The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains provisions to protect the confidentiality and security of personally-identifiable information that arises in the course of providing health care. In order to understand how HIPAA affects research, there are a few important terms that are defined by the law.
A covered entity is the organization that has to comply with HIPAA. The University of California is a Hybrid Covered Entity because, in addition to providing health care at its medical facilities, it also has other organizational activities such as education and research.
The HIPAA Privacy Rule governs Protected Health Information (PHI), which is defined as information that can be linked to a particular person (i.e., is person-identifiable) and that arises in the course of providing a health care service.
When PHI is communicated inside of a covered entity, this is called a use of the information. When PHI is communicated to another person or organization that is not part of the covered entity, this is called a disclosure. HIPAA allows both use and disclosure of PHI for research purposes, but such uses and disclosures have to follow HIPAA guidance and have to be part of a research plan that is reviewed and approved by an Institutional Review Board (IRB).
Authorization: Under HIPAA, the granting of rights to access PHI. Authorization is required by HIPAA for disclosures or uses other than for Treatment Payment Operations (TPO), which are covered in the Notice of Privacy Practices. Treatment cannot be conditioned on granting of an authorization. An authorization is a specific, detailed document requesting patient-subject permission for the use of covered PHI.
Covered Entity: A covered entity is a health plan, a health care clearinghouse, or a health care provider transmitting health information, and is, therefore, subject to the HIPAA regulations.
Disclosure: The release, transfer, provision of access to, or divulging in any other manner of PHI outside the entity holding the information. Disclosure of PHI requires a specific authorization under HIPAA except if disclosure is related to the provision of TPO (Treatment Payment Operations) of the entity responsible for the PHI or under a limited set of other circumstances, such as public health purposes.
Health Information: Any information, whether oral or recorded in any form or medium, that:
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Hybrid Entity: A single legal covered entity with health care and non-health care functions, where the former are covered functions but are not its primary functions. The University of California is a hybrid entity.
Individually Identifiable Health Information is any information created, used, or received by a health care provider that relates to:
- The past, present, or future physical or mental health or condition of an individual,
- The provision of health care to an individual, or
- The past, present, or future payment for the provision of health care to an individual with respect to which there is a reasonable basis to believe the information can be used to identify the individual. The collection of individually-identifiable health information for research constitutes human subjects research.
Minimum Necessary Standard: The least information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request of PHI.
Notice of Privacy Practices: The HIPAA Privacy Rule gives individuals a fundamental right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and distribute a notice that provides clear explanations of these rights and practices. The Notice of Privacy Practices is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights. Note: Sometimes the Notice of Privacy Practices is interchangeable with PHI.
Personal Health Information is used on the University of California HIPAA Authorization form in order to (1) capture the meaning of both protected health information (HIPAA term) and medical information (California Health & Safety Code: California Confidentiality of Medical Information term), (2) communicate to the research subject that information is "personal", and (3) convey information at an eighth-grade reading level.
Protected Health Information (PHI) is defined as any individually identifiable health information collected or created as a consequence of the provision of health care by a covered entity, in any form, including verbal communications.
Research Health Information (RHI) is defined as data used in research that would be personally identifiable but is not considered PHI and is therefore not subject to the HIPAA Privacy and Security Rules. The key distinction between RHI and PHI is that PHI is associated with or derived from a healthcare service event, i.e., the provision of care or payment for care. RHI is covered by other state and federal laws for privacy and confidentiality of research health information.
What Kinds of Activities Are Considered Research?
The HIPAA Privacy Rule is primarily concerned with information generated in the course of providing health care services, and is not primarily concerned with research. However, HIPAA does recognize and endorse the fact that some research may create, use, and disclose Protected Health Information (PHI).
In order to understand whether HIPAA rules apply to a research project, it is first necessary to determine whether the activity would be considered research. For this, HIPAA uses the same definition as the federal Common Rule (45 CFR 46), which is a systematic investigation designed to contribute to generalizable knowledge.
In practice, the most common test of whether an activity is research is whether the results will be published. A quality improvement project that analyzes the medical records of patients who were treated with a particular procedure would not be research if the analysis is used for internal purposes only. But it is important to anticipate whether future publication is a possibility, because retroactive approval to do research with person-identifiable records cannot be given.
Research that is Covered by HIPAA
HIPAA affects only that research which uses, creates, or discloses Protected Health Information (PHI). In general, there are two ways a research study would involve PHI:
- The study involves review of medical records as one (or the only) source of research information. Retrospective studies involve PHI in this way. Prospective studies may do this also, such as when a researcher contacts a participant's physician to obtain or verify some aspect of a person's health history.
- The study creates new medical records because as part of the research a health-care service is being performed, such as testing of a new way of diagnosing a health condition or a new drug or device for treating a health condition.
Most sponsored clinical trials that submit data to the US Food and Drug Administration (FDA) will involve PHI because study monitors have an obligation to compare research records such as Case Report Forms (CRFs) to the medical records of the persons participating in the study, in order to verify that the information transcribed onto the CRFs is accurate.
Human biological specimen data that includes PHI is also considered clinical research.
The HIPAA Research training certificate is required prior to approval of a new or continuing review application.
CITI HIPAA Online Training
CITI: Required for all researchers conducting human subjects research: If you have taken the HIPAA Research training certification course that was offered PRIOR to 2009 and you have the actual certificate, you may upload this document into webIRB and this will meet UCLA's HIPAA Research requirement.
If not, for human subjects, follow the link at www.citiprogram.org and log into your CITI account. On your “Main Menu” screen, click “Add a Course or Update Learner Groups.” Go to “Question #2” and click “yes” for the UCLA HIPAA course, and then click “submit.” You will then be able to begin the UCLA HIPAA course and, when completed, you will have the option to print the completion certificate.
The Investigator is responsible for identifying in his/her application to the IRB all proposed access to PHI which will occur during the course of the research, including access to paper and electronic medical records for the purpose of subject identification or screening, any intended addition of information into medical records, and any collection or use of human specimens with individually identifiable health information attached.
The Investigator is responsible for using the standard University of California Permission to Use Personal Health Information for Research form for access to any UC-held medical record. For access to a subject's non-UC medical records, the HIPAA research authorization form of the subject's health care provider should be used (if the provider does not accept the UC form).
The Investigator is responsible for identifying and complying with HIPAA policies and procedures, as well as applicable State or Federal regulations governing access to PHI outside the University of California hybrid covered entity.
List of 18 PHI Identifiers
HIPAA recognizes that health-related information is often so rich in content that it can never be made truly anonymous, but that the risk of re-identification of an individual is greatly decreased by removing certain elements from data. Health information lacking these elements is said to be de-identified and may be used or disclosed without restriction under the HIPAA Privacy Rule (the health information is no longer PHI).
To de-identify PHI, remove the following 18 identifiers of the individual and of the individual's relatives, employers, or household members:
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web universal resource locators (URLs)
- Internet protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic or code
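As an added illustration (not part of the OHRPP guidance above), the following Python applies the Safe Harbor rules just listed to a constructed patient record: direct identifiers are dropped outright, ZIP codes are reduced to their first three digits (or to 000 for restricted areas), dates directly related to the individual keep only their year, ages over 89 are aggregated as "90+" and the birth year is withheld for such ages, and any free-text field that matches a common identifier shape (SSN, phone, e-mail, MRN reference) is withheld and flagged for review rather than passed through. The field names, the RESTRICTED_ZIP3 set and the sample record are all constructed assumptions; the real restricted three-digit ZIP prefixes must be taken from current Census data.

```python
import re
from datetime import date

# Field names in this constructed record layout that correspond to
# Safe Harbor identifiers and are removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_no", "license_no", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
# Dates directly related to the individual: only the year is kept.
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}
# Constructed placeholder for three-digit ZIP areas with 20,000 or fewer
# people; the real set must come from current Census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}
AGE_CAP = 89  # ages above this are reported only as "90+"

# Identifier shapes that commonly leak into free text (catch-all item 18).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d+\b", re.IGNORECASE),
}


def safe_harbor_zip(zip_code):
    """Keep the first three digits, or '000' for restricted prefixes."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None  # malformed value: remove rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def safe_harbor_age(age):
    """Aggregate all ages over 89 into the single category '90+'."""
    if age is None:
        return None
    return "90+" if age > AGE_CAP else age


def free_text_hits(text):
    """Names of the identifier patterns found in a free-text value."""
    return sorted(name for name, pat in FREE_TEXT_PATTERNS.items()
                  if pat.search(text or ""))


def deidentify(record):
    """Return (de-identified record, list of (field, hits) withheld for review)."""
    out, flagged = {}, []
    age = record.get("age")
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out[key] = safe_harbor_zip(value)
        elif key == "age":
            out[key] = safe_harbor_age(value)
        elif key == "birth_date":
            # A birth year is itself indicative of age once age exceeds 89.
            out["birth_year"] = None if (age or 0) > AGE_CAP or not value else value.year
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value.year if value else None
        elif isinstance(value, str) and free_text_hits(value):
            flagged.append((key, free_text_hits(value)))  # withhold, do not pass through
        else:
            out[key] = value
    return out, flagged


SAMPLE = {  # constructed, not a real patient
    "name": "Jane Q. Sample",
    "mrn": "00123456",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "street": "1 Example Way",
    "city": "Los Angeles",
    "state": "CA",
    "zip": "90095-1406",
    "birth_date": date(1931, 5, 3),
    "admission_date": date(2023, 11, 14),
    "age": 92,
    "diagnosis": "Type 2 diabetes",
    "hba1c": 7.4,
    "notes": "Follow up by phone 310-555-0100 next month",
}

if __name__ == "__main__":
    clean, review = deidentify(SAMPLE)
    print(clean)
    print("withheld for review:", review)
```

The free-text screen is deliberately conservative: a field that matches is withheld, not redacted in place, because pattern matching catches common shapes but cannot prove that a narrative note contains no other unique identifying characteristic, which is exactly what item 18 of the list is about.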
Where only certain identifiers are needed, a covered entity may provide a researcher with a limited data set. Unlike de-identified data, PHI in limited data sets may include the following: city, state, ZIP code, date of birth, date of death, or date(s) of service. See the section "Limited Data Set with a Data Use Agreement" below for how a limited data set may be used.
RHI and PHI
The broad definition of individually identifiable information has led some to conclude that any individually-identifiable fact about a person arising out of their participation in a research study would be PHI if it had immediate or potential relevance to normal or abnormal functioning (i.e., health and disease) at a molecular, physiologic, or functional level.
However, life sciences research includes activities that record person-identifiable information as part of the study, and in many cases it is simply not known whether the research results will be significant, correct, and relevant to healthcare services or to the health and well-being of a particular individual. A large fraction of the biomedical research involving human subjects that is sponsored by NIH and other federal and not-for-profit entities is done to characterize and better understand disease processes without an associated intervention designed to correct them.
The University of California HIPAA Task Force has defined the term Research-related Health Information (RHI) for information which shares some characteristics of HIPAA PHI, but would be governed by a different set of principles and best practices. These practices respect the rights of individuals while at the same time catalyzing progress in biomedical and behavioral sciences.
The key distinction between RHI and PHI is that PHI is associated with or derived from a healthcare service event. Thus, research studies that use medical records as a source of person-identifiable research data are using PHI, and interventional clinical studies where treatments are being compared for safety and effectiveness would create PHI. In contrast, a research study that does not include a diagnostic or therapeutic intervention, and does not acquire health-related facts about a person by copying them from a medical record, would create information that if individually identifiable would be considered RHI. See the white paper on the differences between PHI and RHI.
When participants in a research study sign an authorization to have a copy of their PHI used for research purposes, the information transcribed into the research record is subsequently governed by the terms of their authorization and is no longer PHI subject to HIPAA. Although the HIPAA Privacy Rule no longer applies to this information as it is maintained in research records, best practices for research involving human volunteers requires that its confidentiality continue to be protected.
Use and Disclosure of PHI for Research
HIPAA permits the use or disclosure of PHI for research under the following circumstances and conditions:
- If the subject of the PHI has granted specific written permission through an Authorization
- If the IRB has granted a waiver of the authorization requirement
- If the PHI has been de-identified in accordance with the standards set by HIPAA
- If the information is released in the form of a limited data set, with certain identifiers removed, and with a data use agreement between the researcher and the covered entity
The principle of respect for persons means that, if it is feasible to get the consent of someone before using their PHI for research, then consent should be obtained. HIPAA refers to consent for use of information as an Authorization, and requires that the following elements be present in an Authorization to use PHI for research purposes:
- A description of information to be used or released,
- The name of person(s) or class of persons (e.g., project staff) who will use the information,
- The name of persons or organizations to whom PHI will be released. (e.g., central coordinating offices of multi-center trials),
- The expiration date or event that ends authorization to use PHI (e.g., completion of the research), or statement that authorization does not expire,
- A statement that the research participant has the right to revoke authorization (as part of withdrawal from study procedures),
- A statement that if information will be disclosed to other organizations the information may no longer be protected, and
- A statement that individuals may inspect or copy their records. The researcher may stipulate that records will not be available until after the study is complete.
UCLA has developed a standard Authorization form. To access the UCLA Authorization form, go to University of California Permission to Use Personal Health Information for Research. This is the form required for use at UCLA by UCLA investigators.
Translations of the 2013 HIPAA Authorization Form are in process and will be provided on the OHRPP website when available. In the interim, use of a translator to obtain signed HIPAA authorization from non-English speaking subjects is acceptable.
For more information, see OHRPP Guidance: Decedent Research.
Waivers of Authorization
Although it is in most cases preferable to get permission to use an individual's Protected Health Information, HIPAA permits research using PHI without obtaining consent (called Authorization by HIPAA). In order to do this, the research must be reviewed and approved by a duly established Institutional Review Board (IRB). HIPAA requires that IRBs review the project to be sure it meets all of the following criteria:
- The use or disclosure of PHI involves no more than minimal risk.
- Granting of the waiver will not adversely affect privacy rights and welfare of the individuals whose records will be used.
- The project could not practicably be conducted without a waiver.
- The project could not practicably be conducted without use of PHI.
- The privacy risks are reasonable relative to the anticipated benefits of research.
- An adequate plan to protect identifiers from improper use and disclosure is included in the research proposal.
- An adequate plan to destroy the identifiers at the earliest opportunity, or justification for retaining identifiers, is included in the research proposal.
- The project plan includes written assurances that PHI will not be re-used or disclosed for other purposes.
- Whenever appropriate, the subjects will be provided with additional pertinent information after participation.
Limited Data Set with a Data Use Agreement
Where only certain identifiers are needed, a covered entity may provide a researcher with a limited data set. Unlike de-identified data, PHI in limited data sets may include the following: city, state, ZIP code, date of birth, date of death, or date(s) of service.
Because limited data sets may contain identifiable information, they are still PHI.
A data use agreement is the means by which covered entities obtain satisfactory assurances that the recipient of the limited data set will use or disclose the PHI in the data set only for specified purposes. Even if the person requesting a limited data set from a covered entity is an employee or otherwise a member of the covered entity's workforce, a written data use agreement meeting the Privacy Rule's requirements must be in place between the covered entity and the limited data set recipient.
The HIPAA Privacy Rule requires a data use agreement to contain the following provisions:
- Specific permitted uses and disclosures of the limited data set by the recipient consistent with the purpose for which it was disclosed (a data use agreement cannot authorize the recipient to use or further disclose the information in a way that, if done by the covered entity, would violate the Privacy Rule).
- Identification of who is permitted to use or receive the limited data set.
- Stipulations that the recipient will:
  - Not use or disclose the information other than as permitted by the agreement or otherwise required by law.
  - Use appropriate safeguards to prevent the use or disclosure of the information, except as provided for in the agreement, and report to the covered entity any uses or disclosures in violation of the agreement of which the recipient becomes aware.
  - Hold any agent of the recipient (including subcontractors) to the standards, restrictions, and conditions stated in the data use agreement with respect to the information.
  - Not identify the information or contact the individuals.
To access the UCLA Data Use Agreement, follow the link to the UCLA Office of Compliance and click on a Data Use Agreement.
Need to Know and Minimum Necessary Access
For both healthcare and research, HIPAA requires that Protected Health Information be communicated on a need-to-know and minimum-necessary basis. Simply put, individually identifiable information should be made available only to persons whose job requires access to that information, and only the information that is the minimum necessary to get the job done should be provided.
These principles also apply to the disclosure of PHI to research collaborators at outside institutions. In most cases, scientific data about individuals in research studies should be shared with other researchers only in a format where it is stripped of all identifying information. De-identified data may be linked to personal identifiers via an alphanumeric code. Do not use Medical Record Number (or any other person-identifiable element) as part of the code. In most cases, the key to the code should not be available to other researchers and in all cases it should be kept secure according to UCLA Data Security in Research Guidelines.
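One way to implement the coded linkage this paragraph describes, added here as an example rather than UCLA's own tooling: study codes are generated with Python's `secrets` module so that nothing derived from the Medical Record Number enters the code, a check rejects any code that happens to embed the MRN or its trailing digits, and the MRN-to-code crosswalk is returned as a separate object that is the only route back to the person. The record layout, field names and sample MRNs are constructed.

```python
import secrets

CODE_BYTES = 8  # 16 hex characters per study code (constructed choice)


def new_study_code():
    """Random, unguessable code; nothing about the person goes into it."""
    return secrets.token_hex(CODE_BYTES).upper()


def code_embeds_identifier(code, identifier):
    """True if the identifier, or its trailing digits, appears inside the code.

    Guards against the practice the guidance forbids: building the study code
    from the MRN (or any other person-identifiable element).
    """
    ident = str(identifier).upper()
    code_u = code.upper()
    if ident and ident in code_u:
        return True
    digits = "".join(ch for ch in ident if ch.isdigit())
    code_digits = "".join(ch for ch in code_u if ch.isdigit())
    return len(digits) >= 6 and digits[-6:] in code_digits


def assign_study_codes(records, id_field="mrn"):
    """Replace the MRN in each record with a random study code.

    Returns (coded_records, crosswalk). The crosswalk (MRN -> code) is the
    key to the code and must be stored separately from the coded data, under
    its own access controls; collaborators receive only coded_records.
    """
    crosswalk, used, coded = {}, set(), []
    for rec in records:
        mrn = rec[id_field]
        code = crosswalk.get(mrn)
        if code is None:
            # Draw until the code is unique and provably unrelated to the MRN.
            while True:
                code = new_study_code()
                if code not in used and not code_embeds_identifier(code, mrn):
                    break
            crosswalk[mrn] = code
            used.add(code)
        shared = {k: v for k, v in rec.items() if k != id_field}
        shared["study_id"] = code
        coded.append(shared)
    return coded, crosswalk


def relink(coded_records, crosswalk):
    """Re-identification is possible only for whoever holds the crosswalk."""
    by_code = {code: mrn for mrn, code in crosswalk.items()}
    return [dict(rec, mrn=by_code[rec["study_id"]]) for rec in coded_records]


SAMPLE_RECORDS = [  # constructed, not real patients
    {"mrn": "00123456", "visit": 1, "hba1c": 7.4},
    {"mrn": "00123456", "visit": 2, "hba1c": 7.1},
    {"mrn": "00987654", "visit": 1, "hba1c": 6.2},
]

if __name__ == "__main__":
    shared, key = assign_study_codes(SAMPLE_RECORDS)
    print("share with collaborators:", shared)
    print("keep separately and secured:", key)
```

Because the codes are random rather than derived, the crosswalk is the only thing that needs protecting: losing it means the coded data cannot be relinked, and exposing it re-identifies the whole data set, which is why the guidance says it should stay with the study team and be kept secure under the UCLA Data Security in Research Guidelines.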
Information such as names, addresses, phone numbers, e-mail addresses, and other contact information should not be disclosed unless it is essential to the conduct of the research.
HIPAA requires that research involving Protected Health Information use physical, technical and administrative safeguards to protect confidentiality.
Physical safeguards include storing of person-identifiable data in locked file cabinets, and restriction of access only to those project staff who have a need to access the files. Paper records should not be kept in public areas where passers-by may inadvertently see their content.
Technical safeguards apply to computer systems where PHI is stored, and include use of password-protected access, screensavers with a timeout so that access is locked a period of time after a user walks away from the computer, and audit trails that record who has created or changed PHI data in the system. Wherever feasible, person-identifiable elements of the computerized research records should be stored separately and, if feasible, in an encrypted format. Additional information is available by accessing the UCLA Data Security in Research Guidelines.
Administrative safeguards include use of signed confidentiality agreements and publication of policies regarding the confidentiality and security of research data.
HIPAA requires that certain records be maintained in both healthcare and research contexts. Authorizations for use of PHI should be kept in research records for at least six years. Though not required, a good practice would be to keep signed informed consent documents together with research authorization forms.
When disclosures of PHI occur (i.e., when information is sent outside to persons in other organizations), the principal investigator must keep a record of what information was sent, and to whom. An audit trail of disclosures should be kept, and made available on request by a study participant so that they can see what information about them was sent to an outside organization or person.
It has been a common practice for clinicians who are also doing research to use medical records they have produced, or the clinical information systems of their organization, to identify potential participants for research studies or to find cases for a retrospective chart review. HIPAA distinguishes between the use of medical records for health care, which is a HIPAA covered function, and the use of records for research purposes, which is not covered and must be done only with signed authorization or with a waiver of authorization granted by an Institutional Review Board.
The HIPAA Privacy Rule permits use of PHI for reviews preparatory to research. However, in the University of California system this is considered part of the overall research plan and requires IRB review before the review activity begins. It is not permissible to begin the research by gathering preliminary data via lookups in clinical information systems, or by reviewing clinic appointment logs or other records of clinical care, prior to IRB review and approval of a study.