
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 mandates privacy and confidentiality protections for human research subjects. Much information is available on how this Act affects patient care, human subject research, and the protected health information of these persons.

Tufts Medical Center is a covered entity. All research at Tufts Medical Center is subject to HIPAA. Tufts University is a hybrid entity, which means parts of Tufts University are subject to HIPAA and parts are not. At Tufts University, HIPAA applies to Tufts University School of Dental Medicine, Student Services on the Medford/Somerville Campus, and any research in which a Tufts University researcher generates protected health information at a covered entity.

For all new studies submitted after April 1, 2012, if HIPAA applies, a combined ICF/RAF document must be submitted. A separate ICF and RAF will no longer be accepted.

For existing studies, at continuing review investigators can convert to the combined ICF/RAF document or continue to use a separate ICF and RAF.


HIPAA Definitions

Health Insurance Portability and Accountability Act of 1996.


HIPAA Privacy Rule

HIPAA required comprehensive health information privacy regulations; the Final HIPAA Privacy Rule was issued August 14, 2002 (requiring compliance by April 14, 2003).



Protected Health Information (PHI)

PHI is health information created or received by a Covered Entity or an employer that relates to a past, present, or future physical or mental health condition, or to the provision of or payment for health care. PHI is any health information that identifies an individual.


Covered Entity

Covered Entities under the HIPAA Privacy Rule are Health Care Providers, Health Plans and Health Care Clearinghouses.



TPO

TPO is treatment, payment and health care operations. The HIPAA Privacy Rule permits disclosure of PHI only for TPO or when a regulatory exception applies (e.g. public health reporting).


HIPAA Research Authorization

The Research Authorization required under the HIPAA Privacy Rule is a written patient authorization that must specify:

  1. Who can use or disclose PHI
  2. To whom PHI may be disclosed
  3. What PHI may be used or disclosed
  4. The purposes of the used or disclosed PHI
  5. The duration of the authorization (expiration date or event)


De-identified Data

De-identified data excludes all eighteen HIPAA Identifiers. De-identified data is not "anonymous data" under the Common Rule.


Common Rule

Seventeen federal departments and agencies agreed to adopt basic human subject protections regulations published in 1991 as the Common Rule. The Common Rule was derived from the first of four subparts of the DHHS regulations for the protection of human subjects.


HIPAA Identifiers

The eighteen HIPAA Identifiers are:

  1. Names
  2. Geographic subdivisions smaller than a State
  3. Dates (except year) directly related to patient
  4. Telephone numbers
  5. Fax numbers
  6. E-mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code, except as permitted under HIPAA to re-identify data


Limited Data Set

A limited data set excludes specific direct identifiers of the individual and may be disclosed to a researcher through a data use agreement for research, public health or health care operations. A limited data set under the HIPAA Privacy Rule may not include:

  1. Names
  2. Postal address information (other than town or city, state, and ZIP Code)
  3. Telephone numbers
  4. Fax numbers
  5. Email addresses
  6. Social security numbers
  7. Medical record numbers
  8. Health plan beneficiary numbers
  9. Account numbers
  10. Certificate/license numbers
  11. Vehicle identifiers and serial numbers
  12. Device identifiers and serial numbers
  13. Web universal resource locators (URLs)
  14. Internet Protocol (IP) address numbers
  15. Biometric identifiers (finger and voice prints)
  16. Full face photographic images and any comparable images

A limited data set may include:

  • Dates such as admission, discharge, service, DOB, DOD
  • State, city, and five digit or more zip code
  • Ages in years, months, days or hours

It is important to note that this information is still protected health information (PHI) under HIPAA. It is not de-identified information and is still subject to the requirements of the Privacy Regulations.
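The three tiers above (PHI, limited data set, de-identified) can be encoded as a simple check over the columns of a study extract. The following is an added example, not code from the Tufts IRB or this policy; the column names, the mapping of columns to identifier categories, and the conservative treatment of unmapped columns as identifier 18 ("any other unique identifying ... code") are assumptions of the example.

```python
"""Classify a research extract by the HIPAA tiers defined on this page."""
from datetime import date

# Assumed column names for the 16 direct identifiers a limited data set
# must exclude (items 1-16 of the limited data set list above).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "face_photo",
}
# Columns a limited data set may keep but de-identified data may not:
# dates other than year, and geography smaller than a state.
LDS_ONLY = {"admission_date", "discharge_date", "dob", "dod", "city", "zip"}
# Columns permitted in both tiers (state, ages, clinical content).
ALLOWED = {"state", "age_years", "diagnosis", "lab_result"}

def _is_allowed(column):
    return column in ALLOWED or column.endswith("_year")

def classify(record):
    """Return 'PHI', 'limited data set' or 'de-identified' for one record."""
    columns = set(record)
    if columns & DIRECT_IDENTIFIERS:
        return "PHI"
    # Assumption: a column we cannot map is treated as identifier 18.
    if any(c not in LDS_ONLY and not _is_allowed(c) for c in columns):
        return "PHI"
    return "limited data set" if columns & LDS_ONLY else "de-identified"

def to_limited_data_set(record):
    """Drop the 16 direct identifiers; dates, city/ZIP and ages remain."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

def to_deidentified(record):
    """Reduce dates to year and drop sub-state geography (city, ZIP)."""
    out = {}
    for k, v in to_limited_data_set(record).items():
        if k in ("city", "zip"):
            continue
        if k.endswith("_date") or k in ("dob", "dod"):
            out[k + "_year"] = v.year if isinstance(v, date) else int(str(v)[:4])
        else:
            out[k] = v
    return out

# Constructed sample record (not real patient data).
SAMPLE = {"name": "Sample Patient", "mrn": "MRN-0000", "dob": date(1950, 3, 2),
          "city": "Boston", "state": "MA", "zip": "02111", "age_years": 74,
          "diagnosis": "glaucoma"}

def run_demo():
    """Return the tier of the raw record and of its two derived views."""
    return (classify(SAMPLE), classify(to_limited_data_set(SAMPLE)),
            classify(to_deidentified(SAMPLE)))
```

Note that the limited data set view still contains dates and city/ZIP, so it is still PHI under the Privacy Rule and may only be released under a Data Use Agreement, as the paragraph above states.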



Research

The HIPAA Privacy Rule and the Common Rule have the same definition of research: a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge (45 CFR 64.10).


Notice of Privacy Practices

The HIPAA Privacy Rule requires that a Covered Entity must tell individuals how PHI is used and disclosed. A good faith effort must be made to obtain written acknowledgement of receipt of a Privacy Notice.


Minimum Necessary Rule

Covered Entities and their Business Associates must make all reasonable efforts to limit disclosures of PHI to the minimum amount necessary to accomplish the intended purpose.


Waiver of HIPAA Research Authorization

Under the Final HIPAA Privacy Rule a Waiver of HIPAA Research Authorization may be granted under the following criteria:

  1. There is minimal risk to privacy.
  2. The research could not practicably be conducted without the waiver.
  3. The research could not practicably be conducted without the PHI.


Minimal Risk to Privacy

There is minimal risk to privacy under HIPAA if the following criteria are met:

  1. An adequate plan is in place to protect information from improper use or disclosure.
  2. There is an adequate plan to destroy identifiers.
  3. Written assurance is provided that the PHI will not be disclosed further than identified in the waiver.


Business Associates

The HIPAA Privacy Rule also applies to Business Associates, who are persons or entities that create, use, or disclose PHI to perform or assist in the functions of a Covered Entity.


Good Privacy Practices


Research Authorization Form (RAF)

Databases where PHI is placed, processed and stored that are used as resources for future research require a HIPAA Research Authorization or a HIPAA Waiver. Since the definition of Research is the same under HIPAA and the Common Rule, these databases also require IRB approval. Complete a Form 7 when requesting a HIPAA Authorization or a HIPAA Waiver.

This form is used to help you fulfill HIPAA accounting requirements when you are granted a research authorization waiver. If you access 50 or fewer records, you must record the names of the records you have accessed. If you access 51 or more records, you may create a profile of the study population (e.g., men over age 70 with glaucoma and a history of hypertension). In either case, it is the responsibility of the PI to report the names or profile to his/her institution's HIPAA Privacy Officer for Research.

The Tufts Medical Center/TUHS IRB/Privacy Board may permit the use and disclosure of PHI as a Limited Data Set under a Data Use Agreement between a Data User and Tufts Medical Center/TUHS. The PI should complete the Data Use Agreement Form to ensure that the request for Limited Data Set under a Data Use Agreement includes all of the necessary information regarding the uses and disclosures. The following elements should be included in the agreement:

  1. Establishes the permitted uses and disclosures of the limited data set by the recipient, consistent with the purposes of the research.
  2. Limits who can use or receive the data.
  3. Requires appropriate safeguards to prevent use or disclosure of the information other than as provided for in the data use agreement.
  4. Requires reporting of unauthorized uses or disclosures to the HIPAA Privacy Officer. This information should also be reported to the IRB.
  5. Prohibits contacting subjects or attempting to identify them from the data.

This form is required when you plan to access PHI for purposes preparatory to research (such as preparing a research protocol, assessing feasibility of a research study, developing a hypothesis, or identifying prospective participants who would meet eligibility criteria for a proposed project). The PI will confirm the following on the Review Preparatory to Research Form:

  1. The use of the PHI is solely for purposes preparatory to research.
  2. The review is necessary for preparation.
  3. No PHI is removed from the covered entity during the course of the review.

This form is required if you plan to conduct research on decedents (a person who has died). The PI will confirm the following on the Research on Decedent Form:

  1. The PHI accessed is solely for research of the PHI on the decedent.
  2. The PHI accessed is necessary for research.
  3. Documentation of death is available upon request.

This form is for use when a case report may directly or indirectly identify a patient. An analysis of more than 3 clinical cases meets the definition of research that must receive IRB approval before starting. These cases also require HIPAA authorization from the patient. Please refer to the case report policy for more information.

HIPAA Privacy Officers Contact Information

Tufts Medical Center

Meghan Colozzo
Privacy Officer & Director of Internal Audit
Corporate Compliance
(617) 636-1203

Tufts University

Akiyo Fujii
Associate General Counsel
(617) 627-3336

Tufts University School of Dental Medicine

Kevin O’Dea
Director of Data and Systems Security
(617) 636-0328