The HIPAA Privacy Rule provides policies for the use and disclosure of Protected Health Information (PHI) by a covered entity. The Privacy Rule sets standards for de-identifying health information and applies to decedents’ information. These policies and standards are in addition to those included in the Common Rule and FDA regulations.
The Privacy Rule applies to all covered entities and organizations based in the United States, regardless of funding.
Covered entities transmit health care information electronically in connection with a transaction, for example, a physician who bills for services. Covered entities include health care providers, health plans, and insurance companies. Covered entities also include health care clearinghouses, which HIPAA defines as “public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.”
Duke University is a hybrid entity, meaning that some parts are covered by HIPAA and some parts are not. With some exceptions, the campus side of Duke is not covered. Campus researchers would receive, not disclose, PHI.
Once PHI is received, it is no longer covered by HIPAA and is considered Sensitive Health Information (SHI).
PHI and SHI
Protected Health Information (PHI) include any health-related information stored or transmitted electronically by a covered entity. PHI is identifiable or can be used to identify the individual. Researchers wishing to gather PHI will need to secure signed HIPAA authorizations from participants, in addition to consent.
Sensitive Health Information (SHI) includes health-related information that has been disclosed by a covered entity. The data need to be protected in accordance with Duke’s standards for protecting sensitive data. See Developing Data Protection Plans, developed by the Information Technology Security Office (ITSO) and the Campus IRB.
What Makes Health Information Identifiable?
Information is identifiable when it can be used to identify, contact, or locate a single person or can be used with other sources to identify a single individual. The Privacy Rule has determined the following 18 data points as personal identifying information:
- Geographic information smaller than state
- All elements of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- Fax number
- Email address
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Any vehicle identifier or license number
- Any device identifiers or serial number
- Web URL
- Internet Protocol (IP) Address
- Finger or voice print
- Photographic image - Photographic images are not limited to images of the face.
- Any other characteristic that could uniquely identify the individual
“De-identified” vs. “Limited”
Per the Privacy Rule, a data set is considered “de-identified” only if ALL 18 identifiers, or parts of an identifier (for example, initials or month and date), are completely removed.
A data set is considered a “limited data set” if it retains only the following two identifiers:
- Geographical information, limited to city, state, ZIP Code
- Elements of date
Limited data sets can also include other numbers, characteristics, or codes that not listed as direct identifiers, such as codes for medical procedures.
HIPAA Authorization for Use and Disclosure
Before collecting PHI, researchers must secure participants’ signed permission. This signed permission is called a HIPAA authorization. Without a signed HIPAA authorization, PHI cannot be released or used for research. HIPAA authorizations can be standalone documents or combined with (layered into) an informed consent document.
HIPAA authorizations must:
- Be written in plain language
- Include authorization core elements
- Include authorization required statements
Researchers must also provide a copy of the signed authorization to the individual who signed it.
Authorization Core Elements
- A description of PHI to be used or disclosed, in a specific and meaningful way
- The names of persons authorized to make the requested use or disclosure
- The names of persons who may use the PHI
- Specific descriptions of how the PHI will be used (“future unspecified research” is not allowed)
- The authorization’s expiration date
- Signature of the individual and date
Authorization Required Statements
- An explanation that participants can revoke their authorization at any time and for any reason, and instructions on how participants can inform researchers they wish to revoke their authorization
- A notice about whether covered entities providing PHI are able or unable to condition treatment, payment, enrollment, or eligibility for benefits on the Authorization, including research-related treatment, and, if applicable, consequences of refusing to sign the Authorization
- An explanation that once PHI is disclosed, it is no longer protected by HIPAA. However, this information still needs to be protected.
Waiver of Written HIPAA Authorization
Members of the IRB can meet as HIPAA Privacy Board to consider a waiver of the requirements for a researcher to secure signed HIPAA authorizations to use and disclose protected health information. Before the Privacy Board can approve a request to waive an authorization, the Board must find that:
- The use or disclosure of the PHI involves no more than a minimal risk to the privacy of individuals
- The researchers have described an adequate plan to protect the identifiers from improper use and disclosure
- The researchers have described an adequate plan to destroy the identifiers at the earliest opportunity, consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law
- The researchers have provide adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law
- The research could not practicably be conducted without the waiver or alteration
- The research could not practicably be conducted without access to and use of the PHI
Exceptions to HIPAA Waiver
Activities Preparatory to Research and Recruitment
The Privacy Rule includes a provision for researchers to use or access PHI as preparatory to research. This provision might be used to design a research study or to assess the feasibility of conducting a study. The IRB office may determine that a use or disclosure of PHI is preparatory to research if:
- The intention is to review PHI solely to prepare a research protocol
- The researcher will not remove any protected health information from the covered entity
- The PHI to be accessed is necessary for research purposes
- The researcher is an employee of the covered entity