Health Insurance Portability and Accountability Act

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and represents efforts by the Federal government to standardize and provide safeguards for the electronic transmission of health information of US citizens, including research subjects.

How does the privacy rule affect research?

Researchers come under this privacy rule and are considered covered entities when their research involves treatment. Investigators must also comply with this rule if they request protected health information (PHI) from covered entities for research purposes. In most instances, HIPAA requires an authorization before PHI can be used or disclosed for research. IRB approved authorization language can be included in the research consent form or it can be approved as a separate document.

Who or what are covered entities?

Covered entities are healthcare providers, health plans, and healthcare clearinghouses, which electronically transmit health information. HIPAA regulations only apply to uses and disclosures of protected health information by covered entities.

What is protected health information (PHI)?

Protected health information is individually identifiable health information that is maintained or transmitted in any form or medium. This includes information on paper, information discussed orally, and information transmitted electronically that could be linked to an individual. HIPAA has identified the following links that must be removed before health information is considered de-identified:
Addresses (all geographic subdivisions smaller than a state)
All elements of date related to an individual except for year
Fax numbers
E-mail address
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers
Medical Device Identifiers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers
Full face photographic images
Any other unique identifying number, characteristic or code

Does HIPAA always require an authorization before a researcher can use or disclose PHI?

No. There are exceptions to the requirement for an authorization. Two important exceptions that apply to research are:  Review of records in preparation for research - PHI may be accessed to prepare a research protocol or to screen records for recruitment. However, no PHI may be removed from the covered entity for the exception to apply. If the investigator is screening records belonging to another covered entity, that investigator cannot contact potential subjects associated with those records.

Does the requirement for an authorization apply to studies that started before April 14, 2003?

HIPAA has a “grandfather” clause for studies that start before the compliance date if the subject has either signed an IRB-approved consent form or has enrolled under an IRB-approved waiver of consent. Investigators are not required to obtain an authorization for use and disclosure of health information from these subjects unless the subjects must be reconsented after HIPAA takes effect. This might occur if the protocol is amended or new risks are discovered. However, investigators must obtain a IRB approved authorization from all new subjects who enroll in open studies on or after April 14, 2003.

What must investigators do to obtain a waiver of authorization from IRB?

IRB has a Waiver of Authorization submission form to allow researchers to access PHI for recruitment. Investigators must send sufficient information to IRB for the Board to determine whether the requirements are met. The investigator must also sign the certification at the bottom of the request form.  Click here for the HIPAA Forms.