HIPAA Definitions for Research

Term Definition
HIPAA Health Insurance Portability and Accountability Act of 1996.
HIPAA Privacy Rule HIPAA required comprehensive health information privacy regulations; the Final HIPAA Privacy Rule was issued August 14, 2002 (requiring compliance by April 14, 2003).
PHI Protected Health Information. PHI is health information created or received by a Covered Entity or an employer that relates to past, present, or future physical or mental health condition, provision of or payment for health care. PHI is any health information that identifies an individual.
Covered Entity Covered Entities under the HIPAA Privacy Rule are Health Care Providers, Health Plans and Health Care Clearinghouses.
TPO TPO is treatment, payment and health care operations. The HIPAA Privacy Rule permits disclosure of PHI only for TPO or when regulatory exception applies (e.g. public health reporting).

HIPAA Research Authorization

The Research Authorization required under the HIPAA Privacy Rule is a written patient authorization that must specify:>

  1. Who can use or disclose PHI
  2. To whom PHI may be disclosed
  3. What PHI may be used or disclosed
  4. The purposes of the used or disclosed PHI
  5. The duration of the authorization (expiration date or event)
De-identified Data De-identified data excludes all eighteen HIPAA Identifiers. De-identified data is not “anonymous data” under the Common Rule.
Common Rule Seventeen federal departments and agencies agreed to adopt basic human subject protections regulations published in 1991 as the Common Rule. The Common Rule was derived from the first of four subparts of the DHHS regulations for the protection of human subjects.
HIPAA Identifiers The eighteen HIPAA Identifiers are:

  1. Names
  2. Geographic subdivisions smaller than a State
  3. Dates (except year) directly related to patient
  4. Telephone numbers
  5. Fax numbers
  6. E-mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code, except as permitted under HIPAA to re-identify data
Limited Data Set A limited data set under HIPAA Privacy Rule may not include:

  1. Birth Date
  2. Dates of treatment/admission/discharge
  3. Address (but not specific street addresses) and must excluded direct identifiers:
    a) Names
    b) Address (other than city, state and zip code)
    c) Telephone numbers
  4. Fax numbers
  5. Email addresses
  6. Social security numbers
  7. Medical record numbers
  8. Health plan beneficiary numbers
  9. Account numbers
  10. Certificate/license numbers
  11. Vehicle identifiers and serial numbers
  12. Device identifiers and serial numbers
  13. Web URLs
  14. Internet Protocol (IP) address numbers
  15. Biometric identifiers (finger and voice prints)
  16. Full face photographic images and any comparable images
Research The HIPAA Privacy Rule and the Common Rule have the same definition of research: Systematic investigation, including research development, testing and evaluation designed to develop or contribute to generalizable knowledge (45 CFR 64.10).
Notice of Privacy Practices The HIPAA Privacy Rule requires that a Covered Entity must tell individuals how PHI is used and disclosed. A good faith effort must be made to obtain written acknowledgement of receipt of a Privacy Notice.
Minimum Necessary Rule Covered Entities and their Business Associates must make all reasonable efforts to limit disclosures of PHI to the minimum amount necessary to accomplish the intended purpose.
Waiver of HIPAA Research Authorization Under the Final HIPAA Privacy Rule a Waiver of HIPAA Research Authorization may be granted under the following criteria:

  1. There is minimal risk to privacy.
  2. The research could not practicably be conducted without the waiver.
  3. The research could not practicably be conducted without the PHI.
Minimal Risk to Privacy There is minimal risk to privacy under HIPPA if the following criteria are met:

  1. An adequate plan is in place to protect information from improper use or disclosure.
  2. There is an adequate plan to destroy identifiers.
  3. Written assurance is provided that the PHI will not be disclosed further than identified in the waiver.
Business Associates The HIPAA Privacy Rule also applies Business Associates who are persons or entities that create, use, or disclose PHI to perform or assist in the functions of a Covered Entity.
GPP Good Privacy Practices
Research Authorization Form (RAF)