Institutional Review Board

GENERAL HIPAA GUIDANCE 


What is the HIPAA Privacy Rule?

Health Insurance Portability and Accountability Act: Standards for Privacy of Individually Identifiable Health Information
[45 CFR Parts 160 and 164]

The HIPAA Privacy Rule establishes the conditions under which protected health information may be used or disclosed by covered entities. (Because the Health Sciences Center is involved in health care delivery, it is a covered entity.) By the compliance date of April 14, 2003, covered entities must implement standards to protect and guard against the misuse of individually identifiable health information. These standards apply to human subjects research.

Is this in Addition to IRB Oversight under the Common Rule?

Yes. Although there is considerable overlap in the protection provided to subjects under the two programs, the Privacy Rule establishes a second mandated compliance program directed, in part, at protecting individuals volunteering to participate in research. The Common Rule specifically protects the welfare of subjects. The Privacy Rule expands on this concept and specifically protects the use and disclosure of certain health information. An additional important difference between the two Rules is that failure to implement and comply with the Privacy Rule standards may, under certain circumstances, trigger the imposition of civil or criminal penalties.

How Does the Rule Work with Regard to Research?

In the course of conducting research, researchers may obtain, create, use, and/or disclose individually identifiable health information. Under the Privacy Rule, covered entities are permitted to use and disclose protected health information for research with individual authorization, or without individual authorization under limited circumstances set forth in the Privacy Rule. 


Definitions

Health Information

Any information, whether oral or recorded in any form or medium, that:

  • Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Individually Identifiable Health Information 

Information that is a subset of health information, including demographic information collected from an individual, and:

  • Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
    • That identifies the individual; or
    • With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected Health Information (PHI)

Individually identifiable health information transmitted or maintained in any form or medium, including paper records.

Research

Defined in the Privacy Rule as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”


How May PHI Be Used in Research?

PHI may be used and disclosed for research purposes in a number of ways:

Health information may also be used in a de-identified form not considered PHI. Note that under the Common Rule there is a group of studies that can be given an “Exempt” status as determined by the IRB. In this determination, anonymity, based on not recording subject names and not maintaining a link to the subject's name, is the deciding factor for classification as “Exempt”. Many of these studies, however, collect information that under the Privacy Rule is considered adequate to identify the subject. This makes the health information PHI and the study subject to the Privacy Rule. The following are considered identifiers under the Privacy Rule.

Note: The Privacy Rule states that information will be considered identifiable if the covered entity knows that the identity of the person may still be determined.

