National Institutes of Health


Sitemap Contact
National Institutes of Health HIPAA Privacy Rule - Information for Researchers
HomeDictionaryFAQResources

Educational Materials

Clinical Research

Authorizations

Institutional Review Boards

Privacy Boards

Information for Patients

HIPAA Privacy Rule Booklet for Research

Health Services Research and the HIPAA Privacy Rule

Research Repositories, Databases


Slide Presentations

National Institutes of Health
Slide Presentation on the Privacy Rule and Research


01 | 02 | 03 | 04 | 05 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43

Slide 01

Please see description below for information in image.

This presentation provides basic information about certain provisions of the Privacy Rule in the context of health research. It is not official guidance, does not contain all relevant provisions, and attendees should consult the Privacy Rule at 45 CFR Parts 160 and 164 and guidance (http://www.hhs.gov/ocr/hipaa).

Top of Page

Slide 02

Please see description below for information in image.

The HIPAA Privacy Rule and Research

Top of Page

Slide 03

Please see description below for information in image.

The Privacy Rule...

Beginning on April 14, 2003, the Privacy Rule protects the privacy of certain individually identifiable health information by establishing conditions for its use and disclosure by health plans*, health care clearinghouses, and certain health care providers.

*Small health plans not required to comply until April 14, 2004.

Top of Page


Slide 04

Please see description below for information in image.

How Might the Privacy Rule Affect Research?

Depends on:
What you do/where you work
Type of information you use, collect, receive or release

Top of Page

Slide 05

Please see description below for information in image.

Three Rules -- Privacy Rule, Common Rule, FDA Regulations

  • Privacy Rule does not replace or modify the Common Rule or FDA regulations.


  • Privacy Rule is in addition to privacy protections of these regulations.


    • Applies to covered entities regardless of funding.
    • Contains standards for de-identifying health information.
    • Requires Authorization for certain uses and disclosures of certain health information.
    • Applies to decedents' information.
Top of Page

Slide 06

Please see description below for information in image.

Who is Covered?

  • A health care provider who transmits health information electronically in connection with a transaction for which the Secretary has adopted standards.
         Example: a physician who electronically bills for services
  • A health plan.
  • A health care clearinghouse.
Top of Page

Slide 07

Please see description below for information in image.

What is Covered?

Protected Health Information (PHI) = Covered Entity + Health information + Identifier

  • Transmitted or maintained in any form (paper, oral, electronic, forms, web-based, etc.).
  • Decedents' information included.
  • Does not include de-identified health information or biological tissue and certain other exceptions (e.g., employment records or education records covered by FERPA).
Top of Page

Slide 08

Please see description below for information in image.

Removal of These Identifiers* Makes Information De-identified

- Names
- Geographic info (including city and ZIP)
- Elements of dates (except year), ages over 89 years
- Telephone #s
- Fax #s
- E-mail address
- Social Security #
- Medical record, prescription #s
- Health plan beneficiary #s
- Account #s
- Certificate/license #s
- VIN and Serial #s, license plate #s
- Device identifiers, serial #s
- Web URLs
- IP address #s
- Biometric identifiers (finger prints)
- Full face, comparable photo images
- Unique identifying #s

*See 45 CFR 164.514(b)(2)(i) for a complete list.
Health information is de-identified if the above identifiers of the individual or of relatives, employers, or household members of the individuals are removed and the covered entity has no actual knowledge that remaining information can be used, alone or in combination with other information, to identify the individual.


Top of Page

Slide 09

Please see description below for information in image.

Sources of PHI

MEDICAL CHART Checklist:
Covered Entity?
Yes No

Individually Identifiable?
Yes No

Health Information*?
Yes No
Record No. 0012345
Name: Jane Doe
Address: 1234 NIH Way
Bethesda, MD 20892
Date of Birth: 12/05/60
Gender: Female
Physician: Dr. Smith
Diagnosis: Bronchitis
Treatment: Zithromax

*PHI includes demographic information about an individual. See the definitions of health information and individually identifiable health information at 45 CFR 160.103.

Top of Page

Slide 10

Please see description below for information in image.

Sources of PHI

Research Study Database

Study ID Last Name Zip Code Age DBP SBP Heart Rate
001 Doe 20892 41 80 120 60
002 Smith 20601 35 90 140 78
003 Jacob 32548 38 81 130 70
004 Cho 56482 45 85 120 67
Checklist:
Covered Entity?
Yes No

Individually Identifiable?
Yes No

Health Information*?
Yes No
*PHI includes demographic information about an individual. See the definitions of health information and individually identifiable health information at 45 CFR 160.103.

Top of Page

Slide 11

Please see description below for information in image.

Key Point about Research

  • For research, the Privacy Rule permits covered entities to use and disclose PHI for research conducted:
    • with individual authorization, or
    • without individual authorization under limited circumstances.
Top of Page

Slide 12

Please see description below for information in image.

Authorizations for Research

  • Must be for a specific research study - Authorization for future, unspecified research is NOT permitted but Authorization may be obtained to permit the use or disclosure of PHI to create or maintain a repository or database.
  • Different from, but may be combined with, informed consent.
  • Review/approval by IRB/Privacy Board NOT needed under Privacy Rule. (But other regulations would require IRB review when combined with informed consent documents.)
  • Must contain "core elements" & "required statements," and a signed copy must be given to the individual.
  • Research Authorizations need not expire, but this must be stated.
Top of Page

Slide 13

Please see description below for information in image.

Elements of an Authorization to Use or Disclose PHI

Core Elements (signified by * ) Statements (signified by - )
* Description of PHI to be used or disclosed
* Person(s) authorized to make the requested use or disclosure.
* Person(s) to whom the covered entity may disclose PHI.
* Each purpose for the use or disclosure.
* Expiration date or event* (e.g. "end of the research study" or "none").
* Participant Signature and
       Date
- Right to revoke Authorization plus exceptions and process.
- Ability/Inability to condition treatment, payment, or enrollment/eligibility for benefits on Authorization.
- PHI may no longer be protected by Privacy Rule once it is disclosed by the covered entity.
The authorization must be written in plain language, and the covered entity must provide the individual with a copy of the signed Authorization.

Top of Page

Slide 14

Please see description below for information in image.

Common Rule vs. Privacy Rule

Research WITH patient permission

Common Rule/ FDA Regulated ==> IRB review and Informed consent
Privacy Rule ==> Individual authorization

Top of Page

Slide 15

Please see description below for information in image.

Not All Research Activities Need Authorization!

  • For research, the Privacy Rule permits covered entities to use and disclose PHI for research conducted:
    • with individual authorization, or
    • without individual authorization under limited circumstances.
Top of Page

Slide 16

Please see description below for information in image.

Use or Disclosure of PHI Without Authorization

Covered entities do not always need to get Authorization for research-related activities.

  1. De-identify PHI.
  2. Limited Data Set with Data Use Agreement.
  3. IRB or Privacy Board waiver of Authorization requirement.
  4. Activity preparatory to research.
  5. Research is on decedents' information.
  6. Research qualifies for the Transition Provisions.
Top of Page

Slide 17

Please see description below for information in image.

Option 1: De-identified Health Information

  • Completely de-identified information (18 elements removed) and no knowledge that remaining information can (alone or in combination with other information) identify the individual.
OR
  • Statistically "de-identified" information where a qualified statistician determines that there is a "very small" risk that the information could be used, alone or in combination with other reasonably available information, to identify the individual and documents the methods and results of the analysis.
Top of Page

Slide 18

Please see description below for information in image.

Does "Unique Identifier" Include a
Re-identification Code?

  • A covered entity may assign a code to allow information de-identified under the Privacy Rule to be re-identified by the covered entity, as long as:
    • The code is not derived from or related to information about the individual.
    • The code is not otherwise capable of being translated to identify the individual. And
    • The covered entity does not use or disclose the code for any other purpose, and does not disclose the mechanism for re-identification.
  • Disclosure of a code or other means of record identification designed to enable coded (or otherwise de-identified information) to be re-identified is a disclosure of PHI. And
  • If de-identified information is re-identified, a covered entity must use or disclose such re-identified information in accordance with the Privacy Rule.
Top of Page

Slide 19

Please see description below for information in image.

Option 2: Limited Data Set with Data Use Agreement

  • The Privacy Rule permits limited types of identifiers to be released for research with health information (referred to as a Limited Data Set).
  • Limited Data Sets can only be used and released in accordance with a Data Use Agreement between the covered entity and the recipient.
Top of Page

Slide 20

Please see description below for information in image.

Limited Data Set with Data Use Agreement

A data set that excludes the following direct identifiers can be considered a Limited Data Set
  • Names
  • Postal address info (if other than city, town, state, and ZIP)
  • Telephone and fax #s
  • E-mail address
  • Social Security #
  • Medical record numbers
  • Health plan #s
  • Account #s
  • Certificate/license #s
  • VIN and Serial #s, license plate #s
  • Device identifiers, serial #s
  • Web URLs
  • IP address #s
  • Biometric identifiers (finger prints)
  • Full face photographic images and any comparable images

Top of Page

Slide 21

Please see description below for information in image.

Limited Data Set with Data Use Agreement

  • The Limited Data Set CAN contain
    • Elements of Dates.
    • City, town, state, and ZIP.
    • Other unique identifiers, characteristics and codes not previously listed as direct identifiers (previous slide).
Top of Page

Slide 22

Please see description below for information in image.

MEDICAL CHART Individually Identifiable

MEDICAL CHART Checklist:
Covered Entity?
Yes No

Individually Identifiable?
Yes No

Health Information*?
Yes No
Record No. 0012345
Name: Jane Doe
Address: 1234 NIH Way
Bethesda, MD 20892
Date of Birth: 12/05/60
Gender: Female
Physician: Dr. Smith
Diagnosis: Bronchitis
Treatment: Zithromax

Top of Page

Slide 23

Please see description below for information in image.

MEDICAL CHART Individually Identifiable Limited Data Set

MEDICAL CHART Checklist:
Covered Entity?
Yes No

Individually Identifiable?
Yes No

Health Information*?
Yes No
Record No.
Name:
Address: 1234 NIH Way
Bethesda, MD 20892
Date of Birth: 12/05/60
Gender: Female
Physician: Dr. Smith
Diagnosis: Bronchitis
Treatment: Zithromax

Top of Page

Slide 24

Please see description below for information in image.

MEDICAL CHART De-identified

MEDICAL CHART Checklist:
Covered Entity?
Yes No

Individually Identifiable?
Yes No

Health Information?
Yes No
Record No.
Name:
Address:
Date of Birth:
Gender: Female
Physician: Dr. Smith
Diagnosis: Bronchitis
Treatment: Zithromax

If the covered entity has actual knowledge that remaining information can be used to identify the individual, the information is considered individually identifiable, and therefore, generally is PHI.

Top of Page

Slide 25

Please see description below for information in image.

The Data Use Agreement MUST

  • Describe permitted uses and disclosures (recipient cannot use or disclose PHI in a way that the covered entity cannot).
  • Identify who can use and receive the Limited Data Set.
  • Require the recipient to:
    • Use or disclose information for specified purposes only.
    • Apply safeguards to protect the information.
    • Report known, non-permitted uses or disclosures to the covered entity.
    • Ensure that agents/ subcontractors agree to the same standards as in the agreement.
    • Not re-identify the information or contact the individuals.
Top of Page

Slide 26

Please see description below for information in image.

Option 3: Waiver of Authorization

  • A covered entity is permitted to use or disclose PHI for research when it obtains required documentation of the IRB or Privacy Board approval of a waiver of Authorization.
  • Note: A covered entity is also permitted to use or disclose PHI for research when it obtains an altered Authorization under the Privacy Rule and required documentation of the IRB or Privacy Board approval of an alteration of Authorization.
Top of Page

Slide 27

Please see description below for information in image.

IRB/Privacy Board Criteria for Waiving or Altering Authorization

  1. The use or disclosure involves no more than minimal risk because of an adequate plan/assurance:
Yes No
  1. To protect identifiers from improper use or disclosure.
Yes No
  1. To destroy identifiers at earliest opportunity, consistent with the conduct of the research.
Yes No
  1. That PHI will not be inappropriately reused or disclosed.
Yes No
  1. The research could not practicably be conducted without the waiver or alteration.
Yes No
  1. The research could not practicably be conducted without access to and use of PHI.
Yes No

Signature of IRB/Privacy Board Chair (or Designee)               Date

Top of Page

Slide 28

Please see description below for information in image.

Required Documentation of a Waiver or Alteration of Authorization Includes:

  1. Identity of the approving IRB or Privacy Board.
  2. Date on which the waiver or alteration was approved.
  3. A statement that the IRB or Privacy Board has determined that all of the specified criteria for a waiver or an alteration were met.
  4. A brief description of the PHI for which use or access has been determined by the IRB or Privacy Board to be necessary in connection with the specific research activity.
  5. A statement that the waiver or alteration was reviewed and approved under either normal or expedited review procedures.
  6. The required signature of the IRB or Privacy Board chair or the chair's designee.
Top of Page

Slide 29

Please see description below for information in image.

Option 4: Preparatory to Research Covered entity must obtain representation from the researcher that:

Covered entity must obtain representation from the researcher that:

  • The use or disclosure of PHI is sought solely to prepare a protocol or for a similar preparatory purpose.
  • PHI will not be removed from the covered entity. AND
  • PHI is necessary for research purposes.
Top of Page

Slide 30

Please see description below for information in image.

Research Recruitment Identify Subjects Contact Subjects

Covered Entity Identify Subjects Contact Subjects
Yes

  • Preparatory to Research provision.
  • Need representation from workforce member.
Yes

  • Health care operation to get Authorization.
  • Waiver of Authorization.
Researcher (non-covered)
Yes

  • Preparatory to Research provision.
  • Need representation from researcher.
Yes

  • Waiver of Authorization.
  • As a business associate of covered entity for the health care operation.

Top of Page

Slide 31

Please see description below for information in image.

Option 5: Research on Decedents' PHI*

Researcher must represent that:

  • Use or disclosure solely for research on decedents' information.
  • PHI is necessary for research, and
  • Individual is a decedent, and provide documentation upon covered entity's request.


*Research on decedents' PHI could include information generated from dissecting a corpse.

Top of Page

Slide 32

Please see description below for information in image.

Option 6: "Grandfathered" Research Permissions

  • Grandfathered-in under the Transition Provisions if, BEFORE April 14, 2003, covered entity obtains:
    • Participant's informed consent,
    • Waiver by an IRB of informed consent (unless informed consent sought after compliance date), or
    • Authorization or other express legal permission to use or disclose PHI for research.
    • Grandfathering ends when any change made after compliance date makes prior permission invalid.
Top of Page

Slide 33

Please see description below for information in image.

EXAMPLE: Transition Provisions

  • A study needs 1000 participants enrolled.
  • 600 enrolled by signing informed consent before April 14, 2003.
  • 400 will enroll after April 14, 2003.
  • How many participants need to give Authorization? 400
  • How many informed consents were transitioned (presuming the informed consent was not nullified by revisions)? 600
Top of Page

Slide 34

Please see description below for information in image.

If the Transition Provisions do not Apply and the information is PHI...

A covered entity will need one of the following:
  1. Authorization,
  2. IRB/Privacy Board waiver or alteration of Authorization,
  3. Appropriate representations and/or documentation when the use or disclosure is on decedents' information or for reviews preparatory to research, or
  4. Data Use Agreement for limited data set disclosures.
Top of Page

Slide 35

Please see description below for information in image.

Public Health Disclosures to a Public Health Authority

  • Disclosure without Authorization permitted to a public health authority and certain other entities for public health activities.
  • EXAMPLE: Adverse event reporting to a person subject to the jurisdiction of FDA (e.g., clinical trials drug sponsor), FDA or NIH (where authorized to receive such reports).
  • A covered entity may disclose PHI related to an adverse event to NIH if required to do so by NIH regulations. Even if not required to do so, the researcher may disclose adverse events to NIH as a public health authority, as noted above.
  • Also see guidance on public health at http://www.cdc.gov/privacyrule/
Top of Page

Slide 36

Please see description below for information in image.

Privacy Rights Affecting Research

The Privacy Rule generally entitles individuals to, among other things:

  • Access and request amendments to their PHI in health records.
  • Receive an accounting of certain disclosures.
  • Revoke an Authorization.
Top of Page

Slide 37

Please see description below for information in image.

Access to Research Records

  • Individuals have the right to inspect and obtain a copy of their PHI maintained by covered entities in a "designated record set."
  • For research records, patients may have right to access records if:
    • The records involve medical records (e.g., some clinical trials) or they are used to "make decisions about individuals." AND
    • The researcher is a covered entity or a business associate of a covered entity.
  • EXCEPT: While a trial is ongoing, covered researchers may deny access if the individual agrees in advance (e.g., in an Authorization) and has been informed that access resumes upon completion of research.
Top of Page

Slide 38

Please see description below for information in image.

Accounting for Disclosures

  • "Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information."
  • A covered entity is generally required to account for PHI research disclosures made after the compliance date without Authorization.
  • Including for research disclosures of PHI for:
    • Reviews preparatory to research.
    • Research using decedents' PHI.
    • Research under a waiver of Authorization (including waivers that meet the transition provision requirements).
    • Disclosures for public health activities.
    • Most disclosures mandated by law.
Top of Page

Slide 39

Please see description below for information in image.

Types of Accounting

  • Generally
    Description of PHI, date, recipient, recipient address if known, purpose.
  • Multiple disclosures to same person for same purpose
    Description of PHI, date of first disclosure; recipient; recipient address if known; purpose; frequency, periodicity or no. of disclosures, date of last disclosure.
  • For disclosures of PHI of 50 or more individuals for a particular research purpose
    Name of protocol, description of protocol or research activity and PHI disclosed, date or period of time during which disclosure occurred or may have occurred and last date of disclosure, name, address, and phone no. of sponsor and recipient (and a requirement to assist in contacting the sponsor/researcher), statement that the PHI may or may not have been disclosed for a particular protocol or research activity.
Top of Page

Slide 40

Please see description below for information in image.

Accounting - When NOT needed

Accounting is NOT needed for disclosures of PHI:

  • Pursuant to an Authorization.
  • In Limited Data Sets with a Data Use Agreement.
  • To the individual.
  • Made before April 14, 2003.
  • Which have been de-identified.
  • To carry out treatment, payment, or health care operations purposes.
  • For certain other purposes.
Top of Page

Slide 41

Please see description below for information in image.

Accounting for Research Disclosures

With a waiver of Authorization?
Yes No
When decedent's Info? Yes No
When preparatory to research? Yes No
When public health activities, e.g. adverse event reporting? Yes No
With "grandfathered" permissions? Yes No
To the patient? Yes No
Before April 14, 2003 (or April 14, 2004, for small health plans)? Yes No

Top of Page

Slide 42

Please see description below for information in image.

Revoking an Authorization

  • Individuals have the right to revoke their Authorization.
  • EXCEPT, covered entities may continue to use or disclose PHI that was obtained before a revocation if necessary to maintain the integrity of the research study. (Reliance exception)
  • For example, researcher can continue using PHI to account for a subject's withdrawal from study.
Top of Page

Slide 43

Please see description below for information in image.

Privacy Rule Resources for Researchers

Office for Civil Rights (OCR) Web site http://www.hhs.gov/hipaaprivacy/research/

Top of Page

Home - Dictionary - FAQ - News - Events - Resources - Site Map - Contact Information
Site last updated: 02/02/2007
Department of Health and Human Services National Institutes of Health USAGov The HIPAA Privacy Rule