Protected Health Information (HIPAA) Regulations and Research

What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. 

The intention of HIPAA is to protect patients from inappropriate disclosures of "Protected Health Information" (PHI) that can cause harm to a person's insurability, employability, etc. 

The privacy provisions of HIPAA found in the Privacy Rule apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses. 

What is PHI?

Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. HIPAA regulations allow researchers to access and use PHI when necessary to conduct research. However, HIPAA applies only to research that uses, creates, or discloses PHI that enters the medical record or is used for healthcare services, such as treatment, payment, or operations.

For example, PHI is used in studies involving review of existing medical records for research information, such as retrospective chart review. Also, PHI is created in studies that produce new medical information in the course of the research, such as diagnosing a health condition or evaluating a new drug or health device, and that information will be entered into the medical record. For example, sponsored clinical trials that submit data to the U.S. Food and Drug Administration involve PHI and are therefore subject to HIPAA regulations.

What is not PHI?

In contrast, some research studies may use health-related information that is personally identifiable because it includes personal identifiers such as name or address, but it is not considered to be PHI because the data are not associated with or derived from a healthcare service event (treatment, payment, operations, medical records) and the data are not entered into the medical records. HIPAA does not apply to “research health information” (RHI) that is kept only in the researcher’s records; however, other human subjects’ protection regulations still apply.

Examples of research using only RHI and thus not subject to HIPAA include use of aggregated (non-individual) data; diagnostic tests from which results are not entered into the medical record and are not disclosed to the subject; and testing conducted without any PHI identifiers. Some genetic basic research can fall into this category, such as the search for potential genetic markers, promoter control elements, and other exploratory genetic research. In contrast, genetic testing for a known disease, as part of diagnosis, treatment, and health care, would be considered a use of PHI and therefore subject to HIPAA regulations.

Also note, health information by itself without the 18 identifiers is not considered to be PHI. For example, a data set of vital signs by themselves does not constitute protected health information. However, if the vital signs data set includes medical record numbers, then the entire data set is considered PHI and must be protected since it contains an identifier.

List of 18 Identifiers

1. Names;
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)

There are also additional standards and criteria to protect individuals from re-identification. Any code used to replace the identifiers in data sets cannot be derived from any information related to the individual and the master codes, nor can the method to derive the codes be disclosed. For example, a subject's initials cannot be used to code their data because the initials are derived from their name. Additionally, the researcher must not have actual knowledge that the research subject could be re-identified from the remaining identifiers in the PHI used in the research study. In other words, the information would still be considered identifiable if there was a way to identify the individual even though all of the 18 identifiers were removed.

What is the IRB's Role? 

The IRB-HSR acts as the Privacy Board at UVA to review the use/disclosure of PHI and to determine whether the subjects should grant  "Authorization" via the informed consent or if a Waiver of Authorization (roughly analogous to a Waiver of Consent under the Common Rule) may be granted. At UVA the requirements for a HIPAA Authorization have been incorporated into the research consent form to eliminate the need for multiple forms.  If for some reason a research consent will not be obtained, the IRB-HSR provides a template for a Stand-alone HIPAA Authorization.  

Resources