HIPAA Frequently Asked Questions

The HIPAA Privacy Rule, effective April 14, 2003, established national standards to safeguard the privacy of a patient's protected health information. Protected health information (PHI) includes: Information created or received by a health care provider or health plan that includes health information or health care payment information plus information that personally identifies the individual patient or plan member. Personal identifiers include: a patient's name and email, web site and home addresses; identifying numbers (including Social Security, medical records, insurance numbers, biomedical devices, vehicle identifiers and license numbers); full facial photos and other biometric identifiers; and dates (such as birth date, dates of admission and discharge, death). See below for a list of these identifiers.

The Board of Regents designated the University of California as a HIPAA hybrid covered entity and determined that UC would be a Single Health Care Component for the purposes of complying with the HIPAA Rule. All of the entities at UC covered by the HIPAA Privacy and Security Rules - medical centers, medical clinics, health care providers, health plans, student health centers - are a single entity for purposes of compliance with HIPAA. However, the research function is excluded from HIPAA coverage at UC. Accordingly, research health information that is not associated with a health care service is not subject to the HIPAA Privacy and Security Rules. Other state and federal laws govern privacy and confidentiality of personal health information obtained in research.

HIPAA affects only that research which uses, creates, or discloses PHI.

Protected or personal health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. HIPAA defines 18 specific identifiers:

• Name
• Full face photographs
• Social Security Number
• Health Plan Number
• Medical Record
• Account Number
• Geographic Location*
• Biometric ID - finger, except for state voice prints
• All dates, except year**
• License Number
• Age > 89
• Vehicle Identification
• Phone Number
• Device Numbers
• Fax Number
• URL's and IP Address
• E-mail address
• Any other unique number, code
  

In addition to the required IRB approval, HIPAA authorization is required for research studies that use, create, or disclose PHI that will be entered in to the medical record or will be used for healthcare services, such as treatment, payment or surgeries.

*Geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same initial digits contains more than 20,000 people, and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

**All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death.

Some research studies use data that is person-identifiable because it includes personal identifiers such as name, address. However, it is not considered to be PHI because the data are not associated with or derived from a healthcare service event (treatment, payment, operations, medical records), not entered into the medical records, nor will the subject/patient be informed of the results. Research health information (RHI) that is kept only in the researcher's records is not subject to HIPAA but is regulated by other human subjects protection regulations.

No. Some research studies do not collect PHI for their project or for the recruitment of their research subjects. For example, anonymous surveys and observational studies that do not collect identifiers do not use PHI. Another example is non-medical studies that recruit subjects through advertisements or flyers where no PHI is accessed for recruitment or collected for the study. If your study does not use PHI, then it is not subject to HIPAA regulations. However, appropriate measures for data security still apply.

The use of PHI occurs when PHI is communicated inside of a covered entity. For example; studies that involve review of UC medical records by UC investigators as one (or the only) source of research information use PHI. Retrospective medical chart reviews also involve the use of PHI.

The disclosure of PHI occurs when PHI is communicated to another person or organization that is not part of the covered entity. The sharing of PHI with study sponsors is a disclosure of PHI. When a UC investigator contacts a participant's non-UC physician to obtain or verify some aspect of a person's health history then a disclosure of PHI occurs.

Studies that create new medical records also create PHI. If a health care service is being performed as part of the research then new medical records are created. Examples include testing of a new way of diagnosing a health condition and testing a new drug or device for treating a health condition.

HIPAA permits the use or disclosure of PHI for research under the following circumstances and conditions:

• If the subject of the PHI has granted specific written permission through an Authorization;
• If the IRB has granted a waiver of the authorization requirement;
• If the PHI has been de-identified in accordance with the standards set by HIPAA; and/or
• If the information is released in the form of a limited data set, with certain identifiers removed, and with a data use agreement between the researcher and the covered entity.

If you plan to obtain subjects' authorization to use or disclose PHI as part of your research, use the standard University of California Permission to Use Personal Health Information for Research for access to any UC-held medical record.

Important Note: The UC form is written and formatted very carefully to comply with both Federal regulations and state law. Except where space is provided for fill in the blank information, neither the format nor the content of the UC form may be modified.

For access to a subject's non-UC medical records, the HIPAA research authorization form of the subject's healthcare provider should be used (if the provider does not accept the UC form).

Investigators are advised to examine the flow of PHI through their research projects and develop security policies for both electronic and hard copy PHI. Any type of physical or electronic storage may be used. Simple steps may be all that are required to accomplish the goals of tracking, recovery, and security. Additional UCLA Data Security and Policy Guidelines can be found on the UCLA Office of Compliance-Security website.

A tracking system is necessary to account for how the PHI is stored, used, and shared, e.g. flow of PHI through your project.

A recovery plan simply means having the capability to recover data if you lose your primary database for both your research and for HIPAA accountability of any PHI disclosures.

A security system that prevents inadvertent disclosure, loss or theft of PHI from your project is required. For example, acceptable security for an isolated computer system or data system could include the following:

• Data is kept in locked file cabinet
• Data is kept in locked office or suite
• Data is stored on a secure network
• Electronic data are protected with a password (computer, PDA, laptop)
• Electronic data are protected with automatic logoff (computer, PDA, laptop)
• Data is coded; data key is kept separately and securely
• Data will be de-identified per HIPAA definition

There are issues for securing electronic data transmission as almost every form of Internet, does not protect PHI. All electronic data should be scanned by anti-virus software both before sending and receiving encrypted data. Any use of the Internet to transmit data must be scrutinized very carefully as very few systems are behind firewalls or within secure zones.

A breach of security refers to any unauthorized access to PHI and usually related to electronic files or devices that contain PHI. Common examples include the use of electronic storage devices without password protection, sending email with PHI outside of the UCLA intranet or to the wrong person; a laptop/PDA/electronic storage device with PHI is stolen or lost, and other similar situations. Consult with your IT department for guidance to protect electronic devices. Investigators, staff and other individuals who are concerned that there may have been a breach of security for their research files should contact the OHRPP and the UCLA HIPAA Privacy Management Office immediately. They will work with you to assess the situation to determine who else may be notified.

Although it is almost always preferable to get permission to use an individual's PHI, HIPAA permits research using PHI without obtaining authorization. In order to do this, the research must be reviewed and approved by the IRB. HIPAA requires that IRBs review the project to be sure it meets all of the following criteria:

• The use or disclosure of PHI involves no more than minimal risk.
• Granting of the waiver will not adversely affect privacy rights and welfare of the individuals whose records will be used.
• The project could not practicably be conducted without a waiver.
• The project could not practicably be conducted without use of PHI.
• The privacy risks are reasonable relative to the anticipated benefits of research.
• An adequate plan to protect identifiers from improper use and disclosure is included in the research proposal.
• An adequate plan to destroy the identifiers at the earliest opportunity, or justification for retaining identifiers, is included in the research proposal.
• The project plan includes written assurances that PHI will not be re-used or disclosed for other purposes.
• Whenever appropriate, the subjects will be provided with additional pertinent information after participation.

Requests for waiver of HIPAA authorization must be submitted to the IRB as part of the webIRB application and be approved prior to accessing the health information.

HIPAA recognizes that health-related information is often so rich in content that it can never be made truly anonymous, but that the risk of re-identification of an individual is greatly decreased by removing certain elements from data. Health information lacking these elements is said to be de-identified and may be used or disclosed without restriction under the HIPAA Privacy Rule (the health information is no longer PHI).

To de-identify PHI, remove the following 18 identifiers of the individual and of the individual's relatives, employers, or household members:

• Name
• Full face photographs
• Social Security Number
• Health Plan Number
• Medical Record
• Account Number
• Geographic Location*
• Biometric ID - finger, except for state voice prints
• All dates, except year**
• License Number
• Age > 89
• Vehicle Identification
• Phone Number
• Device Numbers
• Fax Number
• URL's and IP Address
• E-mail address
• Any other unique number, code

*Geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same initial digits contains more than 20,000 people, and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is change d to 000.

**All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death.

A limited dataset is a set of identifiable information in which most of the identifiers for the individual, the individual's relatives, employers and household members have been removed. Unlike de-identified data, PHI in limited data sets may include the following:

• 5-digit zip code (the 4-digit extension is not allowed)
• dates of birth, death, admission, discharge
• all geographic subdivisions other than street address

Important Note: Because limited data sets may contain identifiable information, they still contain PHI.

A Data Use Agreement is the means by which covered entities obtain satisfactory assurances that the recipient of the limited data set will use or disclose the PHI in the data set only for specified purposes.

To access the UCLA Data Use Agreement, follow the link to the UCLA Office of Compliance and click on Data Use Agreement under Research Forms. For questions, follow the link to Contact Info for UCLA Office of Compliance.

Yes. Even if the person requesting a limited data set from a covered entity is an employee or otherwise a member of the covered entity's workforce, a written data use agreement meeting the Privacy Rule's requirements must be in place between the covered entity and the limited data set recipient.

No. U.S. Federal laws do not apply to studies conducted overseas or in foreign countries. The standard methods of protecting confidentiality and privacy for research in human subjects still apply and you should have these in place. However, the research subjects do not need to sign an authorization to allow access to their PHI.

Yes. HIPAA allows for the creation of databases for research purposes. A research database can be created without obtaining individual authorizations but only with a IRB approved Waiver of Authorization. The proposal to the IRB must meet all of these waiver criteria, some of which you may already include as part of the confidentiality discussion in your research proposal. These criteria include:

• The study represents minimal risk to the privacy of the individual;
• The study could not practicably be done without access to PHI; and
• The study could not practicably be done without a waiver of authorization.
  

In addition, the following three provisions must also be made:

• An adequate plan to protect the identifiers from improper use and disclosure;
• An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers (or is required by law), and
• An adequate written assurance that the PHI will not be reused or disclosed to anyone else (except for research oversight, other research studies approved to use the PHI, or as required by law)
  

The PHI maintained in the research database may be disclosed for future research studies if the investigator either obtains an individual's authorization or an IRB approved Waiver of Authorization.

It depends on whether PHI will be accessed and/or whether State, county, or local death data files will be accessed, as both the Federal and State privacy laws apply. Even if PHI will not be recorded for research purposes, the following will apply:

Yes. Do not include information about HIPAA in the informed consent form. Other than referencing the HIPAA Research Authorization form, the consent form should not cover the same topics covered in the HIPAA Authorization form. This means you will need to revise the language in the sample consent form.

No. Since the UC form is standard and not modifiable it should not be submitted to the IRB for review and approval. The IRB will not issue a stamped version of the form.

Yes. There is a Spanish-language version of the UC form available on our website. See the HIPAA Authorization forms.

Yes, under limited circumstances. Access to subjects' medical records containing individually identifiable patient information may be granted to sponsors for the limited purpose of auditing data quality and monitoring the study as required under FDA regulations.

Yes, if the monitoring is required by or allowed under other laws. A company sponsor and its authorized representatives may continue to monitor or audit source documents so long as the time period is anticipated under the laws, even if the study has concluded. If the sponsor has a duty to monitor the source documents supporting the data submitted to the FDA under FDA regulations, HIPAA does not require an authorization.

Yes. UCLA requires all faculty and research staff to complete the HIPAA Research Training Certification Course for human subjects before submitting an IRB protocol to the OHRPP for approval. See the section on CITI HIPAA Online Training. After you have completed the training, you will be provided with a certificate of completion that you should retain for your records.