HIPAA Application in Research
The HIPAA Privacy Rule applies when one or more of the following are true while doing research involving human subjects:
- You use, receive, and/or disclose Protected Health Information (PHI) from a Covered Entity
- You maintain PHI within a Covered Entity
- You are a Covered Entity
FSU is a hybrid entity comprised of covered and non-covered components. The covered components are: FSU Thagard Student Health Center, and the FSU Speech and Hearing Clinic.
If you are using PHI in your research, you must comply with the HIPAA procedures of the Covered Entity where the PHI will be obtained.
What is a Covered Entity?
The following are Covered Entities under HIPAA:
- Hospitals
- Physicians and other health care providers who transmit PHI electronically to process health care claims and billing. Providers may include community clinics, social service agencies, and practitioners in psychology, psychotherapy, and social work.
- Health insurers, HMOs, health plans, and health care clearinghouses
If you are not within an FSU Covered Component and you are unsure if the source of your data is a Covered Entity, please request clarification from that source.
What is PHI?
Protected Health Information (PHI) is any "individually identifiable health information" that is created or maintained by a Covered Entity.
- PHI is health information plus identifiers. It is health information that includes or is able to be linked to the identity of the subject.
- The sources of PHI may be living participants, deceased persons, human tissue samples, databases, or repositories.
- All forms of PHI are protected (i.e., electronic transmissions and media, paper, verbal, tissue samples, photographs, audio/visual recordings).
What is not PHI?
- If the individually identifiable health information is not being created or maintained by a Covered Entity, it is not PHI.
- If data does not contain both 1) health information and 2) identifiers, it is not PHI. A good example is de-identified data that is being used and stored by a Covered Entity.
- PHI that has been disclosed to any entity that is not a Covered Entity is no longer PHI.
- Individually identifiable health information that is stored in school records is not PHI.
- Individually identifiable health information that is stored in employee records by a Covered Entity acting in its role as an employer is not PHI.
Regardless of the relationship of the FSU researcher to FSU (i.e., faculty, adjunct, staff, student, resident) and to the Covered Entity (i.e., full-time or part-time employee, consultant, outside research investigator, or student in a field placement), the FSU researcher must follow the procedures of the Covered Entity where the PHI will be obtained.
Examples that are PHI:
- Within an FSU Covered Entity: The FSU researcher wants to obtain individually identifiable health information from an FSU Covered Entity for the purpose of conducting research. Because the information originates within a Covered Entity, such information is PHI. Because this is a FSU Covered Entity, the researcher must follow FSU procedures to obtain an authorization or a waiver of authorization before using the PHI.
- Within a non-FSU Covered Entity: The FSU researcher wants to obtain individually identifiable health information from a non-FSU Covered Entity for the purpose of conducting research. Because the information originates within a Covered Entity, such information is PHI. Because this is not an FSU Covered Entity, the researcher must follow that Covered Entity's procedures and ensure that the proper Authorizations or Waivers are in place before using the PHI. Note that this is the most common occurrence for FSU's researchers to date.
Examples that are not PHI:
- Non-treatment data obtained directly from subjects within a Covered Entity: The FSU researcher is not a Covered Entity and is not providing treatment to the subjects. The researcher wants to obtain individually identifiable health information directly from research subjects located within a Covered Entity using methods that are not part of the subject's treatment (e.g., through interviews, surveys, or scales) and the information obtained will not become part of the medical/treatment records. For example, a study recruits patients from the waiting room of a hospital and the researcher interviews them about specific health practices. The researcher is not part of the covered entity and the researcher has no plans to maintain this data within the covered entity. Although this study collects health related information, and it occurs within a Covered Entity, it is not PHI because it is not going to be maintained within the covered entity and it does not result from treatment or come from medical charts maintained by the Covered Entity but is provided directly to the interviewer by the research participant. Because it is not PHI, the researcher may use or disclose it without regard to the Privacy Rule (note that if this is IRB approved research, the researcher will still have to maintain confidentiality, etc., as required in the consent document).
- Data obtained from a non-FSU Covered Entity: The FSU researcher wants to obtain individually identifiable health information from a source at an HMO. The researcher is not a Covered Entity and is not an employee of the Covered Entity (HMO) where the data will be obtained. Because the source of the data is a Covered Entity, the information starts out as PHI. The researcher must follow the HIPAA procedures of that Covered Entity (the HMO) and ensure that the proper Authorizations or Waivers are in place before using the PHI. However, once the researcher has received the PHI from the Covered Entity, it is no longer PHI and the researcher may use or disclose it without regard to the Privacy Rule. This is the most common situation where FSU researchers interface with HIPAA to date.
- Data obtained from a source that is not a Covered Entity: The researcher is not a Covered Entity and obtains individually identifiable health information directly from the research subject (e.g., through interviews, surveys, or scales). For example, a study recruits chronically ill individuals from a support group and the researcher interviews them about their pain tolerance. Although this study collects health related information, it is not PHI because it does not come from a Covered Entity. Because it is not PHI, the researcher may use or disclose it without regard to the Privacy Rule. However, if the researcher will use or maintain this individually identifiable health information within a Covered Entity, then it is PHI and the researcher must follow the Covered Entity's procedures and ensure that the proper Authorizations or Waivers are in place before using the PHI.
If HIPAA applies to my research, what do I need to do?
If the HIPAA Privacy Rule applies to your research, you must obtain an Authorization to use/disclose PHI or a Waiver of Authorization in accord with the procedures required by the Covered Entity where the PHI will be obtained. For more details about what procedures you need to follow, please refer to the FSU HIPAA and Research section for more information.