The HIPAA Privacy Rule establishes a category of health information, referred to as protected health information (PHI), which may be used or disclosed to others only in certain circumstances or under certain conditions. PHI is a subset of what is termed individually identifiable health information. With certain exceptions, the Privacy Rule applies to individually identifiable health information created or maintained by a covered entity. Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain defined HIPAA transactions, such as claims, eligibility inquiries, and research. Researchers are not themselves covered entities, unless they are also health care providers and engage in any of the covered electronic transactions. If researchers are employees of a covered entity (e.g., a covered hospital, such as Memorial Hermann Hospital or UT Health), they must comply with the UT HIPAA privacy policies and procedures.
The list of the 18 identifiers are as follows: (1) Names (including initials); (2) all geographic subdivisions smaller than a state, except for the initial three digits of the ZIP code if the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; (3) all elements of dates except year, and all ages over 89 or elements indicative of such age; (4) telephone numbers; (5) fax numbers; (6) email addresses; (7) social security numbers; (8) medical record numbers; (9) health plan beneficiary numbers; (10) account numbers; (11) certificate or license numbers; (12) vehicle identifiers and license plate numbers; (13) device identifiers and serial numbers; (14) URLs; (15) IP addresses; (16) biometric identifiers; (17) full-face photographs and any comparable images; (18) any other unique, identifying characteristic or code, except as permitted for re-identification in the Privacy Rule.
HIPAA Authorization for Disclosure of PHI
One way the Privacy Rule protects the privacy of PHI is by generally giving individuals the opportunity to agree to the uses and disclosures of their PHI by signing an Authorization form for uses and disclosures not otherwise permitted by the Rule. The Privacy Rule establishes the right of an individual, such as a research subject, to authorize a covered entity to use and disclose his/her PHI for research purposes. This requirement is in addition to the informed consent to participate in research. A valid Privacy Rule Authorization is an individual’s signed permission that allows a covered entity to use or disclose the individual’s PHI for the purposes, and to the recipient or recipients, as stated in the Authorization. When an Authorization is obtained for research purposes, the Privacy Rule requires that it pertain only to a specific research study, not to nonspecific research or to future, unspecified projects. The Privacy Rule considers the creation and maintenance of a research repository or database as a specific research activity, but the subsequent use or disclosure by a covered entity of information from the database for a specific research study will require separate Authorization unless the PHI use or disclosure is permitted without Authorization or by waiver (see waiver information below). If an Authorization for research is obtained, the actual uses and disclosures made must be consistent with what is stated in the Authorization. The signed Authorization must be retained by the covered entity for 6 years from the date of creation or the date it was last in effect, whichever is later.
IRB Waiver – Screening and Recruitment
CPHS may permit researchers to review PHI in medical records or elsewhere to prepare a research protocol, or for similar purposes preparatory to research, such as screening and recruiting potential participants. This review allows the researcher to determine, for example, whether a sufficient number or type of records exists to conduct the research; and/or identifying potential candidates for inclusion into the study prior to obtaining informed consent.
IRB Waiver – Retrospective Chart Review
For some types of research, it may be impracticable for researchers to obtain written Authorization from research participants, for example, for some research conducted on existing databases or repositories where no contact information is available. The Privacy Rule permits a covered entity to use or disclose PHI for research purposes without Authorization (or with an altered Authorization), if the covered entity received proper documentation that CPHS has granted a waiver (or an alteration) of the Authorization requirement for the research use or disclosure of PHI.
IRB Waiver – Decedent Data
CPHS may provide access to decedents’ records for research purposes if the covered entity receives from the researcher: representations that the decedents’ PHI is necessary for the research and is being sought solely for research on the PHI of decedents (not, for example, living relatives of decedents); and, upon request of the covered entity, documentation of the deaths of the study subjects.
Studies Exempt from HIPAA
Covered entities may use or disclose health information that is de-identified without restriction under the Privacy Rule. Covered entities seeking to release this health information must determine that the information has been deidentified using either statistical verification of de-identification or by removing certain pieces of information from each record as specified in the Rule. The Privacy Rule allows a covered entity to de-identify data by removing all 18 elements that could be used to identify the individual or the individual’s relatives, employers, or household members; these elements are enumerated in the Privacy Rule. The covered entity also must have no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information.