Research HIPAA Guidelines
Some research involves health information (medical records, patient prescription, health status, disease progression, etc.). Whenever research involves health information, HIPAA regulations come into play…
Do HIPAA regulations apply to Human Subject Research?
Health Insurance Portability Accountability Act (HIPAA) regulations were designed to protect confidentiality of individual’s medical records and protected health information. HIPAA regulations apply to human subject research under the Privacy Rule, which require investigators to request subject authorization for the use and disclosure of protected health information (PHI). HIPAA regulations define PHI as individually identifiable health information. Identifiable refers to data including demographic information as well as health information that can either link (directly or indirectly), or enable individual identification or recognition.
Therefore, investigators must include a valid HIPAA Research Authorization Template request during subject consenting if they will be collecting, using or disclosing personal identifiers that are considered PHI.
Note: In Non-Clinical Trial Human Subject Research, informed consent language needs to be customized to each circumstance. Required verbiage is offered for this purpose: Consent Language (pdf)
For more information about UNTHSC policy on HIPAA, please click here.
back to top
Which identifiers are considered Protected Health Information (PHI)?
HIPAA regulations state Protected Health Information may be but is not limited to the following:
- Name, Social Security Number
- Geographic subdivisions smaller than a state (i.e. street address, city, county, zip code and their equivalent geocodes, precinct)
- All elements of dates (except year) directly related to an individual (i.e. birth date, discharge date, death date, medical visit, screening date, etc.)
- Voice/fax phone numbers, email addresses
- Health insurance, medical record, health account numbers
- Driver License, Vehicle ID, License plate numbers
- Certificate/license numbers
- Internet Protocol (IP) addresses, Uniform Resource Locators (URLs)
- Biometric identifiers, finger/voice print
- Full face/body photo
- Medical diagnosis, screening, treatment
- Unique identifying number, characteristic, or code*
* This is considered PHI when the assigned code can potentially be linked to individually identifiable health information
back to top
What are the elements to a valid HIPAA Authorization Form?
A valid HIPAA authorization must include the following core elements:
- A description of the purpose of the requested use or disclosure of PHI
- A description of the information to be used or disclosed that identifies the information in a specific fashion
- A list of those who are authorized to use and disclose PHI
- A list of those whom may request disclosure of PHI (i.e. Institutional Review Board, Office of Human Research Protection, regulatory offices, etc.)
- Information regarding the expiration of the authorization
- Information regarding individual’s right to revoke the authorization in writing
- Signature of the individual and the date
The federal regulations regarding protected health information, allows HIPAA authorization to be combined with the consent form. At UNTHSC, HIPAA authorization can be done in two ways 1) embedded within the consent form or 2) attached separately as an addendum to the consent form. However, each IRB may differ in this requirement. Follow the link for the HIPAA Research Authorization Template.
back to top
When can protected health information not be considered individually identifiable?
HIPAA regulations state when health information DOES NOT include any identifiers (listed above) AND there is no reasonable basis to believe that the remaining information could be used to identify a person it is NOT considered protected health information (individually identifiable health information). Rather, the health information is de-identified and not subject to the Privacy Rule (HIPAA regulations).
The National Center of Health Statistics or Census Bureau is a good example of a truly de-identified data source. Therefore, public available data are not considered protected health information (PHI) as the information cannot individually identify a specific person.
Alternatively, the Institutional Review Board (IRB) may determine that health information is de-identified if a person with the appropriate knowledge and experience with generally accepted statistical and scientific principles and methods can render the information not individually identifiable. The risk should be minimal that information whether alone or in combination with other information can be used to identify a person. Investigators must indicate to the IRB the methods to which they will render the data de-identifiable.
However, investigators should not assume that by assigning a code to the data it might qualify as de-identified. Investigators must bear in mind that if there is a mere chance or manner to link the data with a personal identifier then it is not de-identified.
back to top
Use of a HIPAA Waiver or Alteration
A waiver of HIPAA authorization may be granted by the Institutional Review Board (IRB) if the research study involves the following:
1) The use of protected health information (PHI) is solely for preparatory research. This refers to activities such as designing the protocol or research questionnaire (i.e. sample size, etc.).
2) Research uses PHI from decedent’s information. This means research involves PHI from deceased individuals and it is not practical to request authorization. PHI collected must be minimal and necessary in order to carry out effectively the study.
The Institutional Review Board must be able to review and document the following information in order to grant a waiver of HIPAA authorization:
1) The use or disclosure of protected health information involves no more than minimal risk to the privacy of the individuals.
a) There must be an adequate plan to protect the identifiers from improper use and disclosure
b) An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research unless there is a justification for retaining the identifiers
c) Adequate written assurances that the protected health information will not be reused or disclosed to anyone or entity, except required by the law for authorized oversight of the research study
2) The research study could not practicably be conducted without the waiver
3) The research study could not practicably be conducted without the access to and use of protected health information
It is important to note that a HIPAA waiver is not the same as a waiver of informed consent. An investigator must request either separately.
back to top
Which studies may qualify for a HIPAA waiver?
- Gathering billing information (i.e. breast cancer screening visits) from clinic records to identify prospective subjects for recruitment. NOTE: The investigator must request HIPAA waiver and IRB approval of research project before accessing protected health information.
- A minimal risk study involving a retrospective (medical) chart review of breast cancer screening behavior in Hispanic women.
- A minimal risk study involving a short anonymous questionnaire regarding healthcare plans in family clinics may qualify for a HIPAA waiver. Although subject’s name will not be included in the survey, the responses will generate protected health information making a HIPAA waiver necessary.
For questions regarding the use of these forms, please contact the North Texas Regional Institutional Review Board at 817-735-0409.