Health Insurance Portability and Accountability Act (HIPAA) introduces new standards for protecting the privacy of individuals' identifiable health information.
HIPAA regulations apply to investigators who need to use, for research purposes, individually identifiable health information held by a covered entity or its business associates. Individually identifiable health information means the identity of the subject is or may readily be ascertained by the investigator or associated with the information. Covered entities are defined as: (1) health plans, (2) health care clearing houses, and (3) health care providers who electronically transmit any health information in connection with transactions, for which The Department of Health and Human Services (HHS) has adopted standards (generally, transactions concern billing and payments for insurance coverage). For example, hospitals, academic medical centers, physicians who electronically transmit claims transaction information to a health plan.
For studies, the standard IRB approval process applies. Investigation needs to check ways researchers can perform HIPAA-compliant research.
- For studies that plan to use PHI, PHI Forms will allow you to request this usage by stating that you will use it in accordance with one of four accepted methods (see 1-4 in Ways researchers can perform HIPAA-compliant research).
- For studies that plan to use de-identified data (see When is data "de-identified"?), the approval for this use should be requested using the Screening for Exemption Application Form. Along with the application form, a De-Identified Certification Form must be submitted to the IRB.
What is Protected Health Information (PHI)
PHI is health information transmitted or maintained in any form or medium that:
- identifies or could be used to identify an individual; and
- is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and
- relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.
The following records ARE EXEMPTED from the definition of PHI even though they may contain health-related information:
- student records maintained by an educational institution, and
- employment records maintained by an employer related to employment status.
If your study uses these kinds of records, it is not subject to HIPAA. However, existing IRB and FERPA regulations on informed consent and confidentiality still apply.
More clarification of PHI - See When is Health-related information considered PHI?
Ways researchers can perform HIPAA-compliant research with PHI :
- Obtain Subject Authorization - use of an authorization form that includes required HIPAA authorization language. (It must be approved by the IRB prior to use - similar to a consent form) - recommended
- Obtain an IRB waiver of subject authorization-if the research is minimal risk to subjects and meets criteria for waiver or alteration.
- Obtain an IRB alteration of subject authorization-if the research is minimal risk to subjects and meets criteria for waiver or alteration.
- Use a Limited Data Set - PHI that excludes direct identifiers of the individual or of relatives, employers, or household members of the individual.
- Use De-identified Data - health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. (see When is data "de-identified?)
- Use (not disclosure) PHI in work preparatory to research-feasibility review NOT pilot studies.
- Use or disclosure of decedents' PHI is acceptable without #1 or #2
Using Authorization Forms
If a study using/disclosing PHI is going to use/disclose this PHI by means of a subject authorization (the most common and recommended means), investigators should be aware of the following:
- The authorization form needs to be submitted to the IRB along with the IRB application form and Appendix H for IRB review. Use our Authorization Form Template filled in with your study specifics.
- Two authorization forms require the subject's or authorized representative's signature:
- A copy for the subject to keep, and
- A copy for the investigator's records.
- It is the responsibility of the PI to keep this authorization form in their records for 6 years and assure that it is completed correctly.
Obtaining Authorization Form Waivers or Alterations
For research uses and disclosures of PHI, an IRB may approve a waiver or an alteration of the Authorization requirement in whole or in part. A complete waiver occurs when the IRB determines that no Authorization will be required for a covered entity to use and disclose PHI for a particular research project.
If a researcher has used or disclosed PHI for research with an IRB approval of waiver or alteration of Authorization, documentation of that approval must be retained by the researcher for 6 years from the date of the its creation or the date it was last in effect, whichever is later.
Also see: How do I qualify for a waiver of authorization? in FAQ.
Using Data that is De-Identified
Researchers may use or disclose health information that is de-identified without restriction under the Privacy Rule.