Research at the University of Washington and Compliance with HIPAA

What is HIPAA? - Who is affected by HIPAA? - What is PHI? - What kind of research and researchers are affected by the HIPAA regulations? - Who will review research use of HIPAA-regulated information? - What types of health information are there? - Authorization requirements - Waiver of authorization for research: What information must researchers provide to the IRB? - Research subjects' rights under HIPAA - What effect does HIPAA have on recruitment of research subjects? - What will researchers have to do to request a waiver of authorization? - Research authorization templates

What is HIPAA?

HIPAA is an acronym for the Health Insurance Portability and Accountability Act, passed by Congress in 1996. The purpose of the Act was to increase the ease with which people could transfer their health care information from one insurer or provider to the next. Congress, as part of HIPAA, required the development of privacy regulations to protect the confidentiality of individually identifiable health care information. The final privacy Rule was issued on August 14, 2002 (www.hhs.gov/ocr/hipaa/finalreg.html). The University of Washington has until April 14, 2003 to comply with the Privacy Rule.

Who is affected by HIPAA?

All researchers (faculty, staff, or students) at the UW who access or create Protected Health Information (PHI) preceding or during the conduct of their research must comply with the HIPAA regulations.

What is PHI?

Protected Health Information is any information pertaining to a) the past, present, or future physical or mental health or condition of an individual; b) the provision of health care to an individual; or c) the past, present, or future payment for the provision of health care to an individual. PHI may be information that is recorded electronically, on paper, or orally. PHI may concern living people or dead people (referred to in the law as "decedents"). PHI does NOT include de-identified information or biological tissue with no accompanying information, such as an accession number or code number, that may be linked to an identifier.

What kind of research and researchers are affected by the HIPAA regulations?

Any kind of research conducted under the auspices of the UW and UW Medicine that creates or uses protected health information is subject to the HIPAA regulations. This includes such research activities as clinical trials, chart reviews, epidemiological studies, behavioral, and social science studies, as well as basic science research activities. It includes research that involves the provision of treatment as well as research that provides neither treatment nor diagnosis.

All studies involving creation or use of Protected Health Information (PHI) must be reviewed and approved in advance by the UW's Human Subjects Division.

All researchers, whether or not they are directly connected with UW Medicine, who wish to conduct research involving protected health information must complete HIPAA training before they will be allowed to have access to individually identifiable health information in any form.

Who will review research use of HIPAA-regulated information?

HIPAA rules require a Privacy Board or Institutional Review Board (IRB) to review the research use of HIPAA-regulated health information. The University of Washington's Human Subjects Division and Human Subjects Review Committees will serve this role for UW researchers.

What types of health information are there?

There are three categories of health information. The authorization requirements for use are different for each.

Individually Identifiable Health Information (IIHI): includes any subset of health information, including demographic information collected from an individual, that:

Is created or received by a health care provider, health plan, employer, or health care clearinghouse (an organization that codes health data);
Relates to the past, present or future physical or mental health or condition, the past, present or future provision of care to an individual, or the past, present or future payment for the provision of health care to an individual; and,
Identifies the individual (or there is a reasonable basis to believe that the information can be used to identify the individual.)

An authorization signed by the research subject is almost always required for the disclosure of individually identifiable health information. However, if the use meets the requirements for a waiver of authorization, the Human Subjects Review Committees may approve such a waiver.

De-Identified Information: Health information is considered de-identified when it does not identify an individual and the covered entity has no reasonable basis to believe that the information can be used to identify an individual. Information is considered de-identified if 18 identifiers are removed from the health information and if the remaining health information could not be used alone, or in combination, to identify a subject of the information. The identifiers include

names,
geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code if the geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people
all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89,
telephone numbers,
fax numbers,

electronic mail addresses,

Social Security numbers,

medical record numbers,

health plan beneficiary numbers,

account numbers,

certificate/license numbers,

vehicle identifiers and serial numbers, including license plate numbers,

device identifiers and serial numbers,

Web Universal Resource Locator (URL),

biometric identifiers, including finger or voice prints,

full face photographic images and any comparable images,

Internet Protocol address numbers

any other unique identifying number characteristic or code

The Human Subjects Review Committees may allow waivers of authorization for access to de-identified health information.

Limited Data Set: A limited data set is information disclosed by a covered entity to a researcher who has no relationship with the individual whose information is being disclosed. The covered entity is permitted to disclose PHI, with direct identifiers removed, subject to obtaining a data use agreement from the researcher receiving the limited data set. A data use agreement specifies permitted uses and disclosures, specifies who may use or receive the data set, restricts further use and disclosure, and restricts re-identification of the data or contact with the individuals.

The PHI in a limited data set may not be used to contact subjects. The Human Subjects Review Committees may allow waivers of authorization for use of limited data sets in research. If the data are to be removed from the hospital, the researchers must sign a data use agreement with the hospital.

Direct identifiers that must be removed from the information for a limited data set are:

name,
address information (other than city, State, and zip code),
telephone and fax numbers,
e-mail address,
Social Security number,
certificate/license number,
vehicle identifiers and serial numbers,
URLs and IP addresses,
full face photos and other comparable images,
medical record numbers, health plan beneficiary numbers, and other account numbers,
device identifiers and serial numbers,
biometric identifiers including finger and voice prints.

Identifiers that are allowed in the limited data set are:

admission, discharge and service dates,
birth date,
date of death,
age (including age 90 or over),
geographical subdivisions such as state, county, city, precinct and five digit zip code.

Authorization requirements

The HIPAA regulations use the term "authorization" to describe the process through which a patient allows researchers to access protected health information. The authorization for disclosure and use of protected health information may be combined with the consent form that a research subject signs before agreeing to be in a study. It may also be a separate form. In either case, the information must include:

a description of the information to be used for research purposes;
who may use or disclose the information
who may receive the information
purpose of the use or disclosure
expiration date or event (if the information will be kept indefinitely, the authorization states that there is no expiration date)
individual's signature and date
right to revoke authorization
right to refuse to sign authorization (if this happens, the individual may be excluded from the research and any treatment associated with the research)
if relevant, that the research subject's access rights are to be suspended while the clinical trial is in progress, and that the right to access PHI will be reinstated at the conclusion of the clinical trial.

Blanket authorizations for research to be conducted in the future are not permitted. Each new use requires a specific authorization.

Waiver of authorization for research

The UW Human Subjects Review Committees use these criteria in approving requests for a waiver of authorization for research:

the use or disclosure of protected health information must involve no more than minimal risk to the privacy, safety, and welfare of the individual;
the research could not practicably be conducted without the waiver or alteration; and
the research could not practicably be conducted without access to the protected health information.

The Human Subjects Review Committees must also consider if the researcher has provided:

an adequate plan to protect the identifiers from improper use or disclosure;
an adequate plan to destroy the identifiers at the earliest opportunity, unless retention of identifiers is required by law or is justified by research or health issues; and
adequate written assurance that the PHI will not be used or disclosed to a third party except as required by law or permitted by an authorization signed by the research subject.

What information must researchers provide to the IRB?

Researchers must provide more detailed information about the types of information they will use in their research, how it will be used, who will have access to it, and when it will be destroyed. Specifically, they are asked:

What risks are posed by the use of the data and how have they been minimized?
What is the justification for access to the data and why are they necessary to conduct the research?
What plan does the researcher have to protect identifiers from improper use or disclosure?
What is the researcher's plan to destroy the identifiers? If it is not possible to destroy the identifiers, what is the health, legal, or scientific justification?
Has the researcher provided adequate written assurance that the PHI will not be used or disclosed to a third party except as required by law or permitted by an authorization signed by the research subject?

Researchers requesting waivers of authorization will also need to document:

that the use or disclosure poses no more than minimal risk to the subject;
that the research could not practicably be conducted without the waiver; and
that the research could not practicably be conducted without access to the protected health information.

Research subjects' rights under HIPAA

Right to an accounting: When a research subject signs an authorization to disclose PHI, the covered entity is not required to account for the authorized disclosure. Nor is an accounting required when the disclosed PHI was contained in a limited data set or is released to the researcher as de-identified data. However, an accounting is required for research disclosures of identifiable information obtained under a waiver or exception of authorization. Research subjects may request an accounting of disclosures going back for up to six years.

Right to revoke authorization: A research subject has the right to revoke his or her authorization unless the researcher has already acted in reliance on the original authorization. Under the authorization revocation provision, covered entities may continue to use or disclose PHI collected prior to the revocation as necessary to maintain the integrity of the research study. Examples of permitted disclosures include submissions of marketing applications to the FDA, reporting of adverse events, accounting of the subject's withdrawal from the study and investigation of scientific misconduct.

What effect does HIPAA have on recruitment of research subjects?

Recruitment of subjects for research is subject to the general authorization requirements. The Privacy Rule classifies recruitment as "research" rather than as health care operations or marketing. Because development or use of research databases falls within the definition of "research," a covered entity may disclose PHI in a database to sponsors for subject recruitment only after an authorization from the research subject or a waiver from the UW's Human Subjects Review Committee has been obtained.

Neither an authorization nor a waiver is required to disclose PHI contained in a limited data set or as de-identified data. Limited data sets will make it easier to create databases of potential subjects to see if it is feasible to conduct a clinical trial or to perform epidemiological research. There are a couple of important limitations on the use of PHI in a limited data set for subject recruitment. The PHI may not be used to contact subjects, and, because telephone numbers, internet provider addresses, and email addresses are not part of a limited data set, this information may not be collected by researchers from prospective subjects.

When researchers want to approach potential subjects to participate in a study whom they have identified using PHI under a waiver of authorization, they must use an approach method that has been approved in advance by the Human Subjects Review Committee.

Examples of approach mechanisms include using an intermediary such as the patient's primary care provider or a member of the medical staff actually caring for that patient, or sending the potential subject a letter signed by the patient's provider.

What will researchers have to do to request a waiver of authorization?

In completing the application to the UW Human Subjects Review Committee,

Explain how the use of PHI involves no more than minimal risk to individuals
Explain why such a waiver will not adversely affect privacy rights or welfare of individuals in the study
Explain why the study could not practicably be conducted without a waiver
Explain why it is necessary to access and use protected health information to conduct this research
Explain how the risks to privacy posed by use of PHI in this research are reasonable in relation to the anticipated benefits
Explain the plan to protect identifiers from re-disclosure
Explain the plan to destroy identifiers. Provide a date by which this will take place. If identifiers must be retained, provide the reason (scientific, health, or other) why this is necessary.
Confirm that the PHI will not be reused or disclosed to anyone else.

Research authorization templates

Researchers must use a separate HIPAA authorization form. The form must be signed and dated by the research subject or the subject's personal representative or legally authorized surrogate. The standard template is available at http://www.washington.edu/research/hsd/form.php?id=58.

Research at the University of Washington and Compliance with HIPAA

Main Human Subjects page Finder List

Main Human Subjects page
Finder List