Implementation of HIPAA and the Privacy Rule by the IRB
- What is HIPAA?
- What types of information are regulated by the Privacy and Security Rules?
- Who must comply with HIPAA?
- What Does the Privacy Rule Have To Do With Research?
- What is the IRB’s Role?
- When can an IRB waive the requirement for an authorization?
- De-identification of PHI
- The University of California HIPAA website
- NIH: Understanding the HIPAA Privacy Rule website
- Access to PHI on Decedent Information (UCDHS Compliance Program)
- Limited Datasets (UCDHS Compliance Program)
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. The Act requires The Department of Health and Human Services to develop regulations to protect the privacy and security of identifiable health information. Two sets of regulations, referred to as the Privacy Rule and Security Rule, outline the requirements that must be followed when entities subject to the rules use and share health information.
The rules apply to protected health information (PHI), which is defined as individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records.
In most instances, health information is considered individually identifiable when any of the following identifiers are included with the information:
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Account numbers
- Certificate/license numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographs and any comparable images
- Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification
- The initial three digits of a ZIP code may be retained only when the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people are changed to 000.
One of the main purposes of HIPAA is to require health plans to accept electronic transactions from health care providers. The Privacy and Security Rules are the means of reducing the risk to individual privacy when those electronic transactions are processed. The Rules apply to all PHI held by covered entities, which are health plans (health insurance companies), health care providers, and health care clearinghouses (companies that facilitate electronic transactions). UC Davis Medical Center is a health care provider and is a covered entity under HIPAA.
When research involves the use or disclosure of PHI by entities subject to the regulations, the rules will apply. Researchers have legitimate needs to use, access, and disclose PHI to carry out a wide range of health research studies. In most instances, the Privacy Rule requires an authorization from the individual or a waiver of authorization from an IRB or Privacy Board before a covered entity can access, use or disclose PHI for research purposes. In general, there are two types of human research that would involve PHI:
- Studies involving review of medical records as a source of research information.
- Studies that create new medical information because a health care service is being performed as part of the research.
What Is Required for Research in order to access, use or disclose Protected Health Information (PHI)?
Researchers may access, use, and/or disclose PHI for research purposes from the Electronic Medical Record (EMR) once there is an approved waiver from an IRB or other applicable authority or a signed HIPAA Authorization from the patient. UC Davis Health acknowledges that all information placed into the Electronic Health Record system (EPIC) by Marshall Medical Center (MMC) is the proprietary information of MMC, and shall not be accessed, used, and/or disclosed by UC Davis Health unless MMC specifically authorizes such.
(1) Use or disclosure involves no more than minimal risk to the privacy of individuals because of the presence of at least the following elements:
(a) An adequate plan to protect health information identifiers from improper use or disclosure.
(b) An adequate plan to destroy identifiers at the earliest opportunity absent a health or research justification or legal requirement to retain them.
(c) Adequate written assurances that the PHI will not be used or disclosed to a third party except as required by law, for authorized oversight of the research study, or for other research uses and disclosures permitted by the Privacy Rule.
(2) Research could not practicably be conducted without the waiver or alteration.
(3) Research could not practicably be conducted without access to and use of PHI.
Health Insurance Portability and Accountability Act (HIPAA) Authorization
- The Privacy Rule establishes the right of an individual, such as a research subject, to authorize a covered entity to use and disclose his/her PHI for research purposes. This requirement is in addition to the informed consent to participate in research required under the HHS Protection of Human Subjects Regulations and other applicable Federal and State law.
- The HIPAA Authorization for Research (Version 2017) is available at the Office of Research website.
In most instances, researchers at UC Davis use the UC HIPAA Research Authorization (University of California Permission to Use Personal Health Information for Research) to use and share PHI for research purposes. However, in some instances, the Privacy Rule allows an IRB to waive the requirement for a signed authorization from the individual for use of PHI in research. UC Davis researchers complete the applicable section of the electronic Initial Review Application when they need access to PHI without obtaining an authorization from the individual.
It is always preferred to obtain authorization to use an individual’s PHI. In order to waive the requirement for an authorization, the IRB must determine that the study meets the following criteria:
- The use or disclosure of the identifiers involves no more than minimal risk (an adequate plan to protect identifiers from improper use and disclosure must be included in the research proposal).
- There is an adequate plan to destroy the identifiers at the earliest opportunity.
- The project could not practicably be conducted without a waiver.
- The project could not practicably be conducted without use of PHI.
- The IRB receives written assurances that PHI will not be re-used or disclosed for other purposes.
What kind of waivers does the UC Davis IRB grant?
The UC Davis IRB will approve either:
- A full waiver of authorization to conduct all the research activities described in the research proposal; or
- A partial waiver of authorization for specific research activities such as recruitment.
In most instances, a full waiver of authorization is granted only when there is no opportunity for the researcher to obtain authorization from the individual. Partial waivers of authorization are often granted to allow researchers to access the EMR to identify potential research participants.
If a waiver of authorization is granted, the IRB will post a HIPAA Waiver Notice with the approval documents. Review the HIPAA Waiver Notice for the detailed description of the waiver.