Seton Hall University

HIPAA Frequently Asked Questions



 When is health-related information considered PHI?

Health-related information is considered PHI if (any of the following are true):

  • The researcher obtains it directly from a provider, health plan, health clearinghouse or employer (other than records relating solely to employment status);
  • The records were created by any of the entities listed in the first item above and the researcher obtains the records from an intermediate source which is NOT a school record or an employer record related solely to employment status; OR
  • The researcher obtains it directly from the study subject in the course of providing treatment to the subject.

Health-related information is not considered PHI if the researcher obtains it from:

  • Student records maintained by a school;
  • Employee records maintained by an employer related to employment status; OR
  • Research subject directly, if the research does NOT involve treatment.

Am I required to get a signed Authorization Form at the time I get the signed consent form?

It is not required to get the HIPAA Authorization at the time of consent, but it is the most practical time.

Are any health records exempted from the definition of PHI?

The following records ARE EXEMPTED from the definition of PHI even though they may contain health-related information:

   1. Student records maintained by an educational institution
   2. Employment records maintained by an employer related to employment status.

Studies that use these kinds of records are not subject to HIPAA. However, existing IRB rules on informed consent and confidentiality still apply.

When is data “de-identified”?

Data is considered de-identified under HIPAA when none of the following elements are present:

  1. Name
  2. All geographic subdivisions smaller than a state (street address, city, county, precinct). Note: zip code or equivalents must be removed, but the first 3 digits can be retained if the geographic unit to which the zip code applies contains more than 20,000 people
  3. For dates directly related to the individual, all elements of dates, except year. (date of birth, admission date, discharge date, date of death)
  4. All ages over 89 or dates indicating such an age
  5. Telephone number
  6. Fax number
  7. Email address
  8. Social Security Number
  9. Medical Record Number
  10. Health Plan Number
  11. Account Numbers
  12. Certificate or license numbers
  13. Vehicle identification/serial numbers, including license plate numbers
  14. Device identification/serial numbers
  15. Universal Resource Locators (URLs)
  16. Internet Protocol addresses (IPs)
  17. Biometric Identifiers
  18. Full face photographs and comparable images
  19. Any other unique identifying number, characteristic or code.

What identifiers must be removed from a limited-data set?

  1. Names
  2. Postal address information other than town/city, state and zip.
  3. Telephone number
  4. Fax number
  5. Email address
  6. Social security number
  7. Medical record number
  8. Health plan number
  9. Account numbers
  10. Certificate or license numbers
  11. Vehicle identification/serial numbers, including license plate numbers
  12. Device identification/serial numbers
  13. Universal resource locators (URL)
  14. Internet protocol (IP) addresses
  15. Biometric identifiers, including finger and voice prints
  16. Full face photographs and comparable images

Is a HIPAA Authorization the same as the consent form?

No. An Authorization differs from an informed consent in that an Authorization focuses on the privacy risks and states how, why, and to whom the PHI will be used and/or disclosed for research. An informed consent, on the other hand, provides research subjects with a description of how the confidentiality of records will be protected, among other things.

How do I qualify for a waiver of authorization?

(Approvals for waivers or alterations will be rare and in most cases researchers are advised to use an Authorization Form with their subjects to use/disclose PHI. IRB approval is required for this Authorization Form - similar to consent forms.)

The following criteria must be met to qualify for a waiver:

The use or disclosure of protected health information involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

  • An adequate plan to protect the identifiers from improper use and disclosure;
  • An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
  • Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
  • The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;
  • The research could not practicably be conducted without the alteration or waiver; and
  • The research could not practicably be conducted without access to and use of the protected health information.

The IRB maintains the authority to make the final decision if a study meets the aforementioned criteria. Use PHI Forms Part 3 to apply for a waiver or alteration of authorization and include it with your application form submission to the IRB. 

Do minors need to sign a separate HIPAA authorization?

Yes. The minor's parent or legal guardian must sign a HIPAA authorization on the minor's behalf. You can use the same HIPAA authorization for minors that you would use for adults. HIPAA does NOT have an added assent requirement for minors.

Do subjects receive a copy of the Authorization Form as they do a consent form?

Yes, but subjects must receive a signed copy of the authorization.

Can authorization be revoked by the subject?

Yes, a subject can revoke his/her authorization at any time in writing. Data already collected under the authorization can be used to a limited extent if necessary to preserve the integrity of the research.

What happens to research studies underway or initiated before April 14, 2003?

For studies using IRB-approved consent forms: These studies may continue to collect and use data from subjects enrolled prior to April 14, 2003 without any new documentation requirements. However, studies that will continue to enroll subjects after this date must request approval to collect and use this data.

For studies not using consent forms: If the study will enroll or reenroll subjects (have subject contact) on or after April 14, 2003, see these instructions about what is required to be submitted to the IRB before that date. If the study will not enroll or reenroll subjects on or after April 14, 2003, the study may continue without any additional documentation to the IRB.

How does HIPAA define research?

HIPAA defines research as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.”

This definition is identical to the one used in 45 CFR 46.

What about reviews preparatory to research?

Reviews preparatory to research and research involving the PHI of decedents are two instances that do not require subject authorization.

In addition, for activities involved in preparing for research, covered entities may use or disclose PHI to a researcher without an individual’s Authorization, a waiver or an alteration, or a data use agreement. The covered entity must obtain from a researcher representations that:

  • The use or disclosure is requested solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research,
  • The PHI will not be removed from the covered entity in the course of review, and
  • The PHI for which use or access is requested is necessary for the research.

The covered entity may permit the researcher to make these representations in written or oral form.

A researcher who is an employee or a member of the covered entity’s workforce could use protected health information to contact prospective research subjects, i.e. study recruitment.

What does a researcher have to do to assure compliance with the new requirements?

If planning to use PHI, fill out the PHI Forms as part of the IRB application submission. In the PHI Form, request to use or disclose PHI by means of one of the four following options:

  • Use of a Subject Authorization Form (use of our Authorization Template Form is recommended),
  • An alteration of the Authorization Form
  • A Waiver of Authorization
  • Use of a Data-Use Agreement

Once approved, the Subject Authorization Form must be signed by the subject or their authorized representative.