- What is HIPAA?
- What is a HIPAA covered entity?
- What is Protected Health Information (PHI)?
- Is my research subject to HIPAA?
- If my research is subject to HIPAA, what do I as a researcher have to do to comply?
- How does HIPAA affect language in Informed Consent documents?
- When does HIPAA become effective?
- What is de-identified information?
- What is a minimum data set?
- Does the IRB need to review my project's HIPAA Authorization?
- Where can I get training on Research aspects of HIPAA?
- Where can I get more information on HIPAA and Research?

- What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. This federal law has an "Administrative Simplification" title within it that includes provisions for Privacy and Security of personal health information, as well as for electronic standards for communicating claims data, and unique identifiers for healthcare providers and organizations.
The provisions of HIPAA that most affect research are the Privacy Rule, and a corresponding Security Rule.
- What is a HIPAA covered entity?
A covered entity is an organization that, by virtue of providing healthcare services and billing for them using electronic means, is subject to the provisions of HIPAA. The University of California is a "hybrid covered entity", meaning that it provides healthcare services but also has other functions, such as education and research.
- What is Protected Health Information (PHI)?
Protected Health Information is a type of individually-identifiable information that arises out of a healthcare service context. The protections of the HIPAA Privacy Rule apply to PHI. Not all individually identifiable information is PHI, however. Specifically, in a research context, a study only uses or produces PHI if it is using medical records as a source of information, or is providing a healthcare service to the research participant. For more information on this, see the University of California's HIPAA Task Force paper on the topic of when research data is and is not PHI.
- Is my research subject to HIPAA?
If the research involves review of person-identifiable medical records, or the study results in new information that is added to medical records (such as a test of a new diagnostic or therapeutic agent or device), then it is using or creating PHI and is subject to HIPAA Privacy Rule provisions.
Clinical research done within the VA that requires adding a registration record in the VA's Computerized Patient Records System (CPRS) is creating PHI whether or not a healthcare service is rendered, since it is adding information to medical records that are covered by HIPAA.
However, not all person-identifiable information acquired in a research setting is PHI. For more information on this, see the University of California's HIPAA Task Force paper on the topic of when research data is and is not PHI. When in doubt, contact the HRPP program office and we will assist you in determining whether HIPAA applies.
- If my research is subject to HIPAA, what do I as a researcher have to do to comply?
Research projects that are subject to HIPAA will require the following:
a. A signed HIPAA authorization will be required for newly consented study participants starting April 14, 2003, or the project must have a Waiver of Authorization approved by the IRB. Participants who signed consents prior to April 14, 2003 do not need to be reconsented. Although federal regulations allow the HIPAA language to be included in the consent, California law requires a separate "stand-alone" HIPAA authorization form, which is also available in a Spanish language version. VA investigators should use the VA-specific version of this stand-alone authorization.
b. Confidentiality of the information must be protected by physical security, access controls such as password-protected computer applications, and by the general principles of "minimum necessary" and "need to know".
c. When PHI created de novo in a research setting, such as by a clinical trial of a new treatment, is disclosed outside of the University of California, an audit trail log of what information was sent and to whom it was sent needs to be maintained, and an accounting of disclosures must be available to a research participant upon request, of disclosures that included their data. Note that this is not the case if medical records information is used for research pursuant to an authorization. The authorization essentially converts PHI into RHI as the information moves from the medical record into the research record, and subsequent use of the RHI is governed by the terms of the authorization, not by HIPAA.
- How does HIPAA affect language in Informed Consent documents?
For research studies that use or create PHI, HIPAA mandates that 7 additional elements be explained in a separately signed authorization for use of personal health information:
1. Description of information to be used.
2. Name of person(s) or class of persons (e.g., project staff) who will use the information.
3. Name of persons or organizations to whom PHI information will be released (e.g., study staff, project sponsors and the central coordinating offices of multi-center trials).
4. Expiration date or event that ends authorization to use PHI (e.g., completion of the research), or statement that authorization does not expire.
5. Statement of right to revoke authorization (part of withdrawal from study procedures).
6. If information will be disclosed to other organizations, statement that information may no longer be protected.
7. A statement that the individual may inspect or copy the records (the researcher may stipulate that records are not available until after the study is complete).
- When does HIPAA become effective?
Compliance was required as of April 14, 2003. Newly enrolled participants in research studies affected by HIPAA will need to sign a separate HIPAA authorization form. Permissions and authorizations executed prior to April 14, 2003 remain in place, and there is no need to re-consent participants already enrolled in studies as of that date.
- What is de-identified information?
De-identified information is the term used for personal health information that has had identifying characteristics removed. This form of data was historically called "anonymous" but the authors of HIPAA recognized that health information is so rich in potentially identifying characteristics that it can never be truly anonymous; there will always be some potential for re-identification of an individual. HIPAA contains a "safe harbor" provision that states information is not subject to HIPAA restrictions on PHI if 18 different elements are removed. A listing of these elements is available as part of the UCSD HRPP Factsheet on Deidentified Health Information.
- What is a minimum data set?
A minimum data set is a partially de-identified dataset that has 8 elements removed rather than 18. Because a minimum data set retains information that could be used to relatively easily re-identify an individual (such as medical record numbers and dates of hospital admissions), research involving use or disclosure of a minimum data set has to be accompanied by a Data Use Agreement specifying the researcher's agreement to use the data only for approved research purposes, and that the researcher will not attempt to re-identify individuals. Although HIPAA does not require IRB review of research that uses HIPAA minimum data sets, at UCSD researchers should submit an application for Expedited Review to receive documentation of project approval for presentation to the Medical Records Department.
- Does the IRB need to review my project's HIPAA Authorization?
Stand-alone companion authorizations that follow the standard authorization format do not need IRB review; however, if a study sponsor wishes to have the IRB approval stamp on the Authorization, HRPP will review and approve the form. The signed original of the authorization should be maintained in the project's research records along with the signed original of the informed consent document.
- Where can I get training on Research aspects of HIPAA?
UCSD's HRPP has developed an online tutorial assessment on Research Aspects of HIPAA that covers about a dozen different HIPAA-related topics. Upon successful completion a personalized certificate of completion is generated. Register online for the tutorial here.
- Where can I get more information on HIPAA and Research?
One good source is the HIPAA website maintained by the US Office of Civil Rights. If you are a faculty member, staff member or student of UCSD, you can also call or e-mail the UCSD Human Research Protections Program with your HIPAA-related questions.