited to a review of data to assist in formulating a hypothesis, determining the feasibility of conducting the study, or other similar uses that precede the development of an actual protocol.

While an investigator may review PHI during the course of a review preparatory to research, he or she may not remove, copy, or include any PHI in notes. Investigators may not use PHI to identify potential research subjects by name or by any other HIPAA identifier. However, investigators may write down and remove summary data (e.g., number of individuals with a certain disease).

Before accessing PHI for a review preparatory to research, a researcher must provide written assurances to the holder of the PHI that the review of the PHI is necessary to prepare a research protocol and that the PHI will not be removed by the researcher from the entity. No further review or approval is required.

Researchers wishing to conduct activities preparatory to research using Bridgeport Hospital medical records, imaging studies, pathology information, lab information, etc., must do so through helix.ynhh.org.
If the research study involves PHI and certain other conditions exist, the researcher may request, and the IRB may grant, a waiver of HIPAA authorization.

A waiver of HIPAA authorization is permitted only when all of the following exist:

  • The research could not be practicably conducted without the waiver.
  • The research could not be practicably conducted without access to and use of PHI.
  • The researcher provides written assurance to the IRB that the PHI will not be re-used or disclosed (except as required by law, or for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by the HIPAA Privacy Rule).
  • The use(s) and/or disclosure(s) of PHI will be limited to the minimum necessary standard.
  • The use(s) and/or disclosure(s) involve no more than minimal privacy risk to the subjects.
  • The IRB has reviewed and approved the proposed use(s) and disclosure(s) of PHI.
Researchers can request a waiver by submitting the request completing the request for HIPAA Waiver and submitting to the IRB for review and approval. The following must be clearly articulated in the waiver application:

  • A description of the plan to destroy the identifiers as quickly as possible.
  • A description of the plan to track disclosures.
De-identified data are data that contain none of the 18 HIPAA identifiers listed in the "What is PHI?" section. If all of the 18 identifiers are removed, the information is no longer (1) individually identifiable, (2) PHI, and (3) subject to HIPAA's requirements. A de-identified data set may be coded with a unique identifier that cannot be traced back to the individual for the purpose of being re-identified by the recipient at a later date. De-identified data may include gender, age, race, or relevant information regarding disease or tissue source and can later be re-identified, by the original holder of the data, if necessary, by means of a unique, non identifiable, code for purposes of carrying out research. It is important to remember that re-identification will subject the information to HIPAA's requirements. A researcher must resubmit the protocol to the IRB for approval when re-identification of the data is desired.

A data set may also be considered de-identified if an expert in statistical and scientific methods determines and documents that the methods used to de-identify or code the data present a very small risk that the information can be used alone or in combination with other reasonably available information to identify an individual.

"Anonymous" data are not necessarily considered de-identified under HIPAA. Anonymity under the federal Common Rule requires that individuals cannot be readily ascertained by the investigator and cannot be associated with the data. According to the Common Rule standard, anonymous data may retain dates of treatment. Under HIPAA's more stringent requirements, however, such data would be considered identifiable data.
Some studies may need to retain a limited number of identifiers and, thus, not meet the strict HIPAA definition of "de-identified data." However, these studies may present only minimal potential for identifying participants based on the data set. In such circumstances, HIPAA permits use of a "Limited Data Set" for research purposes. A Limited Data Set is PHI that excludes "direct identifiers" of the individual, relatives of the individual, employers, or household members.

A limited data set must exclude:

  1. Names
  2. Street Addresses
  3. Phone and Fax Numbers
  4. Email Addresses
  5. Social Security Numbers
  6. Medical Record Numbers
  7. Health Plan Numbers
  8. Account Numbers
  9. Certificate/Licenses Numbers
  10. Vehicle Identifiers/License Plates
  11. Device Identifiers
  12. Web URLS
  13. Internet Protocols (IP)
  14. Full Face Photos
A limited data set may include one or more of the following:

  1. Towns
  2. Cities
  3. States
  4. Zip Code and their equivalent geocodes. (Note that a zip code cannot be used if the area composing the zip code has less than 20,000 citizens.)
  5. Dates including birth and death
  6. Other unique identifying numbers, characteristics, or codes that are not expressly excluded. (Medical record numbers and pathology numbers are excluded.)
  7. Relevant medical information
    The investigator, the holder of the PHI, and their respective institutions, must sign Data Use Agreements, either for access to a Limited Data Set or for the release of a Limited Data Set. The use of a Limited Data Set in a protocol should be specified in the research plan and confidentiality sections. The IRB will acknowledge the use of the Limited Data Set in the letter of IRB Common Rule approval sent to the principal investigator. The letter will state that the research activity cannot begin until the principal investigator has an authorized Data Use Agreement in place.
The collection or maintenance of PHI in databanks or repositories for future research purposes requires an IRB-approved protocol. In addition, research using data from these databanks and repositories must be conducted under an IRB-approved protocol. Since databanks and tissue repositories frequently survive beyond the lifespan of the initial IRB protocol in which the data/tissue is collected, researchers should normally submit the proposed data/tissue banking activities to the IRB in a separate protocol.

The HIPAA Privacy Rule affects activities such as research using identifiable or coded data or biological specimens such as human tissue, DNA, and blood where the researcher controls the coding. The HIPAA Privacy Rule requires an authorization from the subject about whom information is stored or a HIPAA Waiver of Authorization approved by an IRB for the collection of PHI and prior to conducting subsequent studies using PHI. The IRB must review and approve all proposed uses of stored tissues, irrespective of whether or not the secondary use(s) of the banked tissues will include use of HIPAA identifiers.