The HIPAA Privacy Rule establishes the conditions under which protected health information (PHI) may be used or disclosed by covered entities for research purposes. Research is defined in the Privacy Rule as "a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge". See 45 CFR 164.501. A covered entity (see definitions) may always use or disclose for research purposes health information which has been de-identified (in accordance with 45 CFR 164.502(d) and 164.514(a)-(c) of the Rule) without regard to the provisions below.
The Privacy Rule also defines the means by which individuals will be informed of uses and disclosures of their PHI for research purposes, and their rights to access information about them held by covered entities. The Privacy Rule protects the privacy of PHI, while at the same time ensuring that researchers may have access to PHI that may be necessary to conduct research. Most research involving human subjects operate under the Common Rule 45 CFR Part 46, Subpart A (OHRP implementation), and /or the Food and Drug Administration's (FDA) human subject protection regulations (21 CFR Parts 50 and 56). These human subject regulations include protections to help insure the privacy of subjects and the confidentiality of information. The Privacy Rule adds to these existing Federal protections.
How the Rule Works
In the course of conducting research, researchers may obtain, create, use, and/or disclose individually identifiable health information. Under the Privacy Rule, covered entities are permitted to use and disclose protected health information for research with individual authorization, or without individual authorization under very limited circumstances set forth in the Privacy Rule:
Research Use/Disclosure Without Authorization: to use or disclose protected health information without authorization by the individual whose PHI is planned for research use, a covered entity must obtain one of the following:
Documented IRB or Privacy Board Approval. Documentation that an alteration or waiver of research participant's authorization for use/disclosure of information about them for research purposes has been approved by an IRB or Privacy Board*.
For example, to conduct a records research, a waiver may be appropriate when researchers are unable to use de-identified information, and the research could not practicably be conducted if research participants' authorization were required.
*Important Note: the FSU IRB does NOT serve as any institution or organization's Privacy Board. Rather, the FSU IRB is permitted to make HIPAA Authorization waiver determinations applicable to use of only FSU PHI. Additionally, only a few FSU components are deemed HIPAA covered entities whose identifiable health information is deemed PHI for purposes of the HIPAA Privacy Rule. The FSU IRB will NOT render HIPAA Authorization waivers for researchers' use of other covered entities' PHI; researchers must obtain such HIPAA waiver documentation directly from the covered entities and provide such documentation to the FSU IRB for any studies that are reviewed by the FSU IRB.
Documentation for a waiver of authorization approved by an IRB or Privacy Board must meet all the following factors:
- Identification of the IRB or Privacy Board and the date on which the alteration or waiver of authorization was approved;
- A statement that the IRB or Privacy Board determined that the waiver or authorization satisfies the three criteria in the Rule;
- A brief description of the protected health information for which use or access has been determined to be necessary by the IRB or Privacy Board;
- A statement that the waiver has been reviewed and approved under either normal or expedited review procedures; and
- The signature of the Chair or other member, as designated by the Chair, of the IRB or Privacy Board, as applicable.
The following three criteria must satisfied for an IRB or Privacy Board to approve a waiver of authorization under the Privacy Rule:
The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, the presence of the following elements:
- an adequate plan to protect the identifiers from improper use and disclosure;
- an adequate plan to destroy identifiers at the earliest opportunity consistent; with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is required by law; and
- adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by law.
The research could not practicably be conducted without the waiver or alteration; and
The research could not practicably be conducted without access to and use of the PHI.
Preparatory to Research: Representations from the researcher, that the use or disclosure of the PHI is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any PHI from the covered entity, and that the PHI for which access is sought is necessary for the research purposes.
Example: This provision might be used to design a research study or to assess the feasibility of conducting a study.
Research on Protected Health Information of Decedents: Representations from the researcher that the use or disclosure being sought is solely for research on the PHI of decedents, that the PHI being sought is necessary for the research, and at the request of the covered entity, documentation of the death of the individuals about whom information is being sought.
Limited Data Sets with a Data Use Agreement: A data use agreement entered into by both the covered entity and the researcher, so that the covered entity may disclose a limited data set to the researcher for research, public health, or health care operations. A limited data set excludes specified direct identifiers of the individual or of relatives, employers, or household members of the individual. The agreement must:
- Establish the permitted uses and disclosures set by the recipient, consistent with the purposes of the research, and which may not include any use or disclosure that would violate the Rule if done by the covered entity;
- Limit who can use or receive the data; and
- Require the recipient to agree not to use or disclose the information other than as permitted by the agreement or as otherwise required by law; use appropriate safeguards to prevent the use or disclosure of the information other than as provided for in the data use agreement; report to the covered entity any use or disclosure not provided for by the data use agreement of which the recipient becomes aware; ensure than any agents, including a subcontractor, to whom the recipient provides the limited data set agrees to the same restrictions and conditions that apply to the recipient with respect to the limited data set; and not to identify the information or contact the individual.
Research Use/Disclosure With Individual Authorization: The Privacy Rule also permits covered entities to use or disclosure PHI for research purposes when a research participant authorizes the use or disclosure of information about him or herself.
Example: A research participant's authorization will be sought for clinical trials and records research.
To use or disclose the PHI with authorization by the research participant, the covered entity must obtain an authorization that satisfies the requirements of 45 CFR 164.508. Note that this authorization for a research purpose may state that the authorization does not expire, that there is no expiration date or event, or that the authorization continues until the "end of the research study".
An authorization for the use or disclosure of PHI information for research may be combined with a consent to participate in research, or with any other legal permission related to the research study. FSU encourages that the forms be separate however, to aid the research participant to understand informed consent to research AND authorization to disclose PHI for research purposes.
Accounting for Research Disclosures: In general, the Privacy Rule gives individuals the right to receive an accounting of certain disclosures of PHI made by a covered entity. See 45 CFR 164.528. This accounting must include disclosures of PHI that occurred during the six years prior to the individual's request for an accounting in general.
Authorization- An individual's written permission (signed by the individual or his/her Personal Representative) to allow a covered entity to use/disclose specified 'protected health information' (PHI) for a particular research study. Except as otherwise permitted by the Privacy Rule, a covered entity may not use or disclose PHI for research purposes without a valid Authorization.
Accounting for Disclosures of PHI - Information that describes a covered entity's disclosure of PHI that has taken place within six (6) years of the date of the request (excluding any disclosures taking place prior to the Compliance Date). Accounting of disclosures is not required in the following situations:
- disclosures for treatment, payment, and health care operations ("TPO")
- disclosures made pursuant to valid Authorizations
- disclosure of Limited Data Sets
- disclosure of de-identified data
- disclosures of PHI prior to April 14, 2003
Compliance Date - The date by which a covered entity must comply with the requirements mandated by the Privacy Rule. Covered entities must complete implementation of, and be in compliance with, the Privacy Rule by April 14, 2003.
Covered Component - Components of a covered entity that engage in 'covered functions' and, any component that engages in activities that would make such component a 'business associate' of a component that performs covered functions if the two components were separate legal entities.
Covered Entity -
- A health plan,
- A health care clearinghouse, and
- A health care provider who transmits any health information in electronic form.
Covered Functions - Functions that make an entity a health plan, a health care provider, or a health care clearinghouse.
Data Use Agreement - An agreement that specifies permitted uses and disclosures, specifies who may use or receive the data set, restricts further use and disclosure, and restricts re-identification of the individual or contact with the individuals. (This agreement may take the form of a formal contract or of a confidentiality agreement).
De-Identified Data - Data that does not identify an individual and with respect to which there is no reasonable basis to believe that information within the data can be used to identify an individual.
The Privacy Rule provides two routes by which data may be de-identified. The first route is to remove a list of eighteen (18) direct identifiers that could be used to identify the individual; a relative of the individual; employer; or household members of the individual. These identifiers are enumerated in the Privacy Rule (see below). The second route is to obtain the services of an expert who can determine and document, using generally accepted statistical and scientific principles and methods, that there is only a 'very small' risk that the information in a data set could be used to identify the subject of the information.
- All geographical subdivisions smaller than a state, including street address, city, county, precinct, Zip Code, and their equivalent geographical codes, except for the initial three digits of a Zip Code if, according to the current publicly available data from the Bureau of the Census:
- The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people.
- The initial three digits of a ZIP Code for all such geographic units containing 20, 000 or fewer people are changed to 000.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
- Telephone numbers.
- Facsimile numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health Plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web universal resource locators (URLs)
- Internet protocol (IP) address numbers
- Biometric identifiers, including fingerprints and voiceprints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code.
Disclosure - The release, transfer, access to, or divulging of information in any manner outside the Covered Entity holding the information.
FDA- United States Food and Drug Administration.
FDA Regulations - A set of regulations intended to protect the rights, safety, and welfare of participants involved in studies subject to FDA jurisdiction.
Health Care Operations - Any of the following activities of the Covered Entity:
- Conducting quality assessment and improvement activities;
- Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, conducting training programs, accreditation, certification, licensing, or credentialing activities;
- Medical review, legal services, auditing functions, compliance programs ;
- Business planning and development;
- Business management and general administrative activities.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) - This Act requires, among other things, under the Administrative Simplification subtitle, the adoption of standards, including standards for protecting the privacy of individually identifiable health information.
HIPAA Privacy Regulations/ 'Privacy Rule' - A set of Regulations intended to protect the privacy and confidentiality of patients and study subjects adopted by the Department of HHS in compliance with HIPAA.
Individually Identifiable Health Information - Information that includes demographic information collected from an individual, and
- is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Limited Data Set - A data set that excludes the majority of the eighteen direct identifiers of the individual, relative, employers and/or household members of the individual. In a limited data set, the city, state, ZIP code, birth date, admission date, discharge date, and other numbers/characteristics/codes that are not listed as direct identifiers can be retained.
Limited data sets can be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual's Authorization or waiver or an alteration of Authorization for its use and disclosure, with a data use agreement.
Minimum Necessary - The least information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request.
Minimal Risk to the Privacy of the Individual - The amount of risk, harm or discomfort, that an individual will ordinarily encounter in day to day activities.
Modified Accounting System - A system of accounting that can be utilized only in research studies that involve more than fifty records, where the covered entity must provide the individuals with just the following information:
- a list of protocols for which the individual's PHI may have been disclosed pursuant to a waiver or any other exception to seeking an individual authorization;
- the purpose of those studies and the types of PHI sought;
- the timeframes of those disclosures; and
- a researcher's name and contact information for each study.
*Non-FSU Covered Component Researcher - Researchers who are not employed by any of the 'covered components' of the University.
Payment - the activities undertaken by:
- A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or
- A health care provider or health plan to obtain or provide reimbursement for the provision of health care; and
The above activities relate to the patient to whom health care is provided.
Personal Representative - A person who is legally authorized to act on behalf of the individual in making health care related decisions.
Privacy Board - A Board that is established to review and approve requests for waivers or alterations of Authorizations in connection with a use or disclosure of PHI.
A Privacy Board consists of members with varying backgrounds and appropriate professional competencies as necessary to review the effect of the research protocol on an individual's privacy rights and related interests. The Board must include at least one member who is not affiliated with either the covered component (covered entity) or with the entity that is conducting or sponsoring the research, and not related to any person who is affiliated with any such entities. Also, it must not have any member participating in a review of any project in which the member has a conflict of interest.
Privacy Regulations/HIPAA Privacy Rule - Privacy Standards for Protected Health Information set forth under the Health Insurance Portability and Accountability Act.
Protected Health Information (PHI) - Individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. Education records covered by FERPA, and employment records held by a 'covered entity' in its role as an employer, are excluded from this definition.
Psychotherapy Notes - Notes recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group or family setting, that are separated from the rest of the patient's medical records.
Reliance Exception to Revocation of Authorization by Subject - Being able to continue to use/disclose PHI for 'preserving the integrity' of research, despite a written revocation of an individual authorization. Reliance exception would permit use/disclosure of PHI, to account for a subject's withdrawal from the study; as necessary to incorporate the information as part of a marketing application submitted to the FDA; and to conduct investigations of scientific misconduct, or to report adverse events.
Research - A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. This includes the development of research repositories and databases for research.
Researcher - FSU faculty, staff, students
Reviews Preparatory to Research - Using/reviewing of PHI for the purposes of development of a research protocol or a similar activity in preparation of formulating a research hypothesis.
TPO Exception - Being able to use and disclose PHI without an Authorization or without having to obtain a Waiver of HIPAA Authorization, but only if the use and disclosure of PHI falls within 'Treatment, Payment and/or Health Care Operations' activities.
Treatment - The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one provider to another.
Use - The sharing, application, utilization, examination, analysis, or employment of Individually Identifiable Health Information within an entity that maintains such information.
Waiver, Partial Waiver or Alteration of Authorization - The document that the covered entity (covered component, for FSU) obtains from the Privacy Board which states that the Privacy Board has waived or altered the requirements of the HIPAA Privacy Rule, that an individual must authorize the use or disclosure of an individual's PHI for research purposes.
Workforce - Employees, volunteers, trainees, and other persons whose conduct in the performance of work for a covered entity (covered component) is under the direct control of that covered entity (covered component), whether or not they are paid by that entity or component.