HIPAA and Human Subjects Research

By Anita Cava, J.D., Reid Cushman, Ph.D., Kenneth Goodman, Ph.D.
University of Miami Ethics Programs

Introduction and Background

The Health Insurance Portability and Accountability Act (HIPAA) is a milestone in the federal effort to facilitate the transfer of health care data. HIPAA, passed by Congress in 1996, also mandates regulations protecting the confidentiality of health information, and in this way supplements the patchwork of state protections. Issued by the U.S. Department of Health and Human Services (HHS) in 2000 and revised in August of 2002, the HIPAA Final Privacy Rule protects oral, written and electronic Protected Health Information (PHI). PHI is any information that “relates to the past, present or future physical or mental health or condition of an individual.” The regulations went into effect April 14, 2003, for most organizations.

Many HIPAA provisions require interpretation. Institutions and their employees, IRBs and other entities need to make a series of judgment calls to determine the appropriate uses and users of personal health information for research. This CITI module should be seen as providing an introduction to some of the considerations that will guide such judgments. Because the law requires education (“workforce training”) that incorporates an institution’s privacy policies and procedures, neither this nor any generic HIPAA education program will alone be adequate to the task. Comprehensive training requires inclusion of institution-specific policies and procedures.

Allowable use and disclosure of protected health information (PHI) under HIPAA

Protected health information is defined under HIPAA as individually identifiable health information. "Identifiable" refers both to data explicitly linked to a particular individual and to data that could enable individual identification.

Identifiers include obvious ones like name and Social Security number. Others are:

Under HIPAA's “safe harbor” standard, information is considered de-identified if all of the above have been removed, and there is no reasonable basis to believe that the remaining information could be used to identify a person.

As an alternative to using fully de-identified information, HIPAA makes provisions for a limited data set for which direct identifiers (like name and address) have been removed, but not indirect ones (such as age). Limited data sets require data use agreements between the parties from which and to which it is provided.
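The two release forms just described, as an added illustration that is not part of the CITI module or the authors' materials: a "safe harbor" style filter that drops every field tagged as an identifier, and a limited-data-set filter that drops only direct identifiers and is gated on a data use agreement. The field tags are an assumption for illustration; the module names name, Social Security number and address as direct identifiers and age as an indirect one, and the full safe-harbor identifier list is not reproduced here. The patient record is constructed sample data.

```python
"""Added example (not the module's own code): safe-harbor style
de-identification versus a limited data set over one constructed record."""

from typing import Any, Dict

# Assumed classification of fields in the constructed record below.
# The module names name, Social Security number and address as direct
# identifiers and age as an indirect one; the real safe-harbor list is longer.
DIRECT_IDENTIFIERS = {"name", "ssn", "address"}
INDIRECT_IDENTIFIERS = {"age"}
ALL_IDENTIFIERS = DIRECT_IDENTIFIERS | INDIRECT_IDENTIFIERS

# Constructed sample record (not real patient data).
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "Jane Example",
    "ssn": "000-00-0000",
    "address": "1 Example Street",
    "age": 47,
    "diagnosis_code": "E11.9",
    "hba1c": 7.4,
}


def de_identify(record: Dict[str, Any]) -> Dict[str, Any]:
    """Safe-harbor style: remove every identifier, direct and indirect.

    Removing the listed fields is only the mechanical half of the standard;
    whether the remaining fields still give a reasonable basis to identify
    someone is a judgment this function cannot make."""
    return {k: v for k, v in record.items() if k not in ALL_IDENTIFIERS}


def limited_data_set(record: Dict[str, Any]) -> Dict[str, Any]:
    """Remove direct identifiers only; indirect ones such as age remain."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def is_de_identified(record: Dict[str, Any]) -> bool:
    """True when no tagged identifier field survives in the record."""
    return not (set(record) & ALL_IDENTIFIERS)


def release(record: Dict[str, Any], data_use_agreement_on_file: bool) -> Dict[str, Any]:
    """Release a limited data set only when a data use agreement exists;
    otherwise fall back to the fully de-identified record."""
    if data_use_agreement_on_file:
        return limited_data_set(record)
    return de_identify(record)


if __name__ == "__main__":
    print("de-identified:", de_identify(SAMPLE_RECORD))
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
```

The `release` helper encodes the module's rule that a limited data set is only appropriate where a data use agreement is in place between the providing and receiving parties; without one, the stricter de-identified form is returned.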

Authorization for disclosures of protected health information

Under HIPAA, the general rule is that researchers must have valid authorization for all uses and disclosures of PHI in connection with research.

A valid authorization must include specific elements:

If an actual expiration date is not provided, then a note pointing this out is required. A statement explaining an expiration event such as the end of the research project is also acceptable.

As to the right to revoke, the authorization must either explain that right or refer to the covered entity’s privacy notice, if that is applicable. A revocation must be in writing and can be made at any time, but it may not be effective if a research study has already relied on the authorization. This reliance element only affects information gathered before the revocation and does not allow the entity to disclose PHI after the revocation occurs.

The covered entity – that is, “health plans, health providers and health clearinghouses” or “any entity in the health sector that uses health information in the regular course of business” – may require the authorization as a condition of providing research-related treatment. In general, authorizations may not be combined with other documents, such as the notice of privacy practices or an optional consent, that is, a document signed by the patient agreeing to disclosure of their PHI to certain other parties. However, informed consent for participation in research and authorizations for use of PHI for research can be combined.

Waivers of authorization

The Privacy Rule allows several important exceptions to the authorization requirement. An Institutional Review Board or a Privacy Board (required by HIPAA if there is no IRB) may exercise authority to waive the authorization requirement.

1. Activities preparatory to research. An investigator may tell the covered entity that the activity is solely preparatory to research, for instance for the purpose of designing a protocol; that the information requested is the minimum necessary to do the activity; and that no PHI will be removed from the covered entity’s premises.

2. Use of PHI from decedents. Under this circumstance, an investigator tells the covered entity that the research involves only the protected health information of deceased persons, that the data are essential (minimum necessary), and that it is not practical to obtain an authorization.

Note that these two exceptions do not require IRB/Privacy Board waivers, but rather a representation made to the covered entity, presumably via the privacy officer. However, state law may differ and in fact require IRB review of these two types of research. More stringent state law takes precedence over HIPAA. This point is of the greatest importance because, as a consequence of efforts to comply with HIPAA, hospitals and other entities may discover they have been in violation of pre-existing state law.

3. Research activities under a waiver of authorization. A request from an investigator to conduct research without an authorization requires the IRB or a Privacy Board to grant a waiver. In order to do so, all the following factors must be documented:

To issue a waiver, an IRB/Privacy Board must be composed of members with the background and competence to review the project, including at least one person who is neither affiliated with the project or institution nor related to anyone affiliated with the project. The IRB/Privacy Board must take steps to assure that participating members do not have a conflict of interest.

The approach taken by the Department of Health and Human Services (HHS) is similar to that required by the Common Rule, which has long governed federally funded research. The Common Rule requires that express consent be obtained prior to engaging in research involving human subjects, but provides that a waiver may be granted by an IRB if certain conditions are met, including that there is “no more than minimal risk of harm to subjects” and “the research could not practicably be carried out without the waiver” (45 CFR 46.116).

Researchers and IRBs should, therefore, already be familiar with some of HIPAA’s core requirements. HIPAA allows either an existing IRB or, alternatively, a newly constituted Privacy Board, to make determinations about waivers. Yet consenting to research is different from understanding the extent to which health care information will be protected – and this is the thrust of the Final Privacy Rule.

“Minimum Necessary” Standard

HIPAA has established that the use and disclosure of PHI in situations other than medical treatment must be kept to the minimum necessary to meet the need of the research project. In keeping with this approach, PHI collected during research under an IRB or Privacy Board waiver can only be used or disclosed to the extent that it is the minimum necessary. However, research done with patient authorization is not subject to the minimum necessary standard for use and disclosure of PHI. What counts as “minimum necessary” will require judgments; investigators unsure of whether a particular use meets this criterion should contact their IRB or Privacy Board – which, of course, should have in place some mechanism or policy for responding to such inquiries.

Note that here, too, state law or institutional policy may differ from the HIPAA standard and should be considered in making this determination. If it is stricter or more stringent, a state statute or institutional policy will take precedence over HIPAA.

Disclosure Accounting Requirements

Research based upon a waiver is subject to HIPAA’s disclosure accounting requirement, whereas authorization-based research is not. Research involving “decedents” and “reviews preparatory to research” and “limited data sets” also require accounting by the covered entity. This disclosure accounting requirement can be met by providing individuals with a list of all protocols for which their PHI may have been disclosed pursuant to a waiver or other HIPAA allowable exceptions to use of PHI such as reviews preparatory to research, research on decedents or use of limited data sets. The information provided would also include the researcher’s name and contact information.

As a practical and administrative matter, this means that institutions must have mechanisms, policies, and procedures in place for annotating records to show that the information contained in them has been disclosed for research.
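One way such a record-annotation mechanism can be structured, as an added example that is not the module's or the authors' own code: a ledger that logs each research disclosure against the individual's record and produces the accounting list described above (protocol, basis, researcher name and contact). The rule that authorization-based research is not accounted for, and the set of bases that are, follow the module; the data layout, basis codes, patient identifiers and all entries are constructed assumptions.

```python
"""Added example (not the module's own code): a minimal disclosure
accounting ledger for research uses of PHI."""

from dataclasses import dataclass, field
from typing import Dict, List

# Bases the module says require accounting by the covered entity.
# Code names are an assumption for this example.
ACCOUNTABLE_BASES = {
    "waiver",               # research under an IRB/Privacy Board waiver
    "preparatory_review",   # reviews preparatory to research
    "decedent_research",    # research on decedents' PHI
    "limited_data_set",     # limited data set under a data use agreement
}


@dataclass
class Disclosure:
    protocol: str    # protocol identifier (constructed values below)
    basis: str       # one of ACCOUNTABLE_BASES, or "authorization"
    researcher: str  # researcher's name
    contact: str     # researcher's contact information
    when: str        # ISO date of the disclosure


@dataclass
class DisclosureLedger:
    # patient identifier -> disclosures annotated on that record
    entries: Dict[str, List[Disclosure]] = field(default_factory=dict)

    def record(self, patient_id: str, disclosure: Disclosure) -> bool:
        """Annotate the patient's record with a research disclosure.

        Returns True when the disclosure was logged. Authorization-based
        research is not subject to the accounting requirement, so it is
        skipped and False is returned; an unknown basis is rejected so a
        mis-tagged disclosure is never silently dropped."""
        if disclosure.basis == "authorization":
            return False
        if disclosure.basis not in ACCOUNTABLE_BASES:
            raise ValueError(f"unknown disclosure basis: {disclosure.basis}")
        self.entries.setdefault(patient_id, []).append(disclosure)
        return True

    def accounting(self, patient_id: str) -> List[Dict[str, str]]:
        """Build the list an individual may request: every protocol for
        which their PHI was disclosed under an accountable basis, with the
        researcher's name and contact information."""
        return [
            {
                "date": d.when,
                "protocol": d.protocol,
                "basis": d.basis,
                "researcher": d.researcher,
                "contact": d.contact,
            }
            for d in self.entries.get(patient_id, [])
        ]


def demo_ledger() -> DisclosureLedger:
    """Populate a ledger with constructed entries for demonstration."""
    ledger = DisclosureLedger()
    ledger.record("patient-0001", Disclosure(
        "PROTOCOL-EXAMPLE-1", "waiver", "Dr. Example", "example@example.org", "2004-01-05"))
    ledger.record("patient-0001", Disclosure(
        "PROTOCOL-EXAMPLE-2", "authorization", "Dr. Example", "example@example.org", "2004-02-10"))
    ledger.record("patient-0001", Disclosure(
        "PROTOCOL-EXAMPLE-3", "limited_data_set", "Dr. Sample", "sample@example.org", "2004-03-15"))
    return ledger


if __name__ == "__main__":
    for line in demo_ledger().accounting("patient-0001"):
        print(line)
```

The ledger is keyed by patient so that the accounting an individual requests is a single lookup, and the basis is stored with each entry so the list can show whether a disclosure rested on a waiver, a preparatory review, decedent research or a limited data set.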

Limited Data Sets

The Privacy Rule provides a compromise between identifiable PHI and fully de-identified PHI.

To be sure, there are questions whether and to what extent data can truly be unlinked from unique identifiers, but researchers and IRBs familiar with the challenges of banked tissue research and of chart reviews or outcomes research will find that making such determinations need not impede a balanced evaluation of protocols that include these elements.

NOTE: If you would like to review more comprehensive information about HIPAA, the authors of this module encourage you to consult the University of Miami Privacy and Data Protection Website (http://privacy.med.miami.edu).
