University of Minnesota
Institutional Review Board
http://www.research.umn.edu/irb
612-626-5654

HIPAA & Research

The Security Rule

The Security Rule, an important part of HIPAA, goes into effect April 20. The rule's intention is to protect the confidentiality, integrity, and availability of electronic protected health information, which the University creates, accesses, transmits, or receives in both research and patient care settings. It sets forth specific requirements for the adoption of administrative, physical, and technical safeguards for the protection of electronic protected health information. Changes to existing University policies and procedures have been made to incorporate the new requirements. Of particular significance is the policy located at http://www1.umn.edu/oit/security/privatedata.html. For more information, call 612-624-7447 or write privacy@umn.edu.

HIPAA's impact on research with human subjects and the IRB

Starting April 14, 2003 all research that will enroll subjects (including existing studies) AND obtain subjects' PHI will need to comply with HIPAA regulations.

For existing studies (approved prior to April 14, 2003)

If enrolling or reenrolling subjects AND obtaining PHI, subjects are required to sign an IRB-approved authorization form. Use our Authorization Form Template and submit it to the IRB for review.

If using existing data (gathered before April 14, 2003), this data is acceptable for use as long as the research study met with IRB approval.

For New Studies

The standard IRB approval process applies. IRB application forms have been updated to reflect new HIPAA requirements and should be submitted as usual along with Appendix H if the study will be using PHI.


What is Protected Health Information (PHI)?

PHI is health information transmitted or maintained in any form or medium that:

  1. identifies or could be used to identify an individual; and
  2. is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and
  3. relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.

Exempt Records

The following records ARE EXEMPTED from the definition of PHI even though they may contain health-related information:

  1. student records maintained by an educational institution, and
  2. employment records maintained by an employer related to employment status.

If your study uses these kinds of records, it is not subject to HIPAA. However, existing IRB rules on informed consent and confidentiality still apply.

More clarification of PHI - See When is Health-related information considered PHI?


Ways researchers can perform HIPAA-compliant research with PHI

  1. Obtain Subject Authorization — use of an authorization form that includes required HIPAA authorization language. (It must be approved by the IRB prior to use - similar to a consent form) - recommended
  2. Obtain an IRB waiver of subject authorization—if the research is minimal risk to subjects and meets criteria for waiver or alteration.
  3. Obtain an IRB alteration of subject authorization—if the research is minimal risk to subjects and meets criteria for waiver or alteration.
  4. Use a Limited Data Set — PHI that excludes direct identifiers of the individual or of relatives, employers, or household members of the individual.
  5. Use De-identified Data — health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. (see When is data “de-identified”?)
  6. Use (not disclosure) of PHI in work preparatory to research (feasibility review, NOT pilot studies).
  7. Use or disclosure of decedents' PHI is acceptable without #1 or #2

Using Authorization Forms

If a study using/disclosing PHI is going to use/disclose this PHI by means of a subject authorization (the most common and recommended means), investigators should be aware of the following:

  • The authorization form needs to be submitted to the IRB along with the IRB application form and Appendix H for IRB review. Use our Authorization Form Template filled in with your study specifics.
  • Two authorization forms require the subject's or authorized representative's signature:
    1. A copy for the subject to keep, and
    2. A copy for the investigator's records.
  • It is the responsibility of the PI to keep this authorization form in their records for 6 years and assure that it is completed correctly.

Obtaining Authorization Form Waivers or Alterations

For research uses and disclosures of PHI, an IRB may approve a waiver or an alteration of the Authorization requirement in whole or in part. A complete waiver occurs when the IRB determines that no Authorization will be required for a covered entity to use and disclose PHI for a particular research project.

If a researcher has used or disclosed PHI for research with an IRB approval of waiver or alteration of Authorization, documentation of that approval must be retained by the researcher for 6 years from the date of its creation or the date it was last in effect, whichever is later.

Also see: How do I qualify for a waiver of authorization?


Using Data that is De-Identified

Researchers may use or disclose health information that is de-identified without restriction under the Privacy Rule.

Covered entities seeking to release this health information must determine that the information has been de-identified using either statistical verification of de-identification OR by removing the 19 identifiers from each record as specified in the Rule.

More Information

More HIPAA Resources from the IRB:

  • HIPAA-related IRB forms & templates:
    • Authorization Form Template
    • Authorization Form Template for Recruitment Databases
    • De-Identification Certification Form
    • Data-Use Agreement Template
  • FAQ about HIPAA & Research

Additional HIPAA Resources: