Overview: Principal Investigators (“PI”) seeking access to and use of Private Health Information (“PHI”) of individually identifiable persons need to understand how the HIPAA Privacy Rule affects their access to and use of such information. The following information is provided to help PIs identify issues they may have to consider in accessing and using such information. Additional guidance may be obtained at www.hhs.gov/ocr/hipaa and www.hhs.gov/ocr/privacysummary.pdf. In addition to considering the HIPAA Privacy Rule, PIs must also identify and comply with any additional federal, state, local, institutional, or funding agency privacy regulations or policies.

Some HIPAA Terminology

The Privacy Rule: The US Department of Health and Human Services issued the Privacy Rule in accordance with HIPAA. The Privacy Rule addresses the use and disclosure of individuals' health information (called Protected Health Information or PHI) by organizations subject to the Privacy Rule (called Covered Entities). The Privacy Rule requires that research subjects give authorization (contrast with human subject consent to participate in research) to use their PHI. Under some limited circumstances as defined within the regulation, individual authorization for PHI may be waived.

Business Associate: A business associate is generally an organization that performs functions or services for a covered entity that involve the use or disclosure of individually identifiable health information. These functions and services may include, but are not limited to, claims processing, data analysis, utilization review, and billing. Health policy and services researchers will oftentimes not need a business associate contract with a covered entity, but rather a protocol approved by an IRB or privacy board that meets HIPAA Privacy Rule requirements (see below). However, covered entities may initially assume that a business associate relationship is required before they can allow health policy or services research using PHI.

Covered Entities: Health plans, health care clearinghouses, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by the Privacy Rule. A decision tool for covered entity status is found at www.hhs.gov/oc/hipaa

Privacy Boards: For many health policy and services research projects, it is not practicable to obtain individual authorization to use PHI from all research subjects. Privacy boards, as well as IRBs, may consider and grant a request to waive (or alter) research subject authorization to use PHI. Covered entities may have an IRB, a privacy board, or both. PIs seeking a waiver or alteration of authorization must determine to whom to make their request.

Protected Health Information: Individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

Protected Health Information (PHI), HIPAA, and Research

Overview: PHI includes demographic and other data that relate to a specifically identifiable individual's past, present, or future physical or mental health or condition; the provision of health care to that individual; or the past, present, or future payment for the provision of health care to that individual.

Authorized Use of PHI: Individuals may authorize in writing the release and/or disclosure of their PHI by covered entities. Health policy and services researchers who directly interact with subjects may obtain this authorization. Subjects can often provide authorization at the same time as informed consent.

De-identifying Health Information: PIs may choose to conduct research with de-identified health information. There are two ways to de-identify information: either 1) a formal determination by a qualified statistician; or 2) the removal of 18 specified identifiers and the absence of any knowledge by the covered entity that the remaining information could be used to identify the individual. Researchers must consult with the relevant privacy boards and IRBs to determine which of these two approaches should be used for their particular research project.

Disclosing PHI for Research: The Privacy Rule permits a covered entity to use and disclose PHI without written authorization by the subject of the PHI for research in the limited circumstances where the covered entity obtains: (1) documentation that alteration or waiver of individual authorizations has been approved by an IRB or Privacy Board; (2) representation by the researcher that the only intended use of the information is to prepare a research protocol for which the PHI is necessary for the research with an assurance that no PHI will be removed from the covered entity; and (3) if the research is solely for examining PHI of deceased persons and is necessary for the research. Covered entities also may make de-identified datasets available for health policy and services research.