The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains provisions to protect the confidentiality and security of personally-identifiable information that arises in the course of providing health care. In order to understand how HIPAA affects research, there are a few important terms that are defined by the law.
A covered entity is the organization that has to comply with HIPAA. A hospital, or a university with a hospital, is a covered entity because, in addition to providing health care at its medical facilities, it also has other organizational activities such as education and research.
The HIPAA Privacy Rule governs Protected Health Information (PHI), which is defined as information that can be linked to a particular person (i.e., is person-identifiable) and that arises in the course of providing a health care service.
When PHI is communicated inside of a covered entity, this is called a use of the information. When PHI is communicated to another person or organization that is not part of the covered entity, this is called a disclosure. HIPAA allows both use and disclosure of PHI for research purposes, but such uses and disclosures have to follow HIPAA guidance and have to be part of a research plan that is reviewed and approved by an Institutional Review Board (IRB).
Definitions
Authorization: Under HIPAA, the granting of rights to access PHI. Authorization is required by HIPAA for disclosures or uses other than for Treatment Payment Operations (TPO), which are covered in the Notice of Privacy Practices. Treatment cannot be conditioned on granting of an authorization. An authorization is a specific, detailed document requesting patient-subject permission for the use of covered PHI.
Covered Entity: A covered entity is a health plan, a health care clearinghouse, or a health care provider transmitting health information, and is, therefore, subject to the HIPAA regulations.
Disclosure: The release, transfer, provision of access to, or divulging in any other manner of PHI outside the entity holding the information. Disclosure of PHI requires a specific authorization under HIPAA except if disclosure is related to the provision of TPO (Treatment Payment Operations) of the entity responsible for the PHI or under a limited set of other circumstances, such as public health purposes.
Health Information: Any information, whether oral or recorded in any form or medium, that:
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Hybrid Entity: A single legal covered entity with health care and non-health care functions, where the former are covered functions but are not its primary functions.
Individually Identifiable Health Information is any information created, used, or received by a health care provider that relates to:
- The past, present, or future physical or mental health or condition of an individual,
- The provision of health care to an individual, or
- The past, present, or future payment for the provision of health care to an individual with respect to which there is a reasonable basis to believe the information can be used to identify the individual. The collection of individually-identifiable health information for research constitutes human subjects research.
Minimum Necessary Standard: The least information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request of PHI.
Notice of Privacy Practices: The HIPAA Privacy Rule gives individuals a fundamental right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and distribute a notice that provides clear explanations of these rights and practices. The Notice of Privacy Practices is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and to exercise their rights. Note: Sometimes the Notice of Privacy Practices is interchangeable with PHI.
Protected Health Information (PHI) is defined as any individually identifiable health information collected or created as a consequence of the provision of health care by a covered entity, in any form, including verbal communications.
Research Health Information (RHI) is defined as data used in research that would be personally identifiable but is not considered PHI, and is therefore not subject to the HIPAA Privacy and Security Rules. The key distinction between RHI and PHI is that PHI is associated with or derived from a health care service event, i.e. the provision of care or payment for care. RHI is covered by other state and federal laws for the privacy and confidentiality of research health information.
What Kinds of Activities Are Considered Research?
The HIPAA Privacy Rule is primarily concerned with information generated in the course of providing health care services, and is not primarily concerned with research. However, HIPAA does recognize and endorse the fact that some research may create, use, and disclose Protected Health Information (PHI).
In order to understand whether HIPAA rules apply to a research project, it is first necessary to determine whether the activity would be considered research. For this, HIPAA uses the same definition as the federal Common Rule (45 CFR 46), which is a systematic investigation designed to contribute to generalizable knowledge.
In practice, the most common test of whether an activity is research is whether the results will be published. A quality improvement project that analyzes the medical records of patients who were treated with a particular procedure would not be research if the analysis is used for internal purposes only. But it is important to anticipate whether future publication is a possibility, because retroactive approval to do research with person-identifiable records cannot be given.
Research that is Covered by HIPAA
HIPAA affects only that research which uses, creates, or discloses Protected Health Information (PHI). In general, there are two ways a research study would involve PHI:
- The study involves review of medical records as one (or the only) source of research information. Retrospective studies involve PHI in this way. Prospective studies may do this also, such as when a researcher contacts a participant's physician to obtain or verify some aspect of a person's health history.
- The study creates new medical records because as part of the research a health-care service is being performed, such as testing of a new way of diagnosing a health condition or a new drug or device for treating a health condition.
Most sponsored clinical trials that submit data to the US Food and Drug Administration (FDA) will involve PHI because study monitors have an obligation to compare research records such as Case Report Forms (CRFs) to the medical records of the persons participating in the study, in order to verify that the information transcribed onto the CRFs is accurate.
Human biological specimen data which includes PHI is also considered clinical research.
Information Security
HIPAA requires that research involving Protected Health Information use physical, technical and administrative safeguards to protect confidentiality.
Physical safeguards include storing of person-identifiable data in locked file cabinets, and restriction of access only to those project staff who have a need to access the files. Paper records should not be kept in public areas where passers-by may inadvertently see their content.
Technical safeguards apply to computer systems where PHI is stored, and include password-protected access, screensavers with a timeout that locks access after a period of inactivity when a user walks away from the computer, and audit trails that record who has created or changed PHI data in the system. Wherever feasible, person-identifiable elements of the computerized research records should be stored separately and, if feasible, in an encrypted format.
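The two technical safeguards above, separating person-identifiable elements from the research data and keeping an audit trail of who created or changed records, can be sketched in code. This is an added illustration, not code from the page or any institution's system; the identifier field names, the user names and the HMAC-based pseudonym scheme are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumed direct identifiers that must never sit in the research records
IDENTIFIERS = {"name", "mrn", "dob"}


class ResearchDataStore:
    """Splits each record into a linkage entry (identifiers, keyed by a pseudonym)
    and a research entry (everything else), and keeps a hash-chained audit trail
    of who created or changed research data. Hypothetical example, not from the page."""

    def __init__(self, linkage_key: bytes):
        self._key = linkage_key   # secret used to derive pseudonyms; keep it with the linkage file
        self.linkage = {}         # pseudonym -> identifiers (store separately, encrypted at rest)
        self.research = {}        # pseudonym -> non-identifying study data
        self.audit_log = []       # chained audit entries; a real trail would also carry timestamps

    def pseudonym(self, mrn: str) -> str:
        # Keyed hash: the pseudonym cannot be recomputed from the MRN without the linkage key
        return hmac.new(self._key, mrn.encode(), hashlib.sha256).hexdigest()[:16]

    def add_record(self, user: str, record: dict) -> str:
        pid = self.pseudonym(record["mrn"])
        self.linkage[pid] = {k: v for k, v in record.items() if k in IDENTIFIERS}
        self.research[pid] = {k: v for k, v in record.items() if k not in IDENTIFIERS}
        self._audit(user, "create", pid, sorted(self.research[pid]))
        return pid

    def update_field(self, user: str, pid: str, field: str, value) -> None:
        if field in IDENTIFIERS:
            raise ValueError("identifiers belong in the linkage store, not in research data")
        self.research[pid][field] = value
        self._audit(user, "update", pid, [field])

    def _audit(self, user: str, action: str, pid: str, fields: list) -> None:
        # Each entry commits to the previous digest, so deleting or editing an entry is detectable
        prev = self.audit_log[-1]["digest"] if self.audit_log else "0" * 64
        entry = {"user": user, "action": action, "pid": pid, "fields": fields, "prev": prev}
        entry["digest"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit_log.append(entry)

    def audit_log_intact(self) -> bool:
        prev = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "digest"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["digest"]:
                return False
            prev = entry["digest"]
        return True
```

Encryption of the linkage store at rest is left to the file system or a key-management service and is not implemented here.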
Administrative safeguards include use of signed confidentiality agreements and publication of policies regarding the confidentiality and security of research data.