A HIPAA Refresher for Research
What is HIPAA?
The Health Insurance Portability and Accountability Act (“HIPAA”) governs how healthcare data is shared, both in terms of research and in medical care. It has several components, which govern specific situations.
- Security Rule (45 CFR Part 164): Safeguards to ensure confidentiality, integrity, availability of electronic PHI
- HITECH: Debuted “Breach Notification Rule,” increased penalties for non-compliance
- HHS Omnibus Rule: Extended regulations directly to business associates, required subcontractor compliance
- Breach Notification Rule: Sets rules for notification to HHS and to individuals in the event of breach
Who does HIPAA apply to?
Health Plans (i.e., insurers), Clearinghouses (“billing services”), and Health Care Providers, including hospitals, are considered covered entities under HIPAA. This means that they are required to follow the rules and regulations of HIPAA.
In addition, HIPAA can apply to business associates. Business associates are persons that create, receive, maintain, or transmit protected health information on behalf of a covered entity or another business associate. The role of business associates is to support a covered entity's ability to provide healthcare, and their access to health information is limited to what is necessary to support that work. This work can include payment/healthcare operations activities, claims processing, utilization review, quality assurance, and data analysis/aggregation. HIPAA does not consider research to be a business associate function.
HIPAA Privacy Rule
Protected Health Information is defined as “individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral communication”. This data can be in the context of an individual’s past, present, or future physical or mental health condition; or provision of health care to the individual; or past, present or future payment for providing health care to the individual. It contains enough detail that there is a reasonable basis to believe that the information can be used to identify the individual.
Under HIPAA, a covered entity may not use or disclose protected health information, except as the Privacy Rule permits or requires, or where the individual whose protected health information it is provides written authorization.
There are specific instances where disclosure is permitted without authorization, but those are limited to:
- To the individual
- Treatment, Payment, Healthcare Operation
- Public Interest and Benefit Activities (which includes research with waiver)
- Limited Data Set (with a Data Use Agreement)
Use and Disclosure of Protected Health Information for Research
With authorization (i.e., a HIPAA Authorization embedded into or separate from the Informed Consent Form), protected health information can be used for research purposes.
If the research team does not seek authorization from individuals, protected health information can be accessed through the following processes:
- Documented IRB/Privacy Board Approval of an alteration or waiver of the requirement to obtain an individual’s authorization.
- Representations from researcher that use or disclosure of PHI is solely for a purpose preparatory to research (i.e., preparing a protocol)
- PHI of Decedents
- Limited Data Set
De-identified data is not considered protected health information and is not regulated by the Privacy Rule.
If you have questions specific to your research, please contact our Office of Research Integrity at [email protected]. If you have questions regarding data use agreements, business associates, or other contract vehicles for research, contact our Office of Contracts and Grants Management at [email protected].