The Health Insurance Portability and Accountability Act (HIPAA) of 1996 mandates privacy and confidentiality protections for human research subjects. There is much information on this Act regarding how it impacts patient care and human subject research and the protected health information of these persons:
Tufts Medical Center is a covered entity. All research at Tufts Medical Center is subject to HIPAA. Tufts University is a hybrid entity, which means parts of Tufts University are subject to HIPAA and parts are not. At Tufts University, HIPAA applies to Tufts University School of Dental Medicine, to Student Services in the Medford/Somerville Campus, and whenever a researcher at Tufts University generates protected health information at a covered entity.
For all new studies submitted after April 1, 2012, if HIPAA applies, a combined ICF/RAF document must be submitted. A separate ICF and RAF will no longer be accepted.
For existing studies, at continuing review investigators can convert to the combined ICF/RAF document or continue to use a separate ICF and RAF.
|HIPAA||Health Insurance Portability and Accountability Act of 1996.|
|HIPAA Privacy Rule||HIPAA required comprehensive health information privacy regulations; the Final HIPAA Privacy Rule was issued August 14, 2002 (requiring compliance by April 14, 2003).|
|PHI||Protected Health Information. PHI is health information created or received by a Covered Entity or an employer that relates to past, present, or future physical or mental health condition, provision of or payment for health care. PHI is any health information that identifies an individual.|
|Covered Entity||Covered Entities under the HIPAA Privacy Rule are Health Care Providers, Health Plans and Health Care Clearinghouses.|
|TPO||TPO is treatment, payment and health care operations. The HIPAA Privacy Rule permits disclosure of PHI only for TPO or when a regulatory exception applies (e.g. public health reporting).|
|HIPAA Research Authorization||The Research Authorization required under the HIPAA Privacy Rule is a written patient authorization that must specify:
|De-identified Data||De-identified data excludes all eighteen HIPAA Identifiers. De-identified data is not "anonymous data" under the Common Rule.|
|Common Rule||Seventeen federal departments and agencies agreed to adopt basic human subject protections regulations published in 1991 as the Common Rule. The Common Rule was derived from the first of four subparts of the DHHS regulations for the protection of human subjects.|
|HIPAA Identifiers||The eighteen HIPAA Identifiers are:
|Limited Data Set||A limited data set excludes specific direct identifiers of the individual and may be disclosed to a researcher through a data use agreement for research, public health or health care operations. A limited data set under the HIPAA Privacy Rule may not include:
A limited data set may include:
It is important to note that this information is still protected health information (PHI) under HIPAA. It is not de-identified information and is still subject to the requirements of the Privacy Regulations.
|Data Use Agreement Form||The Tufts Medical Center/TUHS IRB/Privacy Board may permit the use and disclosure of PHI as a Limited Data Set under a Data Use Agreement between a Data User and Tufts Medical Center/TUHS. The PI should complete the Data Use Agreement Form to ensure that the request for Limited Data Set under a Data Use Agreement includes all of the necessary information regarding the uses and disclosures. The following elements should be included in the agreement:
|Research||The HIPAA Privacy Rule and the Common Rule have the same definition of research: Systematic investigation, including research development, testing and evaluation designed to develop or contribute to generalizable knowledge (45 CFR 64.10).|
|Notice of Privacy Practices||The HIPAA Privacy Rule requires that a Covered Entity must tell individuals how PHI is used and disclosed. A good faith effort must be made to obtain written acknowledgement of receipt of a Privacy Notice.|
|Minimum Necessary Rule||Covered Entities and their Business Associates must make all reasonable efforts to limit disclosures of PHI to the minimum amount necessary to accomplish the intended purpose.|
|Waiver of HIPAA Research Authorization||Under the Final HIPAA Privacy Rule a Waiver of HIPAA Research Authorization may be granted under the following criteria:
|Minimal Risk to Privacy||There is minimal risk to privacy under HIPAA if the following criteria are met:
|Business Associates||The HIPAA Privacy Rule also applies to Business Associates, who are persons or entities that create, use, or disclose PHI to perform or assist in the functions of a Covered Entity.|
|GPP||Good Privacy Practices|
Databases where PHI is placed, processed and stored that are used as resources for future research require a HIPAA Research Authorization or a HIPAA Waiver. Since the definition of Research is the same under HIPAA and the Common Rule, these databases also require IRB approval. Complete a Form 7 when requesting a HIPAA Authorization or a HIPAA Waiver.
This form is used to help you fulfill HIPAA accounting requirements when you are granted a research authorization waiver. If you access 50 or fewer records, you must record the names of the records you have accessed. If you access 51 or more records, you may create a profile of the study population (e.g., men over age 70 with glaucoma and a history of hypertension). In either case, it is the responsibility of the PI to report the names or profile to his/her institution’s HIPAA Privacy Officer for Research.
This form is required when you plan to access PHI for purposes preparatory to research (such as preparing a research protocol, assessing feasibility of a research study, developing a hypothesis, or identifying prospective participants who would meet eligibility criteria for a proposed project). The PI will confirm the following on the Review Preparatory to Research Form:
This form is required if you plan to conduct research on decedents (a person who has died). The PI will confirm the following on the Research on Decedent Form:
This form is for use when a case report may directly or indirectly identify a patient. An analysis of more than 3 clinical cases meets the definition of research that must receive IRB approval before starting. These cases also require HIPAA authorization from the patient. Please refer to the case report policy for more information.
Depending on the type of study you have, you may utilize the following means to comply with HIPAA (all forms and templates are available here):
You also have limited ability to access PHI in “a review preparatory to research”. Please complete the Review Preparatory to Research form.
For information concerning HIPAA and case reports, please refer to the case report policy.
The HIPAA Privacy Rule requires:
The Privacy Rule does not require disclosure in the combined ICF/RAF or HIPAA RAF if direct or indirect remuneration is received in exchange for use or disclosure of the health information.
Consent, authorization or other legal permission obtained prior to the mandatory compliance date (April 14, 2003) allows the PHI to be used after April 14, 2003 for the research. If, after April 14, 2003, a revised informed consent is required for prior enrolled subjects, then HIPAA research authorization should be obtained from the prior enrolled subjects.
Waivers of Informed Consent prior to April 14, 2003 by the IRB are “grandfathered” as a Waiver of HIPAA Research Authorization. After April 14, 2003 separate waivers must be obtained for Informed Consent under the Common Rule and Research Authorization under HIPAA.
The HIPAA Privacy Rule does not protect the health information of healthy normal volunteers, but hospital registration for these participants creates a clinical record that is PHI.
A research unit that is part of a Covered Entity may need to provide the Notice of Privacy Practices to a subject if participation in a clinical trial is the initial contact with the Covered Entity.
There are HIPAA Security Standards that require reasonable operational, technical and physical safeguards for PHI that:
Contact your Information Technology office for more information about HIPAA security standards.
A research subject has the right to revoke, in writing, his/her authorization at any time. However, research subjects cannot revoke authorization to the extent that the study is reliant on previously authorized information. You may continue to use data already collected to protect the integrity or accuracy of a study.
There are both civil and criminal penalties for improper use or disclosure of PHI. A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year of imprisonment. The criminal penalties increase to $100,000 and up to five years of imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years of imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm.
|Coded information used for my study||The HIPAA Privacy Rule does not apply if all 18 HIPAA identifiers are removed from this information. The HIPAA Privacy Rule does apply to the code that allows re-identification of the PHI. However, the Common Rule considers coded information to be indirectly identifiable.|
|Studies that are NOT funded by the FDA or the NIH||Yes - The HIPAA Privacy Rule applies regardless of funding source and even if FDA and HHS regulations are not applicable.|
|Researchers working in a hospital||Yes - The HIPAA Privacy Rule covers researchers within a Covered Entity because they generate PHI (e.g. in clinical trials) and receive, access, or use PHI.|
|Retrospective chart reviews.||Yes - A retrospective chart review may require a HIPAA Waiver. This will be evaluated by the IRB/Privacy Board upon submission.|
|Quality Assurance projects for health care operations.||No - They are permitted under the HIPAA Privacy Rule as “health care operations” so no separate authorization or waiver is required.|
|Quality Assurance projects for research.||Yes - a HIPAA waiver is required.|
|Use of PHI for Recruitment.||Yes - a HIPAA waiver is required.|
|Databases for research containing PHI||Yes - Databases where PHI is placed, processed and stored that are resources for research require HIPAA Research Authorization or Waiver. Since the definition of Research is the same under HIPAA and the Common Rule, these databases also require IRB approval.|
Privacy Officer & Director of Internal Audit
Associate General Counsel
Director of Data and Systems Security