Research and HIPAA Privacy Protections

 

Author

 

Reid Cushman, Ph.D.

University of Miami Ethics Programs and UM-Miller School of Medicine

 

Acknowledgments

The author would like to thank the following persons for their editorial and content review of this module, and for work on prior versions: Evelyn Bital (UM), Anita Cava (UM/CITI), Joey Casanova (UM), Amanda Coltes-Rojas (UM), Ken Goodman (UM/CITI), Karen Hansen (UW/CITI) and Sally Mann (CITI).

 

Introduction

Protections for health information are required by Federal laws and regulations. Every state also has its own requirements. So do private certification organizations, such as the Joint Commission [http://www.jointcommission.org/]. If you have access to persons’ identifiable health information for any purpose, you are required to know how to protect it. If you use such health information for human subjects research, you need to know the specific limitations that apply to that activity, notably those imposed by HIPAA.

 

Researchers have long been acquainted with meeting federal standards for the protection of human subjects, since these rules have been in place for many decades. As discussed in other modules, most biomedical and behavioral research in the US is subject to the DHHS-codified "Common Rule" (45 CFR 46) and/or the analogous regulations of the FDA (21 CFR 50, 56). The Common Rule and FDA protections focus on the rights, safety and welfare of research subjects, including such matters as informed consent and appropriateness of risks relative to benefits. They also include attention to research subjects' privacy and the confidentiality of research information.

 

HIPAA's relatively new data-focused protections, which took effect starting in 2003, supplement the Common Rule and FDA protections; they are not a replacement. Protocol reviews using Common Rule/FDA criteria by IRBs remain as before, including aspects related to data protection. As will be discussed, IRBs may have the responsibility of addressing HIPAA’s additional requirements in their reviews when those apply; or some responsibilities may be given to another kind of body that HIPAA permits (a Privacy Board) or to an institutional official that HIPAA requires (a Privacy Officer).

 

Where a state’s data protection laws and regulations extend to research subjects’ data, these too generally remain in effect. HIPAA for the most part defers to state data protections that are more stringent than its own. HIPAA also generally leaves unaffected the data protection requirements that may be imposed by institutional certification bodies, such as the Joint Commission. Data protection requirements from these various sources are generally congruent in their focus on assuring the confidentiality, integrity and availability of data for treatment, payment, health care operations and other legitimate purposes such as research. HIPAA sets the federal floor for such data protections.

 

Learning objectives

By the end of this module you should be able to describe or explain:

 

HIPAA’s additional privacy protections for individually identifiable health data that is used for human subjects research, including authorizations, accountings of disclosures, etc.

Situations where full HIPAA privacy protections are required, and those which can qualify for waivers, alterations or exemptions with more limited requirements.

The responsibilities of investigators and institutions for meeting these privacy requirements, and for appropriate data security protections that are necessary to protect privacy.

 

HIPAA’S REGULATORY SCOPE

HIPAA’s protections focus on individually identifiable health information, which HIPAA defines as information in “any form or medium” that “[r]elates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”

 

HIPAA’s protections reach only a subset of individually-identifiable health information – formally called protected health information or simply “PHI” – created in or by what HIPAA calls covered entities. Covered entities include individual health providers, health provider organizations, health plans, and health information clearinghouses that engage in electronic health care transactions. (Sometimes determining covered entity status is easy; sometimes it’s complex. See these HHS decision tools. [https://www.cms.gov/apps/hipaa2decisionsupport/]) HIPAA’s protections for PHI extend to non-U.S. citizens’ information as well.

 

Some identifiable health information obviously arises outside of covered entities, and so is not covered by HIPAA. But you must check with your organization’s privacy authorities before you assume your situation falls outside HIPAA’s scope. More on that below.

 

What kinds of users and uses are covered?

HIPAA’s regulations set requirements for use and disclosure of PHI by covered entities, and by extension on all members of a covered entity’s workforce that have contact with PHI. Covered entities must also establish contractual requirements for data protection on business associates (and by extension on the workforce of business associates) that perform functions using PHI on the covered entity’s behalf.

 

Researchers may be covered entities if they are also health care providers, or may otherwise be part of the workforce of a covered entity. If so, they are directly affected by HIPAA’s research rules. Researchers who meet neither of these conditions are still indirectly affected by HIPAA rules if a covered entity is the source of their data and that data meets the definition of PHI.

 

HIPAA’s rules on use and disclosure are generally “purpose-based” – that is, the intended use sets the rules more than the type of data itself. The research rules discussed here are different from those for, say, treatment or payment for treatment (relatively liberal), or for marketing or fundraising (relatively strict). A few types of data, such as psychotherapy notes, do receive special protection under HIPAA. State laws often have many categories of data with special protections, with which you should be familiar (or be in contact with an organizational official who has that knowledge).

 

What constitutes “research”?

HIPAA defines research as any “systematic investigation, including research development, testing, and evaluation, designed to develop and contribute to generalizable knowledge.” Not all kinds of research-like activity are included in this definition. For example:

 

Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines or protocols, fall under the category of health care operations under HIPAA – provided the primary aim is not obtaining generalizable knowledge.

Activities that aim primarily for generalizable knowledge of population health can fall into the category of public health activity under HIPAA.

 

As with covered entity status, a determination by an organization's IRB, privacy official or legal counsel is usually required to designate an activity as "not research" and therefore subject to different HIPAA rules. It’s always a good idea to check with one of these authorities before you assume anything about what requirements apply. (And remember that what HIPAA excludes may not be excluded under Common Rule/FDA rules, nor under your state’s laws.)

 

Who enforces HIPAA's protections?

A covered entity may choose to rely on an IRB to assess compliance with both the FDA/Common Rule requirements and the HIPAA research requirements. Alternatively, HIPAA provides that covered entities may create a Privacy Board to handle some research-related issues, notably determinations about eligibility for waivers, alterations and exemptions from authorization processes (about which more below). A covered entity may also leave some decisions about compliance with the research provisions of HIPAA to its designated Privacy Officer. An example might be a determination about whether a particular use or disclosure application needs Privacy Board/IRB review.

 

Research subjects, like patients generally, have recourse to the Department of Health and Human Services’ Office for Civil Rights (OCR) in the event they are not satisfied with an institution’s protective efforts. OCR can levy fines or leverage the federal court system for serious violations. Recent changes in HIPAA by the HITECH Act also permit states’ Attorneys General to pursue HIPAA violations in state courts. It should be noted that the already substantial civil and criminal penalties for HIPAA violations were increased by the HITECH Act, and can be applied against both organizations and individuals.

 

As with any other planned activity related to health data, research must be mentioned in the Privacy Notices that HIPAA requires be provided by covered entities to their patients/customers. The Notice must include the ways in which data subjects may register complaints and report problems, either locally or with federal authorities.

 

HIPAA RESEARCH RULES

If the data in question meet the definition of PHI and are being used for purposes that fall within its definition of research, HIPAA generally requires explicit written authorization from the data subject for research uses. However, HIPAA provides several alternatives that can bypass such authorizations:

 

Waiver or alteration of the authorization requirement is granted by an IRB/Privacy Board because the research poses minimal risk and other criteria are met.

PHI is used solely for activities preparatory to research, and certain representations are obtained from the researcher.

Only deceased persons’ information is used, and certain representations are obtained.

Only de-identified data is involved, by meeting set criteria or with independent validation of de-identification (a.k.a., “anonymization”).

Research is conducted with a limited data set under an approved data use agreement.

It is “grandfathered” research where all legal permissions were in place before HIPAA took effect.

 

Each of these is described in the sections below.

 

Waivers and alterations of authorization requirement

An organization's IRB or a Privacy Board may determine that a waiver or alteration of the authorization requirement is appropriate, if the following criteria are met. These conditions are modeled on the conditions for a waiver of informed consent in the Common Rule.

 

Use or disclosure of the PHI involves no more than minimal risk to the privacy of the research subjects, based on the following elements:

 

An adequate plan to protect any data identifiers from improper use and disclosure.

An adequate plan to destroy data identifiers at the earliest opportunity consistent with conduct of the research (unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law).

Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project or for other research for which the use or disclosure of PHI would be permitted by HIPAA.

The research could not practicably be conducted without the PHI.

The research could not practicably be conducted without the waiver.

 

More about what counts as a "data identifier" is provided in the sections below on limited data sets and de-identified data.

 

Activities preparatory to research, decedents’ information exceptions

HIPAA provides for two more exceptions to the authorization requirement for identifiable data:

 

Where the PHI will be used solely for reviews preparatory to research (e.g., for protocol development) and will not leave the covered entity.

Where the PHI refers solely to deceased persons (the covered entity may ask for documentation of death of all data subjects).

 

In each case, the researcher must make a written or oral representation to the IRB or Privacy Board that such access is necessary for the research purposes.

 

Covered entities may determine their own processes for approval of the "representations" related to waivers, alterations and exceptions. The process may be analogous to "expedited review" under the FDA/Common Rule, and not require a full IRB or Privacy Board approval. It is not, however, a determination a researcher can (or should) make on his or her own. Aside from the HIPAA issues, preparatory research activities involving human subjects must be reviewed as research unless otherwise exempt under Common Rule criteria.

 

De-identified data

A researcher may use fully de-identified information without any authorization. As the name implies, de-identified information must have all direct and indirect identifiers removed, to eliminate – or at least make highly improbable – re-identification using statistical techniques. De-identified information is no longer considered PHI, because it is no longer individually identifiable. (Under the Common Rule, use of de-identified data is no longer considered human subjects research.) De-identification may be asserted on the basis of certification by a “person with appropriate knowledge” of statistical techniques who has analyzed the data set. Or a researcher may use the “safe harbor” method of removing the 18 types of identifying elements specified in the HIPAA regulations. In either case, the covered entity must have no actual knowledge that re-identification is possible by linking to other known data sets.

 

Limited data sets and data use agreements

Alternatively, a covered entity may disclose PHI in a limited data set (LDS) to a researcher who has entered into an appropriate “data use agreement.” An LDS must have all direct identifiers removed; however, it may still include information that could “indirectly” identify the subject using statistical methods. As you’d expect, the identifying elements that must be removed are similar to those for de-identified data, but with less restrictiveness on geographic specificity (addresses), data subject age and other dates, and other types of identifiers (16 instead of 18 types must be removed).

 

The data use agreement for an LDS must delineate the permitted uses and disclosures of such information by the recipient, consistent with the purposes of research; limit the persons that can use or receive the data; and require the recipient to agree not to re-identify the data or contact the individuals. (For more details, see the note on 45 CFR 164.514(e) in the References below.)

 

Grandfathered research

If all informed consents and other legal permissions required at the time were in place before HIPAA took effect (April 2003 in most cases), and have not changed since, no new HIPAA authorization is required. Obviously, this is no longer a commonly used pathway to bypass authorizations.

 

Minimum necessary uses and disclosures

Uses and disclosures of data for research that are allowed to bypass the authorization requirement are still subject to the minimum necessary standard – that is, the uses/disclosures must be no more than the minimum required for the described research purpose. A covered entity may rely on a researcher's documentation – or the assessment of an IRB or Privacy Board – that the information requested is the minimum necessary for the research purpose.

 

By contrast, research information obtained using an authorization is not bound by the minimum necessary standard – on the theory that the data subject has given explicit permission for whatever information access the research team deems to be necessary. But be aware that while HIPAA may not require a minimum necessary justification at all times, the IRB’s evaluation of risks and burdens on human subjects arguably does.

 

Disclosure accounting

Among the rights that HIPAA confers on data subjects is the right to an accounting of disclosures made by the covered entity. Disclosures for research that are allowed to bypass authorization, with the exception of those in an LDS, are subject to this accounting requirement. (Formally, under HIPAA: A “disclosure” occurs only when PHI is communicated to an outside person or entity, including another covered entity. By contrast, a “use” occurs when the data does not leave the covered entity.)

 

Where the study involves more than 50 subjects’ records, the disclosure accounting requirement can be met by the covered entity providing data subjects with:

 

A list of all protocols for which their PHI may have been disclosed, along with the timeframe for those disclosures.

The purpose of those protocols, and the types of PHI sought.

The researcher's name and contact information for each study.

 

Covered entities must assist subjects in contacting investigators when they have questions about a disclosure or any other aspects of the protocol.

 

Where fewer than 50 records are involved, the listing must be more specific and detailed, commensurate with the requirements for other kinds of PHI disclosure accounting. Covered entities may still choose to impose more detailed reporting requirements for research, even on larger studies. (DHHS “encourages” providing more detail, but does not require it.)

 

Disclosure accounting is not required for disclosures made under authority of an authorization, on the theory that the data subjects are aware of what they have authorized. Neither is accounting required for disclosures to the data subject directly about him/herself. Nor, as noted, is it required for an LDS disclosure. De-identified information isn’t PHI anymore, so disclosing it isn’t a “disclosure.”

 

While HIPAA may not require it, many organizations will require that investigators maintain logs of all disclosures from research data collections as a security measure, even “disclosures” to other persons within the covered entity. Electronic data storage will increasingly offer this capability cheaply and automatically; older collections will require manual logging.

 

Characteristics of authorizations

If a research activity meets none of the bypassing criteria above, an authorization is required. When they are required, authorizations must be:

 

In "plain language" so that individuals can understand the information contained in the form, and thus be able to make an informed decision.

Executed in writing, and signed by the research subject.

 

HIPAA authorizations are normally required to have an explicit expiration date. In the context of research, it is sufficient to specify an expiration “event” – such as “the end of the study.” Or a research authorization can have no expiration date at all, though this absence must be clearly indicated.

 

As with FDA/Common Rule requirements for informed consent, there are many format and content specifications for a HIPAA research authorization. Researchers are strongly urged to rely on standard models rather than creating their own authorization form. Most organizations will already have a standard document available; check with your IRB, Privacy Board or Privacy Officer.

 

HIPAA authorizations cannot normally be combined with other types of documents (such as a Privacy Notice). However, HIPAA research authorizations can be combined with any other legal permission related to the study, including another authorization or a Common Rule/FDA informed consent, provided one does not mix authorizations where treatment is conditioned on signing the authorization with ones where it is not. (HHS is currently considering whether to change this last restriction, to allow “compound” authorizations of any kind.) If there are multiple documents that limit information use or disclosure, the most restrictive one applies.

 

DHHS has noted that it may be advisable – though not required – for a research authorization to include:

 

How PHI obtained for a research study may be used and disclosed for treatment, payment and health care operations. (Note that research-related treatment can be conditioned on provision of a research authorization. However, treatment unrelated to the research cannot.)

Information about sources of funding for the study and payment arrangements for investigators. Consistent with general recommendations about informed consent, any information that might be "material to the potential subject's decision-making" should be included.

 

Revocations of authorizations

Like other kinds of HIPAA authorizations, those for research may be revoked by the subject at any time, provided that the revocation is in writing. Revocation of an authorization is not valid to the extent that the covered entity has taken actions relying on it, such as in the provision of prior treatment. And such revocations may be limited “as necessary to maintain the integrity of the research study.” This last qualification would, for example, permit the continued use and disclosure of already-gathered data (e.g., for subsequent statistical analyses, adverse event reporting, or any disclosures required by law). It would not, however, allow new data to be collected or used.

 

Recruiting into research

It is still permissible under HIPAA to discuss recruitment into research with patients for whom such involvement might be appropriate. This common practice is considered to fall within the definition of treatment, at least when the conversation is undertaken by one of the patient's health care providers.

 

Remember, however, that a data subject’s information cannot generally be disclosed to a third party (even another care provider) without an authorization from the individual or an approved waiver, alteration or exception to authorization. HHS guidance on HIPAA has reaffirmed that recruitment activities can qualify as a “preparatory to research” activity that would allow a researcher to identify prospective research participants and then contact them for purposes of seeking their authorization. However, the PHI used for this purpose should not leave the covered entity during this activity.

 

As noted previously, preparatory activities are considered research and subject to IRB review unless exempt. And the “preparatory to research” exception itself must be approved prior to using it. Most IRBs have policies and procedures about recruitment contacts, pre-screening, enrollment, post-enrollment screening and dis-enrollment that stem from a mix of Common Rule, FDA and HIPAA requirements. You must contact appropriate authorities at your organization to determine what’s required for your circumstances. Don’t assume.

 

"Retrospective" research

As electronic health data collections grow in scale and scope it is an increasingly common practice to “browse” them, looking for interesting patterns that could translate into research possibilities. Indeed, bio-repositories of tissue and data created just for this purpose are increasingly common, and the scope and scale of such repositories grows every day. (Retrospective analysis of paper charts hasn’t gone away either.) HHS has reiterated in its guidance that use or disclosure of PHI for retrospective research studies may be done only with patient authorization or a waiver, alteration or exception determination from an IRB or Privacy Board. It shouldn't be difficult to meet one of the criteria for most efforts of this kind. For example, initial in-house examinations may be qualified as “preparatory to research,” and subsequent waivers of authorization requested on grounds of minimal risk with the required protection of any identifiers. (HHS is now considering whether to make it easier to construct HIPAA authorizations, and Common Rule informed consents, that include permission for collection of data into repositories for unspecified future research.) But this sort of data mining is considered research, even if you are “just looking around” in a casual way. You cannot proceed on your own without the approval of an IRB, Privacy Board or other designated governing entity.

 

SUMMARY

Although the specifics are lengthy, the net administrative burden that HIPAA adds to existing Common Rule/FDA regulations is generally not a large one. Compared to protocol approval generally – and the details of informed consent particularly – a HIPAA authorization is relatively easy. And, as noted, there are several pathways around the authorization requirement. To approve a study under the Common Rule/FDA requirements, IRBs have long been required to determine that there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data. Where investigators are meeting those requirements, HIPAA should change very little beyond the additional “paperwork.”

 

As noted, HIPAA applies to covered entities and the PHI that originates in or by them. Research conducted by organizations that do not qualify as such, using data that does not derive from any covered entity source, is not reached by HIPAA. In such cases, the requirements of the Common Rule/FDA remain as protections for human subjects’ privacy and other interests. The issue then is not “PHI” but what the Common Rule defines as identifiable “private information.”

 

Efforts to meet the Common Rule/FDA and HIPAA regulations' privacy requirements are only part of the researcher’s task. HIPAA also has a Security Rule that complements its Privacy Rule. The Security Rule requires that PHI collections receive appropriate information security protections for as long as they exist. Clinical data more typically enjoy the security of an organized medical records system, particularly with the growing prevalence of integrated electronic systems. Research data are too often stored in hodge-podges of computer- and paper-based records with inadequate attention to security. Hence all persons involved in a research protocol who have access to the associated data must be competent in the basic information security practices appropriate for the context. Devices and media on which research data are stored must be appropriately protected while in production, and appropriately cleaned or destroyed when no longer needed. If you don’t know how to do that, find a resource at your organization that does. In addition to a Privacy Officer, HIPAA requires designation of a security official, who should be able to help.

 

Here are the key points:

 

HIPAA privacy protections supplement those of other federal regulations (viz., the Common Rule and FDA), state law, and certification/accreditation requirements.

HIPAA protects identifiable health information from covered entities. Not all identifiable health information is protected health information (PHI).

Under HIPAA, research activity using PHI generally requires authorization. However, there are several alternatives that allow bypassing the authorization requirement.

Minimum necessary standards, disclosure accounting requirements, and the characteristics of authorizations (when required) must be understood by researchers when HIPAA applies.

If you're unsure about the particulars at your organization or have questions, consult with your organization's IRB, Privacy Board or privacy official. For data security issues, consult with your organization’s security official.

 

ADDITIONAL READING

The Department of Health and Human Services has created a series of excellent “fact sheets” that focus on different aspects of HIPAA’s impact on research. Most are available in HTML, PDF and RTF formats.

 

Clinical Research and the HIPAA Privacy Rule (June 2004) [http://privacyruleandresearch.nih.gov/clin_research.asp]

Health Services Research and the HIPAA Privacy Rule (May 2005) [http://privacyruleandresearch.nih.gov/healthservicesprivacy.asp]

Institutional Review Boards and the HIPAA Privacy Rule (July 2004) [http://privacyruleandresearch.nih.gov/irbandprivacyrule.asp]

Privacy Boards and the HIPAA Privacy Rule (September 2003) [http://privacyruleandresearch.nih.gov/privacy_boards_hipaa_privacy_rule.asp]

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (July 2004) [http://privacyruleandresearch.nih.gov/pr_02.asp]

Research Repositories, Databases, and the HIPAA Privacy Rule (January 2004) [http://privacyruleandresearch.nih.gov/research_repositories.asp]

 

The University of Miami has a Privacy/Data Protection web site that includes materials on HIPAA, among them a glossary of HIPAA terms [http://privacy.med.miami.edu/glossary/index_hipaa.htm].

 

REFERENCES

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 21 August 1996. Regulations promulgated under HIPAA are grouped into Rules, the most prominent of which is the Privacy Rule. See Standards for the Privacy of Individually Identifiable Health Information, which became effective on 14 April 2001. For most individuals and organizations covered by the Privacy Rule (“covered entities”) the effective date was 14 April 2003. Smaller entities were given an additional year to comply. Of equal importance is the so-called Security Rule, which specifies administrative, physical and technical safeguards for protected health information (PHI) in electronic form. The Privacy Rule and Security Rule regulations are codified in the Code of Federal Regulations at 45 CFR 160 and 164.

 

The American Recovery and Reinvestment Act of 2009 (ARRA, a.k.a., “the Stimulus Bill”), Public Law 111-5, 17 February 2009. Title XIII of ARRA has the subtitle Health Information Technology for Economic and Clinical Health Act (HITECH Act); this part of ARRA contains most of the provisions related to electronic health care information. See sections 13401ff.

 

See 45 CFR 164.514(b). In addition to removal of the specified identifiers, the covered entity must have no actual knowledge that the information could be used alone or in combination with other data to determine individuals’ identity. The 18 are:

 

1. Names

2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(a) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(b) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

4. Telephone numbers;

5. Fax numbers;

6. Electronic mail addresses;

7. Social security numbers;

8. Medical record numbers;

9. Health plan beneficiary numbers;

10. Account numbers;

11. Certificate/license numbers;

12. Vehicle identifiers and serial numbers, including license plate numbers;

13. Device identifiers and serial numbers;

14. Web Universal Resource Locators (URLs);

15. Internet Protocol (IP) address numbers;

16. Biometric identifiers, including finger and voice prints;

17. Full face photographic images and any comparable images; and

18. Any other unique identifying number, characteristic, or code.

 

See 45 CFR 164.514(e). For a limited data set, relative to a de-identified data set, the no. 2 restriction on geographic information is relaxed to require removal of street addresses and PO box numbers, but not town or city, state, or zip code; the no. 3 restriction on dates is eliminated, as is the no. 18 restriction on unique identifiers not otherwise listed.
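The safe-harbor identifier list above and the limited data set relaxation just described, applied to a patient record, as an added Python example that is not part of this module or of any HHS tool. The record field names, the 3-digit ZIP population figures and the sample record are assumptions constructed for illustration; a real implementation must take the ZIP populations from current Census data, as the rule requires.

```python
# Added example (not part of this CITI module): applying the 45 CFR 164.514(b)
# "safe harbor" identifier rules and the 164.514(e) limited data set (LDS)
# relaxation to one patient record. Field names, population figures and the
# sample record are CONSTRUCTED assumptions for illustration only.
from datetime import date

# Constructed stand-in for Census data: 3-digit ZIP prefix -> population of
# the geographic unit formed by all ZIP codes sharing that prefix.
ZIP3_POPULATION = {
    "331": 1_500_000,   # constructed: populous unit, prefix may be retained
    "036": 12_000,      # constructed: 20,000 or fewer people, must become 000
}

# Identifier types 1 and 4-17 as record fields (field names are assumptions).
DIRECT_IDENTIFIERS = (
    "name", "phone", "fax", "email", "ssn", "mrn", "plan_beneficiary_no",
    "account_no", "license_no", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
)
# Identifier type 3: dates directly related to the individual.
INDIVIDUAL_DATES = ("birth_date", "admission_date", "discharge_date", "death_date")


def safe_harbor_zip(zip_code, population=ZIP3_POPULATION):
    """Type 2: keep only the initial three digits, and only when the combined
    3-digit unit holds more than 20,000 people; otherwise 000. An unknown
    prefix is treated as sparse, the conservative default."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5:
        return None  # malformed input: drop rather than guess
    prefix = digits[:3]
    return prefix if population.get(prefix, 0) > 20_000 else "000"


def safe_harbor_age(age):
    """Type 3: ages over 89 collapse into the single category '90+'."""
    return "90+" if age > 89 else age


def age_on(birth_date, as_of):
    """Whole years from birth_date to as_of (one less if the birthday has
    not yet been reached in the as_of year)."""
    return as_of.year - birth_date.year - (
        (as_of.month, as_of.day) < (birth_date.month, birth_date.day))


def deidentify_record(rec, mode="safe_harbor", as_of=date(2024, 1, 1)):
    """Return a copy of `rec` with identifiers handled per `mode`.
    'safe_harbor' applies the full 18-type list; 'lds' applies the relaxed
    list, which keeps town/city, State, ZIP, all dates and type-18 codes."""
    if mode not in ("safe_harbor", "lds"):
        raise ValueError("mode must be 'safe_harbor' or 'lds'")
    out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
    # Street-level postal detail goes under both regimes; of the geographic
    # elements an LDS retains only town/city, State and ZIP.
    for k in ("street_address", "po_box", "county", "precinct"):
        out.pop(k, None)
    if mode == "lds":
        return out
    # Safe harbor: every subdivision smaller than a State goes, ZIP is
    # truncated, and the catch-all type-18 code is removed.
    out.pop("city", None)
    if out.get("zip") is not None:
        out["zip"] = safe_harbor_zip(out["zip"])
    out.pop("other_unique_code", None)
    # Dates: keep year only. Ages over 89 are aggregated and the birth year
    # suppressed, because the year alone would still reveal an age over 89.
    age = age_on(out["birth_date"], as_of) if out.get("birth_date") else None
    for k in INDIVIDUAL_DATES:
        if out.get(k) is not None:
            out[k] = out[k].year
    if age is not None:
        out["age"] = safe_harbor_age(age)
        if age > 89:
            out["birth_date"] = None
    return out


def residual_identifiers(rec):
    """Fields a safe-harbor output must not still carry; empty means clean."""
    banned = set(DIRECT_IDENTIFIERS) | {
        "street_address", "po_box", "city", "county", "precinct",
        "other_unique_code"}
    return sorted(k for k in rec if k in banned and rec[k] is not None)


# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Doe", "mrn": "MRN-0001", "email": "jane@example.com",
    "street_address": "1 Main St", "city": "Miami", "state": "FL",
    "zip": "33136-1234", "birth_date": date(1930, 6, 15),
    "admission_date": date(2023, 3, 2), "diagnosis_code": "E11.9",
    "other_unique_code": "STUDY-7",
}

if __name__ == "__main__":
    print("safe harbor:", deidentify_record(SAMPLE))
    print("LDS:        ", deidentify_record(SAMPLE, mode="lds"))
```

Running the block on the constructed record shows the difference between the two regimes: the safe-harbor output keeps only the State, the ZIP prefix 331, the admission year and the aggregated age "90+", while the LDS output keeps the city, the full ZIP and the exact dates but drops the name, medical record number, e-mail and street address. Note that the age check is conservative about the birth year: a subject over 89 loses the year as well as the day and month, matching item 3 of the list. Neither output is "de-identified" in the regulatory sense by itself; the covered entity must also have no actual knowledge that the remaining fields can be linked back to an individual.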