Health Insurance Portability & Accountability Act | HIPAA

What is...?

Is my research subject to HIPAA?

If my research is subject to HIPAA, what do I as a researcher have to do to comply?

How does HIPAA affect language in Informed Consent documents?

Does the IRB need to review my project's HIPAA Authorization?

Where can I get training on Research aspects of HIPAA?

Where can I get more information on HIPAA and Research?

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. This federal law has an "Administrative Simplification" title within it that includes provisions for Privacy and Security of Personal Health Information (PHI), electronic standards for communicating claims data, and unique identifiers for healthcare providers and organizations. The provisions of HIPAA that most affect research are the Privacy Rule and a corresponding Security Rule. Compliance was required as of April 14, 2003. Newly enrolled participants in research studies affected by HIPAA will need to sign a separate HIPAA authorization form. Permissions and authorizations executed prior to April 14, 2003 remain in place, and there is no need to re-consent participants already enrolled in studies as of that date.

What is a HIPAA Covered Entity?

A covered entity is an organization that, by virtue of providing healthcare services and billing for them using electronic means, is subject to the provisions of HIPAA. The University of California is a "hybrid covered entity," meaning that it provides healthcare services but also has other functions, such as education and research.

What is Protected Health Information (PHI)?

Protected Health Information (PHI) is a type of individually-identifiable information that arises out of a healthcare service context. The protections of the HIPAA Privacy Rule apply to PHI. However, not all individually identifiable information is PHI. A study only uses or produces PHI if it is using medical records as a source of information or is providing a healthcare service to the research participant.

What is de-identified information?

De-identified information is the term used for personal health information that has had identifying characteristics removed. This form of data was historically called "anonymous," but the authors of HIPAA recognized that health information is so rich in potentially identifying characteristics that it can never be truly anonymous; there will always be some potential for re-identification of an individual. HIPAA contains a "safe harbor" provision that states information is not subject to HIPAA restrictions on PHI if 18 different elements are removed. A listing of these elements is available as part of the UCSD HRPP Factsheet on Deidentified Health Information.

Is my research subject to HIPAA?

If the research involves review of person-identifiable medical records, or the study results in new information that is added to medical records (such as a test of a new diagnostic or therapeutic agent or device), then it is using or creating PHI and is subject to HIPAA Privacy Rule provisions. However, not all person-identifiable information acquired in a research setting is PHI. For more information on this, see the University of California's HIPAA Task Force paper on the topic of when research data is and is not PHI. When in doubt, contact the HRPP program office for assistance.

If my research is subject to HIPAA, what do I as a researcher have to do to comply?

Research projects that are subject to HIPAA will require the following:

a. A signed HIPAA authorization will be required for newly consented study participants starting April 14, 2003, or the project must have a Waiver of Authorization approved by the IRB. Participants who signed consents prior to April 14, 2003 do not need to be reconsented. Although federal regulations allow the HIPAA language to be included in the consent, California law requires a separate "stand-alone" HIPAA authorization form, which is also available in a Spanish language version.
b. Confidentiality of the information must be protected by physical security, by access controls such as password-protected computer applications, and by the general principles of "minimum necessary" and "need to know".
c. When PHI created de novo in a research setting, such as by a clinical trial of a new treatment, is disclosed outside of the University of California, an audit trail log of what information was sent and to whom it was sent needs to be maintained, and an accounting of the disclosures that included a research participant's data must be available to that participant upon request. Note that this is not the case if medical records information is used for research pursuant to an authorization. The authorization essentially converts PHI into RHI as the information moves from the medical record into the research record, and subsequent use of the RHI is governed by the terms of the authorization, not by HIPAA.

How does HIPAA affect language in Informed Consent documents?

For research studies that use or create PHI, HIPAA mandates that 7 additional elements be explained in a separately signed authorization for use of personal health information:

1. Description of the information to be used
2. Name of the person(s) or class of persons (e.g., project staff) who will use the information
3. Name of the persons or organizations to whom PHI will be released (e.g., study staff, project sponsors, and the central coordinating offices of multi-center trials)
4. Expiration date or event that ends the authorization to use PHI (e.g., completion of the research) - OR - a statement that the authorization does not expire
5. Statement of the right to revoke the authorization (part of the withdrawal-from-study procedures)
6. A statement that the information may no longer be protected if it is disclosed to other organizations
7. A statement that the individual may inspect or copy the records (note: the researcher may stipulate that records are not available until after the study is complete)

What is a minimum data set?

A minimum data set is a partially de-identified dataset that has 8 elements removed rather than 18. Because a minimum data set retains information that could be used to relatively easily re-identify an individual (such as medical record numbers and dates of hospital admissions), research involving use or disclosure of a minimum data set has to be accompanied by a Data Use Agreement specifying the researcher's agreement to use the data only for approved research purposes, and that the researcher will not attempt to re-identify individuals. Although HIPAA does not require IRB review of research that uses HIPAA minimum data sets, at UCSD researchers should submit an application for Expedited Review to receive documentation of project approval for presentation to the Medical Records Department.

Does the IRB need to review my project's HIPAA authorization?

As noted in the application instructions, item 11, a copy of the HIPAA authorization(s) that will be used on the study must be provided to the IRB. The IRB reviews the authorization to ensure that the information outlined as being collected in the Research Plan is appropriately requested on the authorization. Note that the authorization cannot be revised and is not stamped approved by the IRB because the authorization is an institutional document.

Where can I get training on Research aspects of HIPAA?

UCSD's HRPP has developed an online tutorial assessment on Research Aspects of HIPAA that covers about a dozen different HIPAA-related topics. Upon successful completion, a personalized certificate of completion is generated. Register online for the tutorial here.

Where can I get more information on HIPAA and Research?

A good source is the HIPAA website maintained by the US Office of Civil Rights. If you are a faculty, staff, or student of UCSD, you can also call or e-mail the HRPP office with your HIPAA-related questions.

Last updated: 20 Mar 2019