HIPAA-related Projects in SSA and Chapin Hall

University of Chicago, SSA/CHC IRB January 2018 School of Social Service Administration & Chapin Hall IRB

Guidance on Health Insurance Portability and Accountability Act (HIPAA)

I. Overview

The Privacy Rule, at 45 CFR parts 160 and 164, establishes a category of health information, defined as protected health information (PHI), which requires an individual to provide signed permission, known as an Authorization that satisfies the Privacy Rule, before a Covered Entity can use or disclose the individual's PHI for research purposes.

Under certain circumstances, however, the Privacy Rule permits a Covered Entity to use or disclose PHI for research without an individual's Authorization. One way a Covered Entity can use or disclose PHI for research without an Authorization is by obtaining proper documentation of a waiver of the Authorization requirement by an IRB or Privacy Board.

Authorizations and waivers of Authorizations will only permit the use or disclosure for the specific research study for which they were obtained.

The Privacy Rule applies to Covered Entities and Business Associates but it may still affect researchers who are not part of a Covered Entity because their access to PHI may be from a data provider or data owner who is a Covered Entity or Business Associate. An entity described as a Business Associate provides certain contractual services but those services do not involve research; however, a Covered Entity may engage Business Associates to assist in de-identifying PHI, to prepare de-identified data, or a Limited Data Set.

Serving as a privacy board under Section 164.512 of the Privacy Rule the SSA/CHC IRB reviews all HIPAA projects in SSA and Chapin Hall (unless another privacy board or IRB reviews a project).

II. Researchers Access to Protected Health Information

1. Collection or Analysis of Identifiable Health Information for Research Purposes.

In general, the Privacy Rule allows Covered Entities to use and disclose PHI for research if authorized to do so by the subjects. PHI can be used for research studies if a protocol study uses an Authorization Form (preferably the Covered Entity’s) to request permission from individuals to access their PHI, or if the protocol study demonstrates that the Covered Entity already obtained Authorization from individuals for a specific research project.

2. An Authorization Waiver or Partial Waiver Requests for Research Purposes.

PHI can be used or disclosed for research if a Covered Entity receives documentation that an IRB or Privacy Board has waived the requirement for Authorization or allowed an alteration. Researchers may request a waiver or alteration of Authorization in a protocol study if the IRB application provides the following required review criteria:

    1. The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals based on the presence of the following elements:
      1. An adequate plan to protect the identifiers from improper use and disclosure;
      2. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
      3. An adequate written assurance that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by this subpart;
    2. The research could not practicably be conducted without the waiver or alteration; and;
    3. The research could not practicably be conducted without access to and use of the PHI.3. 

3. PHI or Health Information that Does Not Identify Individuals.

De-identifying PHI. Covered Entities may use or disclose health information that is deidentified without restriction under the Privacy Rule. Covered Entities or Business Associates seeking to release this health information must determine that the information has been de-identified using either statistical verification of de-identification or by removing certain pieces of information from each PHI record.

Non-identifiable data must meet one of the following two criteria:

    1. Only fully de-identified data are used as determined by the Safe Harbor method (removal of 18 types of identifiers) or determined by an statistician expert who applies statistical or scientific principles under §164.514; or
    2. A Limited Data Set is obtained under an approved Data Use Agreement, which must be signed by an Institutional Official. The Date Use Agreement (DUA) must specify the following:
      1. Uses, and who is permitted to receive it;
      2. Safeguards to prevent the use or disclosure of the information other than as provided for in the DUA;
      3. Assurance to report to the Covered Entity of any un-allowed use of data;
      4. Assurance that any named subcontractor, to whom the recipient provides the Limited Data Set, agrees to the same restrictions and conditions that apply to the recipient; and
      5. Not identify the information or contact the individuals.

4. PHI Use is Solely for Preparatory to Research.

Activities involved in preparing for research, Covered Entities may use or disclose PHI to a researcher without an individual’s Authorization, a waiver or an alteration of Authorization or a data use agreement.

The Covered Entity must obtain from researchers the following statements:

    1. A written or oral request that will be presented to the Covered Entity’s designated official to access PHI for research preparation (e.g., for identifying potential subjects or protocol development);
    2. Acknowledgement that the researchers are not permitted to remove any PHI from the Covered Entity;
    3. The PHI for which use or access is requested is necessary for the research.

5. Research on Decedents’ PHI.

To use or disclose PHI of the deceased for research, Covered Entities are not required to obtain Authorizations from a personal representative or family member, a waiver or an alteration of the Authorization, or a data use agreement. However, the Covered Entity must receive from the researcher who is seeking access to decedents’ PHI the following:

    1. Oral or written representations that the use and disclosure is sought solely for research on the PHI of decedents;
    2. Oral or written representations that the PHI for which use or disclosure is sought is necessary for the research purposes,; and
    3. Documentation, at the request of the Covered Entity, of the death of the individuals whose PHI is sought by the researchers.

III. Key Definitions

Covered Entity

Covered Entity is a health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard.

Business Associate

Business Associate provides services limited to legal, actuarial, accounting, consulting, data aggregation, and management as required under a Covered Entity and Business Associate contract.

Health Information

Health Information is any information, whether oral or recorded in any form or medium, that (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health, condition or future payment of an individual for the provision of health care to an individual.

Individually Identifiable Health Information (IIHI)

IIHI is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a Covered Entity and (2) relates with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected Health Information (PHI)

PHI is individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.

De-Identified Health Information

De-identified Health Information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to deidentify protected health information; either: (1) a formal determination by a qualified statistician;

Limited Data Set

A Limited Data Set is a dataset of PHI from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed (16 out of 18 type of identifiers as defined by HIPAA). A Limited Data Set may be used and disclosed for research, health care operations, or public health purposes, provided the recipient of the Limited Data Set enters into a data use agreement signed by an Institutional Official.

State Laws for Private Health Records Illinois

State Laws relating to private identifiable health information also govern research when applicable (e.g., Personal Information Protection Act, Mental Health and Developmental Disabilities Confidentiality Act, HIV Confidentiality Act, and Alcoholism and Other Drug Abuse and Dependency Act). or (2) the removal of specified 18 identifiers (Safe Harbor method).

Non-Research Permitted Uses and Disclosures without Authorization

(1) PHI released to the individual patient, or provided for an opportunity for the individual (or legally authorized representative) to agree or object or object to the use or disclosure; (2) PHI used for treatment, payment, and health care operations (including Business Associate contracts); (3) PHI disclosed for public health situations and needs; (4) PHI disclosed when compelled by law; and (5) Business Associate contractual services.