General Guidance
The HIPAA Privacy Rule as It Relates to Research
The Office of Research Services has collected this information to assist
the research community at our institution in complying with the Health
Insurance Portability and Accountability Act. If you need any additional
assistance, please contact our office at (504) 568-4970.
What is the HIPAA Privacy Rule?
Health Insurance Portability and Accountability Act: Standards for
Privacy of Individually Identifiable Health Information [45 CFR Parts 160 and 164]
The HIPAA Privacy Rule establishes the
conditions under which protected health information may be used or disclosed
by covered entities. (Because the Health Sciences Center is involved in
health care delivery it is a covered entity.) By the compliance date of
April 14, 2003, covered entities must implement standards to protect and
guard against the misuse of individually identifiable health information.
These standards apply to human subjects research.
Is this in Addition to IRB Oversight under the Common Rule?
Yes. Although there is considerable overlap in the protection provided to
subjects under the two programs, the Privacy Rule establishes a second
mandated compliance program, directed in part at protecting individuals
volunteering to participate in research. The Common Rule specifically
protects the welfare of subjects. The Privacy Rule expands on this concept
and specifically protects the use and disclosure of certain health
information. An additional important difference between the two Rules is
that failure to implement and comply with the Privacy Rule standards may,
under certain circumstances, trigger the imposition of civil or criminal
penalties.
How Does the Rule Work with Regard to Research?
In the course of conducting research, researchers may obtain, create, use,
and/or disclose individually identifiable health information. Under the
Privacy Rule, covered entities are permitted to use and disclose protected
health information for research with individual authorization, or without
individual authorization under limited circumstances set forth in the
Privacy Rule. More detailed explanations of the Privacy Rule and how the
Privacy Rule relates to research can be seen at the following websites:
Office of Civil Rights Guidance on the Privacy Rule:
Definitions
Health Information►
Any information, whether oral or recorded in any form or
medium, that:
- Is created or received by a health care provider, health plan,
  public health authority, employer, life insurer, school or university, or
  health care clearinghouse; and
- Relates to the past, present, or future physical or mental health
  or condition of an individual; the provision of health care to an
  individual; or the past, present, or future payment for the provision of
  health care to an individual.
Individually Identifiable Health Information►
Information that is a subset of health information, including demographic
information collected from an individual, and:
- Is created or received by a health care provider, health plan,
  employer, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health
  or condition of an individual; the provision of health care to an
  individual; or the past, present, or future payment for the provision of
  health care to an individual; and
  · That identifies the individual; or
  · With respect to which there is a reasonable basis to believe the
    information can be used to identify the individual.
Protected Health Information (PHI)►
Individually identifiable health information transmitted or maintained in
any form or medium, including paper records.
Research► Defined in the Privacy Rule as “a systematic investigation,
including research development, testing, and evaluation, designed to develop
or contribute to generalizable knowledge.”
How PHI May Be Used in Research?
PHI may be used and disclosed for research purposes in a number of ways:
Health information may also be used in a de-identified form not considered
PHI. Note that under the Common Rule there is a group of studies that can
be given an “Exempt” status as determined by the IRB. In this
determination, anonymity based on lack of recording subject names and not
maintaining a link to the subject's name is the deciding factor for
classification as “Exempt”. Many of these studies, however, collect
information that under the Privacy Rule is considered adequate to identify
the subject. This makes the health information PHI and the study subject to
the Privacy Rule. The following are considered identifiers under the Privacy
Rule.
[The IRB requires completion of the Certification of Use of De-Identified
Information Form.]
- Names
- Address – (All geographic subdivisions smaller than a State including street
  address, city, county, precinct, zip code, and their equivalent geocodes,
  except for the initial three digits of a zip code if, according to the
  current publicly available data from the Bureau of the Census: (initial
  3 digits if geographic unit contains less than 20,000 people, or any
  other geographical codes).
- Dates (except for years)
- Birth Dates
- Admission Dates
- Discharge Dates
- Date of Death
- Ages >89 and all elements of dates (including year) indicative of such age,
  EXCEPT that such ages and elements may be aggregated into a single category
  of >90
- Telephone Numbers / Fax Numbers
- E-mail Addresses / Web Universal Resource Locators (URLs) / Internet Protocol
  (IP) Address Numbers
- Social Security Numbers
- Medical Record Numbers
- Health Plan Beneficiary Numbers
- Account Numbers
- Certificate / License Numbers
- Vehicle Identifiers and Serial Numbers
- Device Identifiers and Serial Numbers
- Biometric Identifiers (e.g. finger or voice prints)
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code or any other
  information used alone or in combination that could allow identification
  of an individual who is subject of the information
Note ► The Privacy Rule states that information will be considered
identifiable if the covered entity knows that the identity of the person may
still be determined.