HIPAA Frequently Asked Questions (FAQs)
HIPAA stands for the Health Insurance Portability & Accountability Act of 1996. HIPAA is also known as the Kennedy-Kassebaum Act.
It calls for:
- Standardization of electronic patient health, administrative and financial data;
- Unique identifiers for individuals, employers, health plans and health care providers;
- Security standards protecting the confidentiality and integrity of health information.
No. HIPAA does not override IRB requirements. After April 14, 2003 you will need to comply with both the Common Rule and the Privacy Rule. Here is a summary of their requirements.
- The Common Rule requires either an informed consent or a waiver of informed consent for any human subjects research. Records review research is usually approved via an expedited review and a waiver of informed consent. The common rule allows a waiver only if specific criteria are met.
- The Privacy Rule requires a written authorization or waiver of authorization for access to existing protected health information. It is assumed that most records review will be allowed with a waiver of the authorization. The Privacy Rule allows a waiver of authorization if specific criteria are met.
Not quite. HIPAA is the Health Insurance Portability and Accountability Act of 1996. HIPAA primarily addressed issues of insurance coverage, but, in addition, it required the development of a law that would provide protections for health information. If Congress was unable to enact such a law, the Secretary of the Department of Health and Human Services (DHHS) was required to write the regulation. Congress did not pass a law and the Privacy Rule was written by DHHS. For more information, see the complete regulations (45 CFR Parts 160 and 164).
The rule protects individually identifiable health information that is:
- Created or received by a "covered entity" including a health care provider, health plan, or health care clearing house
- That relates to the past, present or future physical or mental health or condition of the individual, or
- That relates to the provision of health care in the past, present or future.
The Privacy Rule gives all individuals, and hence research subjects, a number of new rights. The third, fourth and sixth items below are of particular relevance to research. Under HIPAA everybody can:
- Request access to their health care information
- Request that their health care information be amended
- Receive, upon request, an accounting of all disclosures of their medical information, if they haven't specifically authorized the disclosures (or another exception does not apply)
- Revoke authorization for the use/disclosure of identifiable health information, to the extent the researchers have not already relied on it.
- Request alternative means or places of being contacted (e.g. home vs. work)
- Request restrictions on uses or disclosures (but a covered entity or researcher is not required to agree).
If you are not doing research that requires access to protected health information (PHI), HIPAA and the Privacy Rule will not impact your research. UMass Amherst researchers who need access to their subjects' PHI for research purposes should understand the structure of UMass Amherst as an organization under HIPAA. Under HIPAA, UMass Amherst is a hybrid entity. University Health Services (UHS) is a covered entity, i.e. covered by HIPAA; the rest of the University is not. Researchers within a covered entity may use PHI generated and stored in that entity for their research. Researchers outside a covered entity (like most UMass Amherst PIs) must request the covered entity, via a signed authorization from the subject, to "disclose" the subject's PHI to them. This includes requests for review of medical records, except where a waiver has been obtained. Once a covered entity discloses PHI to a researcher outside the covered entity, HIPAA and the Privacy Rule no longer cover those records. However, a researcher outside the covered entity should expect to follow the spirit of the Privacy Rule, as well as the Common Rule, and protect a subject's PHI by providing assurance to the subject in the informed consent document that the PHI will only be used for the purposes described in that document. The PHI should not be disclosed to any third parties not mentioned in the consent document without prior approval by the subject.
A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with HIPAA standard transactions (claims, eligibility, payment and similar). Because of the kind of health information it processes, and the way it is processed, a covered entity must comply with HIPAA and the Privacy Rule. UMass Amherst as an institution is not a covered entity. It is, however, a hybrid entity because there is a covered entity within UMass Amherst, University Health Services (UHS). Most investigators at UMass Amherst (i.e. everyone who is not part of UHS) will need authorization from their subjects to allow a covered entity like UHS that stores their protected health information (PHI) to disclose the information to them. A covered entity must limit the amount of PHI disclosed to recipients to the "minimum necessary".
The Privacy Rule (HIPAA) classifies organizations that generate, use, or need access to protected health information (PHI) into several different organizational formats. These include:
- Hybrid entity
- Affiliated covered entity
- Organized health care arrangement (covered entity)
A "hybrid entity" is an organization that includes one or more "covered entities" (i.e. entities covered by HIPAA) plus other parts of the organization that are not health plans, clearinghouses, or health care providers conducting electronic standard transactions, and thus are not covered by HIPAA. UMass Amherst as a whole is a hybrid entity because University Health Services is a covered entity.
The Privacy rule defines three categories of protected health information (PHI): identifiable information (to which the rule applies), de-identified information (to which the rule does not apply), and a limited data set (a middle option, to which limited parts of the rule apply). Each is explained below.
Identifiable information. The Privacy Rule defines "identifiable" information as information with any personal identifiers, as well as information about an individual, or his or her relatives, household members, or employer that alone or in combination could identify the individual. For more detail, see the list of 18 identifiers that must be removed to de-identify the information.
De-identified information. PHI that has been de-identified may be used without authorization and is not covered by the Privacy Rule. A fact sheet on de-identification is available from the IRB.
Limited data set. This is a data set that is not fully de-identified according to the Privacy Rule regulations. While it excludes 15 of the 18 personal identifiers listed for de-identification, it allows the retention of:
- Dates (e.g., date of birth, admission and discharge dates)
- Some geographic information (city, state and zip code, but not street address) and other unique codes and characteristics that are not expressly excluded.
Most Privacy Rule requirements do not apply to a limited data set used internally or disclosed (for example, disclosures do not have to be tracked). There are restrictions on the use of limited data sets, including:
- The limited data set option is available only for research, health care operations, and public health purposes.
- AND, the following two requirements apply:
- the covered entity may release only the minimum necessary information, so the intended recipient must indicate what is needed; and
- the recipient must agree to a "data use agreement" which generally describes the permitted uses and disclosures of the information received and prohibits re-identifying or using this information to contact the individuals. A data use agreement is an agreement between the covered entity (perhaps via the Privacy Officer) and the recipient of the data. Note, a data use agreement is required for recipients that are both internal and external to the covered entity.
The Privacy Rule considers coded information to be de-identified if the 18 specific identifiers have been removed and replaced by a code, and the individual cannot reasonably be identified from what remains. The key that links codes back to individuals is itself protected health information: it stays with the covered entity and may not be disclosed. Note that the Common Rule, in contrast to the Privacy Rule, considers coded information to be identifiable. So while access to the coded information alone is not covered by the Privacy Rule, it is covered by the Common Rule and requires IRB review.
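As an added illustration of the three categories above and the coding rule (example code written for this FAQ, not software from UMass Amherst, UHS or HHS), the following Python takes a constructed patient record and produces a limited data set, a Safe Harbor de-identified record, and a coded record whose linkage key stays behind. The field names are this example's own convention, the sample record is made up, and the list of 3-digit ZIP prefixes with 20,000 or fewer residents is the one given in HHS's 2012 de-identification guidance (2000 Census figures) and should be re-checked against current guidance before use.

```python
import secrets
from datetime import date

# The 16 direct identifiers a limited data set must drop (45 CFR 164.514(e)(2)).
# Field names are assumed for this example, not a HIPAA vocabulary.
LDS_DIRECT_IDENTIFIERS = frozenset({
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "photo",
})
# Extra classes Safe Harbor (164.514(b)(2)) strips that a limited data set may keep.
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date", "death_date"})
OTHER_UNIQUE_CODES = frozenset({"other_unique_id"})
# 3-digit ZIP prefixes covering 20,000 people or fewer (HHS 2012 guidance, 2000 Census):
# Safe Harbor requires these be reported as "000".
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

SAMPLE_RECORD = {  # constructed for this example; not a real person
    "name": "Jane Q. Sample", "mrn": "MRN-0001234", "ssn": "000-00-0000",
    "email": "jane@example.com", "phone": "413-555-0100",
    "street": "1 Example Street", "city": "Amherst", "state": "MA", "zip": "01002",
    "dob": date(1912, 5, 2), "admit_date": date(2003, 4, 14),
    "discharge_date": date(2003, 4, 20), "other_unique_id": "SCREEN-77",
    "diagnosis": "example diagnosis text",
}


def age_at(dob, on):
    """Whole years between dob and the reference date."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def limited_data_set(record):
    """Drop the 16 direct identifiers; keep dates, city/state/ZIP and other codes."""
    return {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}


def safe_harbor(record, reference_date):
    """Apply the Safe Harbor removals on top of the limited-data-set removals."""
    out = limited_data_set(record)
    out.pop("city", None)                 # geographic units smaller than a state
    for field in OTHER_UNIQUE_CODES:      # the 18th identifier class
        out.pop(field, None)
    zip5 = out.pop("zip", None)
    if zip5 is not None:                  # first three digits only, or 000 if restricted
        zip3 = zip5[:3]
        out["zip"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
    dob = out.pop("dob", None)
    if dob is not None:
        years = age_at(dob, reference_date)
        if years > 89:                    # ages over 89 aggregate to 90+, and the
            out["age"] = "90+"            # birth year that reveals such an age goes too
        else:
            out["age"] = years
            out["dob"] = dob.year
    for field in DATE_FIELDS - {"dob"}:   # every other date is reduced to its year
        if field in out:
            out[field] = out[field].year
    return out


def assign_study_code(record, linkage_table):
    """Replace identity with a random code; the linkage table stays in the covered entity.

    The code is random rather than derived from the MRN or name, so it cannot be
    reversed without the table, which is PHI and is never disclosed with the data.
    """
    code = secrets.token_hex(8)
    linkage_table[code] = {"name": record["name"], "mrn": record["mrn"]}
    coded = safe_harbor(record, record["admit_date"])
    coded["study_code"] = code
    return coded


def has_direct_identifiers(record):
    """Check a record that is about to leave the covered entity."""
    return not LDS_DIRECT_IDENTIFIERS.isdisjoint(record)


if __name__ == "__main__":
    key_table = {}
    print(limited_data_set(SAMPLE_RECORD))
    print(safe_harbor(SAMPLE_RECORD, SAMPLE_RECORD["admit_date"]))
    print(assign_study_code(SAMPLE_RECORD, key_table), key_table)
```

The point of keeping three separate functions is that each corresponds to a different set of obligations on this page: the limited data set still requires a data use agreement and the minimum-necessary determination, the Safe Harbor output does not, and the coded output is de-identified only as long as the linkage table is held apart from it.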
The Privacy Notice is a document that describes how the covered entity will use, disclose, and protect a person's health information. Everyone entering the covered entity should receive a copy of this notice, and a good faith effort must be made to have each recipient sign a form attesting to receipt of the notice. An Authorization is a document signed by a person to allow disclosure of their protected health information (PHI) to somebody outside the covered entity that stores the PHI. If you need access to your subjects' PHI you will need a signed Authorization from each subject that explains clearly to the subject what PHI you need to access, how you will use it, and who will see this information. Under the Privacy Rule, the authorization wording may be included in the informed consent document. An authorization must contain the following elements:
- Specific and meaningful description of what information will be used or disclosed.
- Identification of who may use or disclose the PHI.
- Identification of to whom the PHI will be disclosed.
- Why the use or disclosure is being made - each purpose must be included.
- Statement regarding how long the use or disclosure will continue. For research purposes no expiration date is required but this must be stated in the authorization.
- Notice that the authorization may be revoked by the subject.
- Notice that the information may be disclosed to others who are not subject to the Privacy Rule.
- Statement of whether the covered entity will condition treatment or payment on the individual signing the authorization.
- Individual's signature and date.
Research subjects have had a longstanding right to revoke their consent to participate in research. In addition, the Privacy Rule permits a subject to revoke permission for researchers to use or disclose his or her identifiable information for research. The researchers must honor this request, except to the extent they have already relied on the permission. For example, if a researcher has already included a person's protected health information (PHI) in an analysis, the analysis can be maintained but the researcher should consult with the IRB regarding the individual's request. In addition, HHS guidance specifies that researchers may "continue using and disclosing protected health information that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study". Researchers may also use or disclose PHI already gathered for purposes such as accounting for the subject's withdrawal, reporting adverse events, or complying with investigations.
Authorization of disclosure for research purposes is not generally required if:
- a waiver of authorization has been approved
- the research is on decedents
- the activity is preparatory to research
- the research involves a limited data set or de-identified health care information
An Authorization (i.e. written agreement obtained from a potential subject to allow a covered entity to disclose his/her protected health information, PHI) must normally be obtained by a covered entity before the information can be disclosed to someone outside that entity. An exception to this rule is when the information is first "de-identified". Criteria that must be satisfied to determine whether a waiver of authorization is permitted include:
- The use or disclosure of the identifiable protected information involves no more than minimal risk to the privacy of the individual.
- The use or disclosure includes a plan to protect the information from improper use and/or disclosure.
- There is a plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is required by law.
- The researcher needs to assure in writing that the protected information will not be reused or disclosed to 3rd parties unless required by the law for authorized oversight of the research study.
- The research could not practicably be conducted without the waiver.
- The research could not be practicably conducted without access to and use of the health information.
The Privacy Rule permits only the minimum necessary amount of information to be accessed under a waiver for research. You will have to identify and justify the specific identifiable health information you will need to the IRB and the waiver will only apply to this information.
Yes, for studies that require access to the subjects' protected health information. The Common Rule already requires the informed consent process to address how confidentiality will be protected. The Privacy Rule imposes a more specific requirement. In addition to informed consent, investigators must obtain written authorization for the use and disclosure of subjects' identifiable health information. This authorization must include several details. Although the Privacy Rule allows an authorization to be incorporated into the informed consent form, the UMass Amherst IRB will require a separate authorization form. In addition, the informed consent document should contain wording that states that the investigator plans to access the subject's existing protected health information (PHI), and that the subject's authorization to access this information will be obtained. Although the Privacy Rule does not cover PHI once it has left a covered entity, the informed consent should also include information about how the researcher will use and disclose information generated in the course of the research.
The Privacy rule only addresses access to protected health information (PHI) so if your study does not require access to PHI you can continue to use the current informed consent templates.
If you need access to your subjects' PHI, whether you need to create a new consent form and obtain authorization to access your subjects' PHI depends on whether or not you will be recruiting subjects after April 14, 2003. Decide which of the following timelines fits your research program:
- Your study started before April 14, 2003 and you enrolled all your subjects before that date and they signed a Common Rule compliant consent form before that date. Your study is grandfathered and you do not need a new informed consent document nor do you need to obtain authorization retroactively.
- Your study started prior to April 14, 2003 but you will be recruiting subjects after that date. The subjects you enrolled before April 14, 2003 are grandfathered but subjects recruited on and after April 14 are not. For these subjects you will need to create a new informed consent form with HIPAA-compliant wording and obtain authorization for disclosure of PHI that is compliant with the Privacy Rule. You may not recruit subjects after April 14, 2003 until you receive approval from the IRB for the new version of your informed consent form plus a copy of the authorization form. These can be submitted to the IRB for review as a modification to your existing protocol. You do not need to resubmit the entire protocol.
- You received IRB approval for your study before April 14, 2003 under the old rules but you will not start recruiting your subjects until after that date. The IRB will need to review your new informed consent document and authorization form as a modification of your protocol.
Where a researcher needs to access protected health information (PHI) the informed consent document for use on or after April 14, 2003 should contain wording that includes the Privacy rule provisions. The IRB will have a new template on the web for such studies by early April.
A section of the Privacy Rule allows researchers to have access to protected health information (PHI) to prepare for a research study without requiring an authorization or a waiver. However, although the Privacy Rule allows access to PHI for these purposes at UMass Amherst the IRB must review and approve these activities. A written or oral "representation" to the IRB for approval of this activity must address the following points:
- the use or disclosure of the PHI is solely to prepare a research protocol or for similar purposes preparatory to research and
- the researcher will not remove any PHI from the covered entity and
- the PHI sought is necessary for preparing the research.
This provision can be helpful for designing a research study, assessing the feasibility of doing a particular study, and planning recruitment activities.
Since UMass Amherst is a hybrid entity under the Privacy Rule you will need to comply with the requirements of any covered entities that are the source of your study subjects' protected health information (PHI). University Health Services (UHS) and Baystate Medical Center (BMC) are both covered entities. As background, the Common Rule requires research in which an individual is contacted or recruited for enrollment to be reviewed and approved by the IRB. The Privacy Rule adds a new privacy focus to this review for institutions such as hospital-based systems that apply the Privacy Rule to their human subjects research. The December 4, 2002 Office for Civil Rights (OCR) guidance document explains "a researcher who is an employee or a member of a covered entity's workforce can use protected health information to contact prospective research subjects." It goes on to say "however, a researcher who is not a part of the covered entity may not use the preparatory research provision to contact information through a partial waiver of individual authorization by an IRB or privacy board as permitted at 45 CFR 164.512(i)(1)(i)." As a result, the Privacy Rule draws distinctions between recruiting strategies depending on whether the recruiter is or is not within the covered entity, as described below.
- If an individual self-refers to a study there are no new Privacy Rule requirements. Examples of such recruitment strategies are:
- an individual responds to an advertised research study
- a treating physician discusses a research study with her patient and provides the contact information of the principal investigator.
- A researcher employed by a covered entity may identify and contact prospective research subjects without an authorization or waiver. Please note that the Common Rule and many institutions' policies demand a higher privacy standard for this scenario, including an IRB review of the recruitment scheme as part of the protocol review.
- A researcher not employed by the covered entity generally may not contact prospective research subjects covered by the Privacy Rule except with an authorization. OCR suggests IRBs grant "partial waivers" of authorization just for the purposes of recruitment. Hence, although ultimately the protocol will require an informed consent and authorization, the IRB may approve a waiver of authorization specifically for the recruitment of subjects.