Research Activities and the Health Insurance Portability and Accountability Act (HIPAA)
REG 01.25.08
Authority: Issued by the Chancellor. Changes or exceptions to administrative regulations issued by the Chancellor may only be made by the Chancellor.
History: First Issued: April 14, 2003.
Related Policies:
NCSU REG01.25.09 - Privacy and Confidentiality of Individually Identifiable Health Care Information
NCSU RUL01.25.02 - Use and Disclosure of Protected Health Information
Additional References: HIPAA Forms; The Health Insurance Portability and Accountability Act (HIPAA); Department of Health and Human Services Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule); Department of Health and Human Services Security and Electronic Signature Standards (HIPAA Security Rule); Department of Health and Human Services Standards for Electronic Transactions (HIPAA Electronic Transactions Rule);
NCSU Health Care Components Notice of Privacy Practices
Contact Info: Associate Vice Chancellor for Research Administration; Regulatory Compliance Administrator.
1. Introduction
1.1. The federal Privacy Rule issued pursuant to the Health Insurance Portability
and Accountability Act of 1996 (HIPAA) governs how health care providers use
and disclose individually identifiable patient health information (Protected
Health Information or PHI), including use and disclosure for research purposes.
As a general rule, researchers need an Authorization from the patient or a
waiver of authorization from an Institutional Review Board (IRB) or Privacy
Board to obtain and use PHI for research purposes. The Privacy Rule supplements
and does not supersede the Common Rule applicable to federally sponsored research
or the Food and Drug Administration regulations governing clinical trials
of new drugs and medical devices, both of which protect the confidentiality
of human subjects in research.
2. Scope
This regulation applies to researchers seeking access to PHI from covered
health care providers. The term researcher includes employees and students
who conduct research, assist with the performance of research, or are otherwise
involved in research activities at NCSU.
3. Definitions
3.1. Research: Research means "a systematic investigation, including
research development, testing, and evaluation designed to develop or contribute
to generalizable knowledge."
3.2. Protected Health Information (PHI): HIPAA defines PHI as 1) health
information, including demographic information, 2) created or received by
a health care provider, 3) which relates to the past, present, or future physical
or mental health or condition of an individual; the provision of health care
to an individual; or the past, present or future payment for the provision
of health care to an individual, and 4) that identifies or can be used to identify
any individual. PHI does NOT include education records, student medical records
as covered in the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g;
34 CFR Part 99), or de-identified PHI. De-identified PHI is health information
that cannot be identified to the individual patient. De-identified PHI must
remove specific identifiers (set forth in HIPAA) with respect to the individual,
his or her relatives, employers and household members.
3.3. Covered entity: A health plan, health care clearinghouse or health
care provider that engages in certain electronic transactions as specified
by HIPAA. A covered entity may be a hybrid entity, in which case only its health
care components are subject to the Privacy Rule. NCSU is a hybrid entity whose
"Covered Health Care Components" are Student Health Services, the Counseling
Center and Sports Medicine.
3.4. Authorization: An Authorization is specialized written permission
for use and/or disclosure of an individual's PHI for purposes other than treatment,
payment or health care operations. An authorization must contain specific
elements as specified by the HIPAA Privacy Rule, otherwise it will not be
considered a valid authorization.
3.5. Activities Preparatory to Research: These are defined as activities
designed to aid in planning or preparing a research protocol or proposal (e.g.
record and chart reviews, population analyses, recruitment planning, etc.),
but do not include preliminary research activities such as pilot studies or
focus groups.
3.6. Limited Data Set: A limited data set is defined as PHI that excludes
specific identifiers. See Section 4.5.2, below.
4. Obtaining PHI for research purposes from Health Care Providers
The HIPAA Privacy Rule provides generally that covered entities may not disclose
PHI for research purposes except pursuant to an individual's authorization
or a waiver by an IRB or a special Privacy Board. Exceptions to this general
requirement exist for activities preparatory to research, research on PHI
of decedents, and disclosure of limited data sets to an employee of a covered
entity (or in the case of a hybrid entity, its covered health care component)
pursuant to a data use agreement. De-identified health information may be
used or disclosed for research purposes without an Authorization or IRB waiver
as it is exempt from HIPAA.
4.1. Individual Authorization
A valid Authorization under the HIPAA Privacy Rule must contain specific
elements and meet certain implementation requirements. See Section 3.2.2
of REG01.25.09 - Privacy and Confidentiality of Individually Identifiable Health
Care Information for the required elements. Researchers
seeking an Authorization to access PHI should use an approved Authorization
Form. Forms may be obtained from Research Administration Sponsored Programs. The requested PHI must be limited
to that information necessary to carry out the applicable research protocol,
consistent with HIPAA's minimum necessary standard. A copy of the Authorization
must be provided to the individual.
4.2. Waiver by an IRB
A Covered Entity is permitted to disclose PHI for research purposes without
an Authorization if an IRB has either waived the Authorization requirement
or has approved a modified Authorization. Requests for a Waiver of Authorization
or modified Authorization may be submitted to the IRB following the procedures
in Section 5.
4.3. Activities preparatory to research
4.3.1. PHI may be used or disclosed without an authorization or IRB waiver
for the preparation for, or development of, a research protocol, provided
that the researcher: 1) is an employee of a Covered Health Care Component
at NCSU, and 2) documents that all of the following criteria are satisfied:
4.3.1a) The use or disclosure of PHI is solely to prepare a research protocol,
or to identify prospective research participants for purposes of seeking
an Authorization;
4.3.1b) The researcher shall not record or remove the PHI from the Covered
Health Care Component; and
4.3.1c) The PHI sought is necessary for the purposes of the research.
4.3.2. The Head of the Covered Health Care Component, or his/her designee,
shall review, approve and maintain the above documentation.
4.3.3. Researchers who are not employees of a Covered Health Care Component
must obtain an Authorization or Waiver of Authorization prior to accessing
PHI for activities that are preparatory to research.
4.4. Research on PHI of Decedents
4.4.1. HIPAA permits disclosure of PHI of decedents to researchers if they
provide documentation to the covered entity of the subject's death, that
the PHI is necessary for research purposes, and that the PHI will only be
used for the research.
4.5. Disclosure of Limited Data Sets
4.5.1. Under HIPAA, a researcher may use a Limited Data Set for any research
purpose without an Authorization or Waiver of Authorization if the covered
entity agrees to provide Limited Data Sets.
4.5.2. A Limited Data Set must exclude all of the following direct identifiers
of the individual or of the individual's relatives, employers, or household
members: names; postal address information other than
town or city, State, and zip code; telephone numbers; fax numbers; electronic
mail addresses; social security numbers; medical record numbers; health
plan beneficiary identifiers; account numbers; certificate/license numbers;
vehicle identifiers and serial numbers, including license plate numbers;
device identifiers and serial numbers; web universal resource locators (URL);
internet protocol (IP) address numbers; biometric identifiers, including
finger and voice prints; full face photographic images and any comparable
images; and any other number, characteristic or code that could be used
to identify the individual.
4.5.3. A researcher must sign a Data Use Agreement that meets the requirements
of the HIPAA Privacy Rule. The agreement includes provisions 1) limiting use
of the data only to the research for which it was received, 2) agreeing
to use appropriate safeguards to prevent use or disclosure of the data other
than as permitted by the HIPAA Privacy Rule, and 3) agreeing not to re-identify
the data or contact the individual. In requesting a Limited Data Set, the
requestor must specify the purposes of the Limited Data Set and the categories
of data elements requested to satisfy the minimum necessary standard of
HIPAA. See ___ CFR 164.114(e)(4). Forms may be obtained from Research
Administration Sponsored Programs.
4.6. Use or Disclosure of "De-Identified" Health Information
4.6.1. De-identified health information is exempt from HIPAA and may be used
or disclosed for research purposes without an authorization or IRB waiver.
4.6.2. Researchers must provide documentation to the IRB that the health
information has been de-identified by one of the following two methods:
4.6.2a. Statistical Method. The IRB may determine that health information
is de-identified for purposes of this Policy if an independent, qualified
statistician: determines that the risk of re-identification of the data, alone
or in combination with other data, is very small; and documents the methods
and results by which the health information was de-identified and on which
his/her determination of risk is based. Note: the expert may not be
the researcher or anyone directly involved in the research study.
4.6.2b. Removal of All Identifiers. Identifiers concerning the individual
and the individual's employer, relatives and household members that must
be removed include: names; geographic subdivisions smaller than a state;
zip codes; dates directly related to an individual; telephone numbers;
fax numbers; electronic mail addresses; social security numbers; medical
record numbers; health plan beneficiary numbers; account numbers; certificate/license
numbers; vehicle identifiers and serial numbers, including license plate
numbers; device identifiers and serial numbers; web universal resource
locators (URL); internet protocol (IP) address numbers; biometric identifiers,
including finger and voice prints; full face photographic images; and
any other number, characteristic or code that could be used to identify
the individual.
4.6.3. Re-identification Code. The de-identified information may be assigned
a code that can be affixed to the research record that will permit the information
to be re-identified if necessary, provided that the key to such a code
is not accessible to the researcher requesting to use or disclose the de-identified
health information. Other uses of code numbers to identify data are not
considered de-identified under HIPAA.
5. Procedures for requesting IRB Waiver of Authorization
5.1. Submission of Request for Waiver of Authorization and Contents
5.1.1. A request for Waiver of Authorization must be completed by the researcher
and submitted to the IRB along with an IRB submission for prior review and
approval. A Request for a Waiver of Authorization is not the same as a request
for Waiver of Consent for Research under 45 CFR 46.
5.1.2. The Request for Waiver must contain the following:
5.1.2a. A plan to protect the identifiers from improper use and disclosure;
5.1.2b. A plan to destroy the identifiers as soon as possible, consistent
with the purposes of the research, unless there is a compelling health
or research justification for retaining the identifiers or the retention
is required by law; and
5.1.2c. Adequate written assurances that PHI will not be reused or re-disclosed
to any other person or entity, except where required by law, for oversight
of the research project, or for other research for which the use or disclosure
of PHI would be permitted under HIPAA.
5.2. Criteria for IRB approval
5.2.1. To approve a waiver, the IRB must find that disclosure poses a minimal
risk to privacy, based on the adequacy of the plans submitted by the researcher
with regard to the matters addressed in Section 5.1.2 above, and that the research could
not be done practicably without the waiver and without access to and use
of the PHI.
5.2.2. The IRB shall maintain the following documentation about the waiver
of authorization:
5.2.2a. A statement identifying the IRB and the date on which the waiver
request was approved;
5.2.2b. A description of the PHI for which access has been determined to
be necessary;
5.2.2c. A statement that the IRB determined that the waiver satisfied the
criteria for waiver;
5.2.2d. A statement that the waiver has been reviewed and approved under
either normal or expedited review procedures following requirements of
the Common Rule; and
5.2.2e. The signature of the IRB chair or his/her designee.
6. Use and Disclosure of PHI for the Purpose of Contacting and/or Recruiting Potential Research Participants
6.1. Physicians and other health care providers of an NCSU Covered Health
Care Component may contact their own patients for purposes of recruiting
them to participate in a research study without an Authorization, provided
all the requirements of Section 4.3 (Activities preparatory to research),
above, are satisfied.
6.2. Individuals responding to an advertisement regarding participation in
a research study may be given an explanation of the study (including, but
not limited to, the name of the principal investigator and description of
the study) prior to granting an Authorization.
6.3. An Authorization must be obtained from an individual who has indicated
interest in participating in a research study prior to asking the individual
any screening questions that involve PHI.
6.4. All other uses and disclosures of PHI by a Covered Health Care Component
for the purpose of contacting and/or recruiting potential research participants
require an Authorization or Waiver of Authorization.
7. Individual's Access to Research Information
7.1. As a general rule, individuals who participate in research have a right
to access their own PHI that is maintained at NCSU. See NCSU Regulation #_____,
Privacy and Confidentiality of Protected Health Information, Section V.B.
8. Individual's Revocation of Research Authorization.
8.1. As a general rule, an individual may revoke his/her Authorization, in
writing to the Principal Investigator, at any time. However, the researcher
may continue to use and disclose, for research integrity, any PHI collected
from the individual pursuant to such Authorization before it was revoked.
9. Transition Provision.
9.1. Researchers may continue to use and disclose PHI created or received before
and after April 13, 2003, if the researcher has obtained any one of the following
prior to such date:
9.1.1. The individual's informed consent to participate in the research; or
9.1.2. An IRB waiver of informed consent for the research.
Necessary forms:
Request for Authorization Waiver
IRB Waiver documentation form
Data Use Agreement