HIPAA is the Health Insurance Portability and Accountability Act of 1996. This federal law has an "Administrative Simplification" title within it that includes provisions for Privacy and Security of personal health information, as well as for electronic standards for communicating claims data, and unique identifiers for healthcare providers and organizations. The provisions of HIPAA that most affect research are the Privacy Rule, and a corresponding Security Rule.
A covered entity is an organization that, by virtue of providing healthcare services and billing for them using electronic means, is subject to the provisions of HIPAA. The University of California is a "hybrid covered entity" meaning that provides healthcare services but also has other functions, such as education and research.
Protected Health Information is a type of individually-identifiable information that arises out of a healthcare service context. The protections of the HIPAA Privacy Rule apply to PHI. Not all individually identifiable information is PHI, however. Specifically, in a research context, a study only uses or produces PHI if it is using medical records as a source of information, or is providing a healthcare service to the research participant. For more information on this, see the University of California's HIPAA Task Force paper on the topic of when research data is and is not PHI.
If the research involves review of person-identifiable medical records, or the study results in new information that is added to medical records (such a test of a new diagnostic or therapeutic agent or device), then it is using or creating PHI and is subject to HIPAA Privacy Rule provisions.
However, not all person-identifiable information acquired in
setting is PHI. For more information on this, see the University
of California's HIPAA Task Force paper on the topic of when
research data is and is not PHI. When in doubt, contact the HRPP
program office and we will assist you in determining whether HIPAA
Research projects that are subject to HIPAA will require the following:
For research studies that use or create PHI, HIPAA mandates that 7 additional elements be explained in a separately signed authorization for use of personal health information:
Compliance was required as of April 14, 2003. Newly enrolled participants in research studies affected by HIPAA will need to sign a separate HIPAA authorization form. Permissions and authorizations executed prior to April 14, 2003 remain in place, and there is no need to re-consent participants already enrolled in studies as of that date.
De-identified information is the term used for personal health information that has had identifying characteristics removed. This form of data was historically called "anonymous" but the authors of HIPAA recognized that health information is so rich in potentially identifying characteristics that it can never be truly anonymous; there will always be some potential for re-identification of an individual. HIPAA contains a "safe harbor" provision that states information is not subject to HIPAA restrictions on PHI if 18 different elements are removed. A listing of these elements is available as part of the UCSD HRPP Factsheet on Deidentified Health Information.
A minimum data set is a partially de-identified dataset that has 8 elements removed rather than 18. Because a minimum data set retains information that could be used to relatively easily re-identify an individual (such as medical record numbers and dates of hospital admissions), research involving use or disclosure of a minimum data set has to be accompanied by a Data Use Agreement specifying the researcher's agreement to use the data only for approved research purposes, and that the researcher will not attempt to re-identify individuals. Although HIPAA does not require IRB review of research that uses HIPAA minimum data sets, at UCSD researchers should submit an application for Expedited Review to receive documentation of project approval for presentation to the Medical Records Department.
As noted in the application instructions, item 11, a copy of the HIPAA authorization(s) that will be used on the study must be provided to the IRB. The IRB reviews the authorization to ensure information outlined as being collected in the Research Plan is appropriately requested on the authorization. Note that the authorization cannot be revised and is not stamped approved by the IRB because the authorization is a institutional document.
Return to UCSD HRPP HIPAA information page