HIPAA Learning Shots:
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996.
The intention of HIPAA is to protect patients from inappropriate disclosures of "Protected Health Information" (PHI) that can cause harm to a person's insurability, employability, etc.
The privacy provisions of HIPAA found in the Privacy Rule apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses.
PHI is information that can be linked to a particular person and that is created, used, or disclosed in the course of providing a health care service (i.e., diagnosis or treatment).
HIPAA affects only that research which uses, creates, or discloses PHI.
Researchers have legitimate needs to use, access, and disclose PHI to carry out a wide range of health research studies.
The Privacy Rule protects PHI while providing ways for researchers to access and use PHI when necessary to conduct research.
In general, there are two types of human research that would involve PHI:
- Studies involving review of existing medical records as a source of research information. Retrospective studies, such as chart reviews, often do this. Sometimes prospective studies do it also, for example, when they contact a participant's physician to obtain or verify some aspect of the participant's health history.
- Studies that create new medical information because a health care service is being performed as part of the research, such as testing of a new way of diagnosing a health condition or a new drug or device for treating a health condition. Virtually all sponsored clinical trials that submit data to the U.S. Food and Drug Administration (FDA) will involve PHI.
The IRB-HSR acts as the Privacy Board at UVA to review the use/disclosure of PHI and to determine whether the subjects should sign an "Authorization" (Adds additional language to the consent template) or if a Waiver of Authorization (roughly analogous to a Waiver of Consent under the Common Rule) may be granted. At UVA the requirements for a HIPAA Authorization have been incorporated into the research consent form to eliminate the need for multiple forms. If for some reason a research consent will not be obtained, the IRB-HSR provides a template for a Stand-alone HIPAA Authorization.
- UVA Health also has information regarding HIPAA available on the Health System HIPAA Initiatives website.
- UVA Stand Alone HIPAA Authorization
- Notice of Privacy Practices
- HIPAA Privacy Rule: Information for Researchers (DHHS/NIH)
- HIPAA Regulations- 45CFR164, Standards for Privacy of Individually Identifiable Health Information; Security Standards for the Protection of Electronic Protected Health Information (HIPAA Privacy and Security Rules)
Version Date: 6-25-20