National Institutes of Health


Sitemap Contact
National Institutes of Health HIPAA Privacy Rule - Information for Researchers
This website is currently in the process of being updated. For guidance on the HIPAA Privacy Rule in research, please see: https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html
HomeDictionaryFAQResources

Educational Materials

Clinical Research

Authorizations

Institutional Review Boards

Privacy Boards

Information for Patients

HIPAA Privacy Rule Booklet for Research

Health Services Research and the HIPAA Privacy Rule

Research Repositories, Databases


Health Services Research and the HIPAA Privacy Rule

Get the Adobe Acrobat Reader

Health Services Research and the HIPAA Privacy Rule

Overview

Health services researchers conduct studies designed to improve the quality of health care, reduce its cost, improve patient safety, decrease medical errors, and broaden access to essential services. The evidence-based information produced by these researchers helps health care decision-makers make more informed decisions and improve the quality of health care services. Studies in health services research are often accomplished by analyzing large databases of health care information collected or maintained by health care providers, institutions, payers, and government agencies. With the implementation of the Federal Privacy Rule, health services researchers and database custodians have sought information about the Rule and how it may affect the use and disclosure of data for health services research.

As of April 14, 2003 , the Privacy Rule requires many health care providers and health insurers to obtain additional documentation from researchers before disclosing personal health information for research and to scrutinize researchers' requests for access to health information more closely. Although the Privacy Rule introduces new rules for the use and disclosure of health information by covered entities, researchers can help to enable their continued access to health data by understanding the Privacy Rule and assisting health care entities covered by the Privacy Rule in meeting its requirements.

This factsheet discusses the Privacy Rule and how it permits certain health care providers, health plans, and other entities covered by the Privacy Rule to use and disclose personal health information for health services research. Additional information about the Privacy Rule can be found in related publications, including:

Introduction to the Privacy Rule

In response to a congressional mandate in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the U.S. Department of Health and Human Services (HHS) issued the regulations Standards for Privacy of Individually Identifiable Health Information . For most covered entities, compliance with these regulations, known as the Privacy Rule, was required as of April 14, 2003.

The Privacy Rule is a response to public concern over potential abuses of the privacy of health information. The Privacy Rule establishes a category of health information, referred to as “protected health information” (PHI), which may be used or disclosed to others only in certain circumstances or under certain conditions. PHI is a subset of what is termed “individually identifiable health information.” With certain exceptions, the Privacy Rule applies to individually identifiable health information created or maintained by a covered entity. Covered entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain defined HIPAA transactions, such as claims or eligibility inquiries.

Researchers are not themselves covered entities, unless they are also health care providers and engage in any of the covered electronic transactions. If, however, researchers are employees or other workforce members of a covered entity (e.g., a covered hospital or health plan ), they may have to comply with that entity's Privacy Rule policies and procedures. Researchers who are not themselves covered entities, or who are not workforce members of covered entities, may be indirectly affected by the Privacy Rule if covered entities supply their data.

In addition to the Privacy Rule, other regulations may apply as well. For instance, individual records held by covered entities that are also alcohol and substance abuse treatment providers are protected by the Federal Confidentiality of Alcohol and Substance Abuse Patient Records Regulation (see 42 CFR part 2). Also, the HHS and the U.S. Food and Drug Administration (FDA) Protection of Human Subjects Regulations (45 CFR part 46 and 21 CFR parts 50 and 56, respectively) may apply to health services research. In addition, if health-related research involves electronic PHI, covered entities must also consider the requirements of the HIPAA Security Rule (45 CFR part 160 and Part 164, subparts A and C). Compliance with the Security Rule is required no later than April 20, 2005 , for all HIPAA-covered entities, except for small health plans, which have an extra year to comply.

Use and Disclosure of PHI for Research

The Privacy Rule permits covered entities to use or disclose PHI for research purposes either with an individual's specific written permission, termed an “Authorization,” or without it, if certain conditions are met. A covered entity is permitted to use or disclose PHI for research purposes if it:

  • Obtains the individual's Authorization for the research use or disclosure of PHI as specified under section 164.508 of the Privacy Rule,

  • Obtains satisfactory documentation of an Institutional Review Board (IRB) or Privacy Board's waiver of the Authorization requirement that satisfies section 164.512(i) of the Privacy Rule,

  • Obtains satisfactory documentation of an IRB or Privacy Board's alteration of the Authorization requirement as well as the altered Authorization from the individual,

  • Uses or discloses PHI for reviews preparatory to research with representations from the researcher that satisfy section 164.512(i)(1)(ii) of the Privacy Rule,

  • Uses or discloses PHI for research solely on decedents' PHI with representations from the researcher that satisfy section 164.512(i)(1)(iii) of the Privacy Rule,

  • Provides a limited data set and enters into a data use agreement with the recipient as specified under section 164.514(e) of the Privacy Rule,

  • Uses or discloses information that is de-identified in accordance with the standards set by the Privacy Rule at section 164.514(a)-(c) (in which case, the health information is no longer PHI), or

Uses or discloses PHI based on a permission that predates the applicable compliance date of the Privacy Rule (generally, April 14, 2003), i.e., an express legal permission to use or disclose the information for the research, an informed consent of the individual to participate in the research, or a waiver by an IRB of informed consent to participate in the research. See the Privacy Rule at section 164.532(c).

Overview of the Impact of the Privacy Rule on Health Services Research

Health services research differs from other types of research in several ways. For example, in contrast to a clinical trial where the researcher may have the opportunity to ask each subject for his or her Authorization to use or disclose his or her PHI, health services researchers often work with large, population-level databases containing thousands or even millions of records. As a result, health services researchers frequently do not interact with the individual subjects of their research. In such circumstances, contacting data subjects to ask for their Authorization prior to a health services research study may not be practicable or even possible.

Another difference is that databases used in health services research may be compiled by entities such as hospitals, insurers, private organizations, and government agencies. Such database custodians have likely adopted their own policies to protect personal privacy while permitting the use of data for legitimate research. The Privacy Rule imposes national requirements that covered entities must meet before granting researchers access to the PHI in their databases.

Health services researchers should understand that the Privacy Rule distinguishes between a research study and a study that a covered entity may undertake as part of its health care operations to understand and improve its own service (i.e., a quality improvement study or assessment related to covered functions). The Privacy Rule defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” This definition is adapted from the definition of “research” found in the HHS Protection of Human Subjects Regulations at 45 CFR part 46. The Privacy Rule distinguishes between research and studies for quality assessment and improvement purposes based on whether the primary purpose of the study in question is to obtain generalizable knowledge. If the primary purpose of such a study is to obtain generalizable knowledge, then the activity cannot be considered to be a health care operations activity. Rather, it meets the definition of “research,” and any use or disclosure of PHI for such study must be made in accordance with the Privacy Rule's provisions on the use and disclosure of PHI for research. If, however, a covered entity is conducting a quality improvement or assessment study—-the primary purpose of which is not to develop or contribute to generalizable knowledge—then the study is considered to be a health care operation, and the covered entity may use or disclose PHI for the study as part of its health care operations under the Privacy Rule.

Unlike the Privacy Rule, a quality improvement or assessment study involving human subjects may be considered research under the HHS Protection of Human Subjects Regulations if the study was designed to contribute to generalizable knowledge regardless of whether that is its primary purpose. Thus, a covered entity conducting a health care operations study under the Privacy Rule (i.e., where creating generalizable knowledge is not the primary purpose of the study) still may be conducting “research” under the HHS Protection of Human Subjects Regulations . Thus, the covered entity may have to comply with the HHS Protection of Human Subjects Regulations, even though any uses or disclosures in question could be made without complying with the Privacy Rule's requirements that apply to uses and disclosures for research. The HHS Protection of Human Subjects Regulations apply to all research involving human subjects that is conducted or supported by any component of HHS, or under an applicable assurance, unless the research involves one or more of the categories of exempt research described under the HHS regulations at 45 CFR 46.101(b). The HHS Protection of Human Subjects Regulations require, among other things, an IRB to review research involving human subjects. The HHS Protection of Human Subjects Regulations at 45 CFR 46.102(f) define a “human subject,” in part, as a living individual about whom an investigator conducting research obtains “identifiable private information... Private information must be individually identifiable (i.e., the identity of the subject is or may be readily ascertained [emphasis added] by the investigator or associated with the information).”

Health services researchers may have had less contact with the process of IRB review than biomedical researchers. Because of the type of data used, health services research often is not considered research involving human subjects and may be exempt from the HHS Protection of Human Subjects Regulations. For example, the HHS Protection of Human Subjects Regulations would not apply if the research involved the collection or study of only existing records, and the research information was recorded by the investigator(s) in such a manner that (an) individual subject(s) could not be identified either directly or through identifiers linked to the subject(s). However, such data may be PHI under the Privacy Rule. Under the Privacy Rule, health information is individually identifiable if it identifies the individual or if there is a reasonable basis to believe the information could be used to identify the individual. Such information may include certain data elements, such as dates of service and ZIP Codes, that may not be considered to be identifiable private information under the HHS Protection of Human Subjects Regulations.

It is important to recognize that the Privacy Rule permits covered entities, such as certain hospitals, clinics, and other health care providers, to continue gathering information on their patients for treatment, payment, and health care operations purposes and to put this information into their own databases for these purposes without Authorization. Covered entities also are permitted to disclose PHI without Authorization to government-authorized public health authorities for disease surveillance, disease prevention, and other public health purposes, such as reporting disease and injury, in accordance with the Privacy Rule. In addition, the Privacy Rule permits other disclosures when required by law, for example, for State-mandated reporting to cancer registries. Thus, many databases that are now used for health services research will continue to be maintained and updated and will remain available to researchers, although, in some cases, under new terms.

How Covered Entities May Use and Disclose Data for Health Services Research Without Authorization From Data Subjects

Although covered entities may use or disclose PHI for research purposes on obtaining the Authorization of each data subject as indicated above, obtaining Authorization may not be practicable in certain health services research situations. This section explains in greater detail the conditions under which a covered entity may use or disclose PHI for research under the Privacy Rule without obtaining an Authorization from each data subject.

De-Identified Data Sets

The Privacy Rule permits covered entities to use and disclose data that have been de-identified without obtaining an Authorization and without further restrictions on use or disclosure because de-identified data are not PHI and, therefore, are not subject to the Privacy Rule. A covered entity may de-identify PHI in one of two ways. The first way, the “safe-harbor” method, requires the removal of every one of 18 identifiers enumerated at section 164.514(b)(2) of the Privacy Rule. Data that are stripped of these 18 identifiers are regarded as de-identified, unless the covered entity has actual knowledge that it would be possible to use the remaining information alone or in combination with other information to identify the subject.

The second way to de-identify PHI is to have a qualified statistician determine, using generally accepted statistical and scientific principles and methods, that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by the anticipated recipient to identify the subject of the information. The qualified statistician must document the methods and results of the analysis that justify such a determination.

It is important to note that the Privacy Rule permits a covered entity to assign to, and retain with, the de-identified health information a code or other means of record re-identification, if the following conditions are met . First , the re-identification code may not be derived from or related to information about the individual or otherwise be capable of being translated to identify the individual. For example, an encrypted individual identifier (e.g., an encrypted Social Security number) would make otherwise de-identified health information identifiable. An encrypted individual identifier does not meet the conditions for use as a re-identification code for de-identified health information because it is derived from individually identifiable information. Second, the covered entity may not use or disclose the code for any other purpose or disclose the mechanism for re-identification.

Limited Data Sets

In some cases, de-identified data may lack critical information needed for health services research (e.g., nine-digit ZIP Codes or dates of treatment). When such indirect identifiers are needed for the research, a covered entity may provide the data to a researcher as a limited data set. No Authorization or waiver or alteration of Authorization by an IRB or Privacy Board is required for a covered entity to use or disclose a limited data set.

Limited data sets are data sets stripped of certain direct identifiers that are specified in the Privacy Rule. Limited data sets may be used or disclosed only for public health, research, or health care operations purposes. Because limited data sets contain certain identifiers , they are not de-identified information under the Privacy Rule. Importantly, unlike de-identified data, PHI in limited data sets may include the following: Addresses other than street name or street address or post office boxes, all elements of dates (such as admission and discharge dates), and unique codes or identifiers not listed as direct identifiers at section 164.514(e).

Before disclosing a limited data set to a researcher, a covered entity must enter into a data use agreement with the researcher. Among other requirements set forth in section 164.514(e)(4) of the Privacy Rule, the data use agreement must identify who will receive the limited data set, establish how the data may be used and disclosed by the recipient, and provide assurances that the data will be protected. If the covered entity learns that the researcher has violated this agreement, the entity must take reasonable steps to end or repair the violation and, if such steps are unsuccessful, stop disclosing PHI to the researcher and report the problem to the HHS Office for Civil Rights. Additional information on limited data sets and data use agreements can be found in the booklet Protecting Personal Health Information in Research:Understanding the HIPAA Privacy Rule.

Waiver or Alteration of the Authorization Requirement by an IRB or Privacy Board

For some types of research, de-identified information or a limited data set may not be sufficient for the research purposes. It also may be impracticable for researchers to obtain written Authorization from research participants, for example, for some research conducted on existing databases or repositories where no contact information is available. To address these situations, the Privacy Rule contains criteria for waiving or altering the Authorization requirement by an IRB or another review body, called a Privacy Board. The Privacy Rule permits a covered entity to use or disclose PHI for research purposes without Authorization (or with an altered Authorization) if the covered entity receives proper documentation that an IRB or Privacy Board has granted a waiver (or an alteration) of the Authorization requirement for the research use or disclosure of PHI.

The Privacy Rule establishes criteria to be used by an IRB or Privacy Board in approving a waiver or alteration of the Authorization requirement . For a covered entity to use or disclose PHI under a waiver or alteration of the Authorization requirement, it must obtain documentation of, among other things, the IRB's or Privacy Board's determination that the following criteria have been met:

  • The use or disclosure involves no more than a minimal risk to the privacy of individuals based on at least the presence of (1) an adequate plan presented to the IRB or Privacy Board to protect PHI identifiers from improper use and disclosure; (2) an adequate plan to destroy those identifiers at the earliest opportunity, consistent with the research, absent a health or research justification for retaining the identifiers or if retention is otherwise required by law; and (3) adequate written assurances that the PHI will not be reused or disclosed to any other person or entity except (a) as required by law, (b) for authorized oversight of the research study, or (c) for other research for which the use or disclosure of the PHI is permitted by the Privacy Rule;

  • The research could not practicably be conducted without the requested waiver or alteration; and ,

  • The research could not practicably be conducted without access to and use of the PHI.

Additional information about the waivers and alterations of Authorization can be found in the publications Institutional Review Boards and the HIPAA Privacy Rule and Privacy Boards and the HIPAA Privacy Rule .

Research Involving Decedents' PHI

A covered entity may provide access to decedents' records for research purposes if the covered entity receives from the researcher (1) representations that the decedents' PHI is necessary for the research and is being sought solely for research on decedents (not, e.g., for research on living relatives of decedents) and (2) on request of the covered entity, documentation of the deaths of the study subjects.

No Authorization or waiver or alteration of Authorization by an IRB or Privacy Board is needed for use or disclosure of decedents' PHI for research, if these conditions are met.

Reviews Preparatory to Research

Covered entities may permit researchers to review PHI in medical records or elsewhere to prepare a research protocol or for similar preparatory to research purposes . This review allows the researcher to determine, for example, whether a sufficient number or type of records exist to conduct the research. Importantly, the covered entity may not permit the researcher to remove any PHI from the covered entity.

To permit the researcher to conduct a review preparatory to research, the covered entity must receive from the researcher representations that:

  • The use or disclosure is sought solely to review PHI as necessary to prepare the research protocol or other similar preparatory purposes,

  • No PHI will be removed from the covered entity during the review, and

  • The PHI that the researcher seeks to use or access is necessary for the research purposes.

Additional information on activities preparatory to research can be found in the publications Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule, Institutional Review Boards and the HIPAA Privacy Rule, and Clinical Research and the HIPAA Privacy Rule.

Research Permissions “Grandfathered” by the Transition Provisions of the Privacy Rule

The Privacy Rule contains a transition provision that, under certain conditions, allows covered entities to continue to use or disclose PHI for research without an Authorization or waiver or alteration of the Authorization requirement. For many such uses and disclosures of PHI in connection with research, a covered entity may rely on any one of the following that was obtained prior to the applicable compliance date (usually, April 14, 2003):

  • An Authorization or other express legal permission from an individual to use or disclose PHI for the research,

  • The informed consent of the individual to participate in the research, or

  • A waiver by an IRB of informed consent in accordance with applicable laws and regulations governing informed consent, unless informed consent is sought after the compliance date.

The following identifiers of the individual or of relatives, employers, or household members of the individual must be removed: (1) Names; (2) all geographic subdivisions smaller than a State, except for the initial three digits of the ZIP Code if the geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people; (3) all elements of dates, except year, and all ages over 89 or elements indicative of such age;
(4) telephone numbers; (5) fax numbers; (6) email addresses; (7) Social Security numbers; (8) medical record numbers; (9) health plan beneficiary numbers; (10) account numbers;
(11) certificate or license numbers; (12) vehicle identifiers and license plate numbers; (13) device identifiers and serial numbers; (14) URLs; (15) IP addresses; (16) biometric identifiers; (17) full-face photographs and any comparable images; and (18) any other unique, identifying characteristic or code, except as permitted for re-identification in the Privacy Rule.

A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable.

The following direct identifiers of the individual or of relatives, employers, or household members must be removed for PHI to qualify as a limited data set: (1) Names; (2) postal address information, other than town or city, State, and ZIP Code; (3) telephone numbers; (4) fax numbers; (5) email addresses; (6) Social Security numbers; (7) medical record numbers; (8) health plan beneficiary numbers; (9) account numbers; (10) certificate or license numbers; (11) vehicle identifiers and license plate numbers; (12) device identifiers and serial numbers; (13) URLs; (14) IP addresses; (15) biometric identifiers; and (16) full-face photographs and any comparable images.

Other Privacy Rule Requirements When PHI Is Used or Disclosed for Research

Minimum Necessary Standard

When using or disclosing PHI for research without an Authorization, a covered entity must make reasonable efforts to limit the PHI used or disclosed to the minimum necessary amount to accomplish the research purpose. However, when disclosing PHI to a researcher who has provided proper documentation or representations as required under Section 164.512(i) of the Privacy Rule (i.e., documentation of an IRB or Privacy Board waiver or alteration of Authorization or representations and documentation as required for reviews preparatory to research or for research on decedents' PHI) a covered entity may reasonably rely on the researcher's request consistent with such documentation and representations as the minimum necessary amount of PHI for the research. See section 164.514(d)(3)(iii)(D) of the Privacy Rule.

Right to an Accounting of Disclosures

The Privacy Rule grants individuals new rights, including the right to receive an accounting of research disclosures made by a covered entity without the individual's Authorization (e.g., under a waiver of Authorization), except for disclosures of a limited data set. The individual has a right to such an accounting of disclosures made by a covered entity in the 6 years prior to the date on which the accounting is requested, not including the period prior to the compliance date of the Privacy Rule . For such disclosures, in general, individuals who request an accounting must be told which PHI was disclosed, to whom it was disclosed, and the date and purpose of the disclosure. Covered entities must provide the address of the recipient, if known.

For certain research disclosures made by a covered entity, two other options exist to facilitate providing an accounting. When multiple disclosures of PHI are made to the same person or entity for a single purpose, the accounting for such disclosures may consist of the information described above for the first disclosure, plus the number or frequency of disclosures, and the date of the last disclosure during the time period covered by the request.

In addition, if during the period covered by the accounting the covered entity has disclosed the records of 50 or more individuals for a particular research purpose, the covered entity may provide to the requester a more general accounting, with the following information:

  • The name and description of the protocols for which their PHI may have been disclosed,

  • A brief description of the type of PHI disclosed,

  • The date or period of time of the disclosures, including the date of the last such disclosure during the accounting period,

  • The contact information of the researcher and the research sponsor, and

  • A statement that the PHI of the individual may or may not have been disclosed for a particular protocol or research activity.

Section 164.528(b)(4)(ii) of the Privacy Rule requires that, on request, the covered entity must help the individual contact the sponsor and researcher when it is reasonably likely that the individual's PHI was disclosed for a particular protocol. Additional information on accounting for disclosures can be found in the booklet Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule .

Commonly Asked Questions and Answers About the Privacy Rule and Health Services Research

 

Q: I am a health services researcher employed by a university that has designated itself as a “hybrid entity” for purposes of the Privacy Rule. The university's hospital and medical school are within the “health care component” of the hybrid entity, but my epidemiology department is not. Am I subject to the Privacy Rule requirements that apply to the health care component of the university?
   
 

A: No. The Privacy Rule permits a covered entity that performs both covered and noncovered functions as part of its business operations to elect to be a hybrid entity. A covered function is any function, the performance of which makes the entity a health plan, health care provider, or health care clearinghouse. To become a hybrid entity, the covered entity must designate and include in its health care component(s) all components that would meet the definition of a covered entity if that component were a separate legal entity. In addition, a covered entity may include in its health care component any component that functions as a noncovered health care provider or that performs activities that would make the component a business associate of the entity if it were legally separate. However, the hybrid entity is not permitted to include in its health care component other types of components that do not perform the covered functions of the covered entity. For example, a university that has designated its hospital and medical school as the health care component may not also include a component that performs records research that is not used to support the covered functions of the health care component. Within the hybrid entity, most of the Privacy Rule requirements apply only to the health care component(s), although the hybrid entity retains certain oversight, compliance, and enforcement obligations. See section 164.105 of the Privacy Rule for more information.

Remember, however, that a health care component must comply with the Privacy Rule when using or disclosing PHI, including when sharing PHI with a non-health care component of a hybrid entity. Thus, for a health care component of a covered entity to disclose PHI to a researcher in a non-health care component of the entity, the disclosure of PHI must be permitted either by the individual's Authorization or by one of the Privacy Rule's exceptions to the Authorization requirement, such as a waiver of Authorization granted by an IRB or Privacy Board. In addition, since the Privacy Rule treats the sharing of PHI from the health care component to any non-health care component as a disclosure, a health care component's sharing of PHI with another component of the hybrid entity for research purposes may, in certain cases, be subject to the Privacy Rule's accounting requirements. See section 164.528 of the Privacy Rule.
   
 

Q: I am conducting a large research study in which I will obtain data from multiple covered entities. Must each covered entity disclosing data to me for my research receive documentation that its own IRB or Privacy Board has granted my project a waiver of Authorization?

   
 

A: No. The Privacy Rule permits covered entities reasonably to rely upon a researcher's documentation that a waiver was properly granted by a single IRB or Privacy Board, even if the IRB or Privacy Board is not affiliated with the covered entity. Under the Privacy Rule, one IRB or Privacy Board's documentation of waiver of Authorization suffices .

   
 

Q: I work for a covered entity and conduct observational studies on patients' reactions to various emergency room triaging. The nature of the study requires that individuals not know they are being observed. Under the HHS Protection of Human Subjects Regulations, the IRB is allowed to waive the informed consent requirement when certain criteria are met. Must I also receive documentation of an IRB waiver of the Authorization requirement under the Privacy Rule for observational studies?

   
 

A: It depends on whether the study is research, as defined by the Privacy Rule. The Privacy Rule distinguishes between research and studies for quality assessment and improvement purposes based on whether the primary purpose of the study in question is to obtain generalizable knowledge. The Privacy Rule defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” If the primary purpose of such a study is to obtain generalizable knowledge, then the activity does not meet the definition of a “health care operation” and, instead, meets the definition of “research,” and any use or disclosure of PHI for such study must be made in accordance with the Privacy Rule's provisions for the use and disclosure of PHI for research. For example, an IRB or a Privacy Board may waive or alter the Authorization requirement, as long as certain criteria at section 164.512(i)(2)(ii) are met (i.e., the use or disclosure of PHI involves no more than minimal risk to the privacy of individuals and the research could not practicably be conducted without the requested waiver or alteration or without access to and use of the PHI).

If, however, a covered entity is conducting a quality improvement or assessment study, the primary purpose of which is not to develop or contribute to generalizable knowledge, then the study is considered to be a health care operation, and the covered entity may use or disclose PHI for the study as part of its health care operations under the Privacy Rule. The Privacy Rule does not require documentation of an IRB or Privacy Board waiver or alteration of Authorization for uses and disclosures of PHI for health care operations activities. Nor does the Privacy Rule require the individual's Authorization for uses and disclosures of PHI for health care operations activities.

   
 

Q: Under what circumstances may a Privacy Board or an IRB use an expedited review procedure to review requests for a waiver or alteration of the Authorization requirement?

   
 

A: A Privacy Board is permitted to use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the PHI for which use or disclosure is sought. Thus, a Privacy Board may use an expedited review procedure for any request that meets the waiver criterion at section 164.512(i)(2)(ii)(A) of the Privacy Rule, which requires that the use or disclosure of PHI involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of (1) an adequate plan presented to the Privacy Board to protect PHI identifiers from improper use and disclosure; (2) an adequate plan to destroy those identifiers at the earliest opportunity, consistent with the research, absent a health or research justification for retaining the identifiers or if retention is otherwise required by law; and (3) adequate written assurances that the PHI will not be reused or disclosed to any other person or entity except (a) as required by law, (b) for authorized oversight of the research study, or (c) for other research for which the use or disclosure of PHI is permitted by the Privacy Rule. For example, a Privacy Board may use an expedited review procedure to approve a request that meets all required criteria at section 164.512(i)(2)(ii), as well as disapprove a request that may meet the minimal risk criterion but not one or both of the other required criteria. If, however, a Privacy Board using an expedited review procedure determines that a request involves more than minimal risk to the privacy of individuals, the request must then be reviewed by the Privacy Board's normal review procedures. Where the Privacy Board is permitted, and elects, to use an expedited review procedure, the review and approval of the alteration or waiver of Authorization may be carried out by one or more members of the Privacy Board, as designated by the Privacy Board chair.

Under the Privacy Rule, an IRB that reviews research using the HHS or FDA Protection of Human Subjects Regulations must follow the procedures for normal and expedited IRB review set forth in these regulations when it reviews a request to waive or alter the Privacy Rule Authorization requirement. See 164.512(i)(2)(iv)(A). For IRBs , HHS and FDA have established categories of research that may be reviewed by an IRB through an expedited review procedure for compliance with their respective Protection of Human Subjects Regulations (see 63 Federal Register 60364, November 9, 1998, and 63 Federal Register 60353, November 9, 1998 ). Thus, expedited review of a request for a waiver or an alteration of the Authorization requirement is permitted under the Privacy Rule where the research activity is on the HHS or FDA list of approved categories and involves no more than minimal risk to the research subjects. In addition, 45 CFR 46.110 and 21 CFR 56.110 permit an IRB to use an expedited review procedure to review minor changes in previously approved research. Under the HHS and FDA regulations, a modification to a previously approved research protocol, which only involves the addition of an Authorization for the use or disclosure of PHI to the IRB-approved informed consent, may be reviewed by the IRB through an expedited review procedure, since this type of modification may be considered to be no more than a minor change to research. If expedited review procedures using the HHS or FDA Protection of Human Subjects Regulations are appropriate for acting on the request to waive or alter the Authorization under the Privacy Rule, the review may be carried out by the IRB chair or by one or more experienced reviewers designated by the chair from among the IRB members.

A member with a conflicting interest may not participate in an expedited review. If, under the HHS or FDA regulations, the head of the Federal department or agency (or his or her designee) regulating the research has restricted, suspended, terminated, or chosen not to authorize an institution or IRB to use expedited review procedures, under the Privacy Rule, any waiver or alteration granted on an expedited basis would not be valid.
   
 

Q: My employer, a covered entity, began collecting and analyzing PHI for a quality improvement study as part of its health care operations, but the study evolved into a research project. What do we need to do to be in compliance with the Privacy Rule?

   
  A: If a covered entity determines that a quality study has become a research activity (i.e., the primary purpose of the study is now to develop or contribute to generalizable knowledge), the covered entity must be able to establish that, at the time the study was initiated, the covered entity was not required to comply with the Privacy Rule's conditions for uses and disclosures for research. If the covered entity needs to use or disclose PHI for research (e.g., to collect further data in order to conduct the research), the covered entity must then comply with the Privacy Rule's research requirements by obtaining, for example, the individual's Authorization or an IRB or Privacy Board waiver of Authorization, before doing so.
   
 

Q: A covered hospital hired a researcher as a business associate to conduct a quality assessment study using PHI, and the researcher has made some findings that he or she would like to publish for his or her own purposes in a scientific or professional journal. Is this permissible under the Privacy Rule?

   
 

A: Generally not. The business associate agreement between the covered entity and the researcher generally may not authorize the researcher to use or disclose PHI created or received in the researcher's capacity as a business associate for the researcher's own purposes. The business associate agreement also must require that the PHI be returned to the covered entity or destroyed at termination of the contract, if feasible. However, a covered entity may provide the researcher with de-identified information that he or she may use for the purposes of preparing the publication or with PHI with individuals' Authorizations for such purpose. In addition, the business associate agreement between the covered entity and the researcher may authorize the researcher to de-identify PHI or to obtain Authorizations from individuals on behalf of the covered entity for publication, even if the researcher is ultimately the intended recipient of the information.

   
 

Q: Is a covered entity that conducts a quality study as part of its health care operations permitted by the Privacy Rule to publish the results?

   
 

A: A covered entity may publish the results of a health care operation's quality study if the health information is de-identified, prior to publication, in accordance with the Privacy Rule's de-identification standard. Alternatively, if the health information remains individually identifiable, the covered entity may obtain the individual's Authorization to publish the PHI. See sections 164.508 and 164.514 of the Privacy Rule for the requirements related to Authorizations and de-identification.

   
 

Q: Is a limited data set that has been de-identified according to the Privacy Rule still PHI or covered by the Privacy Rule?

   
 

A: No. Although information in a limited data set is PHI, if it is subsequently de-identified according to the Privacy Rule at section 164.514(a)-(c), it is not PHI, and therefore, its use and disclosure are not regulated by the Privacy Rule.

   
 

Q: Does the Privacy Rule require that the covered entity and the intended recipient of a limited data set sign the data use agreement?

   
 

A: Yes, unless a legally binding document can be created absent a signature under applicable State law.

   
 

Q: May a data use agreement identify specific entities, rather than persons, that are permitted to use or receive the limited data set?

   
 

A: Yes. A data use agreement between a covered entity and the intended recipient of a limited data set need not identify specific person(s) as the recipient(s). Rather, a data use agreement may identify a specific entity as the intended recipient, such as a particular laboratory, hospital department, or business, as long as the data use agreement is legally binding on both parties .

   
 

Q: Does the Privacy Rule require data use agreements to have an expiration date?

   
 

A: No. Data use agreements need not specify an expiration date.

   
 

Q: May a limited data set include a unique code or identifier not listed at section 164.514(e)(2) of the Privacy Rule?

   
 

A: A limited data set may include unique codes or identifiers not listed as direct identifiers at section 164.514(e)(2) of the Privacy Rule, provided the code or identifier does not replicate part of a listed direct identifier. For example, a limited data set may not include the last four digits of a Social Security number or an individual's initials since these identifiers are elements of, or replicate part of, a direct identifier. However, the limited data set may include a code that is derived from the individual's direct identifier as long as it does not replicate any part of the direct identifier. In any event, before a covered entity may use or disclose a limited data set, the recipient of the information must be restricted by a data use agreement from re-identifying the information or contacting the subjects of the information. See section 164.514(e)(4)(ii) for additional content requirements of the data use agreement.

   
 

Q: Does the Privacy Rule permit a covered entity to de-identify health information or create a limited data set without Authorization, waiver of the Authorization requirement from an IRB or Privacy Board, or representations for reviews preparatory to research?

   
 

A: Yes. In the Privacy Rule, such use is permissible because creating de-identified health information or a limited data set is a health care operation of the covered entity and, thus, does not require an individual's Authorization, a waiver of the Authorization requirement, or the representations associated with reviews prep-aratory to research. The Privacy Rule also does not require an IRB or Privacy Board to review or approve a data use agreement established for the use or disclosure of a limited data set.

If a business associate is hired by a covered entity to de-identify health information or to create a limited data set, such activity must be conducted in accordance with the business associate requirements at sections 164.502(e) and 164.504(e) of the Privacy Rule. These provisions require that the covered entity and the business associate enter into an agreement that, among other things, limits the business associate's use and disclosure of the PHI to the purposes specified in the agreement and requires the business associate to safeguard the information.

   
 

Q: May a covered entity that performs research create de-identified health information to be used to prepare a grant application for research as part of its health care operations, or is this activity a review preparatory to research?

   
 

A: Creating de-identified health information from PHI is a health care operation. Thus, to de-identify PHI, a covered entity that performs research need not have representations as required for a review preparatory to research, and the covered entity's subsequent use or disclosure of the de-identified information is not subject to the Privacy Rule. A covered entity is also permitted to hire a business associate to de-identify PHI.

   
 

Q: May a covered entity hire a researcher as a business associate to de-identify health information when the researcher is the intended recipient of the de-identified data?

   
 

A: Yes. A covered entity may hire the intended recipient of the de-identified data as a business associate for purposes of creating the de-identified data. That is, a covered entity may provide a business associate that is also the de-identified data recipient with PHI, including identifiers, so that the business associate can de-identify the data for the covered entity. However, the data recipient, as a business associate, must agree in its business associate agreement to return or destroy the identifiers once the de-identified data set has been created .

   
 

Q: May a covered entity that has hired a researcher as its business associate for the purposes of de-identifying data permit the researcher to assign to the de-identified data a re-identification code, if the researcher is also the intended recipient of the de-identified data?

   
 

A: Yes, provided the researcher is able to return or destroy all identifiers once the de-identified data set has been created, as required by her or his business associate contract. This would include the researcher's providing to the covered entity the mechanism for re-identification (the code key) and retaining no copy or other method of re-identification. In cases where the researcher has a standard method for assigning a re-identification code that necessarily remains with the researcher even after the other identifiers have been returned or destroyed, the information is not considered de-identified if the researcher assigns such a re-identification code.

   
 

Q: Is a covered entity's patient list that includes only names and addresses considered to be PHI if there is no other health or payment information attached?

   
 

A: Yes, because the names are in a context that indicates that the individuals named were patients of the covered entity. See the Privacy Rule's definition of “individually identifiable health information” at section 160.103, which explicitly includes demographic information collected from an individual.

   
 

Q: My health services research study at a covered entity involves obtaining information about patients' behaviors. If the only information I collect pertains to behaviors that could affect an individual's health–not diagnosis or other medical information–is this information PHI if it is identifiable?

   
 

A: Yes. In general, information about health behaviors is PHI if it:

(1) is held by a covered entity,

(2) identifies the individual or if there is a reasonable basis to believe the information could identify the individual, and

(3) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for health care.

Although it may not reveal a diagnosis or identify a medical condition, the information would be PHI as long as it relates to a past, present, or future physical or mental health condition of an individual and the other above criteria are met.

   
 

Q: A covered entity wants to conduct several studies to assess why some individuals do not sign the acknowledgment of receipt of the Notice of Privacy Practices, why some do not sign Authorization forms, and why others revoke their Authorizations. Is this permissible under the Privacy Rule?

   
 

A: Such studies may be considered a health care operation of a covered entity or research, depending on whether the primary purpose of the study is to develop or contribute to generalizable knowledge. If the primary purpose of such a study is to produce generalizable knowledge, then the activity does not meet the definition of “health care operations,” but is, instead, “research,” and any use or disclosure of PHI for such a study must be made in accordance with the Privacy Rule's research provisions on the use and disclosure of PHI for research (e.g., with an IRB or Privacy Board waiver or alteration of the Authorization requirement). If, however, a covered entity is conducting a quality improvement or assessment study, the primary purpose of which is not to develop or contribute to generalizable knowledge, then the study is considered to be a health care operation, and the covered entity may use or disclose PHI for the study as part of its health care operations under the Privacy Rule.

   
 

Q: My employer, a covered entity, is contemplating disclosing PHI for a research study under an IRB's waiver of the Authorization requirement. However, our Notice of Privacy Practices does not include a statement about “research.” Would we need to revise our Notice of Privacy Practices to include research uses and disclosures that are permitted without Authorization?

   
 

A: Yes. Any use or disclosure of PHI made by a covered entity must be consistent with its Notice of Privacy Practices, where the Privacy Rule requires the covered entity to have one. Among other things, the Notice must describe the uses and disclosures that the covered entity is permitted to make without an Authorization. Therefore, a covered entity is not permitted to use or disclose PHI for research activities without an Authorization if the covered entity's Notice does not so inform individuals.

   
 

Q: A researcher requests data that include a code derived from the last four digits of the Social Security number. This code is necessary to link individual records from different data sources (but is not used by the covered entity to re-identify the individual). The data contain none of the other identifiers listed at section 164.514(b)(2) of the Privacy Rule. Are the data considered to be de-identified under the Privacy Rule?

   
 

A: Generally not. Under the “safe-harbor” de-identification standard of the Privacy Rule, a de-identified data set may not contain unique identifying codes, except for codes that are not derived from, or do not relate to, information about the individual and that cannot be translated so as to identify the individual. A code derived from part of a Social Security number, medical record number, or other identifier would not meet this test. However , the Privacy Rule does permit, as an alternative to the “safe-harbor” method, covered entities to de-identify health information using a statistical method. The statistical method requires that a qualified statistician or scientist, applying generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, determine that the risk is very small that the remaining information could be used, alone or in combination with other reasonably available information, to identify an individual. In some cases, this statistical method may require the removal of fewer identifiers or allow certain identifiers to remain with the information as long as the risk of re-identification remains very small. See section 164.514(a)-(c) of the Privacy Rule for additional information about de-identification.

   
 

Q: May information de-identified under the Privacy Rule's “safe-harbor” method contain a data element that identifies a time period of less than a year (e.g., the fourth quarter of a specific year)?

   
 

A: No. The Privacy Rule's “safe-harbor” method for de-identifying health information requires removal of, among other elements, all elements of dates directly related to an individual, except for year. Thus, a data element such as the fourth quarter of a specified year must be removed if a covered entity intends to de-identify data using the “safe-harbor” method. However, fewer identifiers may need to be removed under the Privacy Rule's alternative method for de-identification, where a qualified statistician, applying generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, determines that the risk of re-identification is very small. Thus, it may be possible for certain elements of dates to be considered de-identified where this second method allows it. See section 164.514(b)(1) of the Privacy Rule.

As an alternative to de-identified data, the Privacy Rule would permit a covered entity to use or disclose information about dates in the form of a limited data set.

   
 

Q: May a limited data set contain ages over
89 years?

   
 

A: Yes. A limited data set may contain all ages, including those over 89, and all elements of dates indicative of such age.

   
 

Q: Must a covered entity account for disclosures of PHI contained in a limited data set?

   
 

A: No. The accounting requirement does not apply to disclosures of a limited data set. See section 164.528(a)(1)(viii) of the Privacy Rule.

   
 

Q: My medical research center is a covered entity. Does the Privacy Rule apply when we obtain a limited data set, or other PHI, from another source?

   
 

A: Yes. A covered entity is required to protect the PHI it receives as well as the PHI it creates. Moreover, when a covered entity receives a limited data set from another covered entity, the limited data set can be used and disclosed only within the bounds of the data use agreement.

   
 

Q: May an IRB or Privacy Board waive the Authorization requirement so that a covered entity may obtain Authorization for research orally?

   
  A: Yes. A covered entity is permitted to use or disclose PHI for research based on proper documentation from an IRB or Privacy Board that waives the Authorization requirement so that verbal permission can be obtained..
   
 

Q: Does the minimum necessary standard apply to research permissions that qualify for the transition provisions of the Privacy Rule (e.g., an informed consent document that was obtained prior to April 14, 2003)?

   
 

A: Yes. Since a “grandfathered” permission does not meet the requirements of section 164.508 of the Privacy Rule for Authorizations, the minimum necessary standard applies. Thus, covered entities are required to make reasonable efforts to limit uses and disclosures of PHI pursuant to permissions for research “grandfathered” by the Privacy Rule to the minimum amount necessary to accomplish the research purpose.

   
 

Q: Would the transition provisions apply if a covered entity obtained informed consent from study participants before the Privacy Rule compliance date but did not begin the research until after the compliance date?

   
 

A: Yes. Under the transition provisions of the Privacy Rule at section 164.532(c), a covered entity is permitted to use or disclose PHI pursuant to one of the listed permissions obtained prior to the compliance date, even if the research study did not begin until after the compliance date.

   
 

Q: Is a noncovered entity required to enter into a data use agreement before sending what would qualify under the Privacy Rule as a limited data set to the covered entity?

   
 

A: No. Such information is not considered PHI because it does not originate from a covered entity, and thus, it is not considered to be a limited data set under the Privacy Rule. However, the information will be considered PHI when in the hands of the recipient covered entity and, thus, may be used and disclosed only by the recipient in accordance with the Privacy Rule.

   
 

Q: Must disclosures of a limited data set for research be research-study specific?

   
  A: No .
   
 

Q: I am a researcher who works in the health care component of a hospital and obtained the appropriate documentation of an IRB waiver to disclose PHI for my research study. To conduct this study, I need to share with research collaborators certain PHI covered by the waiver, including dates of service, ZIP Codes, and medical record numbers. Must I account for the research disclosures of this information, and if so, how can I do so when the names or identities associated with the PHI are unknown to me?

   
 

A: The Privacy Rule requires covered entities to account for certain disclosures of PHI, including those made pursuant to an IRB waiver of Authorization, regardless of whether the disclosure includes the name or otherwise directly identifies the individual. However, the Privacy Rule affords covered entities significant latitude in designing compliance methods for the accounting requirement. For example, disclosures of PHI need not be noted in each individual's file. Rather, a covered entity may, if convenient, keep track of disclosures of PHI using the medical record number. When an individual requests an accounting, the individual's medical record number may be used to determine whether any disclosures have been made of his or her PHI.

In addition, where the PHI of 50 or more individuals has been disclosed for a particular research purpose pursuant to documentation of an IRB waiver or alteration of Authorization, the covered entity may provide a more simplified accounting to individuals that lists, among other things, the name of the protocol(s) for which the individuals' information may have been disclosed. See section 164.528(b)(4) of the Privacy Rule.

   
 

Q: May a researcher access PHI through a remote access connection as a review preparatory to research?

   
 

A: Under certain, specified conditions and reasonable and appropriate security safeguards, yes. However, covered entities must comply with the relevant standards in both the Privacy Rule and Security Rule (upon its compliance date) before access to PHI through a remote access connection for preparatory research purposes is permitted to occur.

Under the Privacy Rule, covered entities are permitted to use or disclose PHI for reviews preparatory to research if the researcher provides representations that satisfy section 164.512(i)(1)(ii). The required representations must, among other things, provide that no PHI will be removed from the covered entity by the researcher in the course of the review. Remote access connectivity (i.e., out-of-office computer access achieved through secure connections with access permissions and authentication) involves a transmission of electronic PHI, which is not necessarily a removal of PHI under the Privacy Rule. However, although the access to PHI through a remote access connection is not itself a removal of PHI, the printing, copying, saving, or electronically faxing of such PHI would be considered to be a removal of PHI from a covered entity.

The Privacy Rule permits a covered entity to rely on representations from persons requesting PHI if such reliance is reasonable under the circumstances. In the case of a request by a researcher to access PHI remotely, this means that, among other things, the risk of removal, as described above, should be assessed in order to determine whether it is reasonable to rely on the researcher's representation that the PHI will not be removed from the covered entity. The covered entity should determine whether its reliance is reasonable based on the circumstances of the particular case.

For example, a covered entity may conclude that it can reasonably rely on representations from researchers who are its employees or contractors because their activity is manageable through the covered entity's employment and related policies establishing sanctions for the misuse of PHI. On the other hand, where the researcher has no connection to the covered entity, the covered entity may conclude that it cannot reasonably rely on the researcher's representations that PHI will not be removed from the covered entity, unless the researcher's activity is managed in some other way.

Covered entities that permit their workforce or other researchers to access PHI via a remote access connection must also comply with (on and after the compliance date) the Security Rule's requirements for appropriate safeguards to protect the organization's electronic PHI. Specifically, the standards for access control
(45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security
(45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to protect the integrity of, and guard against the unauthorized access to, electronic PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect electronic PHI as it is transmitted, select a solution, and document the decision.

   
 

Q: May a researcher, who is a workforce member of an affiliated covered entity (ACE), take away PHI from another covered entity within the ACE under a review preparatory to research?

   
 

A: Yes. Affiliated covered entities are legally separate covered entities that designate themselves as a single covered entity, for purposes of the Privacy Rule. A covered entity is permitted to use or disclose PHI for a review preparatory to research as long as the PHI is not removed from the covered entity and other required representations are obtained. Thus, PHI can be reviewed for such purposes throughout the various members of the affiliated covered entity as long as PHI does not leave the premises of the affiliated covered entity and the required representations are obtained from the researcher. However, in order for a covered entity within the ACE to use or disclose PHI for a research study, it must obtain the individual's Authorization, obtain documentation of a waiver from an IRB or Privacy Board, or meet other conditions for the research use or disclosure under the Privacy Rule.

   
 

Q: How is a limited data set different from a designated record set?

   
 

A: A limited data set refers to PHI that excludes
16 categories of direct identifiers and that may be used or disclosed for purposes of research, public health, or health care operations as long as the covered entity enters into a data use agreement with the recipient of the information. A limited data set can be used or disclosed without obtaining either an individual's Authorization or a waiver or an alteration of Authorization. A covered entity may use and disclose a limited data set for research activities conducted by itself, another covered entity, or a researcher. Because limited data sets may contain identifiable information, they are still PHI.

A designated record set is “a group of records maintained by or for a covered entity that is
(1) The medical records and billing records about individuals maintained by or for a covered health care provider; (2) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (3) Used, in whole or in part, by or for the covered entity to make decisions about individuals.” A record is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity. The Privacy Rule generally gives individuals the right to see and get a copy of their PHI in (a) designated record set(s). Research records maintained by a covered entity may be part of a designated record set if, for example, they also are medical records or if they are not medical records but are otherwise used to make decisions about individuals.

   
 

Q: If a researcher, who is a workforce member of a covered provider (not a hybrid entity), obtains through a waiver of Authorization a copy of individually identifiable medical and billing records from that covered provider for health services research, do individuals have a right to access this copy of their PHI?

   
 

A: Generally, individuals have the right to access their PHI within designated record sets. A designated record set is defined to include medical records or billing records about individuals maintained by or for a covered health care provider. (A record, in this regard, means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.) Research records maintained by a covered entity constitute a designated record set if, for example, it is a medical or billing record about the individual that is maintained by or for the covered health care provider or is a record that is used, in whole or in part, by the covered health care provider to make decisions about the individual. However, the Privacy Rule does not require that an individual be provided access to every copy or duplicate of PHI in a designated record set that may be maintained by the covered entity. Rather, a covered entity meets the Privacy Rule's requirements by providing the individual access to only one copy of the PHI. Thus, in cases where a covered entity has copies of medical and billing records in both its treatment and research records, the covered entity need only provide access to one set, when such access is requested by the individual.

   
 

Q: I am a noncovered researcher who received an individual's written revocation of an Authorization that had permitted several covered hospitals to provide PHI to me. Does the Privacy Rule require me to stop using the PHI for my research?

   
 

A: No. However, when an individual revokes an Authorization, the covered entity may not provide further data about the individual, and thus, such information could not be provided if the researcher asks for it. Also, a valid Authorization must inform the individual how the Authorization may be effectively revoked, and depending on the revocation process described in the Authorization, the researcher may have undertaken additional obligations to ensure that the individual's revocation is effectuated (i.e., the researcher may be under contractual or ethical obligations that prohibit her or him from requesting or receiving the individual's data after receiving the revocation).

   
 

Q: If an individual revokes his or her Authorization after PHI is stored in a covered entity's database for a particular research study, is the covered entity permitted to retain and use that individual's PHI for data analysis?

   
 

A: Yes, if the use or disclosure of such PHI is necessary to protect the integrity of the research (i.e., to make sure the research study is still reliable, for example). In general, a research subject has the right to revoke, in writing, his or her Authorization at any time, and the revocation is effective when the covered entity receives it in writing; but an individual may not revoke the Authorization to the extent that the covered entity has already acted in reliance on the Authorization. For example, a covered entity is not required to retrieve information that it disclosed under a valid Authorization before receiving the revocation. Likewise, for research uses and disclosures, the reliance exception would permit the continued use and disclosure of PHI already obtained pursuant to the Authorization to the extent necessary to protect the integrity of the research, for example, to account for the individual's withdrawal from the study. However, the reliance exception would not permit a covered entity to continue disclosing additional PHI to a researcher or to use for its own research purposes information not already gathered at the time an individual withdraws his or her Authorization.

   
  Q: Is a covered entity permitted, after the Privacy Rule compliance date, to waive or alter the Authorization requirement for the use or disclosure of psychotherapy notes?
   
 

A: No. An IRB or Privacy Board may not grant a waiver or alteration of Authorization for the use or disclosure of psychotherapy notes. The Privacy Rule provides individuals with special protections for psychotherapy notes, which are notes recorded by a mental health provider that document or analyze counseling session conversations and that are maintained separately from the medical record. Unless the covered provider obtained, prior to the compliance date of the Privacy Rule, the individual's informed consent or other express legal permission for the research or an IRB waiver of informed consent for the research, a covered entity may not use or disclose these notes for research without the individual's written Authorization.

   
 

Q: I know that the Privacy Rule permits a covered entity to disclose decedents' PHI for research without Authorization or waiver, if the covered entity obtains certain representations from the researcher. May the covered entity also disclose the PHI of minor decedents to researchers, without obtaining Authorization from the person with authority to act on behalf of the decedent?

   
 

A: Yes. If the covered entity obtains the representations required by section 164.512(i)(1)(iii) from the researcher, the Privacy Rule permits a covered entity to use or disclose a decedent's PHI for research without Authorization from an executor, administrator, or other person having authority to act on behalf of the deceased individual or the individual's estate, even if the decedent is a minor. In addition to the required representations, the covered entity also may request that the researcher produce documentation of the death of each subject whose PHI is sought for the research.

   
 

Q: May an Authorization identify a third-party recipient's future use or disclosure of individually identifiable health information?

   
 

A: Yes. A valid Authorization may identify more than one purpose of the disclosure. For example, a research Authorization may state, “As part of this study, we may share your hospital discharge records with the sponsor of this study, the State hospital association, which may conduct a followup hospital discharge outcome study.” It should be noted, however, that the Authorization need not describe the third party's uses and disclosures of PHI.

   
 

Q: May a covered entity rely on an Authorization signed by parent on behalf of a minor child, even after the child has reached the age of majority? Similarly, would the Privacy Rule's transition provisions “grandfather” an informed consent signed by a minor's parent even if the child reached the age of majority before the Privacy Rule compliance date?

   
 

A: Yes. A valid Authorization signed by a parent, as the personal representative of a minor child at the time the Authorization is signed, remains valid until it expires or is revoked, even if such time extends beyond the child's age of majority. If the Authorization expires on the date the minor reaches the age of majority, the covered entity would be required to obtain a new Authorization form signed by the individual in order to further use or disclose PHI covered by the expired Authorization.

In addition, the Privacy Rule's transition provisions at section 164.532(c) “grandfather” permissions for research (e.g., an informed consent) obtained prior to compliance with the Privacy Rule (usually, April 14, 2003). Therefore, even if the child has reached the age of majority, the Privacy Rule “grandfathers” a parent's consent on behalf of his or her minor child for research so that the consent remains valid until it expires or is withdrawn.

   
 

Q: May a covered entity contract with a researcher as a business associate to avoid complying with the research requirements under the Privacy Rule with respect to disclosures to the researcher?

   
 

A : No. A covered entity may hire a researcher as a business associate to perform certain functions on its behalf, such as to create a limited data set or to create de-identified data. The business associate agreement must require, among other things, that the researcher return or destroy the PHI at termination of the contract, if feasible, and also must limit the uses and disclosures the researcher may make with the PHI. See sections 164.502(e) and 164.504(e) of the Privacy Rule. A covered entity may not use the business associate provisions to avoid having to comply with the conditions for research disclosures. Where a covered entity wishes to disclose PHI to a researcher for a research purpose, it must first obtain the individual's Authorization, obtain a waiver or alteration of Authorization from an IRB or Privacy Board, enter into a data use agreement if disclosing only a limited data set, or meet other conditions, as appropriate. This is true regardless of whether the covered entity and the researcher have entered into another contract or agreement.

   
 

Q: What is “data aggregation” under the Privacy Rule, and does it apply to combining multiple data sets for research?

   
 

A: The Privacy Rule allows a covered entity to disclose PHI to a business associate, subject to the terms of a business associate agreement, for the purpose of data aggregation. Data aggregation, for purposes of the Privacy Rule, occurs when a business associate of one covered entity combines the PHI it receives from that covered entity with other PHI from another covered entity (with whom it also has a business associate relationship) in order to permit the creation of data for analyses that relate to the health care operations of the respective covered entities. Covered entities are permitted to contract with business associates to undertake quality assurance and comparative analyses that involve the PHI of more than one contracting covered entity. For example, a State hospital association could act as a business associate of its member hospitals and could combine data provided to it to assist the hospitals in evaluating their relative performance in areas such as quality, efficiency, and other patient care issues. However, the business associate contracts of each of the hospitals would have to permit the activity, and the PHI of one hospital could not be disclosed to another hospital unless the disclosure is otherwise permitted by the Rule (e.g., as de-identified information or a limited data set). A covered entity may hire a health services researcher as a business associate to perform such data aggregation services.

Although covered entities may participate in certain research activities that involve combining multiple sets of data for research (e.g., for a meta-analysis), such an activity is not considered data aggregation, as defined by the Privacy Rule, unless the activity is undertaken by a business associate in support of a covered entity's health care operations. Multiple covered entities may disclose PHI to a researcher for the researcher to combine the multiple sets of data for research without business associate agreements, because a research activity is not a business associate function or activity (e.g., a health care operation of a covered entity). However, each covered entity's disclosure of PHI to a researcher for research purposes must be permitted by the Privacy Rule (e.g., with an Authorization, waiver of the Authorization requirement, or as a limited data set).

   
 

Q: Is a covered entity permitted, as part of its health care operations activities, to disclose PHI to a business associate to create de-identified data or a limited data set that may function as a research database? Or does the covered entity need an Authorization or a waiver or alteration of the Authorization requirement for this activity?

   
 

A: In the Privacy Rule, creating de-identified data or a limited data set is a health care operation of the covered entity and, thus, does not require the covered entity to obtain an individual's Authorization or a waiver of the Authorization requirement, even if the limited data set or de-identified data will function as a research database. However, if a business associate is hired by a covered entity to create de-identified data or a limited data set, such activity must be conducted in accordance with the business associate requirements at sections 164.502(e) and 164.504(e).

A covered entity's subsequent disclosure of a limited data set–in any form, including as a database–for research must be made pursuant to a data use agreement between the covered entity and the recipient of the limited data set.

   
 

Q: Does the Privacy Rule permit a researcher who is a covered workforce member of a covered entity to transfer PHI, without individual Authorization, to another institution if, for example, the researcher changes jobs?

   
 

A: No, unless the original permission under which the researcher obtained or created the data (such as the individual's Authorization or a waiver by an IRB) was granted explicitly for the researcher himself or herself, rather than solely for the covered entity. Otherwise, any transfer of PHI from one covered entity to another entity for these research purposes must be done according to a new permission (Authorization, waiver, etc.) that covers such disclosure.

   
 

Q: I work at a community health center that is named for our city. Does the name of our health center need to be removed from the data before they can be considered de-identified under the de-identification safe harbor provisions at section 164.514(b)(2)(i) of the Privacy Rule? All other required data elements to be removed for de-identification have been stripped from the data.

   
 

A: No, provided the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify the individual, the name of the health center need not be stripped. The de-identification provisions at section 164.514(b)(2)(i) require, among other things, that most elements of the individual's address, including the name of the city, be removed from the data, not that the name or address of the provider be removed.

   
 

Q: Does the Privacy Rule permit covered entities to disclose PHI, to be used for public health activities described in section 164.512(b), to government agencies, such as the Agency for Healthcare Research and Quality (AHRQ), that also carry out research with this PHI and other data?

   
 

A: Yes, under appropriate conditions. Covered entities may disclose PHI to a government agency such as AHRQ, which has research and public health missions or mandates, as a public health disclosure to a public health authority if the conditions for such disclosures under section 164.512(b) are met. Thus, for example, the disclosure would be permitted under section 164.512(b)(1)(i) if the government agency is a public health authority (i.e., it is responsible for public health matters as part of its official mandate) and is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability or for the conduct of public health surveillance, investigations, or interventions. Examples of disclosures that may be permitted under section 164.512(b)(1)(i), where the public health authority is authorized by law to collect such information, are situations in which reports of adverse drug events are requested by the public health authority to find and publicize common prescription errors (the purpose of which is to improve public safety through the prevention of injury or disability) or the public health authority collects health care utilization data to monitor surgical outcomes (the purpose of which is public health surveillance). There may be cases where PHI that is disclosed for the conduct of public health activities also may be used by the government agency for research (e.g., monitoring patient safety trends and performing analysis of the data for research on systemic causes of medical error). In those cases, disclosures of PHI may be made either under the research provisions or under the public health provisions; the covered entity need not comply with both sets of requirements. For additional guidance on disclosures of PHI for public health purposes to a government agency that also conducts research, see HIPAA Privacy Rule and Public Health: Guidance from CDC and the U.S. Department of Health and Human Services , located at http://www.cdc.gov/mmwr/ preview/mmwrhtml/m2e411a1.htm.


Department of Health and Human Services National Institutes of Health USAGov The HIPAA Privacy Rule