Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 mandates privacy and confidentiality protections for human research subjects. Much guidance exists on how this Act affects patient care, human subject research, and the protected health information of the persons involved.

Tufts Medicine institutions (Tufts Medical Center, Lowell General Hospital, MelroseWakefield Healthcare) are covered entities. All research at Tufts Medicine is subject to HIPAA. Tufts University is a hybrid entity, which means that parts of Tufts University are subject to HIPAA and parts are not. At Tufts University, HIPAA applies to Tufts University School of Dental Medicine, to Student Services on the Medford/Somerville campus, and to any researcher at Tufts University who generates protected health information at a covered entity.

For all new studies submitted after April 1, 2012, if HIPAA applies, the required Authorization language must be included in the ICF. Tufts Health Sciences IRB does not accept separate Research Authorization Forms (RAFs).

For existing studies, at continuing review investigators can convert to the combined ICF/RAF document or continue to use a separate ICF and RAF.

HIPAA forms are available in the eIRB Library and in the HIPAA Forms section of the Forms page.


HIPAA Definitions

HIPAA: Health Insurance Portability and Accountability Act of 1996.

HIPAA Privacy Rule: HIPAA required comprehensive health information privacy regulations; the Final HIPAA Privacy Rule was issued August 14, 2002 (requiring compliance by April 14, 2003).

PHI: Protected Health Information. PHI is health information created or received by a Covered Entity or an employer that relates to an individual's past, present, or future physical or mental health condition, to the provision of health care, or to payment for health care. PHI is any such health information that identifies an individual.

Covered Entity: Covered Entities under the HIPAA Privacy Rule are Health Care Providers, Health Plans and Health Care Clearinghouses.

TPO: TPO is treatment, payment, and health care operations. The HIPAA Privacy Rule permits disclosure of PHI only for TPO or when a regulatory exception applies (e.g. public health reporting).

HIPAA Research Authorization: The Research Authorization required under the HIPAA Privacy Rule is a written patient authorization that must specify:

  1. Who can use or disclose PHI
  2. To whom PHI may be disclosed
  3. What PHI may be used or disclosed
  4. The purposes for which the PHI may be used or disclosed
  5. The duration of the authorization (expiration date or event)

De-identified Data: De-identified data excludes all eighteen HIPAA Identifiers. De-identified data is not "anonymous data" under the Common Rule.

Common Rule: Seventeen federal departments and agencies agreed to adopt basic human subject protections regulations published in 1991 as the Common Rule. The Common Rule was derived from the first of four subparts of the DHHS regulations for the protection of human subjects.

HIPAA Identifiers: The eighteen HIPAA Identifiers are:

  1. Names
  2. Geographic subdivisions smaller than a State
  3. Dates (except year) directly related to the patient/subject
  4. Telephone numbers
  5. Fax numbers
  6. E-mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code, except as permitted under HIPAA to re-identify data

Limited Data Set: A limited data set excludes specific direct identifiers of the individual and may be disclosed to a researcher through a data use agreement for research, public health, or health care operations. A limited data set under the HIPAA Privacy Rule may not include:

  1. Names
  2. Postal address information (other than town or city, state, and ZIP Code)
  3. Telephone numbers
  4. Fax numbers
  5. Email addresses
  6. Social security numbers
  7. Medical record numbers
  8. Health plan beneficiary numbers
  9. Account numbers
  10. Certificate/license numbers
  11. Vehicle identifiers and serial numbers
  12. Device identifiers and serial numbers
  13. Web universal resource locators (URLs)
  14. Internet Protocol (IP) address numbers
  15. Biometric identifiers (finger and voice prints)
  16. Full face photographic images and any comparable images

A limited data set may include:

  • Dates such as admission, discharge, and service dates, DOB, and DOD
  • State, city, and five-digit or longer ZIP code
  • Ages in years, months, days, or hours

It is important to note that this information is still protected health information (PHI) under HIPAA. It is not de-identified information and is still subject to the requirements of the Privacy Regulations.
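As an added example (not part of the Tufts IRB page), the following Python applies the two lists above to a flat research record: it reports whether the record is still PHI, qualifies as a limited data set, or is de-identified, and shows the reductions needed to move from one level to the next. The field names, the allowlist of clinical fields, and the sample record are constructed assumptions; a real pipeline must also scan free-text fields, which this check does not do.

```python
"""Classify a flat research record against the HIPAA identifier lists.

Added example, not code from the Tufts IRB page.  Field names are
constructed for this example; map your own schema onto them.
"""
import re
from dataclasses import dataclass

# Direct identifiers that a limited data set may NOT contain (items 1 and
# 3-16 of the eighteen-identifier list).  Dates and geography are handled
# separately because a limited data set may keep them.
DIRECT_IDENTIFIERS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "face_photo",
})
# Permitted in a limited data set; for de-identified data dates must be
# reduced to the year and geography to no finer than the state.
DATE_FIELDS = frozenset({"dob", "dod", "admission_date", "discharge_date", "service_date"})
GEO_FIELDS = frozenset({"city", "zip"})
# Fields this example treats as non-identifying clinical content (assumption).
# Note: the federal Safe Harbor rule also restricts ages over 89; the page's
# list does not mention that, and this example does not enforce it.
CLINICAL_FIELDS = frozenset({"state", "age", "diagnosis", "procedure", "lab_result"})

YEAR_ONLY = re.compile(r"\d{4}")
LEADING_YEAR = re.compile(r"(\d{4})")


@dataclass(frozen=True)
class Classification:
    level: str       # "PHI", "limited data set" or "de-identified"
    flagged: tuple   # fields that determined the level


def _present(record):
    """Keys whose values are actually populated."""
    return {k for k, v in record.items() if v not in (None, "")}


def classify(record: dict) -> Classification:
    present = _present(record)
    # Any direct identifier, or any field we cannot vouch for (item 18: any
    # other unique identifying number, characteristic, or code), keeps the
    # record as PHI that needs an authorization or a waiver.
    known = DIRECT_IDENTIFIERS | DATE_FIELDS | GEO_FIELDS | CLINICAL_FIELDS
    phi_fields = (present & DIRECT_IDENTIFIERS) | (present - known)
    if phi_fields:
        return Classification("PHI", tuple(sorted(phi_fields)))
    # City/ZIP and full dates are allowed only at the limited-data-set level.
    lds_only = set(present & GEO_FIELDS)
    for field in present & DATE_FIELDS:
        if not YEAR_ONLY.fullmatch(str(record[field])):
            lds_only.add(field)
    if lds_only:
        return Classification("limited data set", tuple(sorted(lds_only)))
    return Classification("de-identified", ())


def to_limited_data_set(record: dict) -> dict:
    """Drop the direct identifiers; keep dates, city/state/ZIP and ages."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def de_identify(record: dict) -> dict:
    """Additionally truncate dates to the year and drop sub-state geography."""
    out = {}
    for k, v in to_limited_data_set(record).items():
        if k in GEO_FIELDS:
            continue
        if k in DATE_FIELDS:
            match = LEADING_YEAR.match(str(v))
            if match is None:      # unparseable date: drop rather than leak
                continue
            v = match.group(1)
        out[k] = v
    return out


# Constructed sample chart row (not a real patient).
CHART_ROW = {
    "name": "Pat Doe", "mrn": "MRN-000123", "dob": "1984-03-02",
    "admission_date": "2023-11-04", "city": "Boston", "state": "MA",
    "zip": "02111", "diagnosis": "J45.20",
}

if __name__ == "__main__":
    for label, rec in [("raw", CHART_ROW),
                       ("limited", to_limited_data_set(CHART_ROW)),
                       ("de-identified", de_identify(CHART_ROW))]:
        print(f"{label:>13}: {classify(rec)}")
```

The three levels line up with the page's options: a raw chart row needs a Research Authorization or a waiver, the limited data set still needs a Data Use Agreement, and only the de-identified output leaves the Privacy Rule's scope.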

Data Use Agreements: The Tufts Health Sciences IRB/Privacy Board may permit the use and disclosure of PHI as a Limited Data Set under a Data Use Agreement (DUA) between a Data User and Tufts Medicine/Tufts University. See Data and/or Specimen Transfer Agreements for instructions on requesting a DUA. The following elements should be included in the agreement:

  1. Establishes the permitted uses and disclosures of the limited data set by the recipient, consistent with the purposes of the research.
  2. Limits who can use or receive the data.
  3. Requires appropriate safeguards to prevent use or disclosure of the information other than as provided for in the data use agreement.
  4. Requires reporting of unauthorized uses or disclosures to the HIPAA Privacy Officer. This information should also be reported to the IRB.
  5. Prohibits contacting the subjects or identifying them.

Research: The HIPAA Privacy Rule and the Common Rule have the same definition of research: a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge (45 CFR 164.501 / 45 CFR 46.102(l)).

Notice of Privacy Practices: The HIPAA Privacy Rule requires that a Covered Entity must tell individuals how PHI is used and disclosed. A good faith effort must be made to obtain written acknowledgement of receipt of a Privacy Notice.

Minimum Necessary Rule: Covered Entities and their Business Associates must make all reasonable efforts to limit disclosures of PHI to the minimum amount necessary to accomplish the intended purpose.

Waiver of HIPAA Research Authorization: Under the Final HIPAA Privacy Rule, a Waiver of HIPAA Research Authorization may be granted if the following criteria are met:

  1. There is minimal risk to privacy.
  2. The research could not practicably be conducted without the waiver of authorization.
  3. The research could not practicably be conducted without access to and use of PHI.

Minimal Risk to Privacy: There is minimal risk to privacy under HIPAA if the following criteria are met:

  1. An adequate plan is in place to protect identifiers from improper use or disclosure.
  2. There is an adequate plan to destroy identifiers at the earliest opportunity consistent with the research.
  3. Written assurance is provided that the PHI will not be disclosed further than identified in the waiver.

Business Associates: The HIPAA Privacy Rule also applies to Business Associates who are persons or entities that create, use, or disclose PHI to perform or assist in the functions of a Covered Entity.

GPP: Good Privacy Practices

Common Questions About HIPAA

1. What are the basics of HIPAA compliance for a researcher?

Depending on the type of study you have, you may use the following means to comply with HIPAA (all forms and templates are available in the eIRB Library and on the Forms page):

  1. Obtain authorization for the use or disclosure of protected health information (PHI) from subjects using the following:
    1. A combined ICF/Research Authorization Form (RAF)
    2. A Research Authorization Form (RAF). This applies only to studies approved prior to 01 April 2012, or to studies for which a full ICF is not required (e.g. Exempt studies).
  2. Obtain a waiver of research authorization (certain restrictions apply)
  3. Use a limited data set and put in place a data use agreement (certain restrictions apply)
  4. Use PHI from deceased subjects (please complete and submit the Research on Decedent form)
  5. Use a completely de-identified dataset

You also have limited ability to access PHI in “a review preparatory to research.” Please complete and submit the Review Preparatory to Research form.

For information concerning HIPAA and case reports, please refer to the case report policy.

2. What responsibilities do clinical researchers have under the HIPAA Privacy Rule?

The HIPAA Privacy Rule requires:

  1. Providing mandated information to research subjects about their privacy rights and how PHI can be used.
  2. Informing subjects about the right to access and amend their PHI.
  3. Adopting clear and systematic privacy and database security procedures.
  4. Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
  5. Maintaining reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI.

3. What is my responsibility under HIPAA for disclosing to subjects funding or other financial support when it is received from the sponsor?

The Privacy Rule does not require the combined ICF/RAF or the HIPAA RAF to disclose whether direct or indirect remuneration is received in exchange for use or disclosure of the health information.

4. Informed Consent was obtained from participants in my study prior to April 14, 2003. Are these participants required to sign a HIPAA Research Authorization?

Consent, authorization, or other legal permission obtained prior to the mandatory compliance date (April 14, 2003) allows the PHI to be used after April 14, 2003 for the research. If, after April 14, 2003, a revised informed consent is required for prior enrolled subjects, then HIPAA research authorization should be obtained from the prior enrolled subjects.

5. IRB Consent Waivers have been obtained for some of my research studies. What is the status of these studies under the HIPAA Privacy Rule?

Waivers of Informed Consent granted by the IRB prior to April 14, 2003 are “grandfathered” as a Waiver of HIPAA Research Authorization. After April 14, 2003, separate waivers must be obtained for Informed Consent under the Common Rule and for Research Authorization under HIPAA.

6. Is the health information of normal healthy volunteers in my clinical research study considered PHI?

The HIPAA Privacy Rule does not protect the health information of healthy normal volunteers, but hospital registration for these participants creates a clinical record that is PHI.

7. How does the hospital Notice of Privacy Practice under the HIPAA Privacy Rule impact clinical research?

A research unit that is part of a Covered Entity may need to provide the Notice of Privacy Practices to a subject if participation in a clinical trial is the initial contact with the Covered Entity.

8. My research files contain PHI that has been authorized for use under a HIPAA Research Authorization. Does the HIPAA Privacy Rule have any other requirements for this data?

There are HIPAA Security Standards that require reasonable operational, technical, and physical safeguards for PHI that:

  1. Ensure confidentiality and integrity of information
  2. Prevent unauthorized use or disclosure
  3. Protect against external threats and physical hazards

Contact your Information Technology office for more information about HIPAA security standards.

9. How will Revocation of Authorization by study participants permitted under the HIPAA Privacy Rule impact my studies?

A research subject has the right to revoke, in writing, his/her authorization at any time. However, research subjects cannot revoke authorization to the extent that the study is reliant on previously authorized information. You may continue to use data already collected to protect the integrity or accuracy of a study.

10. What are the penalties associated with failing to comply with HIPAA Privacy Rule regulations?

There are both civil and criminal penalties for improper use or disclosure of PHI. A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm.

11. Does HIPAA apply in the following situations?

  • Coded information used for my study - The HIPAA Privacy Rule does not apply if all 18 HIPAA identifiers are removed from this information. The HIPAA Privacy Rule does apply to the code that allows re-identification of the PHI. The Common Rule considers coded information to be indirectly identifiable.
  • Studies that are NOT regulated by the FDA or the NIH - Yes - The HIPAA Privacy Rule applies regardless of funding source and even if FDA and HHS regulations are not applicable.
  • Researchers working in a hospital - Yes - The HIPAA Privacy Rule covers researchers within a Covered Entity because they generate PHI (e.g. in clinical trials) and receive, access, or use PHI.

12. Is a HIPAA Research Authorization or Waiver required in the following situations?

  • Retrospective chart reviews - Yes - A retrospective chart review may require a HIPAA Waiver. This will be evaluated by the IRB/Privacy Board upon submission.
  • Quality Assurance projects for health care operations only - No - They are permitted under the HIPAA Privacy Rule as “health care operations,” so no separate authorization or waiver is required.
  • Quality Assurance projects for research - Yes - A HIPAA waiver is required.
  • Use of PHI for recruitment - Yes - A HIPAA waiver is required.
  • Databases for research containing PHI - Yes - Databases where PHI is placed, processed, and stored as a resource for research require a HIPAA Research Authorization or Waiver. Since the definition of Research is the same under HIPAA and the Common Rule, these databases also require IRB approval.

HIPAA Privacy Officers Contact Information

Tufts Medicine

Carly Tucker
HIPAA Contact
(617) 636-0198

Tufts University

Akiyo Fujii
Associate General Counsel
(617) 627-3336

Tufts University School of Dental Medicine

Sherry Harper
Senior Compliance Officer