NC State University

Research Activities and the Health Insurance Portability and Accountability Act (HIPAA)

REG 01.25.08

Governance - General

Authority: Issued by the Chancellor. Changes or exceptions to administrative regulations issued by the Chancellor may only be made by the Chancellor.

History: First Issued: April 14, 2003.

Related Policies:
NCSU REG01.25.09 - Privacy and Confidentiality of Individually Identifiable Health Care Information
NCSU RUL01.25.02 - Use and Disclosure of Protected Health Information

Additional References: HIPAA Forms; The Health Insurance Portability and Accountability Act (HIPAA); Department of Health and Human Services Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule); Department of Health and Human Services Security and Electronic Signature Standards (HIPAA Security Rule); Department of Health and Human Services Standards for Electronic Transactions (HIPAA Electronic Transactions Rule);
NCSU Health Care Components Notice of Privacy Practices

Contact Info: Associate Vice Chancellor for Research Administration; Regulatory Compliance Administrator.


1. Introduction

1.1. The federal Privacy Rule issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs how health care providers use and disclose individually identifiable patient health information (Protected Health Information or PHI), including use and disclosure for research purposes. As a general rule, researchers need an Authorization from the patient or a waiver of authorization from an Institutional Review Board (IRB) or Privacy Board to obtain and use PHI for research purposes. The Privacy Rule supplements and does not supersede the Common Rule applicable to federally sponsored research or the Food and Drug Administration regulations governing clinical trials of new drugs and medical devices, both of which protect the confidentiality of human subjects in research.

2. Scope

This regulation applies to researchers seeking access to PHI from covered health care providers. The term researcher includes employees and students who conduct research, assist with the performance of research, or are otherwise involved in research activities at NCSU.

3. Definitions

3.1. Research: Research means "a systematic investigation, including research development, testing, and evaluation designed to develop or contribute to generalizable knowledge."

3.2. Protected Health Information (PHI): HIPAA defines PHI as (1) health information, including demographic information, (2) created or received by a health care provider, (3) that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, and (4) that identifies or can be used to identify any individual. PHI does NOT include education records, student medical records as covered in the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g; 34 CFR Part 99), or de-identified PHI. De-identified PHI is health information that cannot be identified to the individual patient. De-identified PHI must remove specific identifiers (set forth in HIPAA) with respect to the individual, his or her relatives, employers and household members.

3.3. Covered entity:  A health plan, health care clearinghouse or health care provider that engages in certain electronic transactions as specified by HIPAA. A covered entity may be a hybrid entity in which case only its health care components are subject to the Privacy Rule. NCSU is a hybrid entity whose "Covered Health Care Components" are Student Health Services, the Counseling Center and Sports Medicine.

3.4. Authorization: An Authorization is specialized written permission for use and/or disclosure of an individual's PHI for purposes other than treatment, payment or health care operations. An authorization must contain specific elements as specified by the HIPAA Privacy Rule, otherwise it will not be considered a valid authorization.

3.5. Activities Preparatory to Research: These are defined as activities designed to aid in planning or preparing a research protocol or proposal (e.g. record and chart reviews, population analyses, recruitment planning, etc.), but do not include preliminary research activities such as pilot studies or focus groups.

3.6. Limited Data Set: A limited data set is defined as PHI that excludes specific identifiers. See Section 4.5.2, below.

4. Obtaining PHI for research purposes from Health Care Providers

The HIPAA Privacy Rule provides generally that covered entities may not disclose PHI for research purposes except pursuant to an individual's authorization or a waiver by an IRB or a special Privacy Board. Exceptions to this general requirement exist for activities preparatory to research, research on PHI of decedents, and disclosure of limited data sets to an employee of a covered entity (or in the case of a hybrid entity, its covered health care component) pursuant to a data use agreement. De-identified health information may be used or disclosed for research purposes without an Authorization or IRB waiver as it is exempt from HIPAA.

4.1. Individual Authorization

A valid Authorization under the HIPAA Privacy Rule must contain specific elements and meet certain implementation requirements. See Section 3.2.2 of REG01.25.09 - Privacy and Confidentiality of Individually Identifiable Health Care Information for the required elements. Researchers seeking an Authorization to access PHI should use an approved Authorization Form. Forms may be obtained from Research Administration Sponsored Programs. The requested PHI must be limited to the information necessary to carry out the applicable research protocol, consistent with HIPAA's minimum necessary standard. A copy of the Authorization must be provided to the individual.

4.2. Waiver by an IRB

A Covered Entity is permitted to disclose PHI for research purposes without an Authorization if an IRB has either waived the Authorization requirement or has approved a modified Authorization. Requests for a Waiver of Authorization or modified Authorization may be submitted to the IRB following the procedures in Section 5.

4.3. Activities preparatory to research

4.3.1. PHI may be used or disclosed without an authorization or IRB waiver for the preparation for, or development of, a research protocol, provided that the researcher: 1) is an employee of a Covered Health Care Component at NCSU, and 2) documents that all of the following criteria are satisfied:

4.3.1a) The use or disclosure of PHI is solely to prepare a research protocol, or to identify prospective research participants for purposes of seeking an Authorization;

4.3.1b) The researcher shall not record or remove the PHI from the Covered Health Care Component; and

4.3.1c) The PHI sought is necessary for the purposes of the research.

4.3.2. The Head of the Covered Health Care Component, or his/her designee, shall review, approve and maintain the above documentation.

4.3.3. Researchers who are not employees of a Covered Health Care Component must obtain an Authorization or Waiver of Authorization prior to accessing PHI for activities that are preparatory to research.

4.4. Research on PHI of Decedents

4.4.1. HIPAA permits disclosure of PHI of decedents to researchers if the researcher provides documentation to the covered entity of the subject's death, that the PHI is necessary for research purposes, and that the PHI will only be used for the research.

4.5. Disclosure of Limited Data Sets

4.5.1. Under HIPAA, a researcher may use a Limited Data Set for any research purpose without an Authorization or Waiver of Authorization if the covered entity agrees to provide Limited Data Sets.

4.5.2. A Limited Data Set must exclude all of the following direct identifiers of the individual and of the individual's relatives, employers, or household members: names; postal address information other than town or city, State, and zip code; telephone numbers; fax numbers; electronic mail addresses; social security numbers; medical record numbers; health plan beneficiary identifiers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web universal resource locators (URL); internet protocol (IP) address numbers; biometric identifiers, including finger and voice prints; full face photographic images and any comparable images; and any other number, characteristic or code that could be used to identify the individual.

4.5.3. A researcher must sign a Data Use Agreement that meets the requirements of the HIPAA Privacy Rule. The agreement includes provisions 1) limiting use of the data to the research for which it was received, 2) agreeing to use appropriate safeguards to prevent use or disclosure of the data other than as permitted by the HIPAA Privacy Rule, and 3) agreeing not to re-identify the data or contact the individual. In requesting a Limited Data Set the requestor must specify the purposes of the Limited Data Set and the categories of data elements requested to satisfy the minimum necessary standard of HIPAA. See ___ CFR 164.114(e)(4). Forms may be obtained from Research Administration Sponsored Programs.

4.6. Use or Disclosure of "De-Identified" Health Information

4.6.1.   De-identified health information is exempt from HIPAA and may be used or disclosed for research purposes without an authorization or IRB waiver.

4.6.2.   Researchers must provide documentation to the IRB that the health information has been de-identified by one of the following two methods:

4.6.2a. Statistical Method. The IRB may determine that health information is de-identified for purposes of this Policy if an independent, qualified statistician:

(1) determines that the risk of re-identification of the data, alone or in combination with other data, is very small; and

(2) documents the methods and results by which the health information is de-identified and on which the expert bases his/her determination of risk.

Note: the expert may not be the researcher or anyone directly involved in the research study.

4.6.2b.  Removal of All Identifiers. Identifiers concerning the individual and the individual's employer, relatives and household members that must be removed include:  names; geographic subdivisions smaller than a state; zip codes; dates directly related to an individual; telephone numbers; fax numbers; electronic mail addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web universal resource locators (URL); internet protocol (IP) address numbers; biometric identifiers, including finger and voice prints; full face photographic images; and any other number, characteristic or code that could be used to identify the individual.

4.6.3. Re-identification Code. The de-identified information may be assigned a code that can be affixed to the research record and that will permit the information to be re-identified if necessary, provided that the key to such a code is not accessible to the researcher requesting to use or disclose the de-identified health information. Other uses of code numbers to identify data are not considered de-identified under HIPAA.
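The two removal lists above (Section 4.5.2 for a Limited Data Set, Section 4.6.2b for fully de-identified information) and the re-identification code rule in Section 4.6.3 can be expressed as a field-level release check. The following is an added example, not NCSU's own code or any form referenced by this regulation; the field names, the related-party naming convention (`relative_`, `employer_`, `household_` prefixes), the sample record and the key-holder class are all assumptions made for illustration. It applies the page's lists as written: a Limited Data Set keeps town/city, state, zip code and dates, while the de-identified tier drops those too, and the code-to-patient key lives with a holder other than the researcher.

```python
"""De-identification tiers from the regulation, applied to a constructed record.

Added example (not NCSU's own code or forms). Field names, the sample
record and the key-holder class are assumptions made for illustration.
"""
import secrets

# Section 4.5.2: direct identifiers a Limited Data Set must exclude.
# Town/city, state and zip code stay in a Limited Data Set.
LDS_REMOVE = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo",
})

# Section 4.6.2b: fully de-identified data additionally drops geographic
# subdivisions smaller than a state, zip codes and dates tied to the individual.
DEIDENTIFIED_REMOVE = LDS_REMOVE | frozenset({
    "city", "zip", "birth_date", "admission_date", "discharge_date",
})

# Both lists also cover the individual's relatives, employers and household
# members; assumed naming convention: "relative_name", "employer_name", ...
RELATED_PARTY_PREFIXES = ("relative_", "employer_", "household_")


def _base_field(field):
    """Map e.g. 'relative_phone' to 'phone' so related-party fields are checked too."""
    for prefix in RELATED_PARTY_PREFIXES:
        if field.startswith(prefix):
            return field[len(prefix):]
    return field


def remaining_identifiers(record, remove):
    """Fields still present that the chosen tier requires to be absent.

    Use as a release check: an empty set means every listed identifier is gone.
    Free-text fields ("any other ... characteristic or code") still need human review.
    """
    return {f for f in record if _base_field(f) in remove}


def strip_identifiers(record, remove):
    return {f: v for f, v in record.items() if _base_field(f) not in remove}


def limited_data_set(record):
    return strip_identifiers(record, LDS_REMOVE)


def de_identified(record):
    return strip_identifiers(record, DEIDENTIFIED_REMOVE)


class ReidentificationKeyHolder:
    """Section 4.6.3: the code-to-patient key is held by the Covered Health Care
    Component (assumed here), never by the researcher who receives the data."""

    def __init__(self):
        self._key = {}  # code -> medical record number

    def issue_code(self, mrn):
        code = secrets.token_hex(8)  # random, so the code itself reveals nothing
        self._key[code] = mrn
        return code

    def reidentify(self, code):
        return self._key[code]


def release_with_code(record, holder):
    """What the researcher receives: de-identified fields plus an opaque code."""
    coded = de_identified(record)
    coded["reidentification_code"] = holder.issue_code(record["medical_record_number"])
    return coded


SAMPLE = {  # constructed record, not real data
    "name": "Pat Example", "street_address": "1 Example St", "city": "Raleigh",
    "state": "NC", "zip": "27695", "birth_date": "1990-01-02", "phone": "555-0100",
    "email": "pat@example.invalid", "ssn": "000-00-0000",
    "medical_record_number": "MRN-0001", "relative_name": "Sam Example",
    "employer_name": "Example Corp", "diagnosis_code": "J06.9", "visit_year": "2024",
}

if __name__ == "__main__":
    print("limited data set:", sorted(limited_data_set(SAMPLE)))
    print("de-identified   :", sorted(de_identified(SAMPLE)))
    holder = ReidentificationKeyHolder()
    released = release_with_code(SAMPLE, holder)
    print("released fields :", sorted(released))
    print("key holder maps code back to:", holder.reidentify(released["reidentification_code"]))
```

The check is deliberately split from the stripping step: `remaining_identifiers` lets a data steward verify a file a researcher prepared without trusting that the right tier was applied. The random code plus a mapping kept only by the holder is what makes the released record de-identified in the sense of Section 4.6.3; a code the researcher could compute or reverse would not qualify.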

5. Procedures for requesting IRB Waiver of Authorization

5.1. Submission of Request for Waiver of Authorization and Contents

5.1.1. A request for Waiver of Authorization must be completed by the researcher and submitted to the IRB along with an IRB submission for prior review and approval. A Request for a Waiver of Authorization is not the same as a request for Waiver of Consent for Research under 45 CFR 46.

5.1.2. The Request for Waiver must contain the following:

5.1.2a. A plan to protect the identifiers from improper use and disclosure;

5.1.2b. A plan to destroy the identifiers as soon as possible, consistent with the purposes of the research, unless there is a compelling health or research justification for retaining the identifiers or the retention is required by law, and

5.1.2c. Adequate written assurances that PHI will not be reused or re-disclosed to any other person or entity, except where required by law, for oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted under HIPAA.

5.2. Criteria for IRB approval

5.2.1. To approve a waiver, the IRB must find that the disclosure poses a minimal risk to privacy, based on the adequacy of the plans submitted by the researcher with regard to the matters addressed in Section 5.1.2 above, and that the research could not practicably be conducted without the waiver and without access to and use of the PHI.

5.2.2. The IRB shall maintain the following documentation about the waiver of authorization:

5.2.2a. A statement identifying the IRB and the date on which the waiver request was approved;

5.2.2b. A description of the PHI for which access has been determined to be necessary;

5.2.2c. A statement that the IRB determined that the waiver satisfied the criteria for waiver;

5.2.2d. A statement that the waiver has been reviewed and approved under either normal or expedited review procedures following requirements of the Common Rule; and

5.2.2e. The documentation is signed by the IRB chair or his/her designee.

6. Use and Disclosure of PHI for the Purpose of Contacting and/or Recruiting Potential Research Participants.

6.1. Physicians and other health care providers of an NCSU Covered Health Care Component may contact their own patients for purposes of recruiting them to participate in a research study without an Authorization, provided all the requirements of Section IV.C, "Use and Disclosure of PHI Without Authorization Preparatory to Research," are satisfied.

6.2. Individuals responding to an advertisement regarding participation in a research study may be given an explanation of the study (including, but not limited to, the name of the principal investigator and description of the study) prior to granting an Authorization.

6.3. An Authorization must be obtained from an individual who has indicated interest in participating in a research study prior to asking the individual any screening questions that involve PHI.

6.4. All other uses and disclosures of PHI by a Covered Health Care Component for the purpose of contacting and/or recruiting potential research participants require an Authorization or Waiver of Authorization.

7. Individual's Access to Research Information

7.1. As a general rule, individuals who participate in research have a right to access their own PHI that is maintained at NCSU. See NCSU Regulation #_____, Privacy and Confidentiality of Protected Health Information, Section V.B.

8. Individual's Revocation of Research Authorization.

8.1. As a general rule, an individual may revoke his/her Authorization, in writing to the Principal Investigator, at any time. However, the researcher may continue to use and disclose, for research integrity, any PHI collected from the individual pursuant to such Authorization before it was revoked.

9. Transition Provision.

9.1. Researchers may continue to use and disclose PHI created or received before and after April 13, 2003, if the researcher has obtained any one of the following prior to such date:

9.1.1. The individual's informed consent to participate in the research; or

9.1.2. An IRB waiver of informed consent for the research.

Necessary forms:

Request for Authorization Waiver

IRB Waiver documentation form

Data Use Agreement