HIPAA
SUMMARY OF HIPAA'S IMPACT ON RESEARCH AT UM
The federal Health Insurance Portability and Accountability Act (HIPAA) provides privacy protections for medical records and other individually identifiable health information (“protected health information” or “PHI”) created or maintained by a HIPAA “covered entity.” The HIPAA “Privacy Rule” is intended to enhance the rights of individuals by providing them with greater access to their PHI and more control over its uses and disclosure. This summary generally describes HIPAA requirements regarding covered research, is for informational purposes only, and does not constitute legal advice. Additional HIPAA information is posted on the University's HIPAA website at http://hipaa.umd.edu/ and the IRB website.

HIPAA's privacy requirements are in addition to existing human subjects research protection requirements.
-
HIPAA RESEARCH COVERAGE
In the research context, HIPAA establishes the conditions under which PHI may be created, obtained, used or disclosed by covered entities for research purposes. As defined by HIPAA, the term “covered entity” includes (among other things [1]) health care providers who engage in certain financial or administrative transactions electronically. Because the University's activities include both HIPAA covered and non-covered functions, the University has declared its status as a “hybrid” HIPAA entity, with a designated HIPAA covered “Health Care Component” that initially includes the University Health Center and certain administrative units that provide the Health Center with operational support. Other units may, however, be added to the covered Health Care Component in the future. [2]

Given its status as a hybrid entity, HIPAA generally will cover research conducted by personnel in the University's designated HIPAA covered Health Care Component, as well as other research involving the creation, use and/or disclosure of PHI maintained by the Health Care Component. University researchers who are not directly covered by HIPAA may also need to comply with certain HIPAA requirements if they seek access to PHI maintained by other HIPAA covered entities.
-
ACCESS TO PHI FOR RESEARCH PURPOSES
Under HIPAA, researchers may obtain, create, use, disclose and/or otherwise access PHI for research purposes through one of the following methods: 1) by obtaining individual authorization; 2) by obtaining IRB waiver or alteration of the authorization requirement; 3) by using de-identified information; 4) by using limited data sets with a data use agreement; 5) by using only decedents' information, with certain assurances; and 6) by using PHI for purposes preparatory to research, with certain assurances. Each of these methods has its own requirements, which are summarized below.
-
INDIVIDUAL AUTHORIZATION
An Authorization is basically an individual's written permission or consent to use his or her PHI for research purposes. HIPAA requires that an Authorization be written in plain language and contain certain “core” elements. Research authorizations may be combined with an informed consent form or set forth in a separate Authorization document. Researchers must give a copy of the Authorization to the individual and retain the original for six years after signing.
Core Elements of an Authorization

Note: All elements must be described or identified in a sufficiently specific and meaningful fashion.

- The information to be used/disclosed.
- The person(s) or class of persons authorized to make the requested use or disclosure.
- The person(s) or class of persons authorized to receive the PHI.
- The purpose of the use/disclosure.
- An expiration date or event that relates to the individual or purpose of the use/disclosure. For research purposes, statements like “none” or “end of the research study” are permitted.
- Signature, date, and, if applicable, a description of the authority of a person signing on behalf of an individual (parent, guardian, etc.).

Additional Required Statements in Authorization

- Right to revoke the Authorization, including method and exceptions, if any. In general, an Authorization may be revoked to the extent an entity has not acted in reliance on it. In the research context, continued use/disclosure of PHI obtained prior to revocation is generally permitted to maintain the integrity of the research project.
- Effect, if any, of refusing to sign (or revoking) an Authorization on the ability to receive research-related treatment. With the exception of research-related treatment, HIPAA prohibits covered entities from conditioning treatment and other benefits on receiving an Authorization.
- Potential for PHI to be re-disclosed by the researcher and no longer covered by HIPAA's privacy requirements.
-
DOCUMENTED IRB WAIVER OR ALTERATION OF AUTHORIZATION
A covered entity may use/disclose PHI without valid authorization by the research participant if it obtains documentation that an alteration or waiver of such authorization for research purposes has been approved by an IRB.

Criteria for IRB Waiver or Alteration

To approve a request for a waiver or alteration of HIPAA's authorization requirements, an IRB must determine that the following three criteria are satisfied.

- The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
    - an adequate plan to protect the identifiers from improper use and disclosure;
    - an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
    - adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by the Privacy Rule.
- The research could not practicably be conducted without the waiver or alteration.
- The research could not practicably be conducted without access to and use of the PHI.

Documentation Requirements for IRB Waiver or Alteration

- Identification of the IRB and the date on which the alteration or waiver of authorization was approved.
- A statement that the IRB has determined that the alteration or waiver of authorization, in whole or in part, satisfies the three criteria in the Privacy Rule (see above).
- A brief description of the PHI for which use or access has been determined to be necessary by the IRB.
- A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures.
- The signature of the chair or other member (as designated by the chair) of the IRB, as applicable.
-
DE-IDENTIFIED PHI
If health information does not identify an individual and there is no reasonable basis to believe the information can be used to identify an individual, it is not considered PHI under HIPAA. Therefore, health information that has been “de-identified” in the manner required by HIPAA may be used/disclosed for research purposes without individual authorization. HIPAA prescribes two alternative ways to de-identify health information.

- A person with appropriate knowledge and experience with statistical and scientific principles and methods for rendering information unidentifiable must determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information. OR
- The following “identifiers” specified in HIPAA are removed from the health information: names; telephone & fax numbers; all geographic designators; email addresses; all elements of dates; social security numbers; all ages over 89; URLs & IP numbers; medical records numbers; full face photographic images; health plan beneficiary numbers; biometric identifiers; account numbers; certificate/license numbers; vehicle identifiers & serial numbers; license plate numbers; and any other unique identifying number, characteristic or code.
-
LIMITED DATA SET
HIPAA permits a covered entity to use/disclose health information contained in a “limited data set” for research, public health or health care operations purposes without authorization. A limited data set requires the removal of fewer identifiers than de-identified information. All direct or facial identifiers (e.g., names, street addresses, telephone and other identification numbers) must still be removed from a limited data set; only indirect potential identifiers (e.g., cities, states, zip codes, and certain dates) may be included in a limited data set.

A limited data set may be used/disclosed only in conjunction with a written “data use agreement” that provides satisfactory assurances that the recipient of the data will only use the information for the purposes for which it was received.
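As an added illustration (not part of the University's summary), the following Python applies the two data-set definitions above to a constructed record: the Safe Harbor function removes every field matching the de-identification list, the limited-data-set function removes only the direct identifiers, and a final check scans free-text fields for identifier patterns that field-level removal alone misses. The field names, regular expressions and sample record are assumptions made for this example.

```python
import re

# Field names are a constructed convention for this example, not a HIPAA schema.
# Direct identifiers drawn from the summary's de-identification list: removed by both methods.
DIRECT = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn", "url", "ip",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "biometric", "face_photo",
}
# Indirect identifiers: may stay in a limited data set, must go under Safe Harbor.
INDIRECT = {"city", "state", "zip", "birth_date", "admission_date"}

# Patterns for identifiers hiding inside free text (e.g. clinical notes); dropping
# named fields does not catch these, so a residual scan is still needed.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def limited_data_set(record: dict) -> dict:
    """Remove only direct identifiers; sharing still needs a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT}

def safe_harbor(record: dict) -> dict:
    """Remove direct and indirect identifiers; drop ages over 89 as the summary lists them."""
    out = {k: v for k, v in record.items() if k not in DIRECT and k not in INDIRECT}
    if isinstance(out.get("age"), int) and out["age"] > 89:
        del out["age"]
    return out

def residual_identifiers(record: dict) -> list:
    """Return (field, kind) pairs where a string value still looks like an identifier."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            hits.extend((field, kind) for kind, pat in LEAK_PATTERNS.items() if pat.search(value))
    return hits

# Constructed sample record; every value is made up.
SAMPLE = {
    "name": "J. Doe", "mrn": "MRN-0001", "ssn": "123-45-6789", "age": 92,
    "city": "College Park", "state": "MD", "zip": "20742", "admission_date": "2003-04-14",
    "diagnosis": "asthma", "note": "Pt phone 301-555-0100 on file; follow up 5/1/03.",
}

if __name__ == "__main__":
    print(limited_data_set(SAMPLE))
    print(safe_harbor(SAMPLE))
    print(residual_identifiers(safe_harbor(SAMPLE)))  # the note field still leaks a phone and a date
```

Even after Safe Harbor field removal the free-text note still carries a phone number and a date, which is why the residual scan (or manual review of narrative fields) belongs in any de-identification workflow.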
A data use agreement must:

- Establish the permitted uses/disclosures consistent with the purposes of the research and HIPAA;
- Prohibit the recipient from further uses/disclosures not permitted by HIPAA;
- Limit who may use or receive the data; and
- Require the recipient to agree:
    - not to use/disclose the information other than as permitted by the agreement or required by law;
    - to use appropriate safeguards to prevent further use/disclosure other than as permitted by the agreement or required by law;
    - to report any unauthorized use/disclosure;
    - to ensure that its agents that access the limited data set agree to the same conditions and restrictions regarding the information; and
    - not to identify the information or contact the subjects of it.
-
DECEDENTS' PHI
HIPAA permits a covered entity to use/disclose the PHI of decedents for research purposes without authorization if the researcher provides certain assurances and, if requested, documentation.

The researcher must provide the following representations, orally or in writing:

- The use/disclosure being sought is solely for research on the PHI of decedents;
- The PHI being sought is necessary for the research; and
- At the request of the covered entity, documentation of the death of the individuals about whom information is being sought.
-
REVIEWS OF PHI PREPARATORY TO RESEARCH
HIPAA permits a covered entity to use/disclose PHI without individual authorization for reviews preparatory to research (e.g., to design or assess the feasibility of a study), if the researcher provides certain assurances.

The researcher must provide the following representations, orally or in writing:

- The use/disclosure of PHI is solely to prepare a research protocol or for similar purposes preparatory to research;
- The researcher will not remove any protected health information from the covered entity (physically or electronically); and
- The PHI for which access is sought is necessary for the research purpose.
-
MINIMUM NECESSARY REQUIREMENT IN RESEARCH
HIPAA generally requires that covered entities make reasonable efforts to use or disclose only the minimum PHI (in terms of type and amount) necessary to accomplish the intended purpose of the use or disclosure. The minimum necessary standard generally does not apply to a use/disclosure for treatment purposes or pursuant to an individual's authorization. In the research context, the minimum necessary requirement also does not apply to de-identified information. [3]
-
ACCOUNTING FOR RESEARCH DISCLOSURES OF PHI
HIPAA generally gives individuals the right to receive an accounting of the disclosures of their PHI by a covered entity within a six year period. Certain research disclosures are exempt from this accounting requirement; others require only a limited accounting. No accounting is required for research disclosures made pursuant to an individual's authorization or a data use agreement for a limited data set. For research disclosures made pursuant to a documented IRB waiver, a simplified accounting is sometimes permitted.

To qualify for a simplified accounting, the research must involve at least 50 individuals' PHI; and the accounting must provide:

- a list of all protocols for which the individual's PHI may have been disclosed;
- the researcher's name and contact information;
- the name and purpose of the study; and the type of PHI sought.

If requested, assistance must be provided in contacting the researcher(s) to whom it is likely an individual's PHI was actually disclosed.
-
RESEARCH TRANSITION RULES
All HIPAA covered research that begins on or after April 14, 2003 must comply with HIPAA privacy requirements for PHI. Research that began prior to April 14 is subject to HIPAA transition provisions. The transition provisions permit a covered researcher to use/disclose PHI that was created or received for research, either before or after the April 14 compliance date, if the researcher obtained any one of the following before April 14:

- An authorization or other express legal permission from an individual to use/disclose PHI for the research;
- The informed consent of the individual to participate in the research; or
- A waiver of informed consent by an IRB in accordance with the Common Rule or an exception under FDA's human subject protection regulations at 21 CFR 50.24.

Under these rules, researchers may rely on express legal permission, informed consent, or IRB-approved waiver of informed consent, which they receive before April 14, to use and disclose PHI for specific research studies, as well as for future unspecified research that may be included in any such permission. This basically means that HIPAA Authorizations for ongoing research studies do not have to be obtained from subjects who enrolled in a study before April 14.

However, a HIPAA Authorization (or HIPAA waiver) is required for new subjects who enroll in any study (i.e., give informed consent) on or after April 14, 2003. Also, if an IRB waiver of informed consent was obtained before April 14, but informed consent is subsequently sought on or after that date, Authorization is required along with the informed consent. Similarly, if previously enrolled study participants are “re-consented” after April 13, HIPAA Authorization is also required.
Footnotes:

[1] HIPAA also covers health plans and health clearinghouses.
[2] The University's HIPAA designations are posted on its HIPAA website at http://hipaa.umd.edu/
[3] The minimum necessary standard does not apply to uses/disclosures required by law or for HIPAA compliance, or to disclosures to the subject of the PHI.

Download HIPAA Authorization Application Form (Word)