Implementation of HIPAA and the Privacy Rule by the IRB
- What is HIPAA?
- What types of information are regulated by the Privacy and Security Rules?
- Limited Data Sets
- Who must comply with HIPAA?
- What Does the Privacy Rule Have To Do With Research?
- What is the IRB’s Role?
- When can an IRB waive the requirement for an authorization?
- De-identification of PHI
- The University of California HIPAA website
- NIH: Understanding the HIPAA Privacy Rule website
- Access to PHI on Decedent Information (UCDHS Compliance Program)
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. The Act requires The Department of Health and Human Services to develop regulations to protect the privacy and security of identifiable health information. Two sets of regulations, referred to as the Privacy Rule and Security Rule, outline the requirements that must be followed when entities subject to the rules use and share health information.
The rules apply to protected health information (PHI), which is defined as individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records.
In most instances, health information is considered individually identifiable when any of the following identifiers are included with the information:
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary
- Vehicle identifiers and serial numbers, including license plate numbers
- Account numbers
- Certificate/license numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographs and any comparable images
- Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification
- The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
- The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000.
One of the main purposes of HIPAA is to require health plans to accept electronic transactions from health care providers. The Privacy and Security Rules are means to the risk to individual privacy when the electronic transactions are processed. The Rules apply to all PHI held by covered entities, which are health plans (health insurance companies), health care providers and health care clearing houses (companies that facilitate electronic transactions. UC Davis Medical Center is a health care provider and is a covered entity under HIPAA.
When research involves the use or disclosure of PHI by entities subject to the regulations, the rules will apply. Researchers have legitimate needs to use, access, and disclose PHI to carry out a wide range of health research studies. In most instances, the Privacy Rule requires an authorization from the individual or a waiver of authorization from an IRB or Privacy Board before a covered entity can access, use or disclose PHI for research purposes. In general, there are two types of human research that would involve PHI:
- Studies involving review of medical records as a source of research information.
- Studies that create new medical information because a health care service is being performed as part of the research.
What Is Required for Research in order to access, use or disclose Protected Health Information (PHI)?
Researchers may access, use, and/or disclose PHI for research purposes from the Electronic Medical Record (EMR) once there is an approved waiver from an IRB or other applicable authority or a signed HIPAA Authorization from the patient. UC Davis Health acknowledges that all information placed into the Electronic Health Record system (EPIC) by Marshall Medical Center (MMC) is the proprietary information of MMC, and shall not be accessed, used, and/or disclosed by UC Davis Health unless MMC specifically authorizes such.
(1) Use or disclosure involves no more than minimal risk to the privacy of individuals because of the presence of at least the following elements:
(a) An adequate plan to protect health information identifiers from improper use or disclosure.
(b) An adequate plan to destroy identifiers at the earliest opportunity absent a health or research justification or legal requirement to retain them.
(c) Adequate written assurances that the PHI will not be used or disclosed to a third party except as required by law, for authorized oversight of the research study, or for other research uses and disclosures permitted by the Privacy Rule.
(2) Research could not practicably be conducted without the waiver or alteration.
(3) Research could not practicably be conducted without access to and use of PHI.
Health Insurance Portability and Accountability Act (HIPAA) Authorization
o The Privacy Rule establishes the right of an individual, such as a research subject, to authorize a covered entity to use and disclose his/her PHI for research purposes. This requirement is in addition to the informed consent to participate in research required under the HHS Protection of Human Subjects Regulations and other applicable Federal and State law.
o HIPAA Authorization for Research (Version 2017) are available at the Office of Research website.
In most instances, researchers at UC Davis use the UC HIPAA Research Authorization (University of California Permission to Use Personal Health Information for Research) to use and share PHI for research purposes. However, in some instances, the Privacy Rule allows an IRB to waive the requirement for a signed authorization from the individual for use of PHI in research. UC Davis researchers complete the applicable section of the electronic Initial Review Application when they need access to PHI without obtaining an authorization from the individual.
It is always preferred to obtain authorization to use an individual’s PHI. In order to waive the requirement for an authorization, the IRB must determine that the study meets the following criteria:
- The use or disclosure of the identifiers involves no more than minimal risk (An adequate plan to protect identifiers from improper use and disclosure must be included in the research proposal)
- There is an adequate plan to destroy the identifiers at the earliest opportunity.
- The project could not practicably be conducted without a waiver
- The project could not practicably be conducted without use of PHI
- The IRB receives written assurances that PHI will not be re-used or disclosed for other purposes
What kind of waivers does the UC Davis IRB grant?
The UC Davis IRB will approve either:
- A full waiver of authorization to conduct all the research activities described in the research proposal; or
- A partial waiver of authorization for specific research actives such as recruitment.
In most instances, a full waiver of authorization is granted only when there is no opportunity for the researcher to obtain authorization from the individual. Partial waivers of authorization are often granted to allow researchers to access the EMR to identify potential research participants.
If a waiver of authorization is granted, the IRB will post a HIPAA Waiver Notice with the approval documents. Review the HIPAA Waiver Notice for the detailed description of the waiver.
The Privacy Rule allows a covered entity to use and disclose a limited data set for research activities if the covered entity and the data recipient enter into what is called a Data Use Agreement. This is permitted without the need to obtain an Authorization or documentation of a waiver or an alteration of Authorization to use and disclose the PHI in the limited data set.
What is a Limited Data Set?
- A limited data set refers to PHI that excludes 16 categories of direct identifiers and may be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual’s Authorization or a waiver or an alteration of Authorization for its use and disclosure, with a data use agreement.
There is a list of direct identifiers that must be removed from health information if the data is to qualify as a limited data set:
- Postal address information, other than town or city, state, and ZIP Code.
- Telephone numbers.
- Fax numbers.
- Electronic mail addresses.
- Social security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers.
- Web universal resource locators (URLs).
- Internet protocol (IP) address numbers.
- Biometric identifiers, including fingerprints and voiceprints.
- Full-face photographic images and any comparable images.
What is a Data Use Agreement?
- A Data Use Agreement is an agreement into which the covered entity enters with the intended recipient of a limited data set that establishes the ways in which the information in the limited data set may be used and how it will be protected.
The Data Use Agreement must contain the following provisions:
- The permitted use of the limited data set must be consistent with the purpose for which it was disclosed (a data use agreement cannot authorize the recipient to use or further disclose the information in a way that, if done by the covered entity, would violate the Privacy Rule).
- Identify who is permitted to use or receive the limited data set.
- Stipulations that the recipient will
- Not use or disclose the information other than permitted by the agreement or otherwise required by law.
- Use appropriate safeguards to prevent the use or disclosure of the information, except as provided for in the agreement, and require the recipient to report to the covered entity any uses or disclosures in violation of the agreement of which the recipient becomes aware.
- Hold any agent of the recipient (including subcontractors) to the standards, restrictions, and conditions stated in the data use agreement with respect to the information.
- Not identify the information or contact the individuals.
Violations of the Data Use Agreement
If the recipient of the limited data set is a covered entity who violates the data use agreement, it is deemed a violation of the Privacy Rule. If the covered entity providing the limited data to a recipient notices patterns of a breach or violations of the agreement, the covered entity must take steps to correct the inappropriate activity. If steps taken by the covered entity are unsuccessful, the covered entity must discontinue disclosing the PHI to the recipient and notify the HHS.
Section 164.512 of the Privacy Rule also establishes specific PHI uses and disclosures that a covered entity is permitted to make for research without an Authorization, a waiver or an alteration of Authorization, or a data use agreement. These limited activities are the use or disclosure of PHI preparatory to research and the use or disclosure of PHI pertaining to decedents for research.