HIPAA (Health Insurance Portability and Accountability Act)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the creation of
a Privacy Rule for identifiable health information. The resulting Privacy Rule, finalized in August
2002, set a compliance date of April 14, 2003. While the main impact of the Privacy Rule is on
the routine provision of and billing for health care, the Rule also affects the conduct and
oversight of research. Researchers, COMIRB staff and members as well as research
administration must be aware of these regulations.
23.1 Historical Background
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an expansive
federal law, only part of which is intended to protect the privacy of health care
information. HIPAA required Congress to enact a health information privacy law by
August 1999 and stated that if it did not act by then, which it did not, the U.S.
Department of Health and Human Services (DHHS) must develop privacy regulations.
The final Privacy Rule was published on August 14, 2002.
The objective of the rule is to protect the privacy of an individual’s health care
information. It creates a federal “floor” of protection so that every person in this country
has at least the same basic rights and protections, though some may have additional
rights depending on state law.
23.2 Effects of HIPAA on Research
The final Privacy Rule published on August 14, 2002 included a number of changes in
how the Rule applies to research. See the NIH HIPAA Privacy Rule Booklet for Research
and the NIH fact sheet on Institutional Review Boards and HIPAA for more information on
how HIPAA applies to research. See also Impact of the Privacy Rule on Academic
Research, a white paper published by the American Council on Education.
23.3 Patient Rights and Research
Under HIPAA, patients have certain rights. Those that may affect research include the
right to receive a Notice of Privacy Practices, the right to access, inspect, and receive a
copy of one’s own PHI, the right to request an amendment to one’s own PHI, and the right
to an accounting of certain disclosures of PHI that occur outside the scope of treatment,
payment and health care operations that have not been authorized.
23.4 Research under HIPAA Regulations
Investigators who are part of a covered entity conducting research using “Protected
Health Information” (PHI) must comply with HIPAA regulations.
23.5 Covered Entities
The majority of healthcare schools, centers, and departments within UCD and its affiliates
function as covered entities under HIPAA.
The UCD - Downtown Campus is not a covered entity under HIPAA.
Covered entities are health plans (e.g. health insurance issuers), health care
clearinghouses (e.g. healthcare billing company), and healthcare providers who
electronically transmit health information in connection with eight transactions. Generally,
these transactions concern DHHS billing and payment for services or insurance coverage.
Covered entities can be institutions, organizations, or persons.
23.6 HIPAA Definitions
Research - systematic investigation, including research development, testing and
evaluation, designed to develop or contribute to generalizable knowledge. This definition is
identical with the one used in the DHHS “Common Rule”, separate federal legislation
designed to protect human subjects involved in research. HIPAA describes privacy
standards for protecting PHI and so applies to research that involves humans’ health
PHI – Protected Health Information. Health information – any information recorded
about past, present, or future physical or mental health or condition of an individual, or the
past, present, or future payment for the provision of healthcare to an individual. Health
information may be oral, print or electronic.
Individually identifiable information:
o Name
o Postal address (geographic subdivisions smaller than state)
o All elements of dates, except year
o Phone number
o Fax number
o Email address
o Social security number
o Medical record number
o Health plan number
o Account numbers
o Certificate/license numbers
o IP addresses
o Vehicle identifiers
o Device ID
o Biometric ID
o Full face/identifying photo
o Any other unique identifying number, characteristic, or code
PHI does not include de-identified health information. De-identified information is
information that does not identify an individual and for which there is no reasonable basis to
believe that information could be used to identify an individual.
PHI does not include individually identifiable health information found in education records
covered by FERPA (“Family Educational Rights and Privacy Act”), records described at 20
U.S.C. 1232g(a)(4)(B)(iv) (higher education student medical records) and employment
records held by the University in its role as employer.
Unlike the “Common Rule” regulations, HIPAA regulations also cover research involving
deceased individuals. Decedent research involving PHI must be cleared through UCD’s
Privacy Officer prior to implementation. On a Deceased Research Certification Form, the
researcher must certify that the access to or use of PHI is solely for research involving
deceased individuals, that all of the individuals are deceased, and that the PHI is
necessary for the conduct of the research.
23.7 HIPAA and Existing Studies
Human subject research protocols that were approved after April 14, 2003, must have
HIPAA authorizations, a HIPAA waiver, or Data Use Agreement in place. Individuals
consented or re-consented into a human subject research protocol after April 14, 2003 must
sign an authorization.
Any research subject enrolled in a human subject research protocol that uses PHI from a
covered entity must sign a HIPAA-compliant authorization form, unless a waiver has been
obtained. This form is in addition to the existing Informed Consent document and is federally
required. In some cases, the Informed Consent document may be combined with the HIPAA
23.8 HIPAA Documentation
HIPAA documents include HIPAA Authorization Forms, a HIPAA Waiver Form, Pre-Research Certification, Data Use Agreement, and Notice of Privacy Practices.
23.9 HIPAA Language / Authorization Forms
Note: for VA regulated research only, the HIPAA authorization form must be separate from
the informed consent document.
Use and disclosure of PHI requires a valid authorization. Authorizations must contain the
following elements:
o Description of the PHI to be used or disclosed (identifying the information in a
specific and meaningful manner).
o The name(s) or other specific identification of the person(s) or class of
persons authorized to make the requested use or disclosure.
o The name(s) or other specific identification of the person(s) or class of
persons who may use the PHI or to whom the covered entity may make
the requested disclosure.
o Description of each purpose of the requested use or disclosure. NOTE:
this element must be specific to the research study, not for future
unspecified research.
o Authorization expiration date or event that relates to the individual
or to the purpose of the use or disclosure (the terms “end of the
research study” or “none” may be used for research, including for the
creation and maintenance of a research database or repository).
o Signature of the individual and date. If the Authorization is signed
by an individual’s personal representative, a description of the
representative’s authority to act for the individual.
The Authorization must include the following required statements:
o Notice of the covered entity’s ability to deny research-related treatment or
limit enrollment in a study unless an authorization is provided to use or
disclose the PHI for the research;
o A statement that the potential exists for information disclosed
via the authorization to be subject to redisclosure by the recipient of the
information and therefore no longer protected by HIPAA.
The Authorization must be written in plain language. A copy of the signed
Authorization must be provided to the individual signing it.
A research subject may revoke an authorization at any time, provided
that the revocation is in writing, except to the extent that the covered
entity has taken action based on the authorization and prior to notice of
revocation. If revoked, the authorization is not valid and may not be
COMIRB is responsible for reviewing the HIPAA Authorization Forms prepared by the
investigator. The wording on the HIPAA Authorization Form must contain all of the
required elements and meet all other requirements as described in this section. If the
language on the HIPAA authorization template has been altered, COMIRB should
consult the Privacy Officer to ensure that the authorization meets all the UCD
requirements. If the HIPAA authorization is revised during the protocol approval period,
COMIRB must review the revised document at least by the time of the subsequent
continuing review.
HIPAA Waiver
In some cases COMIRB may approve a waiver of the HIPAA authorization
form. This may occur when COMIRB finds that the research could not practicably be
conducted without the waiver and without access to and use of the PHI, and that the
disclosure poses minimal risk to privacy. A HIPAA waiver must be reviewed and
approved by COMIRB as having met the criteria described in this section.
The panel or chair determination for a HIPAA Waiver must be documented using the
HIPAA Waiver checklist, either as a separate document or as part of another
checklist. In either format, the signature of the panel Chair, or of a qualified voting
member of the COMIRB designated by the Chair, must be used to document approval
of the request.
For VA research only: A copy of the HIPAA Waiver checklist must be sent to the VA
Research Office with the approved documents as part of the packet for R&D review.
Pre-Research Certification
Researchers who need access to UCD or an affiliated hospital or research center’s
medical records, databases or tissue repositories to use PHI of individuals to assess
the feasibility of conducting a study, to design a research study, or to formulate a
research hypothesis must submit the Pre-Research Certification Form to the custodian
of the information to be accessed and to the Privacy Officer. PHI accessed in this
manner may not be used to recruit subjects.
Data Use Agreement
Researchers may use specific indirect identifiers, also known as a limited data set,
through a Data Use Agreement.
A limited data set is PHI from which the following identifiers of the individual, or of
the relatives, employers, or household members of the individual, have been removed:
a) Names;
b) Postal address information, other than town and city, State, and zip code;
c) Telephone numbers;
d) Fax numbers;
e) Electronic mail addresses;
f) Social security numbers;
g) Medical record numbers;
h) Health plan beneficiary numbers;
i) Account numbers;
j) Certificate/license numbers;
k) Vehicle identifiers and serial numbers, including license plate numbers;
l) Device identifiers and serial numbers;
m) Web Universal Resource Locators (URLs);
n) Internet Protocol (IP) address numbers;
o) Biometric identifiers, including finger and voice prints; and,
p) Full face photographic images and any comparable images.
A formal agreement known as a Data Use Agreement must be in place between the
covered entity that holds the information and the recipient of the information. The
data use agreement must identify who will receive the limited data set, establish how
the data may be used and disclosed by the recipient, and provide assurances that
the data will be protected. The Privacy Officer should be contacted to ensure that an
appropriate document is put in place. The Assistant Vice Chancellor for Regulatory
Compliance is designated signature authority for UCD. If the covered entity learns
that the researcher has violated this agreement, the entity must take reasonable
steps to end or repair the violation and, if such steps are unsuccessful, stop
disclosing PHI to the researcher and report the problem to the Privacy Officer and,
as needed, to the DHHS Office of Civil Rights.
No Authorization or Waiver of Authorization is required for the covered entity to use
or disclose a limited data set.
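The two identifier lists on this page (the individually identifiable elements in 23.6 and items a) to p) above) differ in what may be kept: a limited data set retains town/city, state, zip code and full dates, while de-identified data drops geography below the state level and every date element except the year. The following added example, which is not part of the COMIRB policy, derives both views from a constructed record; the field names and the sample values are assumptions made for the illustration.

```python
"""Added example (not COMIRB policy text): limited data set vs. de-identified view."""
from datetime import date

# Direct identifiers removed for a limited data set (items a-p above), expressed
# as field names of the constructed record below. Field names are assumptions.
LIMITED_DATA_SET_REMOVE = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "face_photo",
}
# De-identified data additionally drops geography smaller than state and every
# date element except the year, per the identifier list in 23.6.
DEIDENTIFY_REMOVE = LIMITED_DATA_SET_REMOVE | {"city", "zip"}
DATE_FIELDS = {"birth_date", "admission_date"}

def limited_data_set(record):
    """Strip the sixteen direct identifiers; town/city, state, zip and dates stay."""
    return {k: v for k, v in record.items() if k not in LIMITED_DATA_SET_REMOVE}

def deidentify(record):
    """De-identified view: direct identifiers and city/zip gone, dates cut to year."""
    out = {}
    for k, v in record.items():
        if k in DEIDENTIFY_REMOVE:
            continue
        if k in DATE_FIELDS and isinstance(v, date):
            out[k + "_year"] = v.year  # keep only the year element of the date
            continue
        out[k] = v
    return out

def remaining_identifiers(record):
    """Field names that still prevent a record from counting as de-identified."""
    return sorted(k for k in record if k in DEIDENTIFY_REMOVE or k in DATE_FIELDS)

# Constructed sample record; every value is fictional.
SAMPLE = {
    "name": "A. Sample", "street_address": "1 Example St", "city": "Aurora",
    "state": "CO", "zip": "80045", "phone": "000-000-0000",
    "email": "sample@example.invalid", "ssn": "000-00-0000", "mrn": "MRN-0000",
    "ip_address": "192.0.2.10", "birth_date": date(1970, 6, 15),
    "admission_date": date(2003, 4, 14), "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    print(limited_data_set(SAMPLE))
    print(deidentify(SAMPLE))
```

A limited data set still requires a Data Use Agreement before release; only the de-identified view falls outside PHI.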
Notice of Privacy Practices
UCD and/or the affiliated hospital or research center must provide its Notice of
Privacy Practices to all individuals who are patients, human research participants, or
enrollees in a group health plan of UCD. The principal investigator is responsible for
ensuring that research subjects have received, at some time, the Notice of Privacy
Practices as applicable under HIPAA. Inmates may be given the Notice of Privacy
Practices document but there is no requirement under HIPAA to provide inmates with
this document.