Institutional Review Board
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was enacted in 1996. HIPAA established, among other things, mandatory rules governing the privacy of all patient identifiable health information (also referred to as “protected health information” or “PHI”) regardless of form. All health care providers, health plans, health care clearinghouses, and third parties who have access to identifiable health information must comply with the subsequent regulations implementing the HIPAA Privacy Rule by April 2003.
HIPAA specifies that a covered entity may not use or disclose identifiable health information for research purposes unless the patient has provided, in advance, his/her written authorization for such use or disclosure.
Note that when researchers collect health or mental health related information from participants, this specific form of data collection and use must be addressed in the consent form. Alternatively, researchers may use a separate HIPAA authorization/consent form.
Certain provisions of HIPAA address the use and disclosure of identifiable health information for research purposes. In this regard, HIPAA is generally consistent with the applicable provisions of the current Federal Policy regulations (45 CFR 46) governing human research subject protections, although there are some important differences. Together, these regulations will have an enormous impact primarily on two aspects of human subject research: 1) access to and the use of identifiable health information to facilitate research subject recruitment; and 2) retrospective research studies involving the use of existing, identifiable, health information.
1. Access to and the use of identifiable health information to facilitate research subject recruitment.
Researchers may access health records of potential study participants if they submit a research agreement that contains the following information. The research agreement must be signed by both the researcher and the medical center.
(a) Such use or disclosure is solely for purposes of reviewing the protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research (e.g., to design a study or to assess the feasibility of conducting a study).
The investigator must describe the purpose of the desired record review.
(b) The PHI being sought to be disclosed is limited to the minimum necessary to achieve the purpose(s) of the review.
The investigator must describe the nature of the data requested and indicate why each of the data elements being requested is necessary to achieve the purpose of the review.
(c) The PHI being sought to be disclosed is necessary for the research project.
The investigator must indicate why the PHI requested for review is necessary in order to prepare a research protocol.
2. Retrospective research studies involving the use of existing, identifiable, health information
Both the federal policy and HIPAA regulations mandate that retrospective research studies involving the collection and use of identifiable health information require the prior written informed consent/authorization of the involved patient-subjects or an IRB waiver of this informed consent/authorization requirement.
3. Retrospective research studies involving the use of existing, de-identified, health information
Consistent with the HIPAA Privacy Rule, de-identified data must not contain any of the following identifiers:
2. Postal address information (other than town or city, state and zip code)
6. Social security numbers
7. Medical record numbers
8. Health plan beneficiary numbers
11. Vehicle identifiers & serial numbers, including license plate numbers
12. Device identifiers & serial numbers
13. Web Universal Resource Locators (URLs)
14. Internet Protocol (IP) address numbers
15. Biometric identifiers, including finger and voice prints
16. Full face photographic images and any comparable images
Authorization for use of PHI:
Authorization Core Elements:
• A description of the PHI to be used or disclosed, identifying the information in a specific and meaningful manner.
• The names or other specific identification of the person or persons (or class of persons) authorized to make the requested use or disclosure.
• The names or other specific identification of the person or persons (or class of persons) to whom the covered entity may make the requested use or disclosure.
• A description of each purpose of the requested use or disclosure.
• Authorization expiration date or expiration event that relates to the individual or to the purpose of the use or disclosure ("end of the research study" or "none" are permissible for research, including for the creation and maintenance of a research database or repository).
• Signature of the individual and date. If the individual's legally authorized representative signs the Authorization, a description of the representative's authority to act for the individual must also be provided.
Authorization Required Statements:
• A statement of the individual's right to revoke his/her Authorization and how to do so, and, if applicable, the exceptions to the right to revoke his/her Authorization or reference to the corresponding section of the covered entity's notice of privacy practices.
• Whether treatment, payment, enrollment, or eligibility of benefits can be conditioned on Authorization, including research-related treatment and consequences of refusing to sign the Authorization, if applicable.
• A statement of the potential risk that PHI will be re-disclosed by the recipient. This may be a general statement that the Privacy Rule may no longer protect health information disclosed to the recipient.