An In-depth Look at HIPAA, the Privacy Rule and Research
In 1996, the Health Insurance Portability and Accountability Act, commonly known as HIPAA, was passed with the goal of increasing the efficiency and accessibility of health insurance coverage, and establishing minimum federal standards for protecting the privacy of an individual’s identifiable health information.
The Administrative Simplification Provisions
In part a response to the technological advancements that impact the electronic standards for health data, the act was concerned with, among other things, the computerization of patient medical records and the transmission and sharing of patient information. HIPAA's administrative simplification provisions directed the U.S. Department of Health and Human Services to create privacy standards and safeguards for the use of such electronic health care information. As a response, HHS put forward five main rules:
- The Unique Identifiers Rule (resulting in the Standard Unique Employer Identifier, the National Provider Identifier and the National Health Plan Identifier).
- The HIPAA Privacy Rule (discussed below).
- The Transactions and Code Sets Rule (for the uniformity of electronic data exchange transactions when submitting, processing and paying claims).
- The HIPAA Security Rule (for the establishment of national standards for the protection of individuals' electronic personal health information* created, received, used or maintained by a covered entity**).
- The Enforcement Rule (for the enforcement of the Privacy and Security Rules).
* Protected Health Information: Individually identifiable health information such as any information related to an individual's physical or mental health, health care or payment for health care (covered in more detail below).
** Covered Entities: Those entities that handle health care information and are subject to HIPAA:
- Health care providers (doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, etc.).
- Health plans (health insurance companies, HMOs, company health plans, Medicare, Medicaid, VA health care programs, etc.).
- Health care clearinghouses (entities that process nonstandard health information they receive from another entity into a standard electronic format or data).
Protected Health Information
HHS defines protected health information as information, including demographic information, that relates to:
- The individual's past, present or future physical or mental health or condition.
- The provision of health care to the individual.
- The past, present or future payment for the provision of health care to the individual, and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
Protected health information includes many common identifiers when they can be associated with the health information listed above:
- Names (individual, employer, relatives, etc.)
- Addresses (street; city; county; precinct; ZIP code – initial 3 digits if geographic unit contains more than 20,000 people; or any other geographical codes)
- Telephone numbers
- Fax numbers
- Social Security numbers
- Medical record numbers
- Dates (except for years) connected to subjects, including date(s) of birth, admission, discharge, death, ages 89 and older, and all elements of dates indicative of such age (except that such age and elements may be aggregated as "Age <90")
- Email addresses
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers (e.g., VINs, license plate number, etc.)
- Device identifiers and serial numbers
- Uniform resource locators (URLs)
- Internet protocol (IP) address numbers
- Biometric identifiers (e.g., finger or voice prints)
- Full-face photographic images (and any comparable images)
- Any other unique identifying numbers, characteristics or codes
Any health information by itself, without the 18 identifiers, is not considered to be protected health information (nor are the identifiers by themselves, without being linked to health information); and, if the health information can be de-identified, or the link between the health information and the 18 identifiers is broken, it is no longer considered to be protected health information.
The Standards for Privacy of Individually Identifiable Health Information, known as the Privacy Rule, protects the confidentiality of a person's protected health information obtained from or through health care providers and organizations by giving the person the right to limit who may have access to it.
In accordance with the privacy rule, covered entities may not use or disclose an individual's protected health information without their consent, except under provisions set forth by the privacy rule (detailed below). In addition, the rule gives individuals the right to access and obtain their health care records as well as information regarding whether, why and how their protected health information has been shared.
The Privacy Rule outlines ways in which protected health information may be used or disclosed by covered entities, including for research purposes. Those researchers who are not working with covered entities are not required to comply with HIPAA. However, all investigators who work with protected health information and are, or are working with, covered entities, are governed by HIPAA. This does not prohibit investigators who will not receive a subject's consent from using the subject's health information in their research; it simply puts limits on what and how their information may be used.
The HIPAA Privacy Rule balances the rights and privacy of the individual with the necessity of medical and health related research, and provides investigators with ways to have access to and use individuals’ health information for research. For example, health information may be de-identified, covered entities may enter into data use agreements with investigators, or investigators may request waivers of authorization.
Protected health information may be de-identified using one of two methods, releasing it from HIPAA restrictions. The first method is the removal of all 18 common identifiers so that the health information cannot be linked to the individual whose health information it is. When protected health information is de-identified in this manner, the covered entity may retain a random code that links the individual to his/her health information, though this code may not be shared with the investigator. Protected health information that has been de-identified in this way may later be re-identified by the covered entity, subjecting it once again to the HIPAA restrictions.
The second method for de-identification is through the use of statistical methods. In this case, a knowledgeable and experienced statistician may use statistical and scientific methods to de-identify the health information so that there is only a "very small" risk that the information may be linked to the individual whose information it is. The statistician must then certify the de-identification and document the methods used, as well as justify his/her determination of de-identification.
A data use agreement is a formal agreement entered into by the covered entity and the investigator in need of protected health information for research purposes. When using a DUA, the covered entity agrees to provide the investigator with a limited data set, that is, protected health information that excludes the following identifiers:
- Names
- Postal address information, except town or city; state; and ZIP code
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web uniform resource locators (URLs)
- Internet protocol (IP) addresses
- Biometric identifiers
- Full-face or comparable photographic images
A DUA may be entered into by the covered entity and the investigator only when the following requirements are met:
- Specific permitted uses and disclosures of the limited data set by the investigator consistent with the purpose for which it is being disclosed.
- Identification of who is permitted to use or receive the limited data set.
- Stipulation that the investigator will:
  - Not use or disclose the information other than permitted by the agreement or otherwise required by law.
  - Use appropriate safeguards to prevent the use or disclosure of the information, except as provided for in the agreement, and require the recipient to report to the covered entity any uses or disclosures in violation of the agreement of which the investigator becomes aware.
  - Hold any agent of the investigator to the standards, restrictions and conditions stated in the DUA with respect to the information.
  - Not identify the information or contact the individuals.
Note that a limited data set differs from a de-identified data set and remains subject to HIPAA requirements.
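The two release shapes described above (Safe Harbor de-identification by removal of the 18 identifiers, and the limited data set handed over under a DUA) can be made concrete in code. The following is an added example and is not code from the article or from any covered entity; the record layout, the field names, the set of "small population" three-digit ZIP areas and the patient record are all constructed for illustration. It applies the article's rules (ZIP code reduced to three digits or 000, dates reduced to the year, ages 90 and over aggregated into one category, geographic units smaller than state removed), keeps the random re-identification code and its mapping on the covered entity's side rather than in the released record, and adds the check a practitioner usually wants: a scan of free-text fields for identifiers that survive the field-level stripping.

```python
"""Safe Harbor de-identification vs. limited data set (added example).

Not the article's own code. Field names, the small-population ZIP areas
and the sample record are constructed for illustration only.
"""
import re
import secrets
from datetime import date

# Constructed: three-digit ZIP areas assumed to contain 20,000 people or
# fewer; Safe Harbor requires these to be reported as 000.
SMALL_POPULATION_ZIP3 = {"036", "059", "102", "203"}

# The 16 direct identifiers excluded from a limited data set, mapped onto
# this example's (assumed) field names. They are also removed under Safe Harbor.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# Kept in a limited data set, but removed or generalized under Safe Harbor.
GEO_FIELDS = {"city", "county"}
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}

# Patterns for identifiers that leak through free-text fields such as notes.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or 000 when that area is small."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def generalize_age(age):
    """Ages 90 and over are collapsed into a single category."""
    return "90 or older" if age >= 90 else age


def limited_data_set(record):
    """Drop the 16 direct identifiers; keep city, state, ZIP and full dates.

    The result is still PHI and may only be released under a DUA.
    """
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor_deidentify(record):
    """Return (released, retained).

    `released` is the de-identified record given to the investigator.
    `retained` stays with the covered entity: a random code plus the original
    medical record number, kept next to the entity's own copy of the released
    row so the record can be re-identified later. Neither the code nor the
    mapping is shared with the investigator.
    """
    released = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in GEO_FIELDS:
            continue                        # removed outright
        if key == "zip":
            released[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            released[key] = value.year      # only the year may remain
        elif key == "age":
            released[key] = generalize_age(value)
        else:
            released[key] = value           # state, diagnosis, lab values, ...
    retained = {"code": secrets.token_hex(8), "mrn": record.get("mrn")}
    return released, retained


def scan_free_text(record):
    """Return (field, pattern) hits for identifiers hiding in string values."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            for name, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    hits.append((key, name))
    return hits


# Constructed sample record; every value is fictional.
SAMPLE = {
    "name": "Jane Example", "street_address": "1 Main St", "city": "Smalltown",
    "state": "MA", "zip": "03601", "phone": "555-123-4567",
    "email": "jane@example.invalid", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "dob": date(1931, 4, 2), "admission_date": date(2023, 11, 5), "age": 92,
    "diagnosis": "hypertension",
    "notes": "Patient prefers email contact at jane@example.invalid.",
}

if __name__ == "__main__":
    released, retained = safe_harbor_deidentify(SAMPLE)
    print("Safe Harbor release:", released)
    print("Retained by covered entity:", retained)
    print("Limited data set:", limited_data_set(SAMPLE))
    print("Identifiers still present in free text:", scan_free_text(released))
```

Running it shows the difference between the two shapes on the same record: the limited data set still carries the city, the five-digit ZIP and the full dates, while the Safe Harbor release reduces them to state, `000` (the constructed small-population area) and the year. The free-text scan is the reason field-level stripping alone is not enough: the `notes` value still contains an email address after every identifier field has been removed, and that would make the "de-identified" record PHI again.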
An investigator may, under certain conditions, request a waiver or alteration of authorization, which would allow the investigator to use protected health information without the individuals' permission. The following criteria must be met before such a waiver may be granted:
- The use or disclosure of the PHI involves no more than minimal risk to the privacy of individuals based on, at least, the presence of the following elements:
- The research could not practicably be conducted without the waiver or alteration.
- The research could not practicably be conducted without access to and use of the protected health information.
The request for waiver of authorization is reviewed by a privacy board, which determines whether the requirements are met and approves or denies the request. While an institution's institutional review board often acts as that institution's privacy board, the two boards are, in fact, separate: the authority of the privacy board is limited to the review of waivers of authorization, and cannot authorize the research protocol itself. When acting as the institution's privacy board, its IRB may review all issues regarding the research protocol at one time. At Brandeis University, the Institutional Review Board acts as its privacy board.