HIPAA and Research

UTA is not a HIPAA (Health Insurance Portability and Accountability Act) Covered Entity; therefore, data collected from human subjects in an independent UTA research study are not considered PHI protected by the HIPAA Privacy Rule, even if some of the information collected relates to the subjects’ physiology or health status. However, there are cases in which the Privacy Rule requirements may apply, such as when UTA is collaborating with a Covered Entity or is requesting PHI from a Covered Entity for the purposes of research. The standard method of obtaining PHI from a subject is to obtain their written Authorization, which has required elements similar to those of informed consent and can usually be combined with the consent process and documentation. PHI can also be used or obtained without Authorization under these specific circumstances:

  • Under a Waiver of Authorization (must meet certain criteria and be approved by a Privacy Board);
  • As a Limited Data Set (must be absent of specific identifiers and be formalized by a Data Use Agreement (DUA) through UTA’s Agreement Management Office);
  • Activities preparatory to research, to identify and contact prospective research subjects; or
  • For research on decedents' information (must meet certain criteria to be approved by the Covered Entity releasing the PHI).

Authorizations and Waivers of Authorization must be reviewed by a HIPAA Privacy Board. Depending on the project, UTA’s IRB may serve as the Privacy Board, or the review may be required to go through the Covered Entity’s Privacy Board. Researchers should first check with the Covered Entity to determine its policy requirements. If UTA will serve as the Privacy Board, the IRB will review the HIPAA Authorization or Waiver of Authorization as part of the IRB protocol application.

When HIPAA Authorization will be obtained, example HIPAA Authorization language that can be inserted into the consent form is available in this NIH guidance: https://privacyruleandresearch.nih.gov/authorization.asp

The protection of PHI often requires information technology safeguards; please refer to the data security standards in human subjects research for further information. Please note that any email sent to an external recipient, and any text message, that contains PHI must be encrypted to follow the HHS Policy for Encryption of Computing Devices and Information. This includes emails and text messages sent to participants.

Under federal regulations, 45 CFR 160.103, Protected health information means individually identifiable health information that is:

(i) Transmitted by electronic media;

(ii) Maintained in electronic media; or

(iii) Transmitted or maintained in any other form or medium.

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Covered entity means:

(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

UTA is not a covered entity but collaborates with covered entities. These collaborations can include the primary collection of PHI, receipt of PHI, or access to PHI.

Under the Safe Harbor de-identification standard in 45 CFR 164.514(b)(2), health information is not considered individually identifiable health information if both of the following conditions are met:

(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:

(A) Names;

(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses;

(G) Social security numbers;

(H) Medical record numbers;

(I) Health plan beneficiary numbers;

(J) Account numbers;

(K) Certificate/license numbers;

(L) Vehicle identifiers and serial numbers, including license plate numbers;

(M) Device identifiers and serial numbers;

(N) Web Universal Resource Locators (URLs);

(O) Internet Protocol (IP) address numbers;

(P) Biometric identifiers, including finger and voice prints;

(Q) Full face photographic images and any comparable images; and

(R) Any other unique identifying number, characteristic or code, except as permitted by paragraph (c) of this section; and

(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
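The Safe Harbor list above is a set of mechanical transformations, and the details that researchers most often get wrong (the "000" ZIP rule, dropping the birth year for anyone over 89, and the catch-all in item (R)) are easiest to see in code. The following is an added example, not UTA code or an official HHS tool, showing one way to apply those rules to a single intake record. The field names, the allow-list of clinical fields that pass through, the `as_of` parameter, and the `SPARSE_ZIP3` table are all assumptions made for the example; the table in particular is a constructed stand-in and must be replaced with the current Census Bureau data before use.

```python
"""Safe Harbor de-identification of one research record.

Added example for this page; it is not UTA code or an official HHS tool.
It applies the removal rules in 45 CFR 164.514(b)(2): direct identifiers
are dropped, dates are reduced to the year, ages over 89 are collapsed into
"90+" (and the birth year removed with them), and ZIP codes are cut to their
first three digits, or "000" where the three-digit area holds 20,000 or
fewer people. Field names, the allow-list and the sparse-ZIP table are
assumptions; the table must be replaced with current Census data.
"""
import re
from datetime import date

# Clinical fields allowed through unchanged (assumption about the record layout).
# Anything not listed here, not a date field and not the ZIP is dropped, which
# is how item (R), "any other unique identifying number, characteristic or
# code", is handled: default deny rather than a blocklist of known identifiers.
PASSTHROUGH_FIELDS = {"state", "sex", "diagnosis_code", "lab_results"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed stand-in for the Census-derived set of three-digit ZIP areas
# with 20,000 or fewer residents. Not authoritative; replace before use.
SPARSE_ZIP3 = {"036", "059", "102", "203", "556", "692", "821", "893"}


def safe_harbor_zip(zip_code):
    """Return the three-digit ZIP prefix, or '000' for a sparsely populated area."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in SPARSE_ZIP3 else zip3


def _to_date(value):
    """Accept a date or an ISO 8601 string such as '1931-04-17'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def completed_years(earlier, later):
    """Whole years from `earlier` to `later`, not counting a birthday not yet reached."""
    years = later.year - earlier.year
    if (later.month, later.day) < (earlier.month, earlier.day):
        years -= 1
    return years


def deidentify(record, as_of):
    """Return (deidentified_record, dropped_field_names).

    `as_of` is the date at which age is evaluated (constructed parameter);
    it may be a date or an ISO 8601 string.
    """
    as_of = _to_date(as_of)
    out, dropped = {}, []
    for key, value in record.items():
        if value is None:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)            # item (B)
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = _to_date(value).year  # item (C)
        elif key in PASSTHROUGH_FIELDS:
            out[key] = value
        else:
            dropped.append(key)   # names, MRN, email, badge numbers, ...

    # Item (C), second half: ages over 89, and any date element that would
    # reveal such an age (here the birth year), collapse into the single
    # category "90+".
    birth = record.get("birth_date")
    if birth is not None:
        age = completed_years(_to_date(birth), as_of)
        if age > 89:
            out["age"] = "90+"
            out.pop("birth_year", None)
        else:
            out["age"] = age
    return out, sorted(dropped)


SAMPLE_RECORD = {  # constructed record, not real patient data
    "name": "Jane Q. Public",
    "street_address": "123 Main St",
    "city": "Arlington",
    "state": "TX",
    "zip": "76019-0001",
    "birth_date": "1931-04-17",
    "admission_date": "2023-11-02",
    "discharge_date": "2023-11-09",
    "mrn": "MRN-00012345",
    "email": "jane@example.com",
    "sex": "F",
    "diagnosis_code": "I10",
    "employer_badge_id": "B-7781",   # not on the allow-list: dropped under (R)
}

if __name__ == "__main__":
    cleaned, removed = deidentify(SAMPLE_RECORD, as_of="2024-01-15")
    print(cleaned)
    print("dropped:", removed)
```

Two design points matter here. First, the record is reduced to an allow-list rather than scrubbed against a blocklist, because item (R) makes any unlisted identifying code a violation and a blocklist cannot anticipate every local field name. Second, the function also returns what it dropped, so the removals can be reviewed before release. Satisfying (i) is only half of Safe Harbor: condition (ii), the absence of actual knowledge that the remaining data could identify someone, is a human judgement about the residual fields (for instance, a rare diagnosis in a small state) that no script can make.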

In CITI, under the course named HIPAA for Education and Research, investigators and IRB members must complete these modules:

  • Basics of Health Privacy (ID 1417)
  • Health Privacy Issues for Researchers (ID 1419)