The Health Insurance Portability and Accountability Act (HIPAA) of 1996 mandates privacy and confidentiality protections for individually identifiable health information, including the information of human research subjects. The following summarizes how the Act affects patient care, human subject research, and the protected health information of these persons:
Tufts Medical Center is a covered entity. All research at Tufts Medical Center is subject to HIPAA. Tufts University is a hybrid entity, which means parts of Tufts University are subject to HIPAA and parts are not. At Tufts University, HIPAA applies to Tufts University School of Dental Medicine, Student Services in the Medford/Somerville Campus, and if a researcher at Tufts University generates protected health information at a covered entity.
For all new studies submitted after April 1, 2012, if HIPAA applies, a combined ICF/RAF document must be submitted. A separate ICF and RAF will no longer be accepted.
For existing studies, at continuing review investigators can convert to the combined ICF/RAF document or continue to use a separate ICF and RAF.
Health Insurance Portability and Accountability Act of 1996.
|HIPAA Privacy Rule|
HIPAA required comprehensive health information privacy regulations; the final modifications to the HIPAA Privacy Rule were issued August 14, 2002, with compliance required by April 14, 2003.
Protected Health Information. PHI is individually identifiable health information created or received by a Covered Entity or an employer that relates to an individual's past, present, or future physical or mental health condition, the provision of health care to the individual, or payment for that care. Health information is PHI when it identifies the individual or could reasonably be used to identify the individual.
Covered Entities under the HIPAA Privacy Rule are Health Care Providers, Health Plans and Health Care Clearinghouses.
TPO is treatment, payment and health care operations. The HIPAA Privacy Rule permits use and disclosure of PHI without the individual's authorization only for TPO or when a regulatory exception applies (e.g. public health reporting); other uses and disclosures, including most research, require the individual's written authorization or an approved waiver.
HIPAA Research Authorization
The Research Authorization required under the HIPAA Privacy Rule is a written patient authorization that must specify:
De-identified data excludes all eighteen HIPAA Identifiers (the "safe harbor" method; the Privacy Rule also recognizes de-identification by documented expert statistical determination). De-identified data is not "anonymous data" under the Common Rule.
Seventeen federal departments and agencies agreed to adopt basic human subject protections regulations published in 1991 as the Common Rule. The Common Rule was derived from the first of four subparts of the DHHS regulations for the protection of human subjects.
The eighteen HIPAA Identifiers are:
|Limited Data Set|
A limited data set excludes specific direct identifiers of the individual and may be disclosed to a researcher through a data use agreement for research, public health or health care operations. A limited data set under the HIPAA Privacy Rule may not include:
A limited data set may include:
It is important to note that this information is still protected health information (PHI) under HIPAA. It is not de-identified information and is still subject to the requirements of the Privacy Regulations.
The HIPAA Privacy Rule and the Common Rule have the same definition of research: a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge (45 CFR 46.102; 45 CFR 164.501).
|Notice of Privacy Practices|
The HIPAA Privacy Rule requires that a Covered Entity must tell individuals how PHI is used and disclosed. A good faith effort must be made to obtain written acknowledgement of receipt of a Privacy Notice.
|Minimum Necessary Rule|
Covered Entities and their Business Associates must make all reasonable efforts to limit uses, disclosures and requests of PHI to the minimum amount necessary to accomplish the intended purpose.
|Waiver of HIPAA Research Authorization|
Under the Final HIPAA Privacy Rule a Waiver of HIPAA Research Authorization may be granted under the following criteria:
|Minimal Risk to Privacy|
There is minimal risk to privacy under HIPAA if the following criteria are met:
The HIPAA Privacy Rule also applies to Business Associates, who are persons or entities that create, receive, use, or disclose PHI to perform or assist in the functions of a Covered Entity.
|Good Privacy Practices (GPP)|
|Research Authorization Form (RAF)|
Databases where PHI is placed, processed and stored that are used as resources for future research require a HIPAA Research Authorization or a HIPAA Waiver. Since the definition of Research is the same under HIPAA and the Common Rule, these databases also require IRB approval. Complete a Form 7 when requesting a HIPAA Authorization or a HIPAA Waiver.
This form is used to help you fulfill HIPAA accounting-of-disclosures requirements when you are granted a research authorization waiver. If you access 50 or fewer records, you must record the names of the individuals whose records you have accessed. If you access 51 or more records, you may instead create a profile of the study population (e.g., men over age 70 with glaucoma and a history of hypertension). In either case, it is the responsibility of the PI to report the names or profile to his/her institution's HIPAA Privacy Officer for Research.
The Tufts Medical Center/TUHS IRB/Privacy Board may permit the use and disclosure of PHI as a Limited Data Set under a Data Use Agreement between a Data User and Tufts Medical Center/TUHS. The PI should complete the Data Use Agreement Form to ensure that the request for Limited Data Set under a Data Use Agreement includes all of the necessary information regarding the uses and disclosures. The following elements should be included in the agreement:
This form is required when you plan to access PHI for purposes preparatory to research (such as preparing a research protocol, assessing feasibility of a research study, developing a hypothesis, or identifying prospective participants who would meet eligibility criteria for a proposed project). The PI will confirm the following on the Review Preparatory to Research Form:
This form is required if you plan to conduct research on decedents (a person who has died). The PI will confirm the following on the Research on Decedent Form:
This form is for use when a case report may directly or indirectly identify a patient. An analysis of more than 3 clinical cases meets the definition of research and must receive IRB approval before starting. These cases also require HIPAA authorization from the patient. Please refer to the case report policy for more information.
Privacy Officer & Director of Internal Audit
Associate General Counsel
Director of Data and Systems Security