Module: Research and HIPAA Privacy Protections (7-18-11)
HIPAA's protections focus on individually identifiable health information. HIPAA defines identifiable health information as information, in "any form or medium," that "relates to (1) the past, present, or future physical or mental health or condition of an individual; (2) the provision of health care to an individual; or (3) the past, present, or future payment for the provision of health care to an individual."
HIPAA's protections reach only a subset of individually identifiable health information, formally called protected health information or simply "PHI," created in or by what HIPAA calls covered entities. Covered entities include:
- individual health providers
- health provider organizations
- health plans
- health information clearinghouses
that engage in electronic health care transactions.
HIPAA's regulations set requirements for use and disclosure of PHI by covered entities, and by extension on all members of a covered entity's workforce that have contact with PHI. Covered entities must also establish contractual requirements for data protection on business associates (and by extension on the workforce of business associates) that perform functions using PHI on the covered entity's behalf.
HIPAA defines research as any "systematic investigation, including research development, testing, and evaluation, designed to develop and contribute to generalizable knowledge." Not all kinds of research-like activity are included in this definition.
A covered entity may choose to rely on:
- An IRB to assess compliance with both the FDA/Common Rule requirements and the HIPAA research requirements.
- A Privacy Board to handle some research-related issues, including determinations about eligibility for waivers, alterations, and exemptions from authorization processes.
- A designated Privacy Officer.
Research use of PHI may bypass the authorization requirement when one of the following applies:
1. Waiver or alteration of the authorization requirement is granted by an IRB/Privacy Board because of minimal risk, and other criteria are met.
2. PHI is used solely for activities preparatory to research, and certain representations are obtained from the researcher.
3. Only deceased persons' information is used, and certain representations are obtained.
4. Only de-identified data is involved, by meeting set criteria or with independent validation of de-identification (a.k.a. anonymization).
5. Research is conducted with a limited data set under an approved data use agreement.
6. It is grandfathered research where all legal permissions were in place before HIPAA took effect.
An IRB or Privacy Board may grant a waiver or alteration of authorization when:
- Use or disclosure of the PHI involves no more than minimal risk to the privacy of the research subjects, based on the following elements:
  - An adequate plan to protect any data identifiers from improper use and disclosure.
  - An adequate plan to destroy data identifiers at the earliest opportunity consistent with conduct of the research (unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law).
  - Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by HIPAA.
- The research could not practicably be conducted without the PHI.
- The research could not practicably be conducted without the waiver.
HIPAA provides for two more exceptions to the authorization requirement for identifiable data:
- Where the PHI will be used solely for reviews preparatory to research (e.g., for protocol development) and will not leave the covered entity.
- Where the PHI refers solely to deceased persons (the covered entity may ask for documentation of death of all data subjects).
A researcher may use fully de-identified information without any authorization. De-identified information is no longer considered PHI, because it is no longer individually identifiable.
A limited data set must have all direct identifiers removed; however, it may still include information that could "indirectly" identify the subject using statistical methods.
If all informed consents and other legal permissions required at the time were in place before HIPAA took effect (April 2003 in most cases), and have not changed since, no new HIPAA authorization is required.
The minimum necessary standard states that the uses/disclosures must be no more than the minimum required for the described research purpose. Uses and disclosures of data for research that are allowed to bypass the authorization requirement are still subject to the minimum necessary standard.
Where the study involves more than 50 subjects' records, the disclosure accounting requirement can be met by the covered entity providing data subjects with:
- A list of all protocols for which their PHI may have been disclosed, along with the timeframe for those disclosures.
- The purpose of those protocols, and the types of PHI sought.
- The researcher's name and contact information for each study.
If a research activity meets none of the bypassing criteria, an authorization is required. When they are required, authorizations must be:
- In "plain language," so that individuals can understand the information contained in the form and thus be able to make an informed decision.
- Executed in writing, and signed by the research subject.
Like other kinds of HIPAA authorizations, those for research may be revoked by the subject at any time, provided that the revocation is in writing.
It is still permissible under HIPAA to discuss recruitment into research with patients for whom such involvement might be appropriate. This common practice is considered to fall within the definition of treatment, at least when the conversation is undertaken by one of the patient's health care providers.
HHS has reiterated in its guidance that use or disclosure of PHI for retrospective research studies may be done only with (1) patient authorization, or (2) a waiver, alteration, or exception determination from an IRB or Privacy Board.
HIPAA privacy protections supplement those of other federal regulations (e.g., the Common Rule and FDA), state law, and certification/accreditation requirements. HIPAA only protects identifiable health information from covered entities. Not all identifiable health information is protected health information (PHI).
Under HIPAA, research activity using PHI generally requires authorization. However, there are several alternatives that allow bypassing the authorization requirement. Minimum necessary standards, disclosure accounting requirements, and the characteristics of authorizations (when required) must be understood by researchers when HIPAA applies.