Protected Health Information (HIPAA) Regulations and Research

HIPAA Learning Shots: 

What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. 

The intention of HIPAA is to protect patients from inappropriate disclosures of "Protected Health Information" (PHI) that can cause harm to a person's insurability, employability, etc. 

The privacy provisions of HIPAA found in the Privacy Rule apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses. 

What is PHI?

PHI is information that can be linked to a particular person and that is created, used, or disclosed in the course of providing a health care service (i.e., diagnosis or treatment). 

What Does the Privacy Rule Have To Do With Research? 

HIPAA affects only that research which uses, creates, or discloses PHI. 

Researchers have legitimate needs to use, access, and disclose PHI to carry out a wide range of health research studies. 

The Privacy Rule protects PHI while providing ways for researchers to access and use PHI when necessary to conduct research. 

In general, there are two types of human research that would involve PHI: 

  • Studies involving review of existing medical records as a source of research information. Retrospective studies, such as chart reviews, often do this. Sometimes prospective studies do it also, for example, when they contact a participant's physician to obtain or verify some aspect of the participant's health history. 
  • Studies that create new medical information because a health care service is being performed as part of the research, such as testing of a new way of diagnosing a health condition or a new drug or device for treating a health condition. Virtually all sponsored clinical trials that submit data to the U.S. Food and Drug Administration (FDA) will involve PHI. 

What is the IRB's Role? 

The IRB-HSR acts as the Privacy Board at UVA  to review the use/disclosure of PHI and to determine whether the subjects should sign an "Authorization" (Adds additional language to the consent template) or if a Waiver of Authorization (roughly analogous to a Waiver of Consent under the Common Rule) may be granted. At UVA the requirements for a HIPAA Authorization have been incorporated into the research consent form to eliminate the need for multiple forms.  If for some reason a research consent will not be obtained, the IRB-HSR provides a template for a Stand-alone HIPAA Authorization.  




Version Date: 6-25-20