General Guidance

The HIPAA Privacy Rule as It Relates to Research

The Office of Research Services has collected this information to assist the research community at our institution in complying with the Health Insurance Portability and Accountability Act. If you need any additional assistance, please contact our office at (504) 568-4970.

What is the HIPAA Privacy Rule?

Health Insurance Portability and Accountability Act: Standards for Privacy of Individual Identifiable Health Information
[45 CFR Parts 160 and 164]

The HIPAA Privacy Rule establishes the conditions under which protected health information may be used or disclosed by covered entities. (Because the Health Sciences Center is involved in health care delivery it is a covered entity.) By the compliance date of April 14, 2003, covered entities must implement standards to protect and guard against the misuse of individually identifiable health information. These standards apply to human subjects research.

Is this in Addition to IRB Oversight under the Common Rule?

Yes, although there is considerable overlap in the protection provided subjects under the two programs, the Privacy Rule establishes a second mandated, compliance program, in part, directed at protecting individuals volunteering to participate in research. The Common Rule specifically protects the welfare of subjects. The Privacy Rule expands on this concept and specifically protects the use and disclosure of certain health information. An additional important difference between the two Rules is that, failure to implement and comply with the Privacy Rule standards may, under certain circumstances, trigger the imposition of civil or criminal penalties.

How Does the Rule Work with Regard to Research?

In the course of conducting research, researchers may obtain, create, use, and/or disclose individually identifiable health information. Under the Privacy Rule, covered entities are permitted to use and disclose protected health information for research with individual authorization, or without individual authorization under limited circumstances set forth in the Privacy Rule. More detailed explanations of the Privacy Rule and how the Privacy Rule relates to research can be seen at the following websites:

Office of Civil Rights Guidance on the Privacy Rule:

Definitions

Health Information► Any information, whether oral or recorded in any form or medium, that:

  • Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Individually Identifiable Health Information► Information that is a subset of health information, including demographic information collected from an individual, and:

  • Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

  • That identifies the individual; or
  • With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected Health Information (PHI)► Individually identifiable health information transmitted or maintained in any form or medium, including paper records.

Research Defined in the Privacy Rule as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”

How PHI May Be Used in Research?

PHI may be used and disclosed for research purposes in a number of ways:

Health information may also be used in a de-identified form not considered PHI. Note that under the Common Rule there is a group of studies that can be given an “Exempt” status as determined by the IRB. In this determination, anonymity based on lack of recording subject names and not maintaining a link to the subjects name is the deciding factor for classification as “Exempt”. Many of these studies, however, collect information that under the Privacy Rule is considered adequate to identify the subject. This makes the health information PHI and the study subject to the Privacy Rule. The following are considered identifiers under the privacy rule. [The IRB requires completion of the Certification of Use of De-Identified Information Form.]

  • Names

  • Address – (All geographic subdivisions smaller than a State including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (initial 3 digits if geographic unit contains less than 20,000 people, or any other geographical codes).

  • Dates (except for years)

  • Birth Dates

  • Admission Dates

  • Discharge Dates

  • Date of Death

  • Ages >89 and all elements of dates (including year) indicative of such age, EXCEPT that such ages and elements may be aggregated into a single category of >90

  • Telephone Numbers / Fax Numbers

  • E-mail Addresses / Web Universal Resource Locators (URLs) / Internet Protocol (IP) Address Numbers

  • Social Security Numbers

  • Medical Record Numbers

  • Health Plan Beneficiary Numbers

  • Account Numbers

  • Certificate / License Numbers

  • Vehicle Identifiers and Serial Numbers

  • Device Identifiers and Serial Numbers

  • Biometric Identifiers (e.g. finger or voice prints)

  • Full face photographic images and any comparable images

  • Any other unique identifying number, characteristic, or code or any other information used alone or in combination that could allow identification of an individual who is subject of the information

Note ► The Privacy Rule states that information will be considered identifiable if the covered entity knows that the identity of the person may still be determined.