HIPAA Frequently Asked Questions

Most of you are aware that the new Privacy Rule will require changes in the way that you conduct clinical research. New Questions and Answers will be added over the next months, so please periodically check this site for updates.

A. Background

1) What is HIPAA and what is its relationship to the Privacy Rule?
2) What is the status of the Privacy Rule and when do I have to be in compliance?

B. Fundamental facts

3) What does the Privacy Rule protect?
4) Who does the Privacy Rule cover? And why does it cover me as a researcher?
5) What is identifiable information? How can information be deidentified? What is a "limited data set"?
6) Is coded information identifiable?
7) What individual rights does the Privacy Rule provide? And are these relevant to research subjects?
8) What is the Privacy Notice?
9) Individual Rights: Does a subject have a right under the Privacy Rule to see ALL of his/her research information?
10) Individual Rights: How may a subject amend his/her medical information?
11) Individual Rights: What is the accounting/tracking system?
12) What does revocation of authorization mean?

C. Key Implications for Research

13) How will the Privacy Rule affect me as a researcher?
14) How can you access existing health information (e.g., chart reviews)?
15) What are the requirements for obtaining permission to access identifiable information for research?
16) How do I obtain a waiver of consent/authorization?
17) Once I have a waiver can I access all of the subjects' information?
18) Can I still do research using records of decedents?
19) Will the Privacy Rule affect informed consent documents for clinical trials?
20) How will the Privacy Rule affect recruitment of patients to clinical trials?
21) Will I have to use new consent forms starting on April 14, 2003?
22) I am conducting a medical records study under an IRB-approved waiver of consent obtained prior to April 14, 2003. Do I need to do anything with respect to the Privacy Rule?

A. Background:

1) What is HIPAA and what is its relationship to the Privacy Rule?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. HIPAA primarily addressed issues of insurance coverage, but in addition it required that privacy protections for health information be put in place. HIPAA directed Congress to pass a comprehensive privacy law; if Congress did not do so within three years, the Secretary of the Department of Health and Human Services (DHHS) was required to issue regulations instead. Congress did not pass such a law, and the Privacy Rule was therefore written by DHHS.

2) What is the status of the Privacy Rule and when do I have to be in compliance?

The compliance date is April 14, 2003; as of that date we must be in compliance with the Privacy Rule.

B. Fundamental facts:

3) What does the Privacy Rule protect?

The Rule protects individually identifiable health information ("protected health information," or PHI). The Rule defines this as information that:

  • is created or received by a "covered entity" (a health care provider, health plan, or health care clearinghouse);
  • relates to the past, present or future physical or mental health or condition of the individual, to the provision of health care to the individual, or to payment for that care; and
  • identifies the individual, or could reasonably be used to identify the individual.

For a discussion of identifiable information and how it may be deidentified, please see Q&A 5 and 6 below.

4) Who does the Privacy Rule cover? And why does it cover me as a researcher?

HIPAA covers three types of entities:

  • Health Care Providers
  • Health Care Payers
  • Health Care Clearinghouses

Hospitals, physicians, and other providers within Partners are all health care providers, directly covered by the Rule. Partners and PCHI are covered as clearinghouses because of certain billing functions they have.

  • Researchers who provide health care to individuals (e.g., in a clinical trial) are directly covered as health care providers.
  • Researchers who access existing protected health information must comply with the Privacy Rule because all Partners entities and affiliated individuals must protect the privacy of individually identifiable health information used or released for treatment and other purposes, including research.


5) What is identifiable information? How can information be deidentified? What is a "limited data set?"

The Rule defines three categories of health information: identifiable information (to which the Rule applies), deidentified information (to which the Rule does not apply), and a limited data set (a middle option, to which limited parts of the Rule apply). Each of these is explained below.

Identifiable information: The Privacy Rule defines identifiable information indirectly, by specifying what counts as deidentified. In general, identifiable information includes information carrying any personal identifier, as well as information about an individual, or about his or her relatives, employer or household members, that alone or in combination could identify the individual. For more detail, see the identifiers that must be removed to deidentify information.

Deidentified information:
The Privacy Rule does not apply to deidentified health information. The Rule provides two methods for deidentifying such information.

Method 1:
The 18 specific elements listed below, relating to the individual or to the individual's relatives, employer or household members, must be removed, and you must have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual.
1. Names
2. Geographic subdivisions smaller than a state (street address, city, county, precinct, zip code). The first three digits of a zip code may be kept only if the area they cover contains more than 20,000 people; otherwise they must be changed to 000.
3. All elements of dates (except year) directly related to an individual, including dates of admission, discharge, birth and death. For persons over 89, the age and any date element (including the year of birth) that would reveal it must be removed, or aggregated into a single category of "90 or older."
4. Telephone numbers
5. FAX numbers
6. Electronic mail addresses
7. SSN
8. Medical Record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers including license plates
13. Device identifiers and serial numbers
14. Web URLs
15. Internet protocol addresses
16. Biometric identifiers, including finger and voice prints
17. Full face photos, and comparable images
18. Any unique identifying number, characteristic or code

Method 2 (expert determination):
A person with appropriate statistical and scientific expertise must determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify the individual. This person must also document the methods and the results of the analysis that justify the determination.

Limited data set: This is a set of data that is not fully deidentified. It must exclude the direct identifiers listed in method 1 (names, street address, telephone and FAX numbers, e-mail addresses, SSNs, medical record and health plan numbers, account, certificate and license numbers, vehicle and device identifiers, URLs, IP addresses, biometric identifiers and full face photos), but it may retain dates (e.g., date of birth, admission and discharge dates) as well as some geographic information (town or city, state and zip code, but not street address).

  • This option is available only for research, health care operations, and public health purposes.
  • Most Privacy Rule requirements do not apply to a limited data set used internally or disclosed (for example, disclosures do not have to be tracked).
  • BUT, the following two requirements apply:

(1) the covered entity may release only the minimum necessary information, so the intended recipient must indicate what is needed; and
(2) the recipient must agree to a "data use agreement," which generally describes the permitted uses and disclosures of the information received and prohibits re-identifying or using this information to contact the individuals.


6) Is coded information identifiable?

The Privacy Rule treats coded information as deidentified if the 18 identifiers have been removed (or replaced by a code), the code is not derived from or related to information about the individual (for example, it may not be a scrambled medical record number or SSN), and the code cannot otherwise be translated to identify the individual. The key that links codes back to individuals is itself protected health information: it must be kept apart from the coded data and may not be disclosed with it.
Of note, the Privacy Rule and the Common Rule (the regulation that governs human subject research and imposes IRB requirements) do not agree on whether coded information is "identifiable." The Common Rule, in contrast to the Privacy Rule, considers coded information to be identifiable. Therefore, while access to coded information alone might not be covered by the Privacy Rule, it is covered by the Common Rule and would still require IRB review.
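The following is an added example, not code from this FAQ or from Partners. It applies the two data-reduction options described in Q&A 5 (method 1 "Safe Harbor" deidentification and a limited data set) to one constructed patient record, and shows the coding practice from Q&A 6: the re-identification code is random rather than derived from the MRN or SSN, and the code-to-MRN key is written to a separate store that remains PHI. The field names, the sample patient, the free-text regular expressions, the reference date and the small-population zip-prefix list are all assumptions made for the illustration; the three-digit zip rule comes from the regulation (45 CFR 164.514(b)) rather than from the text above.

```python
"""Safe Harbor deidentification vs. a limited data set (45 CFR 164.514).

Added example, not code from the Partners FAQ.  The record layout, the sample
patient, the free-text regexes, the reference date and the ZIP3 list are
constructed for illustration.
"""
import re
import secrets
from datetime import date

# Direct identifiers removed by BOTH Safe Harbor and a limited data set
# (items 1, the street part of 2, and 4-17 of the list in Q&A 5).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Three-digit zip prefixes covering 20,000 people or fewer must become 000
# under Safe Harbor.  Constructed placeholder: build the real set from Census data.
ZIP3_SMALL_POPULATION = {"036", "059"}

# Identifiers that leak through free text (constructed, deliberately simple;
# production clinical notes need a proper text scrubber).
DIRECT_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]
DATE_IN_TEXT = re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")  # mm/dd/yyyy -> yyyy

AS_OF = date(2023, 6, 1)  # constructed reference date for computing ages

SAMPLE = {  # constructed patient record; no real person
    "name": "Jane Q. Sample", "mrn": "000123456", "ssn": "123-45-6789",
    "dob": date(1930, 3, 15), "admit_date": date(2022, 11, 3),
    "discharge_date": date(2022, 11, 9),
    "street_address": "1 Example Way", "city": "Boston", "state": "MA",
    "zip": "02114", "phone": "617-555-0100", "email": "jane@example.org",
    "diagnosis": "I10",
    "note": "Pt called 617-555-0100 on 11/03/2022; see https://example.org/chart/123",
}


def scrub_text(text, dates_to_year):
    """Replace direct identifiers in free text; optionally reduce dates to year."""
    for pattern, repl in DIRECT_TEXT_PATTERNS:
        text = pattern.sub(repl, text)
    if dates_to_year:
        text = DATE_IN_TEXT.sub(r"\1", text)
    return text


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def limited_data_set(record):
    """Drop direct identifiers; keep full dates and city/state/zip (Q&A 5)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    return {k: scrub_text(v, dates_to_year=False) if isinstance(v, str) else v
            for k, v in out.items()}


def safe_harbor(record, key_store, as_of=AS_OF):
    """Method 1 deidentification.  Returns the record carrying a random
    re-identification code; the code -> MRN link goes into key_store, which
    stays PHI and must be held apart from the deidentified data (Q&A 6)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    over_89 = "dob" in record and age_on(record["dob"], as_of) > 89
    for field in DATE_FIELDS & set(out):
        if field == "dob" and over_89:
            del out[field]                 # not even the birth year may remain
        else:
            out[field] = out[field].year   # every date element except the year goes
    if "dob" in record:
        out["age"] = "90+" if over_89 else age_on(record["dob"], as_of)
    out.pop("city", None)                  # smaller than a state: remove
    if "zip" in out:                       # keep ZIP3 only where population > 20,000
        prefix = out["zip"][:3]
        out["zip"] = "000" if prefix in ZIP3_SMALL_POPULATION else prefix
    out = {k: scrub_text(v, dates_to_year=True) if isinstance(v, str) else v
           for k, v in out.items()}
    code = secrets.token_hex(8)            # random: not derived from MRN, SSN or name
    key_store[code] = record["mrn"]
    out["code"] = code
    return out


if __name__ == "__main__":
    key = {}
    print("Safe Harbor:", safe_harbor(SAMPLE, key))
    print("Limited data set:", limited_data_set(SAMPLE))
    print("Re-identification key (PHI, keep separate):", key)
```

Run as a script, the Safe Harbor output keeps only state, ZIP3, diagnosis, admission and discharge years, an age bucket of "90+" (the sample patient is over 89, so the birth date disappears entirely) and a scrubbed note; the limited data set keeps the full dates and city/zip but still loses the phone number and URL embedded in the note. Whoever holds the key dictionary holds PHI, and under Q&A 5 a recipient of the limited data set must sign a data use agreement before receiving it.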


7) What individual rights does the Privacy Rule provide? And are these relevant to research subjects?

The Privacy Rule gives individuals a number of new rights. Research subjects will enjoy similar rights.

Individuals/subjects have the right to:

  • Request access to their health care information
  • Request that their health care information be amended
  • Receive, upon request, an accounting of disclosures of their medical information that were made without their specific authorization (unless another exception applies).
  • Revoke authorization for the use/disclosure of identifiable health information, to the extent the researchers have not already relied on it.
  • Request an alternative means or place of contacting the individual (e.g., home vs. work)
  • Request restrictions on uses or disclosures (but the covered entity or researcher is not required to agree)

8) What is the Privacy Notice?

The Privacy Notice is a document that describes how Partners HealthCare System will use, disclose, and protect a person's health information. Everyone entering the Partners HealthCare System must receive a copy of this Notice and sign a form attesting to receipt of same. Research subjects who receive their health care at a Partners HealthCare System setting should have received this notice as part of the provision of their care. If, however, a person's enrollment into research is the first interaction with Partners HealthCare System after the compliance date of the Rule, then it is incumbent on the investigator to provide the subject with the Privacy Notice and to make a good faith effort to obtain signed documentation that the Notice was received.


9) Individual Rights: Does a subject have a right under the Privacy Rule to see ALL of his/her research information?

No.

Under the Privacy Rule, a subject can access any information that is maintained in a Designated Record Set. The Privacy Rule defines a Designated Record Set as medical and billing records about individuals and any other records used to make decisions about individuals. Therefore, the Designated Record Set includes information that is generated in research and recorded in the medical chart or billing records, as well as information that is recorded elsewhere (e.g., a lab notebook) but that may be used to make clinical or billing decisions about the subject (e.g., a blood pressure reading). However, information that is generated in research and lacks clinical validity or clinical utility generally will be considered outside of the Designated Record Set (unless it is recorded in the medical chart or billing records).
The Privacy Rule allows a researcher to delay access to the Designated Record Set until the end of the study (e.g., in the case of a randomized controlled trial). But, the investigator must inform the subject of such a delay in the authorization to use or disclose identifiable health information. (Note that it is possible that additional research information might have to be released pursuant to a subpoena or other legal process.)

10) Individual Rights: How may a subject amend his/her medical information?

Under the Privacy Rule, individuals may amend protected health information to which they have access. There will not be a separate amending process for investigators. Investigators must be able to refer subjects to the appropriate institutional office for processing of a request for amendment. Specifics about such referral are being developed.

11) Individual Rights: What is the accounting/tracking system?

The Privacy Rule requires that a record be kept that tracks any disclosure of identifiable information made without an authorization (with a few other exceptions). "Disclosed" means that the information was sent to an entity outside Partners HealthCare System; tracking therefore does not have to be done for uses of information within the Partners system.
Hence for research, tracking of disclosures will have to be done if a waiver of authorization is obtained.

Each institution must maintain a record of individuals who had PHI disclosed within the last six years. The Privacy Officer will develop a centralized system for these records because, when a person requests an accounting of disclosures, Partners may need to provide a list of disclosures from any Partners entity with which the person has a relationship (if that is the request). The following items generally must be tracked and made available to an individual upon request.

  • Date of the disclosure
  • Name of person/entity that received the PHI
  • Description of what PHI was disclosed
  • Brief statement regarding the purpose of the disclosure

One caveat:

If a research protocol requires multiple disclosures to the same outside party over a period of time, the following tracking is adequate:

  • For the first disclosure, all of the above must be tracked.
  • For subsequent disclosures, tracking can refer to the initial tracking and should include the frequency, periodicity or the number of disclosures that will be made.
  • The date of the last disclosure must be documented.

In summary, if a person requests a record of all disclosures of PHI, the person may receive:

specific information about any disclosures of the requesting individual's PHI that were made without his/her authorization (with some additional exceptions), including disclosures made under a waiver of authorization; and

What is the researcher's responsibility?

  • Obtain individuals' authorization wherever the Privacy Rule requires it, and consider obtaining it even where a waiver would be available if tracking disclosures would be difficult, since the Rule does not require tracking of authorized disclosures
  • For disclosures with a waiver of authorization:
    • Provide the Privacy Officer with the names of each individual for whom PHI was disclosed as well as the disclosure information noted above.

12) What does revocation of authorization mean?

    A subject has always had the right to revoke consent to participate in research. The Privacy Rule also permits a subject to revoke permission for researchers to use or disclose his or her identifiable information for research. The researchers must honor this request, except to the extent they have already relied on the permission. For example, if researchers have already included a person's protected health information in an analysis, the analysis can be maintained, but the researcher should consult with the IRB regarding the individual's request. In addition, HHS guidance specifies that researchers may "continue using and disclosing protected health information that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study." This guidance means that researchers may not use or disclose information they had not yet obtained at the time the authorization was revoked. They may, however, use or disclose identifiable information already gathered for purposes such as accounting for the subject's withdrawal, reporting adverse events, or complying with investigations.

C. Key Implications for Research:

13) How will the Privacy Rule affect me as a researcher?

    The Rule will affect you in two major ways:

    1. How you access existing health information (e.g., chart reviews)
    2. How you handle identifiable information created as a part of clinical research.
    Each of these is addressed separately.

14) How can you access existing health information (e.g., chart reviews)?

    First, you must ask if the information is identifiable (as defined in Q&A numbers 5 and 6).

    If the information is not identifiable, the Privacy Rule does not apply.

    If the information is identifiable, the Privacy Rule applies, and you may access the information if:

      • you obtain written permission ("authorization") from the individuals, or
      • you obtain a waiver of the requirement for authorization from the IRB.

15) What are the requirements for obtaining permission to access identifiable information for research?

    Both the Common Rule and the Privacy Rule must be considered.

    The Common Rule requires either an informed consent or a waiver of informed consent for any human subjects research. (See PHRC Consent Form Instructions.) Records review research is almost always done with an expedited review and a waiver of informed consent. The Common Rule allows a waiver only if specific criteria are met.

    The Privacy Rule requires a written authorization or waiver of authorization for access to existing protected health information. It is assumed that most records review will be allowed with a waiver of the authorization. The Privacy Rule allows a waiver of authorization if specific criteria are met.

    Of note, the criteria required by the Common Rule and the Privacy Rule are similar, but not the same.

    In the rare situation in which informed consent and authorization are required for access to existing PHI, the informed consent and the authorization can be merged into a single document if all elements required by both rules are included. But, as noted above, for accessing medical records for research purposes a waiver of consent and authorization will most often be approved.

16) How do I obtain a waiver of consent/authorization?

    As is current practice, you must apply to the IRB to obtain a waiver of informed consent to the research. The IRB will also consider waivers of written authorization. The Privacy Rule permits a waiver of authorization to use or disclose identifiable health information, but it has different criteria than those for a waiver of consent under the Common Rule. Therefore, you will need to submit information to the IRB that addresses all the criteria of the two rules.

17) Once I have a waiver can I access all of the subjects' information?

    No.

    The Privacy Rule permits only the minimum necessary amount of information to be accessed under a waiver for research. You will have to identify and justify what identifiable health information you will need.

18) Can I still do research using records of decedents?

    Yes. The Privacy Rule allows research on decedents' records, but privacy must be protected. Researchers must be aware of the policy regarding research on decedents.

    All research protocols involving protected health information must be submitted to the HRC/IRB. As is current practice, the HRC/IRB will review the protocol. In most situations of records review, this is an expedited review with a waiver of the informed consent and authorization. If the research includes access to the records of decedents, the investigator will be asked to document that the decedents' PHI will only be used for research and that the information is necessary for the research.
    Investigators must also be aware that the Privacy Rule permits the covered entity to request documentation of the deaths.

19) Will the Privacy Rule affect informed consent documents for clinical trials?

    Yes.

    The Common Rule already requires the informed consent process and form to address how confidentiality will be protected. The Privacy Rule imposes more specific requirements, in that in addition to informed consent, investigators must obtain a written authorization for the use and disclosure of subjects' identifiable health information. This authorization must include several detailed elements.

    The Privacy Rule does allow the authorization language to be incorporated into the IRB approved consent form - thus, subjects would have to sign only a single form.

    In general, the following items must be considered: If as part of the clinical trial, the investigator plans to access a subject's existing health information, then the informed consent document must contain the required elements of the Privacy Rule authorization for accessing health information. Partners Research Affairs will provide model language for the authorization.

    The consent form must include authorization for the use and disclosure of information that is generated in the course of the research. The Privacy Rule includes specific criteria that must be included. Research Affairs will provide model language that incorporates all Privacy Rule requirements.

20) How will the Privacy Rule affect recruitment of patients to clinical trials?

    Researchers may recruit study participants in a number of ways. Privacy protections must be considered for each. As background, research in which an individual is contacted or recruited for enrollment must be reviewed and approved by an IRB. The Common Rule requires an IRB to consider the process for subject recruitment as part of its review. (Please see existing Partners recruitment policies and forms on recruitment).

    The Privacy Rule adds a new privacy focus to this review, as explained below. Following IRB review and approval of recruitment procedures:

    (i) an individual may contact a researcher about a study with no new Privacy Rule requirements;
    (ii) a treating physician may share information with a researcher to determine a patient's eligibility for a study with no new Privacy Rule requirements;
    (iii) as is current practice, if approved by the IRB, a treating physician and researcher within Partners may co-sign a recruitment letter to patients with no new Privacy Rule requirements; and
    (iv) if a researcher wants to review medical records to identify potential subjects, then as is current practice, the researcher must apply for a waiver to the IRB by completing the PHRC protocol application, and the waiver determination will now include Privacy Rule criteria as well as the Common Rule criteria.

    Following IRB review of recruitment procedures, an investigator may access protected health information en route to obtaining authorization and consent from a research subject. PHI gathered from individuals who decline to enroll must be destroyed. Please see the PHRC policy: Prescreening of Research Subjects During Recruitment.

21) Will I have to use new consent forms starting on April 14, 2003?

    Any subject enrolled in a study on or after April 14, 2003 will have to sign a consent/authorization form that is compliant with the Common Rule and the Privacy Rule. Subjects who were enrolled before April 14, 2003 and have signed a Common Rule-compliant consent form do not have to sign an authorization. Even if subjects enrolled before April 14th have follow-up visits after that date, at this time new authorization will not be required.

    Therefore, if all of your subjects were enrolled prior to April 14, 2003, you do not need a new consent form. But, if you plan to enroll any new subjects after April 14, 2003, you will need a new HIPAA-compliant consent/authorization document.

22) I am conducting a medical records study under an IRB-approved waiver of consent obtained prior to April 14, 2003. Do I need to do anything with respect to the Privacy Rule?

    You should continue protecting the privacy of subjects' information, but you do not need to re-apply to the IRB. Ongoing studies for which the IRB approved a waiver of informed consent before April 14, 2003 are grandfathered under the Privacy Rule. HHS specifically rejected the need for an IRB to reconsider these studies, given the undue burden it would impose. Although a new waiver is not required, it is important to note that the individual rights provided by the Privacy Rule go into effect on April 14, 2003. As a result, any disclosure of PHI made pursuant to a waiver of authorization must be tracked as noted above.