
 

HIPAA Frequently Asked Questions

If you have additional questions, please contact:

Health Sciences Institutional Review Board

FH 125 Dockery-Folk Hall
One Hospital Drive
Columbia, MO 65212
(mail distribution code Dc074.00)

573 882-3181 phone
573 884-4401 fax

irb@missouri.edu

Questions & Answers: HIPAA Privacy Regulations and Human Subject Research

(Last updated: February 17, 2002)

The Health Insurance Portability and Accountability Act, ("HIPAA"), and its implementing regulations govern the use and disclosure of individually identifiable health information by "covered entities." A covered entity under HIPAA is a health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a transaction within the scope of HIPAA. These transactions generally are health claims information and related transactions. Although HIPAA was enacted in 1996, its final implementing regulations have only more recently become effective, with an enforcement deadline for the final privacy regulations on April 14, 2003. Other regulations are expected, along with additional policy guidance from the federal Department of Health and Human Services.

The purpose of these questions and answers is to highlight the basic implications for research of the HIPAA privacy regulations. After each answer you will find hypertext links that will display the actual text of the statute or regulation that was discussed.

These questions and answers are intended to acquaint the reader with the basic structure of the new HIPAA privacy regulations and their implications for research. To further assist you in understanding these new regulations you are invited to attend one of the upcoming live presentations on HIPAA implications for human subject research. You may also wish to consult the Internet resources which are listed on the HIPAA page.


What are the implications of failing to comply with the HIPAA privacy regulations?

HIPAA carries with it two potential sanctions for noncompliance. First, HIPAA imposes criminal penalties for the knowing and wrongful disclosure of individually identifiable health information: a fine of not more than $50,000, imprisonment for not more than one year, or both. If the offense is committed for personal gain or for a malicious purpose the penalties become more severe and may include a fine of not more than $250,000, imprisonment for not more than 10 years, or both.

Second, the statute and regulations provide that the Secretary of the Department of Health and Human Services may impose a civil monetary penalty of not more than $100 for each violation, up to a maximum of $25,000 per calendar year for violations of an identical requirement.


Who must comply with these new HIPAA regulations?

Those who are subject to the new HIPAA privacy regulations are frequently referred to as "covered entities." Covered entities are health plans, health care clearinghouses, and health care providers who transmit any health information electronically in connection with one of the transactions specified by HIPAA. These transactions include making health care claims; seeking health care payment and remittance advice; determining health care claim status; determining eligibility for a particular health plan; and seeking referral certification and treatment authorizations.


How do these regulations apply to diverse organizations like the University?

The privacy regulations recognize that there are organizations that perform multiple functions, only one or a few of which would be covered by the new privacy regulations. Therefore, the regulations offer this type of organization the option of being treated as a "hybrid entity." This means that it is the responsibility of the single organization to designate in writing the identities of its "covered components." These covered components are essentially nothing more than those parts of the single organization that are health plans, health care clearinghouses, or health care providers who transmit any health information electronically in connection with the specified transactions. The advantage of the hybrid entity approach is that it permits us to focus our HIPAA compliance efforts on those components.

The University asked its auditors, PriceWaterhouseCoopers ("PWC"), to assist with the task of identifying the University's covered components. To date, the following components have been identified as being covered components on the Columbia campus:


How does HIPAA impact research activities?

In general, subject to the exceptions noted below, HIPAA requires that when "protected health information" ("PHI") is used for human subject research, the subject must authorize the use or disclosure of the PHI. The HIPAA regulations are specific about what must be included in the authorization. The HIPAA authorization may be included in the research consent document as a visually distinct element, or it may take the form of a separate document.


How does HIPAA define research?

HIPAA defines research as any "systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge" and involving human subjects. Note that, unlike the Common Rule, the HIPAA protections extend to the protected health information of decedents.


What is protected health information?

Protected health information is essentially any individually identifiable health information that relates to a person's past, present, or future physical or mental health or condition, the provision of health care to the person, or payment for that health care, and which is in the hands of a person or entity that is subject to the HIPAA privacy regulations. In the case of the University this means that the PHI is in the hands of a covered component of the hybrid entity. The HIPAA privacy regulations govern the way in which PHI may be used or disclosed.


What do the HIPAA privacy regulations require in order to use PHI for research?

The general rule under the privacy regulations is that in order to use PHI for research a HIPAA-compliant authorization must be obtained from the subject. This authorization may be combined with any other type of written permission for the same research study, including the consent to participate in the research. Covered health care providers may condition the provision of research-related treatment on receipt of a prior authorization for the use or disclosure of PHI.

What is in a HIPAA compliant authorization?

The HIPAA privacy regulations specify the required elements for a valid authorization. The required elements include:

  • A description of the information which will be used or disclosed;
  • The identity of the person or class of persons who are being authorized to use or disclose the PHI;
  • The identity of the desired recipient of the PHI;
  • A description of the purpose of the use or disclosure;
  • An expiration date or event (for research this may simply be "end of the research study" or "none");
  • The subject's signature and date.

There are also four additional issues that must be addressed in the authorization. HIPAA authorizations are generally revocable except to the extent that action has been taken in reliance on the authorization. Therefore the authorization must include a statement about the subject's revocation rights and how that right may be exercised.

The authorization must also include a statement about the consequences of refusing to sign the authorization. For research which involves the provision of health care, such a statement may provide that the delivery of the care is conditioned on signing the authorization. The authorization must also include a statement describing the potential for the information to be redisclosed by the recipient and thereby no longer protected by the privacy regulations. Finally, a copy of the signed authorization must be provided to the subject.


Are there exceptions to the general rule requiring an authorization for research?

Yes, there are three exceptions to the general rule. These exceptions are:

  • Reviews preparatory to research. There is an exception that permits limited use or disclosure of PHI for reviews preparatory to research. This exception applies: (1) if the use or disclosure of PHI is for the sole purpose of developing a research protocol or for similar purposes; (2) where the PHI will not leave the covered entity; and (3) where the researcher represents to the covered entity that the access is necessary for research purposes.
  • Research on decedents' information. Research on decedents' information is permitted without an authorization if: (1) the researcher represents that the use or disclosure of the PHI is solely for research on the PHI of decedents; (2) the covered entity has the right to request documentation establishing the subject's death; and (3) the researcher represents that access to the PHI is necessary for the research purposes.
  • Waiver. When an Institutional Review Board (IRB) determines that a waiver of the HIPAA authorization requirement is appropriate. To grant a waiver the IRB must determine that the use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: (1) an adequate plan to protect the identifiers from improper use and disclosure; (2) an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and (3) adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted under the HIPAA privacy regulations. The IRB must also determine that the research could not practicably be conducted without the waiver and that the research could not practicably be conducted without access to and use of the protected health information. Finally, the waiver may be reviewed and approved by the IRB under either normal or expedited review procedures, and the IRB will be required to provide a written description of the protected health information for which use or access has been determined to be necessary by the IRB.


What is de-identified information and how may it be used?

As indicated above, the protection of the HIPAA privacy regulations extends to health information that is individually identifiable with respect to the subject of the information. When information is stripped of its individual identifiers it ceases to be protected information under the privacy regulations. The regulations permit the de-identification to occur in either of two ways.

First, there is a regulatory "safe harbor" method that specifically instructs that eighteen specified identifiers be removed. The eighteen specified identifiers include:

  1. Names
  2. Social Security numbers
  3. Telephone numbers
  4. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
  5. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  6. Fax numbers
  7. Electronic mail addresses
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images; and
  18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the research data)

Note, however, that even under the HIPAA "safe harbor" standard, information is considered de-identified only if all 18 identifiers have been removed and there is no reasonable basis to believe that the remaining information could be used to identify a person. Removing the listed fields is necessary but not by itself sufficient.

The alternative to the "safe harbor" is to remove selected identifiers and then employ a person trained in statistical and scientific principles and methods for rendering information not individually identifiable, to determine that the risk is "very small" that the information could be used, alone or in combination with other reasonably available information to identify an individual who is a subject of the information. The statistician must then document the methods and results of the analysis that justify the determination.


What is a limited data set?

The amendments to the final HIPAA privacy regulations in August 2002 permitted a variation on strict de-identification of data. The August amendments created the concept of a "limited data set" that may be used for research subject to a "data use agreement" between the covered entity and the limited data set recipient (the researcher). A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

  1. Names;
  2. Postal address information, other than town or city, State, and zip code;
  3. Telephone numbers;
  4. Fax numbers;
  5. Electronic mail addresses;
  6. Social security numbers;
  7. Medical record numbers;
  8. Health plan beneficiary numbers;
  9. Account numbers;
  10. Certificate/license numbers;
  11. Vehicle identifiers and serial numbers, including license plate numbers;
  12. Device identifiers and serial numbers;
  13. Web Universal Resource Locators (URLs);
  14. Internet Protocol (IP) address numbers;
  15. Biometric identifiers, including finger and voice prints; and
  16. Full face photographic images and any comparable images.

Thus, a limited data set could include the following (potentially identifying) information:

  1. Admission, discharge, and service dates;
  2. Dates of birth and, if applicable, death;
  3. Age (including age 90 or over); and
  4. Five-digit zip code or any other geographic subdivision, such as state, county, city, precinct and their equivalent geocodes (except street address).

As stated above, in order to receive a limited data set the researcher must sign a data use agreement. Under the privacy regulations the agreement must:

  1. Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity;
  2. Establish who is permitted to use or receive the limited data set; and
  3. Provide that the limited data set recipient will:
    • Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;
    • Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;
    • Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware;
    • Ensure that any agents, including a subcontractor, to whom it provides the limited data set agrees to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
    • Not identify the information or contact the individuals.
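The two sections above (the safe-harbor list and the limited data set) describe the same record transformed under two different rule sets, and the difference is easy to get wrong in practice: the safe harbor rewrites dates, ages and zip codes, while a limited data set keeps them and strips only the sixteen direct identifiers. The following Python is an added example, not code from the University or from HHS. The field names, the sample record and the three-digit zip population table are constructed for the example; a real implementation must load current Census population figures and must still apply the "no reasonable basis to believe" judgment that no code can make for you.

```python
"""Apply the HIPAA safe-harbor and limited-data-set rules to a record.

Added, illustrative example: field names and population figures are
assumptions, not a real schema or real Census data.
"""
from datetime import date

# Direct identifiers that both methods remove outright. The safe-harbor
# items that need transformation (dates, ages, zip) are handled below.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "phone", "fax", "email", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
# A limited data set may keep town/city, state and full zip but not the
# street address; safe harbor drops every geographic unit below state.
LIMITED_DATA_SET_REMOVES = DIRECT_IDENTIFIERS | {"street_address"}
SAFE_HARBOR_REMOVES = LIMITED_DATA_SET_REMOVES | {"city", "county", "zip"}
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

# Population per 3-digit zip prefix. CONSTRUCTED numbers for the example.
ZIP3_POPULATION = {"652": 180000, "036": 15000}


def safe_harbor_zip(zip_code, population=ZIP3_POPULATION):
    """Keep the 3-digit prefix only if its area holds more than 20,000
    people; otherwise (or if the prefix is unknown) emit 000."""
    prefix = str(zip_code)[:3]
    return prefix if population.get(prefix, 0) > 20000 else "000"


def year_only(value):
    """Reduce a datetime.date or 'YYYY-MM-DD' string to its year."""
    return value.year if isinstance(value, date) else int(str(value)[:4])


def safe_harbor(record, population=ZIP3_POPULATION):
    """Return a copy of record with the 18 safe-harbor identifiers removed
    or generalised. Free-text fields are passed through unchanged, so the
    caller must still review them for identifier 18 (any other unique
    number, characteristic or code)."""
    out = {k: v for k, v in record.items() if k not in SAFE_HARBOR_REMOVES}
    if "zip" in record:
        out["zip3"] = safe_harbor_zip(record["zip"], population)
    for field in DATE_FIELDS:
        if out.get(field) is not None:
            out[field] = year_only(out[field])
    if isinstance(out.get("age"), int) and out["age"] > 89:
        out["age"] = "90 or older"
        # Even the birth year would reveal an age over 89, so drop it.
        out.pop("birth_date", None)
    return out


def limited_data_set(record):
    """Strip only the 16 direct identifiers; dates, age, city, state and
    five-digit zip stay. The result is still PHI and may only be released
    under a data use agreement."""
    return {k: v for k, v in record.items() if k not in LIMITED_DATA_SET_REMOVES}


def safe_harbor_violations(record):
    """Fields that keep a record out of the safe harbor: direct identifiers
    still present, dates finer than a year, or an age over 89."""
    bad = [k for k in record if k in SAFE_HARBOR_REMOVES]
    bad += [f for f in DATE_FIELDS
            if record.get(f) is not None and not isinstance(record[f], int)]
    if isinstance(record.get("age"), int) and record["age"] > 89:
        bad.append("age")
    return bad


# Constructed sample record for the example.
SAMPLE = {
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN000123",
    "email": "jane@example.com", "street_address": "1 Example Dr",
    "city": "Columbia", "state": "MO", "zip": "65212",
    "birth_date": date(1911, 4, 2), "admission_date": date(2002, 8, 14),
    "discharge_date": date(2002, 8, 20), "death_date": None,
    "age": 91, "diagnosis": "I10",
}

if __name__ == "__main__":
    print("safe harbor:", safe_harbor(SAMPLE))
    print("limited data set:", limited_data_set(SAMPLE))
    print("violations in raw record:", safe_harbor_violations(SAMPLE))
```

Running the block on the sample record shows the practical difference: the safe-harbor output keeps only the state, the zip prefix 652, the admission and discharge years, the diagnosis code and the category "90 or older", whereas the limited data set retains the full birth date, service dates, city and five-digit zip, which is exactly why it remains PHI and needs the data use agreement described above.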


How will these new privacy regulations impact existing research projects?

The HIPAA privacy regulations contain explicit provisions that address how the new regulations will be phased into effect. They provide that, notwithstanding the new authorization requirements and the new HIPAA research provisions, a covered entity may continue to use or disclose for research PHI that it created or received either before or after the applicable compliance date, subject to the following conditions:

  • There is no agreed-to restriction between the covered entity and the subject;
  • The covered entity has obtained, prior to April 14, 2003, either:
    1. An authorization or other express legal permission from an individual to use or disclose protected health information for the research;
    2. The informed consent of the individual to participate in the research; or
    3. A waiver, by an IRB, of informed consent for the research; and,
  • Provided, that a covered entity must obtain authorization in accordance with § 164.508 if, after the compliance date, informed consent is sought from an individual participating in the research.
