PARTNERS HUMAN RESEARCH COMMITTEE

HIPAA Frequently Asked Questions

A. Background

1) What is HIPAA and what is its relationship to the Privacy Rule?
2) What is the status of the Privacy Rule and when do I have to be in compliance?

B. Fundamental facts

3) What does the Privacy Rule protect?
4) Who does the Privacy Rule cover? And why does it cover me as a researcher?
5) What is identifiable information? How can information be deidentified? What is a "limited data set"?
6) Is coded information identifiable?
7) What individual rights does the Privacy Rule provide? And are these relevant to research subjects?
8) What is the Privacy Notice?
9) Individual Rights: Does a subject have a right under the Privacy Rule to see ALL of his/her research information?
10) Individual Rights: How may a subject amend his/her medical information?
11) Individual Rights: What is the accounting/tracking system?
12) What does revocation of authorization mean?

C. Key Implications for Research

13) How will the Privacy Rule affect me as a researcher?
14) How can you access existing health information (e.g., chart reviews)?
15) What are the requirements for obtaining permission to access identifiable information for research?
16) How do I obtain a waiver of consent/authorization?
17) Once I have a waiver can I access all of the subjects' information?
18) Can I still do research using records of decedents?
19) Will the Privacy Rule affect informed consent documents for clinical trials?
20) How will the Privacy Rule affect recruitment of patients to clinical trials?

A. Background:

1) What is HIPAA and what is its relationship to the Privacy Rule?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. HIPAA primarily addressed issues of insurance coverage, but it also required the development of a law providing privacy protections for health information. HIPAA called on Congress to pass a comprehensive privacy law and provided that, if Congress failed to do so within the time allowed, the Secretary of the Department of Health and Human Services (DHHS) would be required to issue regulations. Congress did not pass such a law, and the Privacy Rule was written by DHHS.

2) What is the status of the Privacy Rule and when do I have to be in compliance?

The compliance date for the original Privacy Rule was April 14, 2003. DHHS has since issued changes to the regulations to implement mandates in the Health Information Technology for Economic and Clinical Health Act of 2009 and the Genetic Information Nondiscrimination Act of 2008, and otherwise to improve the strength and workability of the rules. The compliance date for these regulatory changes is September 23, 2013.

B. Fundamental facts:

3) What does the Privacy Rule protect?

The Rule protects individually identifiable health information. Health information, which under the Rule includes genetic information (as defined by the Genetic Information Nondiscrimination Act; see http://healthcare.partners.org/phsirb/hipaaglos.htm), is information that is:

  • created or received by a "covered entity," including a health care provider, health plan, or health care clearinghouse
  • that relates to the past, present or future physical or mental health or condition of the individual, or
  • that relates to the provision of health care in the past, present or future.

Note that the Rule protects identifiable health information of decedents as well as living individuals, for a period running until 50 years after the date of death.

For a discussion of identifiable information and how it may be deidentified, please see Q&A 5 and 6 below.

4) Who does the Privacy Rule cover? And why does it cover me as a researcher?

The Privacy Rule directly covers three types of entities ("covered entities"):

  • Health Care Providers
  • Health Care Payers
  • Health Care Clearinghouses

Hospitals, physicians, and other providers within Partners are all health care providers, directly covered by the Rule. At Partners, research activities are covered by the Rule and researchers must comply with its requirements.


5) What is identifiable information? How can information be deidentified? What is a "limited data set"?

The Rule defines three categories of health information: identifiable information (to which the Rule applies), deidentified information (to which the Rule does not apply), and a limited data set (a middle option, to which limited parts of the Rule apply). Each of these is explained below.

Identifiable information: The Privacy Rule defines identifiable information indirectly, by specifying what counts as deidentified. In general, identifiable information includes information carrying any personal identifier, as well as information about an individual (or about his or her relatives, employers, or household members) that alone or in combination could identify the individual. For the specific identifiers that must be removed, see Method 1 under "Deidentified information" below.

Deidentified information:
The Privacy Rule does not apply to deidentified health information. The Rule provides two methods for deidentifying information.

Method 1:
The 18 elements listed below, relating to the individual or to the individual's relatives, employers, or household members, must be removed, and the covered entity must have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual.
1. Names
2. Geographic subdivisions smaller than a state
3. All elements of dates (except year) directly related to an individual, including dates of admission, discharge, birth, and death; for persons over 89, all elements of dates indicative of that age (including the year of birth) must be removed and the age aggregated into a single category of 90 or older.
4. Telephone numbers
5. FAX numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical Record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers including license plates
13. Device identifiers and serial numbers
14. Web URLs
15. Internet protocol addresses
16. Biometric identifiers, including finger and voice prints
17. Full face photos, and comparable images
18. Any unique identifying number, characteristic or code

Method 2:
A person with appropriate expertise must determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify the individual, and must document the methods and justification for this determination.

Limited data set: This is a set of data that is not fully deidentified. It excludes 15 of the 18 identifiers listed under Method 1 but allows retention of dates (e.g., date of birth, admission and discharge dates) and some geographic information (city, state and zip code, but not street address).

  • This option is available only for research, health care operations, and public health purposes.
  • Most Privacy Rule requirements do not apply to a limited data set used internally or disclosed (for example, disclosures do not have to be tracked).
  • BUT, the following two requirements apply:

(1) the covered entity may release only the minimum necessary information, so the intended recipient must indicate what is needed; and
(2) the recipient must agree to a "data use agreement," which generally describes the permitted uses and disclosures of the information received and prohibits re-identifying or using this information to contact the individuals.
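The two transforms above, Safe Harbor deidentification (Method 1) and construction of a limited data set, differ only in what they keep. The following added example (not part of this FAQ; written here as an illustration) applies both to a constructed patient record and screens a free-text field for identifiers that a column-level rule would miss. Field names, the sample record, the reference date used to compute age, and the regular-expression patterns are all assumptions; real datasets need the field mapping checked against the actual schema.

```python
"""Safe Harbor deidentification vs. limited data set (added illustration).

Not code from the Partners FAQ. Field names, the sample record, the
reference date and the text patterns are assumptions for illustration.
"""
import re
from datetime import date

# Method 1 identifiers 1 and 4-17, plus the street-address part of
# identifier 2: removed under Safe Harbor AND excluded from a limited
# data set. Modelled as column names (an assumption).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
# Identifier 3: dates. Kept in a limited data set; reduced to the year
# under Safe Harbor, with the birth year dropped for ages over 89.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}
# Identifier 2: geography. Safe Harbor keeps nothing smaller than a state;
# a limited data set may keep city, state and ZIP (not the street address).
GEO_FIELDS = {"city", "state", "zip"}
# Identifier 18 ("any unique identifying number, characteristic or code")
# is why free text cannot be released unreviewed: this example drops it
# and separately reports what a simple pattern screen finds in it.
FREE_TEXT_FIELDS = {"notes"}

IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "mrn": re.compile(r"\bMRN\s*#?\s*\d+\b", re.IGNORECASE),
}


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def find_identifiers_in_text(text: str) -> list:
    """Names of identifier patterns present in free text. A cheap screen
    only; it is not the expert determination of Method 2."""
    return [name for name, rx in IDENTIFIER_PATTERNS.items() if rx.search(text)]


def safe_harbor(record: dict, as_of: date) -> dict:
    """Method 1: strip the 18 identifier classes and return the remainder."""
    over_89 = age_on(record["dob"], as_of) > 89
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in FREE_TEXT_FIELDS:
            continue
        if field in DATE_FIELDS:
            if field == "dob" and over_89:
                continue            # the birth year would reveal age > 89
            out[field + "_year"] = value.year
        elif field in GEO_FIELDS:
            if field == "state":
                out[field] = value  # city and ZIP are smaller than a state
        else:
            out[field] = value
    # Ages over 89 are aggregated into a single "90 or older" category.
    out["age"] = "90+" if over_89 else str(age_on(record["dob"], as_of))
    return out


def limited_data_set(record: dict) -> dict:
    """Strip direct identifiers only; dates and city/state/ZIP survive.
    Release still requires a data use agreement and a minimum-necessary
    review of which of these fields the recipient actually needs."""
    return {
        field: value for field, value in record.items()
        if field not in DIRECT_IDENTIFIERS and field not in FREE_TEXT_FIELDS
    }


# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "0001234",
    "ssn": "000-00-0000",
    "email": "jane.sample@example.com",
    "street_address": "1 Example St",
    "city": "Boston",
    "state": "MA",
    "zip": "02114",
    "dob": date(1931, 5, 2),
    "admission_date": date(2013, 3, 10),
    "discharge_date": date(2013, 3, 14),
    "diagnosis": "I10",
    "systolic_bp": 142,
    "notes": "Pt called from 617-555-0100 re: follow-up",
}
AS_OF = date(2013, 10, 1)                       # reference date (assumption)
SAMPLE_OVER_89 = dict(SAMPLE, dob=date(1920, 12, 31))

if __name__ == "__main__":
    print("Safe Harbor:", safe_harbor(SAMPLE, AS_OF))
    print("Limited data set:", limited_data_set(SAMPLE))
    print("Identifiers in notes:", find_identifiers_in_text(SAMPLE["notes"]))
```

Note that the limited data set retains the exact date of birth and ZIP code, which is why it needs a data use agreement; and that neither transform makes the `notes` field releasable, since the pattern screen finds a telephone number in it.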


6) Is coded information identifiable?

Coded information is information from which the 18 identifiers listed in Method 1 have been removed and replaced with a code, so that the individual cannot reasonably be identified from the information itself. The Privacy Rule treats such information as deidentified provided the code is not derived from information about the individual (a hash of the medical record number, for example, would not qualify) and the key linking codes to identities is not disclosed; that key itself remains protected health information.

Of note, the Privacy Rule and the Common Rule (the regulation that governs human subject research and imposes IRB requirements) do not agree on whether coded information is "identifiable." The Common Rule, in contrast to the Privacy Rule, considers coded information to be identifiable. Therefore, even where access to coded information alone is not covered by the Privacy Rule, it is covered by the Common Rule and still requires IRB review.
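Whether coded information is truly deidentified depends on how the code is made. The added example below (not from this FAQ) contrasts a code computed from the medical record number, which anyone holding the coded data can reverse by enumerating MRNs, with a random code whose crosswalk is held separately by the covered entity. The condition that a re-identification code must not be derived from information about the individual comes from the Privacy Rule's re-identification provision (45 CFR 164.514(c)), not from the FAQ text. The MRN width (5 digits), the sample records and the field names are assumptions; real MRNs are longer, which only lengthens the enumeration.

```python
"""Re-identification codes for coded research data (added illustration).

Not code from the Partners FAQ. Assumes MRNs are 5-digit zero-padded
numbers; sample records are constructed, not real patient data.
"""
import hashlib
import secrets
from typing import Dict, List

MRN_DIGITS = 5  # assumed width of a medical record number


def derived_code(mrn: str) -> str:
    """The weak scheme: a code computed from the identifier itself."""
    return hashlib.sha256(mrn.encode()).hexdigest()[:16]


def reidentify_derived(code: str, digits: int = MRN_DIGITS) -> str:
    """Anyone holding the coded data recovers the MRN by enumeration:
    10**digits candidates, with no key needed. The individual can
    therefore "reasonably be identified" and the data are not deidentified."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if derived_code(candidate) == code:
            return candidate
    raise LookupError("no MRN of that width produces this code")


class CodeBook:
    """Random codes with the crosswalk held by the covered entity only.
    The coded dataset travels without the key; the key never leaves."""

    def __init__(self) -> None:
        self._mrn_by_code: Dict[str, str] = {}   # the key: code -> MRN
        self._code_by_mrn: Dict[str, str] = {}

    def code_for(self, mrn: str) -> str:
        """Same MRN always gets the same code, so records stay linkable."""
        if mrn not in self._code_by_mrn:
            code = secrets.token_hex(8)          # 64 random bits, unrelated to mrn
            self._code_by_mrn[mrn] = code
            self._mrn_by_code[code] = mrn
        return self._code_by_mrn[mrn]

    def reidentify(self, code: str) -> str:
        """Only possible for whoever holds the key."""
        return self._mrn_by_code[code]


def code_records(records: List[dict], book: CodeBook) -> List[dict]:
    """Replace the MRN with the subject's code; other fields pass through."""
    return [
        {**{k: v for k, v in r.items() if k != "mrn"},
         "subject_code": book.code_for(r["mrn"])}
        for r in records
    ]


# Constructed sample records; not real patient data.
SAMPLE_RECORDS = [
    {"mrn": "01234", "diagnosis": "I10", "year": 2013},
    {"mrn": "04321", "diagnosis": "E11", "year": 2013},
    {"mrn": "01234", "diagnosis": "I10", "year": 2012},
]

if __name__ == "__main__":
    weak = derived_code("01234")
    print("derived code", weak, "reverses to MRN", reidentify_derived(weak))
    book = CodeBook()
    for r in code_records(SAMPLE_RECORDS, book):
        print(r)
```

The coded records can be shared with a collaborator who is then in the position described in Q&A 6: no identifier, no key, and no way to compute one. The covered entity keeps the `CodeBook` instance (in practice a separately secured table) for re-identification when the protocol requires it.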


7) What individual rights does the Privacy Rule provide? And are these relevant to research subjects?

The Privacy Rule gives individuals a number of new rights. Research subjects will enjoy similar rights.

Individuals/subjects have the right to:

  • Request access to their health care information
  • Request that their health care information be amended
  • Receive, upon request, an accounting of disclosures of their health information that they did not specifically authorize (unless another exception applies)
  • Revoke authorization for the use/disclosure of identifiable health information, to the extent the researchers have not already relied on it.
  • Request an alternative means or place of contacting the individual (e.g., home vs. work)
  • Request restrictions on uses or disclosures (the covered entity or researcher is not required to agree)

8) What is the Privacy Notice?

The Privacy Notice is a document that describes how Partners HealthCare System will use, disclose, and protect a person's health information. Everyone entering the Partners HealthCare System must receive a copy of this Notice and sign an acknowledgment of receipt. Research subjects who receive their health care at a Partners HealthCare System setting should have received this Notice as part of the provision of their care. If, however, a person's enrollment in research is his or her first interaction with Partners HealthCare System after the compliance date of the Rule, then it is incumbent on the investigator to provide the subject with the Privacy Notice and to make a good faith effort to obtain signed documentation that the Notice was received.


9) Individual Rights: Does a subject have a right under the Privacy Rule to see ALL of his/her research information?

No.

Under the Privacy Rule, a subject can access any information that is maintained in a Designated Record Set. The Privacy Rule defines a Designated Record Set as medical and billing records about individuals and any other records used to make decisions about individuals. Therefore, the Designated Record Set includes information that is generated in research and recorded in the medical chart or billing records, as well as information that is recorded elsewhere (e.g., a lab notebook) but that may be used to make clinical or billing decisions about the subject (e.g., a blood pressure reading). However, information that is generated in research and lacks clinical validity or clinical utility generally will be considered outside of the Designated Record Set (unless it is recorded in the medical chart or billing records).

The Privacy Rule allows a researcher to delay access to the Designated Record Set until the end of the study (e.g., in the case of a randomized controlled trial). But, the investigator must inform the subject of such a delay in the authorization to use or disclose identifiable health information. (Note that it is possible that additional research information might have to be released pursuant to a subpoena or other legal process.)

10) Individual Rights: How may a subject amend his/her medical information?

Under the Privacy Rule, individuals may request amendment of protected health information to which they have access. There will not be a separate amendment process for investigators. Investigators must be able to refer subjects to the appropriate institutional office for processing of a request for amendment. For more information see the Partners policy 'Patient Rights: Access and Amendment to Protected Health Information' (PHS internal only link)

11) Individual Rights: What is the accounting/tracking system?

The Privacy Rule requires that a record be kept that tracks the disclosure of any identifiable information that is made without an authorization (with very few other exceptions). (Disclosed means that the information was sent to an entity outside of Partners HealthCare System - this means that tracking does not have to be done for uses of information within the Partners system.)

Hence, for research, disclosures must be tracked whenever they are made under a waiver of authorization.

Each investigator must maintain a record of individuals who had PHI disclosed under a waiver of authorization within the last six years. The following items generally must be tracked and made available to an individual upon request.

  • Date of the disclosure
  • Name of person/entity that received the PHI
  • Description of what PHI was disclosed
  • Brief statement regarding the purpose of the disclosure

One caveat:

If a research protocol requires multiple disclosures to the same outside party over a period of time, the following tracking is adequate:

  • For the first disclosure, all of the above must be tracked.
  • For subsequent disclosures, tracking can refer to the initial tracking and should include the frequency, periodicity or the number of disclosures that will be made.
  • The date of the last disclosure must be documented.

In summary, if a person requests a record of all disclosures of PHI, the person may receive:

  • specific information about any disclosure of his/her PHI made without authorization (subject to some additional exceptions), including disclosures made under a waiver of authorization.

What is the researcher's responsibility?

  • Obtain individuals' authorization as required by the Privacy Rule, and consider obtaining it even where a waiver would be available if tracking will be difficult, since the Rule does not require tracking of authorized disclosures
  • For disclosures with a waiver of authorization:
    • Maintain a tracking log with the names of each individual for whom PHI was disclosed as well as the disclosure information noted above.
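The tracking log described in Q&A 11 has to answer one question on demand: which non-authorized disclosures of this individual's PHI were made in the last six years, and what were they. The following added example (not part of this FAQ) models such a log, including the exemption for authorized disclosures, the six-year lookback, and the caveat that repeat disclosures to the same outside party may refer back to the initial entry with a frequency and a last date. Subject identifiers, recipient names, the entries and the request date are constructed assumptions.

```python
"""Accounting of disclosures made under a waiver (added illustration).

Not code from the Partners FAQ. The fields and the six-year window follow
Q&A 11; the subjects, recipients, entries and request date are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

RETENTION_YEARS = 6   # the accounting covers the six years before the request
REQUEST_DATE = date(2013, 10, 1)   # date of a hypothetical request (assumption)


@dataclass
class Disclosure:
    subject_id: str                 # individual whose PHI left Partners
    disclosed_on: date              # date of the disclosure
    recipient: str                  # person or entity that received the PHI
    description: str                # what PHI was disclosed
    purpose: str                    # brief statement of purpose
    authorized: bool = False        # True if the subject signed an authorization
    # Recurring disclosures to the same outside party under one protocol:
    # the first entry is complete, later ones update frequency and last date.
    frequency: Optional[str] = None
    last_disclosed_on: Optional[date] = None


def _years_before(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:              # 29 February in a non-leap target year
        return d.replace(year=d.year - years, day=28)


class DisclosureLog:
    def __init__(self) -> None:
        self.entries: List[Disclosure] = []

    def record(self, entry: Disclosure) -> None:
        self.entries.append(entry)

    def record_recurrence(self, subject_id: str, recipient: str,
                          on: date, frequency: str) -> Disclosure:
        """Log a repeat disclosure by reference to the initial full entry
        (the caveat in Q&A 11) rather than as a new complete record."""
        for e in self.entries:
            if e.subject_id == subject_id and e.recipient == recipient and not e.authorized:
                e.frequency = frequency
                e.last_disclosed_on = on
                return e
        raise LookupError("no initial disclosure on file; record it in full first")

    def accounting_for(self, subject_id: str, requested_on: date) -> List[Disclosure]:
        """What the individual is entitled to receive: every non-authorized
        disclosure of his/her PHI whose last occurrence falls in the window."""
        cutoff = _years_before(requested_on, RETENTION_YEARS)
        return [
            e for e in self.entries
            if e.subject_id == subject_id
            and not e.authorized
            and (e.last_disclosed_on or e.disclosed_on) >= cutoff
        ]


def format_entry(e: Disclosure) -> str:
    line = f"{e.disclosed_on} to {e.recipient}: {e.description} ({e.purpose})"
    if e.last_disclosed_on:
        line += f"; repeated {e.frequency}, last on {e.last_disclosed_on}"
    return line


def build_sample_log() -> DisclosureLog:
    """Constructed entries for one hypothetical waiver-approved protocol."""
    log = DisclosureLog()
    # One-off disclosure in 2006: outside the six-year window by October 2013.
    log.record(Disclosure("S-001", date(2006, 2, 1), "Registry X",
                          "diagnosis codes, admission dates", "registry data pooling"))
    # Quarterly transfers to a coordinating center, continuing into 2013.
    log.record(Disclosure("S-001", date(2010, 6, 15), "Coordinating Center Y",
                          "lab values, visit dates", "multicenter chart review"))
    log.record_recurrence("S-001", "Coordinating Center Y", date(2013, 3, 1), "quarterly")
    # Disclosure the subject authorized in writing: exempt from tracking.
    log.record(Disclosure("S-001", date(2012, 1, 20), "Sponsor Z",
                          "case report forms", "clinical trial", authorized=True))
    # A different subject under the same protocol.
    log.record(Disclosure("S-002", date(2012, 5, 5), "Coordinating Center Y",
                          "lab values, visit dates", "multicenter chart review"))
    return log


if __name__ == "__main__":
    for e in build_sample_log().accounting_for("S-001", REQUEST_DATE):
        print(format_entry(e))
```

For subject S-001 the accounting on 1 October 2013 lists only the recurring transfers to the coordinating center: the 2006 disclosure is older than six years and the sponsor disclosure was authorized. Keeping the log keyed by individual is what makes this query cheap; a log kept per protocol would have to be searched in full for every request.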

12) What does revocation of authorization mean?

A subject has always had the right to revoke consent to participate in research. The Privacy Rule also permits a subject to revoke permission for researchers to use or disclose his or her identifiable information for research. The researchers must honor this request, except to the extent they have already relied on the permission. For example, if researchers have already included a person's protected health information in an analysis, the analysis can be maintained, but the researcher should consult with the IRB regarding the individual's request. In addition, HHS guidance specifies that researchers may "continue using and disclosing protected health information that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study." This means that researchers may not obtain or disclose additional information that they had not yet accessed at the time the authorization was withdrawn. They may, however, use or disclose identifiable information already gathered for purposes such as accounting for the subject's withdrawal, reporting adverse events, or complying with investigations.

C. Key Implications for Research:

13) How will the Privacy Rule affect me as a researcher?

The Rule will affect you in two major ways:

1. How you access existing health information (e.g., chart reviews)
2. How you handle identifiable information created as part of clinical research

Each of these is addressed separately below.

14) How can you access existing health information (e.g., chart reviews)?

First, you must ask whether the information is identifiable (as defined in Q&A 5 and 6).

If the information is not identifiable, the Privacy Rule does not apply.

If the information is identifiable, the Privacy Rule applies, and you may access the information only if:

  • you obtain written permission ("authorization") from the individuals, or
  • you obtain a waiver of the authorization requirement from the IRB.

15) What are the requirements for obtaining permission to access identifiable information for research?

Both the Common Rule and the Privacy Rule must be considered.

The Common Rule requires either an informed consent or a waiver of informed consent for any human subjects research. Records review research is almost always done under expedited review with a waiver of informed consent. The Common Rule allows a waiver only if specific criteria are met.

The Privacy Rule requires a written authorization or a waiver of authorization for access to existing protected health information. It is assumed that most records review will be allowed under a waiver of authorization. The Privacy Rule allows a waiver of authorization only if specific criteria are met.

Of note, the criteria required by the Common Rule and the Privacy Rule are similar, but not the same.

In the rare situation in which informed consent and authorization are both required for access to existing PHI, the informed consent and the authorization can be merged into a single document if all elements required by both rules are included. But, as noted above, for access to medical records for research purposes a waiver of consent and authorization will most often be approved.

16) How do I obtain a waiver of consent/authorization?

As is current practice, you must apply to the IRB to obtain a waiver of informed consent to the research. The IRB will also consider waivers of written authorization. The Privacy Rule permits a waiver of authorization to use or disclose identifiable health information, but its criteria differ from those for a waiver of consent under the Common Rule. Therefore, you will need to submit information to the IRB that addresses all the criteria of both rules.

17) Once I have a waiver can I access all of the subjects' information?

No.

The Privacy Rule permits only the minimum necessary amount of information to be accessed under a waiver for research. You will have to identify and justify what identifiable health information you will need.

18) Can I still do research using records of decedents?

19) Will the Privacy Rule affect informed consent documents for clinical trials?

Yes.

The Common Rule already requires the informed consent process and form to address how confidentiality will be protected. The Privacy Rule imposes more specific requirements: in addition to informed consent, investigators must obtain a written authorization for the use and disclosure of subjects' identifiable health information. This authorization must include several detailed elements.

The Privacy Rule does allow the authorization language to be incorporated into the IRB-approved consent form, so that subjects have to sign only a single form.

In general, the following items must be considered. If, as part of the clinical trial, the investigator plans to access a subject's existing health information, then the informed consent document must contain the elements of the Privacy Rule authorization required for accessing health information. The IRB has template language for this authorization.

The consent form must also include authorization for the use and disclosure of new information generated in the course of the research. The Privacy Rule specifies elements that must be included. The IRB has template authorization language that incorporates all Privacy Rule requirements.

20) How will the Privacy Rule affect recruitment of patients to clinical trials?

Researchers may recruit study participants in a number of ways, and privacy protections must be considered for each. As background, research in which an individual is contacted or recruited for enrollment must be reviewed and approved by an IRB. The Common Rule requires an IRB to consider the process for subject recruitment as part of its review. (Please see existing Partners recruitment policies.)

The Privacy Rule adds a new privacy focus to this review, as explained below. Following IRB review and approval of recruitment procedures:

(i) an individual may contact a researcher about a study with no new Privacy Rule requirements;
(ii) a treating physician may share information with a researcher to determine a patient's eligibility for a study with no new Privacy Rule requirements;
(iii) as is current practice, if approved by the IRB, a treating physician and a researcher within Partners may co-sign a recruitment letter to patients with no new Privacy Rule requirements; and
(iv) if a researcher wants to review medical records to identify potential subjects, then, as is current practice, the researcher must apply to the IRB for a waiver by completing the PHRC protocol application, and the waiver determination will now include Privacy Rule criteria as well as Common Rule criteria.

Following IRB review of recruitment procedures, an investigator may access protected health information en route to obtaining authorization and consent from a research subject. PHI gathered from individuals who decline to enroll must be eliminated. Please see the PHRC policy: Prescreening of Research Subjects During Recruitment.

Updated 10/2013