The Health Insurance Portability and Accountability Act (HIPAA) of 1996 mandates privacy and confidentiality protections for human research subjects. There is a great deal of information on this Act regarding how it affects patient care, human subject research, and the protected health information of the persons involved.

Tufts Medical Center is a covered entity, so all research at Tufts Medical Center is subject to HIPAA. Tufts University is a hybrid entity, which means that parts of Tufts University are subject to HIPAA and parts are not. At Tufts University, HIPAA applies to the Tufts University School of Dental Medicine, to Student Services on the Medford/Somerville campus, and to any Tufts University researcher who generates protected health information at a covered entity.

For all new studies submitted after April 1, 2012, if HIPAA applies, a combined ICF/RAF document must be submitted. A separate ICF and RAF will no longer be accepted.

For existing studies, at continuing review investigators can convert to the combined ICF/RAF document or continue to use a separate ICF and RAF.

HIPAA Definitions

HIPAA

Health Insurance Portability and Accountability Act of 1996.

HIPAA Privacy Rule

HIPAA required comprehensive health information privacy regulations; the Final HIPAA Privacy Rule was issued August 14, 2002 (requiring compliance by April 14, 2003).

PHI

Protected Health Information. PHI is health information created or received by a Covered Entity or an employer that relates to an individual's past, present, or future physical or mental health condition, or to the provision of or payment for health care. PHI is any health information that identifies an individual.

Covered Entity

Covered Entities under the HIPAA Privacy Rule are Health Care Providers, Health Plans and Health Care Clearinghouses.

TPO

TPO is treatment, payment and health care operations. The HIPAA Privacy Rule permits disclosure of PHI only for TPO or when a regulatory exception applies (e.g. public health reporting).

HIPAA Research Authorization

The Research Authorization required under the HIPAA Privacy Rule is a written patient authorization that must specify:

  1. Who can use or disclose PHI
  2. To whom PHI may be disclosed
  3. What PHI may be used or disclosed
  4. The purposes for which the PHI is used or disclosed
  5. The duration of the authorization (expiration date or event)

De-identified Data

De-identified data excludes all eighteen HIPAA Identifiers. De-identified data is not "anonymous data" under the Common Rule.

Common Rule

Seventeen federal departments and agencies agreed to adopt basic human subject protections regulations published in 1991 as the Common Rule. The Common Rule was derived from the first of four subparts of the DHHS regulations for the protection of human subjects.

HIPAA Identifiers

The eighteen HIPAA Identifiers are:

  1. Names
  2. Geographic subdivisions smaller than a State
  3. Dates (except year) directly related to patient
  4. Telephone numbers
  5. Fax numbers
  6. E-mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code, except as permitted under HIPAA to re-identify data

Limited Data Set

A limited data set excludes specific direct identifiers of the individual and may be disclosed to a researcher through a data use agreement for research, public health or health care operations. A limited data set under the HIPAA Privacy Rule may not include:

  1. Names
  2. Postal address information (other than town or city, state, and ZIP Code)
  3. Telephone numbers
  4. Fax number
  5. Email addresses
  6. Social security numbers
  7. Medical record numbers
  8. Health plan beneficiary numbers
  9. Account numbers
  10. Certificate/license numbers
  11. Vehicle identifiers and serial numbers
  12. Device identifiers and serial numbers
  13. Web universal resource locators (URLs)
  14. Internet Protocol (IP) address numbers
  15. Biometric identifiers (finger and voice prints)
  16. Full face photographic images and any comparable images

A limited data set may include:

  • Dates such as admission, discharge, service, DOB, DOD
  • State, city, and five-digit or longer ZIP code
  • Ages in years, months, days or hours

It is important to note that this information is still protected health information (PHI) under HIPAA. It is not de-identified information and is still subject to the requirements of the Privacy Regulations.
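Putting the two identifier lists above into a field-level check, as an added example that is not from the Tufts page: it sorts a research record into the three classes the page distinguishes (full PHI, limited data set, de-identified) and reports what the page says is needed before the data can be used, treating a limited data set as still PHI. Field names, sample values and the choice of which fields count as dates or sub-state geography are assumptions.

```python
# Added example, not from the Tufts page: sort a research record into
# "phi", "limited_data_set" or "de_identified" using the page's identifier
# categories. All field names and sample values below are constructed.
import re
from typing import Any, Dict

# The 16 direct identifiers a limited data set may NOT contain (all of them
# are also among the 18 HIPAA identifiers), keyed by the field name assumed here.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "face_photo",
}
# A limited data set may keep these, but de-identified data may not:
# geography below state level and patient-related dates finer than a year.
GEO_BELOW_STATE = {"city", "zip"}
DATE_FIELDS = {"dob", "dod", "admission_date", "discharge_date", "service_date"}


def _is_year_only(value: Any) -> bool:
    """De-identified data may keep the year of a date, nothing finer."""
    return re.fullmatch(r"\d{4}", str(value)) is not None


def classify(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return the data class, the fields that forced it, and what the page
    says is needed before a researcher may receive the data."""
    present = {k for k, v in record.items() if v not in (None, "")}
    direct = sorted(present & DIRECT_IDENTIFIERS)
    if direct:
        return {"class": "phi", "flagged": direct,
                "needs": "HIPAA Research Authorization or Waiver"}
    indirect = sorted(
        k for k in present
        if k in GEO_BELOW_STATE or (k in DATE_FIELDS and not _is_year_only(record[k]))
    )
    if indirect:
        # Still PHI under HIPAA: releasable only under a Data Use Agreement.
        return {"class": "limited_data_set", "flagged": indirect,
                "needs": "Data Use Agreement (still PHI)"}
    return {"class": "de_identified", "flagged": [],
            "needs": "none under HIPAA (not 'anonymous' under the Common Rule)"}


# Constructed sample records.
REC_PHI = {"mrn": "000123", "name": "J. Doe", "dob": "1950-03-12", "state": "MA"}
REC_LDS = {"dob": "1950-03-12", "city": "Boston", "zip": "02111", "state": "MA",
           "diagnosis": "glaucoma"}
REC_DEID = {"dob": "1950", "state": "MA", "diagnosis": "glaucoma", "age_years": 74}

if __name__ == "__main__":
    for rec in (REC_PHI, REC_LDS, REC_DEID):
        print(classify(rec))
```

Empty or missing fields are ignored, so a record whose identifier columns were blanked rather than dropped is still classified by what actually remains.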

Data Use Agreement Form

The Tufts Medical Center/TUHS IRB/Privacy Board may permit the use and disclosure of PHI as a Limited Data Set under a Data Use Agreement between a Data User and Tufts Medical Center/TUHS. The PI should complete the Data Use Agreement Form to ensure that the request for Limited Data Set under a Data Use Agreement includes all of the necessary information regarding the uses and disclosures. The following elements should be included in the agreement:

  1. Establishes the permitted uses and disclosures of the limited data set by the recipient, consistent with the purposes of the research.
  2. Limits who can use or receive the data.
  3. Requires appropriate safeguards to prevent use or disclosure of the information other than as provided for in the data use agreement.
  4. Requires reporting of unauthorized uses or disclosures to the HIPAA Privacy Officer. This information should also be reported to the IRB.
  5. Prohibits contacting the subjects or identifying the subjects' information.

Research

The HIPAA Privacy Rule and the Common Rule have the same definition of research: Systematic investigation, including research development, testing and evaluation designed to develop or contribute to generalizable knowledge (45 CFR 64.10).

Notice of Privacy Practices

The HIPAA Privacy Rule requires that a Covered Entity must tell individuals how PHI is used and disclosed. A good faith effort must be made to obtain written acknowledgement of receipt of a Privacy Notice.

Minimum Necessary Rule

Covered Entities and their Business Associates must make all reasonable efforts to limit disclosures of PHI to the minimum amount necessary to accomplish the intended purpose.

Waiver of HIPAA Research Authorization

Under the Final HIPAA Privacy Rule a Waiver of HIPAA Research Authorization may be granted under the following criteria:

  1. There is minimal risk to privacy.
  2. The research could not practicably be conducted without the waiver.
  3. The research could not practicably be conducted without the PHI.

Minimal Risk to Privacy

There is minimal risk to privacy under HIPAA if the following criteria are met:

  1. An adequate plan is in place to protect information from improper use or disclosure.
  2. There is an adequate plan to destroy identifiers.
  3. Written assurance is provided that the PHI will not be disclosed further than identified in the waiver.

Business Associates

The HIPAA Privacy Rule also applies to Business Associates, who are persons or entities that create, use, or disclose PHI to perform or assist in the functions of a Covered Entity.

GPP Good Privacy Practices

HIPAA Forms

Databases where PHI is placed, processed and stored that are used as resources for future research require a HIPAA Research Authorization or a HIPAA Waiver. Since the definition of Research is the same under HIPAA and the Common Rule, these databases also require IRB approval. Complete a Form 7 when requesting a HIPAA Authorization or a HIPAA Waiver.

This form is used to help you fulfill HIPAA accounting requirements when you are granted a research authorization waiver. If you access 50 or fewer records, you must record the names of the records you have accessed. If you access 51 or more records, you may create a profile of the study population (e.g., men over age 70 with glaucoma and a history of hypertension). In either case, it is the responsibility of the PI to report the names or profile to his/her institution's HIPAA Privacy Officer for Research.

This form is required when you plan to access PHI for purposes preparatory to research (such as preparing a research protocol, assessing feasibility of a research study, developing a hypothesis, or identifying prospective participants who would meet eligibility criteria for a proposed project). The PI will confirm the following on the Review Preparatory to Research Form:

  1. The use of the PHI is solely for purposes preparatory to research.
  2. The review is necessary for preparation.
  3. No PHI is removed from the covered entity during the course of the review.

This form is required if you plan to conduct research on decedents (persons who have died). The PI will confirm the following on the Research on Decedent Form:

  1. The PHI is accessed solely for research on the decedent's PHI.
  2. The PHI accessed is necessary for research.
  3. Documentation of death is available upon request.

This form is for use when a case report may directly or indirectly identify a patient. An analysis of more than 3 clinical cases meets the definition of research that must receive IRB approval before starting. These cases also require HIPAA authorization from the patient. Please refer to the case report policy for more information.

Common Questions About HIPAA

1. What are the basics of HIPAA compliance for a researcher?

Depending on the type of study you have, you may utilize the following means to comply with HIPAA (all forms and templates are available here):

  1. Obtain authorization for the use or disclosure of protected health information (PHI) from subjects using the following:
    1. A combined ICF/Research Authorization Form (RAF)
    2. A Research Authorization Form (RAF). This is only applicable to studies approved prior to 01 April 2012.
  2. Obtain a waiver of research authorization (certain restrictions apply)
  3. Use a limited data set and put in place a data use agreement (certain restrictions apply)
  4. Use PHI from deceased subjects (please complete the Research on Decedent form)
  5. Use a completely de-identified dataset

You also have limited ability to access PHI in “a review preparatory to research”. Please complete the Review Preparatory to Research form.

For information concerning HIPAA and case reports, please refer to the case report policy.

2. What responsibilities do clinical researchers have under the HIPAA Privacy Rule?

The HIPAA Privacy Rule requires:

  1. Providing mandated information to research subjects about their privacy rights and how PHI can be used.
  2. Informing subjects about the right to access and amend their PHI.
  3. Adopting clear and systematic privacy and database security procedures.
  4. Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
  5. Maintaining reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI.

3. What is my responsibility under HIPAA for disclosing to subjects funding or other financial support when it is received from the sponsor?

The Privacy Rule does not require disclosure in the combined ICF/RAF or HIPAA RAF if direct or indirect remuneration is received in exchange for use or disclosure of the health information.

4. Informed Consent was obtained from participants in my study prior to April 14, 2003. Are these participants required to sign a HIPAA Research Authorization?

Consent, authorization or other legal permission obtained prior to the mandatory compliance date (April 14, 2003) allows the PHI to be used after April 14, 2003 for the research. If, after April 14, 2003, a revised informed consent is required for prior enrolled subjects, then HIPAA research authorization should be obtained from the prior enrolled subjects.

5. IRB Consent Waivers have been obtained for some of my research studies, what is the status of these studies under the HIPAA Privacy Rule?

Waivers of Informed Consent prior to April 14, 2003 by the IRB are “grandfathered” as a Waiver of HIPAA Research Authorization. After April 14, 2003 separate waivers must be obtained for Informed Consent under the Common Rule and Research Authorization under HIPAA.

6. Is the health information of normal healthy volunteers in my clinical research study considered PHI?

The HIPAA Privacy Rule does not protect the health information of healthy normal volunteers, but hospital registration for these participants creates a clinical record that is PHI.

7. How does the hospital Notice of Privacy Practice under the HIPAA Privacy Rule impact clinical research?

A research unit that is part of a Covered Entity may need to provide the Notice of Privacy Practices to a subject if participation in a clinical trial is the initial contact with the Covered Entity.

8. My research files contain PHI that has been authorized for use under a HIPAA Research Authorization. Does the HIPAA Privacy Rule have any other requirements for this data?

There are HIPAA Security Standards that require reasonable operational, technical and physical safeguards for PHI that:

  1. Ensure confidentiality and integrity of information
  2. Prevent unauthorized use or disclosure
  3. Protect against external threats and physical hazards

Contact your Information Technology office for more information about HIPAA security standards.

9. How will Revocation of Authorization by study participants permitted under the HIPAA Privacy Rule impact my studies?

A research subject has the right to revoke, in writing, his/her authorization at any time. However, research subjects cannot revoke authorization to the extent that the study is reliant on previously authorized information. You may continue to use data already collected to protect the integrity or accuracy of a study.

10. What are the penalties associated with failing to comply with HIPAA Privacy Rule regulations?

There are both civil and criminal penalties for improper use or disclosure of PHI. A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm.

11. Does HIPAA apply in the following situations?

  • Coded information used for my study: The HIPAA Privacy Rule does not apply if all 18 HIPAA identifiers are removed from this information. The HIPAA Privacy Rule does apply to the code that allows re-identification of the PHI. But the Common Rule considers coded information to be indirectly identifiable.
  • Studies that are NOT funded by the FDA or the NIH: Yes. The HIPAA Privacy Rule applies regardless of funding source and even if FDA and HHS regulations are not applicable.
  • Researchers working in a hospital: Yes. The HIPAA Privacy Rule covers researchers within a Covered Entity because they generate PHI (e.g. in clinical trials) and receive, access, or use PHI.

12. Is a HIPAA Research Authorization or Waiver required in the following situations?

  • Retrospective chart reviews: Yes. A retrospective chart review may require a HIPAA Waiver. This will be evaluated by the IRB/Privacy Board upon submission.
  • Quality Assurance projects for health care operations: No. They are permitted under the HIPAA Privacy Rule as "health care operations", so no separate authorization or waiver is required.
  • Quality Assurance projects for research: Yes. A HIPAA waiver is required.
  • Use of PHI for recruitment: Yes. A HIPAA waiver is required.
  • Databases for research containing PHI: Yes. Databases where PHI is placed, processed and stored that are resources for research require a HIPAA Research Authorization or Waiver. Since the definition of Research is the same under HIPAA and the Common Rule, these databases also require IRB approval.

HIPAA Privacy Officers Contact Information

Tufts Medical Center

Meghan Colozzo
Privacy Officer & Director of Internal Audit
Corporate Compliance
(617) 636-1203
MColozzo@tuftsmedicalcenter.org

Tufts University

Akiyo Fujii
Associate General Counsel
(617) 627-3336
Akiyo.Fujii@tufts.edu

Tufts University School of Dental Medicine

Kevin O’Dea
Director of Data and Systems Security
(617) 636-0328
Kevin.Odea@tufts.edu