HIPAA | Human Subject Research Office | University of Miami

• What is HIPAA?
• What information is protected?
• How is this information protected?
• Which data elements are considered Protected Health Information?
• Who must follow these laws?
• Who is not required to follow these laws?
• What Does the Privacy Rule Have To Do With Research?
• What is the IRB’s Role?
• Limited Data Set
• De-identification of PHI
• The University of Miami HIPAA website
• Access to PHI on Decedent Information 
• Definitions

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996, also known as “HIPAA,” is the most significant development in U.S. health care in recent history.

Two sets of regulations, referred to as the Privacy Rule and Security Rule, outline the requirements that must be followed when entities subject to the rules use and share health information.

The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral. The Security Rule is a Federal law that requires security for health information in electronic form.

What information is protected?

HIPAA defines “protected health information” as individually identifiable health information that is:

1. Transmitted by electronic media;
2. Maintained in electronic media; or
3. Transmitted or maintained in any other form or medium

How is this information protected?

• Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.
• Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
• Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.
• Business associates also must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.

Which data elements are considered Protected Health Information (PHI)?

The following individually identifiable data elements, when combined with health information about that individual, make such information protected health information (PHI):

• Names
• All geographic subdivisions smaller than a State
• All elements of dates (except year) for dates directly related to an individual including birth date, admission date, discharge date, date of death
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/License numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images; and
• Any other unique identifying number, characteristic, code, or combination that allows identification of an individual.

Examples of information that is protected:

• Information your doctors, nurses, and other health care providers put in your medical record
• Conversations your doctor has about your care or treatment with nurses and others
• Information about you in your health insurer’s computer system
• Billing information about you at your clinic
• Most other health information about you held by those who must follow these laws

Who must follow these laws?

We call the entities that must follow the HIPAA regulations "covered entities."

Covered entities include:

• Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
• Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
• Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

In addition, business associates of covered entities must follow parts of the HIPAA regulations.

Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to have access to your health information when providing services to the covered entity. We call these entities “business associates.” Examples of business associates include:

• Companies that help your doctors get paid for providing health care, including billing companies and companies that process your health care claims
• Companies that help administer health plans
• People like outside lawyers, accountants, and IT specialists
• Companies that store or destroy medical records

Covered entities must have contracts in place with their business associates, ensuring that they use and disclose your health information properly and safeguard it appropriately. Business associates must also have similar contracts with subcontractors. Business associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.

Who is not required to follow these laws?

Many organizations that have health information about you do not have to follow these laws.

Examples of organizations that do not have to follow the Privacy and Security Rules include:

• Life insurers
• Employers
• Workers compensation carriers
• Most schools and school districts
• Many state agencies like child protective service agencies
• Most law enforcement agencies
• Many municipal offices

What Does the Privacy Rule Have To Do With Research?

When research involves the use or disclosure of PHI by entities subject to the regulations, the rules will apply. Researchers have legitimate needs to use, access, and disclose PHI to carry out a wide range of health research studies. In most instances, the Privacy Rule requires an authorization from the individual or a waiver of authorization from an IRB or Privacy Board before a covered entity can access, use or disclose PHI for research purposes. In general, there are two types of human research that would involve PHI:

• Studies involving review of medical records as a source of research information.

• Studies that create new medical information because a health care service is being performed as part of the research.

What Is Required for Research in order to access, use or disclose Protected Health Information (PHI)?

Researchers may access, use, and/or disclose PHI for research purposes from the Electronic Medical Record (EMR) if they have one of the following:

• Written authorization for use and disclosure of protected health information form the subject or the subject’s legally authorized representative.
• A waiver of authorization from an IRB or Privacy Board.
• Certification from the HSRO for access to PHI for purposes preparatory to research. A request for this certification can be obtained by submitting an  Investigator’s Certification for Reviews Preparatory to Research (UM Form E) to the HSRO via email.

What is the IRB’s Role?

In most instances, researchers at UM/JHS use the UM/JHS HIPAA Research Authorization to use and share PHI for research purposes. However, in some instances, the Privacy Rule allows an IRB to waive the requirement for a signed authorization from the individual for use of PHI in research.

When can an IRB waive the requirement for an authorization?

It is always preferred to obtain authorization to use an individual’s PHI.  In order to waive the requirement for an authorization, the IRB must determine that the study meets the following criteria:

• The use or disclosure of the identifiers involves no more than minimal risk (An adequate plan to protect identifiers from improper use and disclosure must be included in the research proposal)
• There is an adequate plan to destroy the identifiers at the earliest opportunity.
• The project could not practicably be conducted without a waiver
• The project could not practicably be conducted without use of PHI
• The IRB receives written assurances that PHI will not be re-used or disclosed for other purposes

What kind of waivers does the IRB grant:

• A full waiver of authorization to conduct all the research activities described in the research proposal; or
• A partial waiver of authorization for specific research actives such as recruitment.

In most instances, a full waiver of authorization is granted only when there is no opportunity for the researcher to obtain authorization from the individual.  Partial waivers of authorization are often granted to allow researchers to access the EMR to identify potential research participants.

If you need a waiver of authorization to conduct your research, use one of the protocol templates for your protocol to ensure the HSRO receives the information necessary to approve the waiver.  You can find the protocol templates on the HSRO Website.  The IRB will include the results of the review of your request in the  IRB determination letter.

Limited Data Set

The requirements for de-identifying information are so extensive that often the data is of limited value to researchers. 

 The Privacy Rule permits the use and disclosure of PHI via a “limited data set” with a “data use agreement”.  A limited data set is a limited set of identifiers to be used for research, public health, and health care operations purposes.

It permits use of some identifiable health information:

• Five-Digit Zip Codes
• City, State
• Dates of Birth
• Age Expressed in Years, Months, Days or Hours
• Dates of Death
• Dates of Admission/Discharge/Service

Data Use Agreement is required for the use of a Limited Data Set. A data use agreement does the following:

• Defines who can use or receive data;
• Defines for what purpose the data may be used;
  
• Provides that PI will not re-identify the data or contact the subject;
• Provides that data will be safeguarded & not used for unauthorized purposes;
  
• Provides that researcher will report improper uses & disclosures;
• Provides that researcher will “push down” privacy protection obligations to subcontractors.

Access to PHI on Decedent Information

The HIPAA Rule protects individually identifiable health information about a decedent for 50 years following the date of death of the individual. University of Miami may use or disclose PHI to the researcher, if the researcher provides that:

• Access to PHI is solely for research of the PHI on Decedents;
• The PHI for which use or access is sought is necessary for the research purpose;
• Only PHI of Decedents, not of living persons, will be accessed and reviewed; and
• No PHI will be removed or retained.

A researcher seeking to access to PHI for decedent research must use the Investigator’s Certification for Research with Decedents’ Information (Form D).

Definitions

Terms common to documents or discussions of privacy, security, confidentiality and HIPAA are included below.  

Confidentiality: the condition in which information is shared or released in a controlled manner.  Information considered confidential should be protected against theft or improper use and should not be made available or disclosed to unauthorized individuals, entities or processes without express permission from the appropriate party

Covered Entity:  a health plan, a healthcare clearinghouse or a healthcare provider who is required to comply with HIPAA regulations regarding the use and disclosure of Protected Health Information (PHI). 

Data Use Agreement: An investigator-submitted agreement required for the disclosure of a limited data set by a covered entity to the investigator.  The agreement must specify the permitted uses of the limited data set and who may use or receive the data set.  The agreement restricts further use and disclosure and restricts re-identification of the data or contact with subjects. 

De-Identified Information:  health information is considered de-identified (and therefore, not PHI) if the following apply:

• it does not identify an individual
• the covered entity has no reasonable basis to believe that the information can be used to identify an individual
• if the HIPAA-defined, 18 standard identifiers are removed from the health information and if the remaining health information could not be used alone, or in combination, to identify a subject

note – the 18 standard identifiers which must be removed for data to be     considered “de-identified” are:

1. names
2. geographic subdivisions smaller than a state
3. dates including birth date, admission date, discharge date, date of death, and all ages over 89,
4. telephone numbers
5. fax numbers
6. electronic mail addresses
7. Social Security numbers
8. medical record numbers
9. health plan beneficiary numbers
10. account numbers
11. certificate/license numbers
12. vehicle identifiers and serial numbers, including license plate numbers
13. device identifiers and serial numbers
14. Web Universal Resource Locator (URL)
15. biometric identifiers, including finger or voice prints
16. full face photographic images and any comparable images
17. Internet Protocol address numbers
18. any other unique identifying number characteristic or code

ePHI: electronic PHI (i.e. a subset of PHI)

HIPAA: the federal Health Insurance Portability and Accountability Act.  This act regulates, among other things, the maintenance and disclosure of protected health information (“PHI”), which includes ePHI, about patients treated by “covered entities”.  In addition, this act prescribes a process through which researchers may obtain or create PHI about patients who are also research participants or potential research participants

Hybrid Entity:  a single, legal entity that uses or discloses PHI for only a part of its business operations.  The Privacy Rule applies only to the healthcare components of a hybrid entity that use or disclose PHI. 

Limited Data Set:  health information that a covered entity may disclose (pursuant to a data use agreement) to an investigator for research purposes based on the fact that certain direct identifiers have been removed.  The investigator receiving the limited data set must submit the data use agreement signed by an authorized UM official and obtain IRB approval before obtaining the limited data set for use in his/her study

Note – direct identifiers that must be removed in order for data to be included in   a limited data set are

• names
• address information (other than city, state and zip code)
• telephone and fax numbers
• e-mail address  
• Social Security number
• certificate/license numbers
• vehicle identifiers and serial numbers
• URLs and IP addresses
• full face photos and other comparable images
• medical record numbers, health plan beneficiary numbers and other account numbers
• device identifiers and serial numbers

Note – the following are allowed in a limited data set:

• admission, discharge and service dates
• birth date
• date of death
• age (including age 90 or over)
• geographical subdivisions such as state, county, city, precinct and five digit zip code

Privacy: an individual’s right to be free from unauthorized or unreasonable intrusion into his/her private life and the right to control access to personal information.  The term “privacy” applies to persons whereas the term “confidentiality” refers to the treatment of personal information. 

Privacy and Security Rule: standards for Privacy of Individually Identifiable Health Information, promulgated by the U.S. Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and codified at part 160 and part 164 , subpart C (Security Standards for the Protection of ePHI) and subpart E of Title 45 of the U.S. Code of Federal Regulations (as amended from time to time)

Protected Health Information (PHI): identifiable information about the past, present, or future physical or mental health or condition (including the provision of his/her health care, insurance, payment status etc) of an individual obtained or managed by a covered entity.  PHI may be information that is recorded electronically, on paper or orally.  PHI must be protected from unauthorized use or disclosure by the Covered Entity under HIPAA regulations. 

Note -- PHI must be identifiable information or information that may be linked to an identifier.  PHI does not include de-identified information

Research Related Health Information—RHI:  personally identifiable information used in research that is distinct from PHI by not being associated with, or derived from, the provision of health care or payment for care.

Security:  the safeguards placed upon the availability, integrity, and confidentiality of information to protect information from unauthorized access, disclosure, misuse and accidental damage.  Safeguards may be physical, electronic, or administrative and they may control access, training, computer systems, policies and procedures, physical environment, and behaviors.

Sensitive Information: private and/or health care information including information relating to an identifiable individual’s private activities or practices (e.g. sexual preferences or practices; drug or alcohol treatment history; mental health or treatment history; HIV status; diagnosis information; financial information including social security numbers or health insurance data; criminal history or background etc).