HIPAA - University of Cincinnati
The Privacy Rule and Research FAQs


Who does the Privacy Rule cover? And why does it cover me as a researcher?

HIPAA covers three types of entities:

  • Health Care Providers
  • Health Benefit Plans
  • Health Care Clearinghouses

Hospitals, physicians, and other providers are all classified as health care providers.

  • Researchers who provide health care to individuals (e.g., in a clinical trial) are directly covered as health care providers.
  • Researchers who access existing protected health information must comply with the Privacy Rule because all covered entities and affiliated individuals must protect the privacy of individually identifiable health information used or released for treatment and other purposes, including research.

How will the Privacy Rule affect me as a researcher?

The Rule will affect you in two major ways:

  1. How you access existing health information (i.e., chart reviews)
  2. How you handle identifiable information created as a part of clinical research.

Do research studies have to comply with HIPAA? What is PHI?

Yes. If research studies use or disclose private health information that is protected by HIPAA, they must comply by April 14, 2003. PHI is specifically defined as any health information that contains one or more of the 18 identifiers described by HIPAA. Other health information is not considered PHI unless one or more of the 18 identifiers are included in the dataset. For example, vital signs by themselves do not constitute protected health information; but if the vital-signs dataset includes medical record numbers, the entire dataset must be protected because it contains an identifier. PHI is anything that can be used to identify an individual, such as private information, facial images, fingerprints and voiceprints. These can be associated with medical records, biological specimens, biometrics and data sets, as well as with direct identifiers of the research subjects in clinical trials.

Examples of private information that could identify an individual include name, address, phone or fax number and internet addresses (IP, email, URLs), as well as less obvious numbers that identify medical charts, health plan beneficiaries, vehicles, accounts, certificates and licenses.

Accessing Health Information

How can a researcher access existing health information (i.e., chart reviews)?

If the information is not identifiable (see above), the Privacy Rule does not apply. If the information is identifiable, the Privacy Rule applies, and you may access the information if:

  • you obtain written permission ("authorization") from the individuals
  • you obtain a waiver of the requirement for authorization from the IRB
  • you review the information preparatory to research and do not take information or notes out of the facility

What are the requirements for obtaining permission to access identifiable information for research?

Both the Common Rule and the Privacy Rule must be considered.

  • The Common Rule requires either an informed consent or a waiver of informed consent for any human subjects research. Records review research is almost always done with an expedited review and a waiver of informed consent. The Common Rule allows a waiver only if specific criteria are met.
  • The Privacy Rule requires a written authorization or waiver of authorization for access to existing protected health information. It is assumed that most records review will be allowed with a waiver of the authorization. The Privacy Rule allows a waiver of authorization if specific criteria are met. Note: The criteria required by the Common Rule and the Privacy Rule are similar, but not the same.
  • In the rare situation in which informed consent and authorization are required for access to existing PHI, the informed consent and the authorization may be merged into a single document if all elements required by both rules are included. But, as noted above, for accessing medical records for research purposes a waiver of consent and authorization will most often be approved.

Once I have a waiver can I access all of the subjects' information?

No. The Privacy Rule permits only the minimum necessary amount of information to be accessed under a waiver for research. You will have to identify and justify what identifiable health information you will need.

Identifiable Health Information

What is identifiable health information? How can information be de-identified? What is a "limited data set?"

The Rule defines three categories of health information: identifiable information (to which the Rule applies), de-identified information (to which the Rule does not apply), and a limited data set (a middle option, to which limited parts of the Rule apply). Each of these is explained below.

Identifiable information: The Privacy Rule defines identifiable information indirectly, by defining what counts as de-identified. In general, identifiable information includes information with any personal identifiers, as well as information about an individual, or his or her relatives or employer, which alone or in combination could identify the individual. For more detail, see the identifiers that must be removed to de-identify information, listed below.

De-identified information: The Privacy Rule does not apply to de-identified health information.

To de-identify health information 18 specific elements listed below must be removed, and you must ascertain there is no other available information that could be used alone or in combination to identify an individual.

  1. Names
  2. Geographic subdivisions smaller than a state
  3. All elements of dates (except year) related to an individual, including dates of admission, discharge, birth and death; for persons older than 89, the year of birth cannot be used.
  4. Telephone numbers
  5. FAX numbers
  6. Electronic mail addresses
  7. SSN
  8. Medical Record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers including license plates
  13. Device identifiers and serial numbers
  14. Web URLs
  15. Internet protocol addresses
  16. Biometric identifiers, including finger and voice prints
  17. Full face photos, and comparable images
  18. Any unique identifying number, characteristic or code

Limited data set: This is a set of data that is not fully de-identified. While it excludes 15 of the 18 personal identifiers listed above for de-identification, it allows the retention of dates (e.g., date of birth, admission and discharge dates) as well as some geographic information (city, state and zip code but not street address).

  • This option is available only for research, health care operations, and public health purposes.
  • Most Privacy Rule requirements do not apply to a limited data set used internally or disclosed (for example, disclosures do not have to be tracked).
  • BUT, the following two requirements apply:
    1. the covered entity may release only the minimum necessary information, so the intended recipient must indicate what is needed; and
    2. the recipient must agree to a "data use agreement," which generally describes the permitted uses and disclosures of the information received and prohibits re-identifying or using this information to contact the individuals.
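As an added illustration (not part of UC's FAQ or its forms), the following Python applies the two data categories above to a patient record: `safe_harbor` removes the 18 identifier categories as listed (following the page's wording, it drops every geographic element below state, keeps only the year of each date, and collapses ages over 89 into a single "90+" group with no birth year), while `limited_data_set` removes the direct identifiers but keeps dates and city/state/zip. `contains_phi` implements the earlier point that a dataset with even one identifier, including an identifier buried in free text, must be protected as a whole. The field names, the sample record, the cutoff date and the free-text patterns are constructed for this example; date fields are assumed to hold `datetime.date` values.

```python
import re
from datetime import date

# Constructed field names; map your own schema onto these sets.
DIRECT_IDENTIFIERS = {  # Safe Harbor items 1 and 4-18, plus street-level address
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}  # item 3
SUB_STATE_GEO = {"city", "zip"}   # item 2: everything smaller than a state
FREE_TEXT_FIELDS = {"notes"}

# Patterns for identifiers that leak into free text (constructed, not exhaustive).
TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),             # SSN
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),   # phone / fax
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),          # e-mail address
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),       # IPv4 address
]

# Constructed sample record: vital signs plus identifiers and a free-text note.
SAMPLE = {
    "name": "Jane Doe", "mrn": "MRN-0001234", "email": "jane@example.org",
    "street_address": "123 Main St", "city": "Cincinnati", "state": "OH", "zip": "45221",
    "birth_date": date(1912, 5, 2),
    "admission_date": date(2003, 3, 10), "discharge_date": date(2003, 3, 14),
    "notes": "Call patient at 513-555-0100 re follow-up",
    "heart_rate": 72, "systolic_bp": 128,
}


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text."""
    for pattern in TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def _age(birth: date, as_of: date) -> int:
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def contains_phi(record: dict) -> bool:
    """True if any identifier is present; the whole dataset is then PHI."""
    fields = DIRECT_IDENTIFIERS | DATE_FIELDS | SUB_STATE_GEO
    if any(record.get(f) not in (None, "") for f in fields):
        return True
    return any(p.search(str(record.get(f, ""))) for f in FREE_TEXT_FIELDS for p in TEXT_PATTERNS)


def safe_harbor(record: dict, as_of: date) -> dict:
    """De-identify by removing all 18 identifier categories."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEO:
            continue                                   # dropped entirely
        if key in DATE_FIELDS:
            if key == "birth_date":
                age = _age(value, as_of)
                # Item 3: over 89 -> no birth year, single "90+" group
                out["age_group"] = "90+" if age > 89 else str(age)
                if age <= 89:
                    out["birth_year"] = value.year
            else:
                out[key.replace("_date", "_year")] = value.year  # keep year only
            continue
        out[key] = scrub_text(value) if key in FREE_TEXT_FIELDS else value
    return out


def limited_data_set(record: dict) -> dict:
    """Remove direct identifiers; retain dates and city/state/zip."""
    return {
        key: (scrub_text(value) if key in FREE_TEXT_FIELDS else value)
        for key, value in record.items()
        if key not in DIRECT_IDENTIFIERS
    }


if __name__ == "__main__":
    print("safe harbor:", safe_harbor(SAMPLE, date(2003, 4, 14)))
    print("limited data set:", limited_data_set(SAMPLE))
```

The limited data set output still returns `True` from `contains_phi`, which is the point of the second bullet above: it is not de-identified, so it may leave the covered entity only under a data use agreement and only in the minimum amount the recipient has justified.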

Is coded information identifiable?

The Privacy Rule considers coded information to be de-identified if the 18 specific identifiers are coded and the individual cannot reasonably be identified. The Privacy Rule does consider the code itself to be identifiable, so it must be treated in the same way as protected health information. Of note, the Privacy Rule and the Common Rule do not agree on whether coded information is "identifiable." The Common Rule, in contrast to the Privacy Rule, considers coded information to be identifiable. Therefore, while access to coded information alone might not be covered by the Privacy Rule, it is covered by the Common Rule and so would still require IRB review.

Use and Disclosure of PHI

How do I get approval to use and disclose PHI from research subjects?

PHI can be accessed by Authorization or a Waiver of Authorization.

  • Individual Authorization signed by research subject (or legal representative)
  • Waiver of Authorization (IRB approved)

Will I be able to review medical charts for research purposes? How do I get access after April 14, 2003?

You will be able to do medical chart reviews under HIPAA for research purposes as long as you have obtained some form of PHI authorization. The covered entity will require that you show proof of this authorization before they give you access to medical records. This proof can be one of the following:

  • Copy of IRB approved Waiver of Authorization
  • Copy of Authorization signed by research subject

Can databases or registries be created under HIPAA? Can I create a research database without obtaining an authorization from every single research subject?

Yes. HIPAA allows for the creation of databases for research purposes. A research database can be created without obtaining individual authorizations but only with an IRB approved Waiver of Authorization. The proposal to the IRB must meet all of these waiver criteria, some of which you may already include as part of the confidentiality discussion in your research proposal. These criteria include:

  1. The study represents minimal risk to the privacy of the individual
  2. The study could not practicably be done without access to PHI
  3. The study could not practicably be done without a waiver of authorization

The minimal risk criteria must include all of the following three elements:

  • An adequate plan to protect the identifiers from improper use and disclosure;
  • An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or retention is required by law; and
  • An adequate written assurance that the PHI will not be reused or disclosed to anyone else (except for research oversight, other research studies approved to use the PHI, or as required by law)

The PHI maintained in the research database may be disclosed for future research studies if the investigator either obtains an individual's authorization or an IRB approved Waiver of Authorization.

When do I need to get the subject's authorization to use or disclose PHI?

When you obtain consent.

Authorization/ Waiver of Authorization/ Informed Consent

How do I complete an authorization and what information must be included?

Please see the attached link to a sample authorization form and instructions for completing the form:

Sample Authorization Form

Can my HIPAA research authorization be combined with my informed consent?

Yes, but you have options. The authorization can be added to any existing or new consent document: it can be a separate document or can become part of the written consent document. A separate authorization may be useful where a release of information is necessary, because it can be easily detached so that details of the study are not compromised.

How do I obtain a waiver of authorization and what information must be included?

The Waiver of Authorization Form and instructions are online at: http://researchcompliance.uc.edu/irb/IRBFormsMedical.html

Who will be doing the review of the request for Waiver of Authorization?

The IRB.

I work with tissue samples. Am I affected by the new HIPAA rules?

Yes, if PHI is associated with the tissue sample. If it is not practicable to get the subject's authorization, apply for a Waiver of Authorization.

How can I review medical records of patients with a particular disease to identify and recruit participants for my research study?

Apply for a Waiver of Authorization to screen participants prior to consenting.

How does the Certificate of Confidentiality relate to the HIPAA changes?

HIPAA has no effect on the protections provided by a Certificate of Confidentiality.

My research collaborator is at another university. Can I share research data with him/her?

Yes, he/she is part of your research team and as long as it is so designated in the authorization, PHI may be shared with the collaborator. Other options include use of a Limited Data Set/Data Set Agreement and setting up a Business Associate Agreement.

I am performing clinical research that also involves treatment. What steps do I need to take to deal with both the clinical and research issues?

Either an Authorization or a Waiver of Authorization will cover the HIPAA aspects of the research study. It is important that your clinical authorization for each participant contains a copy of your research authorization waiver to identify the participant as a research participant as well as a clinical patient. All participants undergoing clinical treatment should be offered the Notice of Privacy Practices prior to collection of PHI.

Grandfathering Ongoing Research Studies

I am conducting a medical records study under an IRB-approved waiver of consent obtained prior to April 14, 2003. Do I need to do anything with respect to the Privacy Rule?

HIPAA contains a grandfather clause for ongoing research projects. For subjects already enrolled in studies prior to 4/14/03, no authorization is required to continue.

A new permission will not be required if PHI is created or received before April 14, 2003, even if the study has not actually begun.

For new subjects enrolled after 4/14/03 in an ongoing study, authorization will be required.

Research/subject databases that qualify may continue to collect data after 4/14/03 without authorization or waiver.

Research/subject databases begun or approved after 4/14/03 will need a waiver or authorization.