HIPAA Frequently Asked Questions

1. What is the HIPAA Privacy Rule?  

2. To whom does the Privacy Rule apply? Who are covered entities?  

3. When is a researcher considered a covered (entity) health care provider?  

4. What is protected health information (PHI)?  

5. Does the Privacy Rule apply to de-identified health information?  

6. How can individually identifiable health Information be de-identified?  

7. Can an investigator obtain PHI from a covered entity for research purposes?  

8. Can a covered entity allow an investigator to access PHI for recruiting research participants or preparing a research protocol?  

9. Is a waiver needed for activities preparatory to research, for research on the PHI of decedents, or access to a limited data set with a data use agreement?  

10. When does a covered entity have discretion to determine whether a research component of the entity is part of their covered functions, and therefore, subject to the HIPAA Privacy Rule?  

11. Is the creation of a database for research purposes permissible with an IRB/PB waiver?  

12. Can researchers continue to use previously existing databanks or repositories?  

13. If the research participants' consent was obtained before the compliance date, but the IRB subsequently modifies the informed consent document after the HIPAA compliance date and requires that participants be reconsented, is authorization now required from these previously enrolled research participants under the HIPAA privacy rule?  

14. Do the HIPAA privacy rule's requirements for authorization and the common rule's requirements for informed consent differ?  

15. Does the HIPAA Privacy Rule modify the Common Rule (45CFR46 Subpart A)?

The Privacy Rule, or Standards for the Privacy of Individually Identifiable Health Information, issued by the Department of Health and Human Services implements the requirement of the Health Insurance Portability and Accountability Act of 1996. It establishes a set of national standards for the protection of certain health information. The standards address the use and disclosure of individuals' health information – called protected health information (PHI) – by organizations subject to the Privacy Rule – called covered entities – for various purposes including research. It also sets standards for individuals' privacy rights to gain access to, be informed of, and control how their health information is used.

The Privacy Rule applies to health plans, health care clearinghouses, and any health care provider who electronically transmits health information in connection with certain transactions, which include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which DHHS has established standards under the HIPAA Transactions Rule.

It is important to note that many research organizations that handle individually identifiable health information will not have to comply with the Privacy Rule because are not considered covered entities. The Privacy Rule will not directly regulate researchers who are engaged in research within such organizations even though they may gather, generate, access, and share personal health information. For instance, entities that sponsor health research or create and/or maintain health information databases may not themselves be covered entities, and thus may not directly be subject to the Privacy Rule. However, researchers may rely on covered entities for research support or as sources of individually identifiable health information to be included in research repositories or research databases. The Privacy Rule may affect such independent researchers, as it will affect their relationships with covered entities. (Adapted from NIH booklet).

A researcher is a covered health care provider if he or she furnishes health care services to individuals, including research participants, and transmits any health information in electronic form in connection with a transaction covered by the Transactions Rule. For example, a researcher who conducts a clinical trial that involves the delivery of routine health care, such as an MRI or liver function test, and transmits health information in electronic form to a third party payer for payment, would be a covered health care provider under the Privacy Rule. Researchers who provide health care to research participants or other individuals would be covered health care providers even if they do not themselves electronically transmit information in connection with a HIPAA transaction, but have other entities, such as a hospital or billing service, conduct such electronic transactions on their behalf.

Protected health information (PHI) is individually identifiable health information that is held or transmitted by a covered entity (or its business associate) in any form or media, whether electronic, paper, or oral. Individually identifiable health information includes common identifiers such as name, address, social security number, date of birth, or any other information that can be used to identify the individual.

No, the Privacy Rule does not apply to de-identified information since it neither identifies nor provides a reasonable basis to identify an individual.

Under the Privacy Rule, information can be de-identified in two ways:

1. A formal determination is made by a qualified statistician; or, 

2. By using the Safe Harbor Method, which involves the removal of 18 specified identifiers of the individual, or of relatives, employers or household members of the individual. The specific identifiers are: (i) Names; (ii) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of Census (a) the geographic units formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (b) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000; (iii) All elements of dates (except year) for dates directly related to the individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older; (iv) Telephone numbers; (v) Fax numbers; (vi) Electronic mail addresses: (vii) Social security numbers; (viii) Medical record numbers; (ix) Health plan beneficiary numbers; (x) Account numbers; (xi) Certificate/license numbers; (xii) Vehicle identifiers and serial numbers, including license plate numbers; (xiii) Device identifiers and serial numbers; (xiv) Web Universal Resource Locators (URLs); (xv) Internet Protocol (xvi) address numbers; (xvii) Biometric identifiers, including finger and voice prints; (xviii) Full face photographic images and any comparable images; and ® any other unique identifying number, characteristic, or code, except as permitted for re-identification purposes provided certain conditions are met. In addition to the removal of the above-stated identifiers, the covered entity may not have actual knowledge that the remaining information could be used alone or in combination with any other information to identify an individual who is subject of the information. 45 CFR §164.514(b).

Yes, under the Privacy Rule, covered entities are permitted to use and disclose PHI for research either:

I. With individual authorization; or

II. Without individual authorization under limited circumstances

A. The data requestor/recipient provides documentation that an alteration or a waiver of the requirement for participants' authorization has been approved by an IRB or Privacy Board (PB). In addition to a statement that the alteration/waiver has been approved by an IRB or PB that was constituted as stipulated in the Rule, the documentation should include other specific information:

1. Identity of the IRB/PB;

2. Date the alteration/waiver was approved;

3. Statement that the alteration/waiver satisfies the following 3 criteria:

a. The use/disclosure of PHI involves no more than minimal risk to the privacy of individuals, based on at least the following elements:

i. An adequate plan has been proposed to protect the identifiers from improper use and disclosure;

ii. An adequate plan has been proposed to destroy identifiers at the earliest possible opportunity, unless there is a health or research justification for retaining it, or is required by law; and,

iii. There is adequate written assurance that the PHI will not be reused or disclosed

b. The research could not practicably be conducted without the alteration/waiver

c. The research could not practicably be conducted without access to and use of the PHI

B. Limited Data Sets -- Covered entities may use or disclose limited data sets, i.e., a data set that excludes direct identifiers (16 specific identifiers, including name, street address, tel./FAX numbers, VIN, SSN, e-mail address, full face photographs, etc.), after obtaining from the recipient a data use agreement that specifies permitted uses and disclosures of the PHI, limits who can use or receive the data, and requires the recipient to agree not to re-identify the data or contact the individuals.

When a covered entity discloses PHI in a limited data set to a researcher who has entered into an appropriate data use agreement, then documentation of IRB/PB approval of waiver of individual authorization is not required.

(The following Q&A were adapted from OCR website)

Yes, under the Privacy Rule, a covered may allow a researcher to review PHI for purposes of preparing the research protocol and/or recruiting research participants provided the researcher affirms, either in writing or orally that:

1. The use or disclosure of PHI is solely to prepare a research protocol or for similar purposes preparatory to research; and 

2. No PHI will be removed from the covered entity's premises.

The preparatory research provision allows a researcher to identify prospective research participants for purposes of seeking their authorization to use their PHI for a research study. However, a researcher who is not a part of the covered entity may not use the preparatory research provision to contact prospective research subjects. Rather, the outside researcher could obtain contact information through a partial waiver of individual authorization by an IRB or Privacy Board as permitted at 45 CFR §164.512(i)(1)(i). The IRB/PB waiver of authorization permits the partial waiver of authorization for the purposes of allowing a researcher to obtain PHI as necessary to recruit potential research subjects. For example, even if an IRB does not waive informed consent and individual authorization for the study itself, it may waive such authorization to permit the disclosure of protected health information as necessary for the researcher to be able to contact and recruit individuals into the study.

No, documentation of IRB/PB approval of an alteration or waiver of individual authorization is not needed for any of the above-mentioned activities.

A covered entity that qualifies as a hybrid entity, i. e, the entity is a single legal entity that performs both covered and non-covered functions may choose whether it wants to be a hybrid entity. If such a covered entity decides not to be a hybrid entity then it, and all of its components, are subject to the Privacy Rule in its entirety. Therefore, if a researcher is an employee or workforce member of a covered entity that has decided not to be a hybrid entity, the researcher is part of the covered entity and is, therefore, subject to the Privacy Rule.

If a covered entity decides to be a hybrid entity, it must define and designate as its health care component(s) those parts of the entity that engage in covered functions. “Covered functions” are those functions of a covered entity that make the entity a health plan, a health care provider, or a health care clearinghouse. Thus, research components of a hybrid entity that function as health care providers and engage in standard electronic transactions must be included in the hybrid entity's health care component(s), and be subject to the Privacy Rule.

However, research components that function as health care providers, but do not engage in standard electronic transactions may, but are not required to, be included in the health care component(s) of the hybrid entity. For example, a hybrid entity, such as a university, has the option to include or exclude a research laboratory, that functions as a health care provider but does not engage in electronic transactions, as part of the hybrid entity's health care component. If such a research laboratory is included in the hybrid entity's health care component, then the employees or workforce members of the laboratory must comply with the Privacy Rule. But if the research laboratory is excluded from the hybrid entity's health care component, the employees or workforce members of the laboratory are not subject to the Privacy Rule.

Yes, a covered entity may use or disclose protected health information without individuals' authorizations for the creation of a research database, provided the covered entity obtains documentation that an IRB or Privacy Board has determined that the specified waiver criteria were satisfied. Protected health information maintained by a covered entity in such a research database could be used or disclosed for future research studies as permitted by the Privacy Rule – that is, for future studies in which individual authorization has been obtained or where the Rule would permit research without an authorization, such as pursuant to an IRB or Privacy Board waiver.

Yes. Under the HIPAA Privacy Rule, covered entities may use or disclose PHI from existing databases or repositories for research purposes either with individual authorization, or with a waiver of individual authorization.

Yes. If informed consent or reconsent (i.e., participants are asked to sign another or a revised consent form) is obtained from research participants after the compliance date, the covered entity must obtain individual authorization for the use or disclosure of protected health information once the consent obtained before the compliance date is no longer valid for the research. The revised informed consent document may be combined with the authorization elements.

Yes. Under the Privacy Rule, an individual's authorization is for the use and disclosure of PHI for research purposes. In contrast, an individual's informed consent, as required by the Common Rule, is a consent to participate in the research study as a whole, not simply a consent for the research use or disclosure of his or her PHI.

For this reason, there are important differences between the Privacy Rule's requirements for individual authorization, and the Common Rule's requirements for informed consent. However, the Privacy Rule's authorization elements are compatible with the Common Rule's informed consent elements. Thus, both sets of requirements can be met by use of a single, combined form, which is permitted by the Privacy Rule. For example, the Privacy Rule allows the research authorization to state that the authorization will be valid until the conclusion of the research study, or to state that the authorization will not have an expiration date or event. This is compatible with the Common Rule's requirement for an explanation of the expected duration of the research subject's participation in the study. It should be noted that where the Privacy Rule, and/or the Common Rule human subjects regulations are applicable, each of the applicable regulations would need to be followed.

No. Where both the Privacy Rule and the Common Rule apply, both regulations must be followed. The Privacy Rule regulates only the content and conditions of the documentation that covered entities must obtain before using or disclosing PHI for research purposes.