The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that standardizes the electronic exchange of administrative and financial data related to health care (HIPAA, 1996). To achieve its primary purpose, administrative simplification of electronic health care transactions, the U.S. Congress authorized the U.S. Department of Health and Human Services (DHHS) to write standards to protect the privacy of individually identifiable health information, so-called protected health information (PHI). The standards are collectively referred to as the "Standards for Privacy of Individually Identifiable Health Information," or, in short, the "Privacy Rule." The Privacy Rule is intended to prevent individuals from using or disclosing "individually identifiable health information" without patients' or research participants' authorization (consent) or other legal authority.
Research involving the use of PHI must adhere to both HIPAA's privacy rule and DHHS's Common Rule, both of which can be found in the U.S. Code of Federal Regulations (CFR). Some institutions have an independent Privacy Board (PB); others delegate HIPAA implementation to the Institutional Review Board (IRB). The purpose of this article is to explain the relationship between the Privacy Rule and the Common Rule, and to offer guidance to researchers.
HIPAA Concepts Governing Research
To understand the law as it applies to the use or disclosure of PHI for research purposes, it is important to understand how HIPAA defines "covered entity," "protected health information," "research," and "use."
- "Covered entity": a health plan, a health care clearinghouse, or a health care provider that transmits any health information electronically in connection with a covered transaction (45 CFR 160.102).
- "Protected health information": PHI is information about an individual, including demographic information (45 CFR 164.501, 160.103), that relates to the individual's past, present, or future health or condition, the care provided, or the payment history of the individual (45 CFR 160.103). PHI is individually identifiable health information that is transmitted or maintained in any form or medium. Individually identifiable health information is PHI whether you create it or receive it (45 CFR 164.501).
- "Research": "…a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge" (45 CFR 164.501).
- "Use": "the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information" (45 CFR 164.501).
Thus, if you are a covered entity, or a researcher within a covered entity, HIPAA's Privacy Rule applies to you. For further details, see our companion article in the Sept. 6 issue of The ASHA Leader on "HIPAA: Impact on Clinical Practice".
The Common Rule Governing Research
Institutions that receive federal funds for research purposes are governed by the Federal Policy for the Protection of Human Subjects (45 CFR part 46, subpart A), the so-called "Common Rule." HIPAA and the Common Rule share the same definition of research (see above and 45 CFR 164.501, 46.102[d]). Although these laws share some common ground, the purpose of the Common Rule is to protect the rights and welfare of every human research participant, who is defined as: "…a living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual or (2) identifiable private information…" (45 CFR 46.102[f]).
Under the Common Rule governing human research, DHHS defines "private information" as behavior that is observed or recorded for a specific purpose, that is, individually identifiable information about which the individual has a reasonable expectation of privacy, such as information contained in medical records (45 CFR 46.102[f]). The Common Rule requires a written informed consent from an individual regarding the purpose of the research, the nature of the experience and risks of participation (including observation, testing, recording, and use of individually identifiable information), and how the research data will be safeguarded.
Privacy Rule and Common Rule
While the Common Rule governs research and the Privacy Rule governs the use of PHI for treatment, payment, and health care operations, these legal rules overlap when researchers are interested in using PHI. The sidebar on the right ("Privacy Rule and Common Rule" [PDF format]) outlines the differences between the HIPAA Privacy Rule and the Common Rule's requirements.
The Privacy Rule is enforced by DHHS's Office of Civil Rights (OCR); the informed consent regulation of the Common Rule, by DHHS's Office of Human Research Protections (OHRP). The Privacy Rule is governed by an institution's Privacy Officer or Privacy Board (PB), whereas the process of obtaining informed consent for research is governed by the Institutional Review Board (IRB), although many institutions have consolidated these overlapping roles.
The IRB, using HIPAA as a guide, oversees the research use or disclosure of PHI. Researchers are required to disclose the following information to every research participant:
- a description of the PHI to be used or disclosed, identifying the information in a specific and meaningful manner
- the names or other specific identification of the person or persons (or class of persons) authorized to make the requested use or disclosure
- the names or other specific identification of the person or persons (or class of persons) to whom the covered entity may make the requested use or disclosure
- a description of each purpose of the requested use or disclosure
- authorization expiration date or expiration event that relates to the individual or to the purpose of the use or disclosure ("end of the research study" or "none" are permissible for research including for the creation and maintenance of a research database or repository)
- signature of the individual and date. If the individual's legally authorized representative signs the Authorization, a description of the representative's authority to act for the individual must also be provided (45 CFR 164.508[c]; NIH, 2004, pp. 2-3).
In addition, researchers are required to inform potential research participants that there is a risk of redisclosure, that is, the Privacy Rule might not protect PHI once it leaves the covered entity. Researchers are permitted to condition enrollment in the study (including research-related treatment) on the participant's signing the authorization. Finally, researchers must inform potential participants that they have a right to revoke their authorization (45 CFR 164.508[b]). However, if agreed upon in advance, the researcher may override the participant's wishes temporarily if the integrity of the research is at stake (45 CFR 164.524[a][iii]).
Other HIPAA Research Standards
In some research projects, it is desirable to de-identify the health information. De-identified health information refers to medical or research records from which all individually identifiable information (personal identifiers) has been removed. As an alternative to removing all 18 identifiers, a researcher may use statistical methods to reduce the risk that the information, alone or in combination with other reasonably available information, will identify the patient/research participant. Using either method, de-identified health information is referred to as a "safe harbor." De-identified health information is no longer PHI, and therefore the requirements of the HIPAA Privacy Rule no longer apply (45 CFR 164.502[d], 164.514[a]).
Another alternative for researchers is to use a Limited Data Set (LDS). An LDS is PHI with 16 direct identifiers removed (45 CFR 164.514[e]). An LDS may be used for research, public health, or health care operations. An individual's authorization is not needed to use or disclose an LDS, but using an LDS for research purposes requires IRB approval. In addition, disclosure of the LDS to an external entity requires a Data Use Agreement. This Data Use Agreement establishes the conditions that are required to protect and use the PHI contained in the LDS (45 CFR 164.514[e]).
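To make the difference between the two preceding options concrete, here is an added Python illustration (not code from the article or from any regulator) that applies identifier removal to one constructed patient record in both ways: stripping only direct identifiers, as a Limited Data Set does, and also generalising geography, dates and age, as the safe-harbor method requires. The field names, record values, reference date and the small-population ZIP prefix set are assumptions made for the example; the article gives only the identifier counts, not the lists, so the identifier set below is an approximation of the categories both methods remove.

```python
"""Safe-harbor de-identification versus a Limited Data Set, applied to one
constructed patient record.

Added illustration, not code from the article. Assumptions:
- The field names, the record values and the reference date are constructed.
- DIRECT_IDENTIFIERS approximates the identifiers that both methods strip;
  the article gives only the counts (18 for safe harbor, 16 for an LDS).
- SMALL_ZIP3 is an illustrative stand-in for the Census-derived list of
  three-digit ZIP areas with 20,000 or fewer people.
"""
from datetime import date

# Constructed sample record (not real data).
RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",        # medical record number
    "ssn": "000-00-0000",
    "phone": "555-0100",
    "email": "jane@example.invalid",
    "street": "1 Example Way",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "dob": date(1912, 5, 17),    # chosen so the age-over-89 rule fires
    "admit_date": date(2003, 4, 14),
    "diagnosis": "bilateral sensorineural hearing loss",
    "threshold_db": 45,          # clinical measurement, not an identifier
}

# Direct identifiers removed by both safe harbor and a Limited Data Set (assumption).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "street"}

# Illustrative stand-in for the small-population three-digit ZIP areas that
# safe harbor requires to be replaced with "000" (assumption: not the real list).
SMALL_ZIP3 = {"036", "059"}

AGE_CAP = 89  # ages above this are reported only as an aggregate category


def age_on(ref: date, dob: date) -> int:
    """Whole years from dob to ref."""
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def limited_data_set(rec: dict) -> dict:
    """Strip direct identifiers; keep dates and city/state/ZIP.

    The article's point: the result is still PHI, so research use needs IRB
    approval and external disclosure needs a Data Use Agreement.
    """
    return {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(rec: dict, ref_date: date) -> dict:
    """Generalise the indirect identifiers an LDS may keep, so that none of
    the safe-harbor categories present in this record survive (assumption:
    a real record would need every category checked, not just these)."""
    out = limited_data_set(rec)

    # Geography: nothing smaller than a state except a three-digit ZIP
    # prefix, and even that is zeroed for small-population areas.
    out.pop("city")
    zip3 = out.pop("zip")[:3]
    out["zip3"] = "000" if zip3 in SMALL_ZIP3 else zip3

    # Dates: only the year may survive.
    out["admit_year"] = out.pop("admit_date").year
    dob = out.pop("dob")

    # Age: over 89 collapses to an aggregate, and the birth year goes with it
    # because on its own it would reveal the age.
    age = age_on(ref_date, dob)
    if age > AGE_CAP:
        out["age"] = f"{AGE_CAP + 1}+"
    else:
        out["age"] = age
        out["birth_year"] = dob.year
    return out


def leaked_direct_identifiers(rec: dict) -> set:
    """Fields from DIRECT_IDENTIFIERS still present: a simple pre-release check."""
    return DIRECT_IDENTIFIERS & set(rec)


if __name__ == "__main__":
    ref = date(2003, 4, 14)  # the HIPAA compliance date, used here as "today"
    lds = limited_data_set(RECORD)
    sh = safe_harbor(RECORD, ref)
    print("Limited Data Set:", lds, "\n")
    print("Safe harbor:", sh)
    assert not leaked_direct_identifiers(lds) and not leaked_direct_identifiers(sh)
```

Running the script shows why the article treats the two results differently: the Limited Data Set still carries the full ZIP code and exact dates, which is why it remains PHI and travels only under a Data Use Agreement, while the safe-harbor output keeps only a ZIP prefix, years, and an aggregated age. The statistical (expert-determination) alternative the article mentions is not shown, since it is a risk analysis rather than a fixed transformation.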
Both HIPAA regulations and IRB regulations under the Common Rule allow researchers to use PHI in preparation for research, for example, to prepare a research protocol, to determine if an adequate subject population exists, and to determine study feasibility. The IRB may grant a waiver of authorization (164.512[i]), that is, may allow a researcher to access PHI without patient consent, if the researcher satisfies the IRB that: 1) use or disclosure of the PHI is solely to prepare a research protocol or other similar purpose; 2) the PHI will not be removed from the covered entity's premises; and 3) access to the PHI is necessary for the research (45 CFR 164.512[i][ii]; NIH, 2004, p. 5).
Finally, it is permissible for a researcher who is a member of the covered entity's workforce to identify and contact patients for the purposes of seeking their consent for participation in a research study (NIH, 2004, pp. 4, 6). Researchers should note that any preparatory research activities involving human subjects research as defined by HHS Protection of Human Subjects Regulations, which are not otherwise exempt, must be reviewed and approved by the IRB (NIH, 2003, p. 17). Other waivers of the consent requirement may be authorized if either the IRB or the Privacy Board determines that "the use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals" (164.512[i][i] & [i]).
Research Transition Standards
HIPAA's compliance date was April 14, 2003. A researcher can use information without a post-compliance-date authorization from the patient if: 1) an authorization to use or disclose PHI was obtained before the Privacy Rule compliance date; 2) an informed consent was obtained before the compliance date; or 3) a waiver of informed consent was obtained from the IRB before the compliance date. In other words, the Privacy Rule's transition standard allows a covered entity/researcher to use or disclose the "old data" for research purposes. As always, the PHI must be de-identified prior to publication. However, if a researcher desires to conduct a new analysis on the "old data" (i.e., an analysis that is outside the scope of the original IRB-approved protocol), two rules apply: 1) if the old IRB-approved protocol is active, the researcher must amend the protocol and obtain IRB approval; 2) if the old IRB-approved protocol has lapsed, the researcher must submit a new protocol and obtain IRB approval (45 CFR 164.532[c]; NIH, 2004, p. 2). When in doubt about the status of your research data or whether your IRB protocol is HIPAA-compliant, consult your Privacy Board or IRB official.
HIPAA's Privacy Rule is intended to protect the privacy of health information; in turn, the Common Rule is intended to safeguard the interests of research participants, including their privacy. These two sets of regulations are linked by a common underlying goal, namely to safeguard PHI.