HIPAA Frequently Asked Questions (FAQs)
HIPAA stands for the Health Insurance Portability & Accountability Act of 1996. HIPAA is also known as the Kennedy-Kassebaum Act.
It calls for:
- Standardization of electronic patient health, administrative and financial data;
- Unique identifiers for individuals, employers, health plans and health care providers;
- Security standards protecting the confidentiality and integrity of health information.
No. HIPAA does not override IRB requirements. After April 14, 2003, you will need to comply with both the Common Rule and the Privacy Rule. Here is a summary of their requirements.
- The Common Rule requires either an informed consent or a waiver of informed consent for any human subjects research. Records review research is usually approved via an expedited review and a waiver of informed consent. The Common Rule allows a waiver only if specific criteria are met.
- The Privacy Rule requires a written authorization or waiver of authorization for access to existing protected health information. It is assumed that most records review will be allowed with a waiver of the authorization. The Privacy Rule allows a waiver of authorization if specific criteria are met.
The rule protects access to individually identifiable health information that is:
- Created or received by a "covered entity" including a health care provider, health plan, or health care clearing house
- That relates to the past, present or future physical or mental health or condition of the individual, or
- That relates to the provision of health care in the past, present or future.
The Privacy Rule gives all individuals, and hence research subjects, a number of new rights. Items 3, 4 and 6 are of particular relevance to research. Under HIPAA everybody can:
- Request access to their health care information
- Request that their health care information be amended
- Receive, upon request, an accounting of all disclosures of their medical information, if they haven't specifically authorized the disclosures (or another exception does not apply)
- Revoke authorization for the use/disclosure of identifiable health information, to the extent the researchers have not already relied on it.
- Request alternative means or places of being contacted (e.g. home vs. work)
- Request restrictions on uses or disclosures (but a covered entity or researcher is not required to agree).
If you are not doing research that requires access to protected health information (PHI), HIPAA and the Privacy Rule will not impact your research. UMass Amherst researchers who need access to their subjects' PHI for research purposes should understand the structure of UMass Amherst as an organization under HIPAA. Under HIPAA, UMass Amherst is a hybrid entity. Researchers outside a covered entity (like most UMass Amherst PIs) must request the covered entity, via a signed authorization from the subject, to "disclose" the subject's PHI to them. This includes requests for review of medical records, except where a waiver has been obtained. Once a covered entity discloses PHI to a researcher outside the covered entity, HIPAA and the Privacy Rule no longer cover those records. However, a researcher outside the covered entity should expect to follow the spirit of the Privacy Rule, as well as the Common Rule, and protect a subject's PHI by providing assurance to the subject in the informed consent document that the PHI will only be used for the purposes described in the informed consent document. The PHI should not be disclosed to any third parties not mentioned in the consent document without prior approval by the subject.
A covered entity is a healthcare provider, health plan, payer, clearing house or any other entity that processes health data electronically. Because of the kind of health information it processes, and the way it is processed, a covered entity must comply with HIPAA and the Privacy Rule. UMass Amherst as an institution is not a covered entity but is considered a hybrid entity. This means that it performs both covered and noncovered functions as part of its business operation, for example the activities of University Health Services (UHS) would be considered covered. Most investigators at UMass Amherst will need authorization from their subjects to allow a covered entity like UHS or Baystate Health to disclose protected health information (PHI) to them. A covered entity must limit the amount of PHI disclosed to recipients to the "minimum necessary."
The Privacy Rule (HIPAA) classifies organizations that generate, use, or need access to protected health information (PHI) into several different organizational formats. These include:
- Hybrid entity
- Affiliated covered entity
- Organized health care arrangement (covered entity)
A "hybrid entity" is an organization that includes one or more "covered entities" (i.e. entities covered by HIPAA) plus has other parts of the organization that are not healthcare providers, health plans, payers, clearing houses, and do not process health data electronically and thus are not covered by HIPAA. UMass Amherst as a whole is a hybrid entity.
The Privacy Rule defines three categories of protected health information (PHI): identifiable information (to which the rule applies), de-identified information (to which the rule does not apply), and a limited data set (a middle option, to which limited parts of the rule apply). Each is explained below.
Identifiable information. The Privacy Rule defines "identifiable" information as information with any personal identifiers, as well as information about an individual, or his or her relatives, household members, or employer that alone or in combination could identify the individual. For more detail, see the list of 18 identifiers that must be removed to de-identify the information.
De-identified information. PHI that has been de-identified may be used without authorization and is not covered by the Privacy Rule. A fact sheet on de-identification is available separately.
Limited data set. This is a data set that is not fully de-identified according to the Privacy Rule regulations. While it excludes 15 of the 18 personal identifiers listed for de-identification, it allows the retention of:
- Dates (e.g., date of birth, admission and discharge date)
- Some geographic information (city, state and zip code but not street address) and other unique codes and characteristics that are not expressly excluded.
Most Privacy Rule requirements do not apply to a limited data set used internally or disclosed (for example, disclosures do not have to be tracked). There are restrictions on the use of limited data sets, including:
- The limited data set option is available only for research, health care operations, and public health purposes.
- In addition, the following two requirements apply:
  - the covered entity may release only the minimum necessary information, so the intended recipient must indicate what is needed; and
  - the recipient must agree to a "data use agreement" which generally describes the permitted uses and disclosures of the information received and prohibits re-identifying or using this information to contact the individuals. A data use agreement is an agreement between the covered entity (perhaps via the Privacy Officer) and the recipient of the data. Note, a data use agreement is required for recipients that are both internal and external to the covered entity.
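The two release tiers described above, worked through as an added example (not part of the original FAQ): a limited data set that keeps dates and city/state/zip but refuses direct identifiers, and a de-identified record that also drops fine geography and reduces dates to the year. Field names and the sample record are constructed; the set of direct identifiers is an assumed subset of the 18 Privacy Rule identifiers, which the FAQ refers to but does not reproduce, and the de-identified tier is a simplification of the full Safe Harbor rules.

```python
"""Release a PHI record as a limited data set or as de-identified data.

Added example, not from the original FAQ. Field names and SAMPLE are
constructed. The limited-data-set rule follows the FAQ (dates and
city/state/zip may be kept, street address and other direct identifiers
may not). DIRECT_IDENTIFIERS is an assumed subset of the 18 Privacy Rule
identifiers; deidentify() keeps only the year of a date and the state,
a simplification of the Safe Harbor method.
"""
from datetime import date

# Assumed subset of the 18 identifiers; any of these is refused in both tiers.
DIRECT_IDENTIFIERS = {"name", "street_address", "phone", "email", "ssn", "mrn"}
# Retained in a limited data set (per the FAQ) but not in de-identified data.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}
FINE_GEOGRAPHY = {"city", "zip"}


def limited_data_set(record: dict, requested: set) -> dict:
    """Minimum necessary: return only the requested fields the tier allows.

    Raises ValueError if a direct identifier is requested, so the data use
    agreement's restriction cannot be bypassed simply by asking for the field.
    """
    blocked = requested & DIRECT_IDENTIFIERS
    if blocked:
        raise ValueError(f"not permitted in a limited data set: {sorted(blocked)}")
    return {f: record[f] for f in requested if f in record}


def deidentify(record: dict) -> dict:
    """Drop direct identifiers and fine geography; reduce dates to the year."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in FINE_GEOGRAPHY:
            continue
        if field in DATE_FIELDS:
            out[field] = value.year if isinstance(value, date) else None
        else:
            out[field] = value
    return out


# Constructed sample record (not real data).
SAMPLE = {
    "name": "Jane Example", "street_address": "1 Sample St", "city": "Amherst",
    "state": "MA", "zip": "01002", "mrn": "MRN-000000",
    "date_of_birth": date(1980, 5, 17), "admission_date": date(2003, 4, 14),
    "diagnosis_code": "J18.9",
}
```

Requesting an unneeded field is the recipient's responsibility under the data use agreement; the function only enforces what the tier itself forbids.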
The Privacy Rule considers coded information to be de-identified if the 18 specific identifiers are coded and the individual cannot reasonably be identified. The Privacy Rule does consider the code itself to be identifiable and hence protected health information. Note, the Common Rule, in contrast to the Privacy Rule, considers coded information to be identifiable. So while access to the coded information alone is not covered by the Privacy Rule, it is covered by the Common Rule and requires IRB review.
The Privacy Notice is a document that describes how the covered entity will use, disclose, and protect a person's health information. Everyone entering the covered entity should receive a copy of this notice, and a good faith effort must be made to have each recipient sign a form attesting to receipt of the notice. An Authorization is a document signed by a person to allow disclosure of their protected health information (PHI) to somebody outside the covered entity that stores the PHI. If you need access to your subjects' PHI you will need a signed Authorization from each subject that explains clearly to the subject what PHI you need to access, how you will use it, and who will see this information. Authorization agreements must be secured from the covered entity providing access to the information.
- Specific and meaningful description of what information will be used or disclosed.
- Identification of who may use or disclose the PHI.
- Identification of to whom the PHI will be disclosed.
- Why the use or disclosure is being made - each purpose must be included.
- Statement regarding how long the use or disclosure will continue. For research purposes no expiration date is required but this must be stated in the authorization.
- Notice that the authorization may be revoked by the subject.
- Notice that the information may be disclosed to others who are not subject to the Privacy Rule.
- Notice that the covered entity may or may not condition treatment or payment on the individual's signature of the authorization.
- Individual's signature and date.
Research subjects have had a longstanding right to revoke their consent to participate in research. In addition, the Privacy Rule permits a subject to revoke permission for researchers to use or disclose his or her identifiable information for research. The researchers must honor this request, except to the extent they have already relied on the permission. For example, if a researcher has already included a person's protected health information (PHI) in an analysis, the analysis can be maintained but the researcher should consult with the IRB regarding the individual's request. In addition, HHS guidance specifies that researchers may "continue using and disclosing protected health information that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study". Researchers may also use or disclose PHI already gathered for purposes such as accounting for the subject's withdrawal, reporting adverse events, or complying with investigations.
Authorization of disclosure for research purposes is not generally required if:
- a waiver of authorization has been approved
- the research is on decedents
- the activity is preparatory to research
- the research involves a limited data set or de-identified health care information
The Privacy Rule permits only the minimum necessary amount of information to be accessed under a waiver for research. You will have to identify and justify the specific identifiable health information you will need to the IRB and the waiver will only apply to this information.
Yes, for studies that require access to the subjects' protected health information. The Common Rule already requires the informed consent process to address how confidentiality will be protected. The Privacy Rule imposes a more specific requirement. In addition to informed consent, investigators must obtain written authorization for the use and disclosure of subjects' identifiable health information. This authorization must include several details. Although the Privacy Rule allows an authorization to be incorporated into the informed consent form, the UMass Amherst IRB will require a separate authorization form. In addition, the informed consent document should contain wording that states that the investigator plans to access the subject's existing protected health information (PHI), and that the subject's authorization to access this information will be obtained. Although the Privacy Rule does not cover PHI once it has left a covered entity, the informed consent should also include information about how the researcher will use and disclose information generated in the course of the research.