The HIPAA privacy regulations were not intended to impede medical research. Nevertheless, such research is affected by HIPAA, because any use or disclosure of protected health information (PHI) by a "covered entity" is subject to the privacy regulations, including a use or disclosure pertaining to medical research.
In this context it should be noted that PHI is individually identifiable health information that is created or received by a covered entity, and a "covered entity" is a health care provider who conducts certain transactions electronically, a health plan, or a health care billing clearinghouse.
Therefore, if a researcher is a covered entity or a member of the workforce of a covered entity, the researcher's uses and disclosures of PHI would be subject to the privacy regulations, and subject to the covered entity's notice of privacy practices. Similarly, if a researcher wishes to obtain such information from a covered entity, the covered entity would need to determine whether it could make the disclosure under the terms of the privacy regulations and under the terms of its notice of privacy practices (regardless of whether the researcher is a covered entity).
On the other hand, information that would otherwise be PHI is sometimes created by entities that are not covered by the privacy regulations. In those cases, use or disclosure of the information is not subject to the limitations found in the privacy regulations. For example, a health care provider who does not conduct any HIPAA transactions electronically (that is, a non-covered provider), and who also conducts research, may gather information from patients that would otherwise be PHI, and use and disclose that information for research purposes free of the restrictions found in the HIPAA privacy regulations.
In light of the foregoing, whenever a researcher is a covered entity or part of the workforce of a covered entity, or whenever a researcher seeks PHI from a covered entity, the researcher needs to heed the 8 provisions of the privacy regulations that permit uses and disclosures of PHI for research purposes.
PHI may be used or disclosed for any purpose, including research, with the written authorization of the individual whose PHI is to be used or disclosed. The privacy regulations specify the required content for such an authorization.
2. Waiver of Authorization
An Institutional Review Board (IRB) or a Privacy Board (PB) may grant a complete or partial waiver of the authorization requirement. For example, an IRB or PB could give a partial waiver of the authorization requirement to permit a covered entity to disclose to a researcher the names and addresses of individuals with a specific medical condition so that the researcher could contact those individuals and invite them to participate in a study. Alternatively, the IRB or PB could grant a complete waiver and permit a covered entity to disclose all of the PHI of certain individuals to a researcher. A complete waiver is not usually appropriate, however, for clinical research involving human subjects.
3. Incomplete Authorization
An IRB or PB may, instead of granting a waiver of the authorization requirement, allow the researcher to use an authorization that does not contain all of the elements otherwise required by the privacy regulations. For example, a researcher could be permitted to use an authorization that does not describe each purpose of the requested use or disclosure when identification of the specific research study could affect the results of the study.
4. Preparations for Research
A covered entity may permit a researcher to review PHI for certain purposes before beginning research. For example, a researcher may need to determine whether there are records of a sufficient number of patients with a specified condition to determine if a statistically valid study can be conducted. The researcher must represent to the covered entity that no PHI will be removed from the covered entity during such a preparatory review, that the PHI will be used or disclosed only to prepare the research protocol or other preparatory purposes, and that the PHI sought is necessary for the research.
5. Decedents' Information
PHI may be used and disclosed for research if the researcher represents to the covered entity that the use or disclosure is sought for research involving only the PHI of deceased individuals, and that the PHI sought is necessary for the research. In addition, the covered entity may require that the researcher provide documentation of the death of the individuals whose PHI is sought.
6. Deidentified Information
Deidentified information is created when 18 identifiers specified by the privacy regulations are removed from PHI, or when a qualified statistician determines that there is only a very small risk that the information could be used, alone or in combination with other reasonably available information, to identify the individual who is the subject of the information. Deidentified information is not treated as PHI. The identifiers that must be removed to deidentify PHI include the obvious, such as name, address, and phone numbers, and also the less obvious, such as vehicle or device identifiers or serial numbers.
7. Limited Data Sea
A limited data set is created when 16 specified identifiers are removed from PHI. A limited data set is "almost deidentified" information in that only two identifiers that must be removed for deidentification may be left in a limited data set. For deidentification, all elements of an address (except the first three digits of a zip code) must be removed, while a limited data set may include the town or city, the state, and the full zip code. In addition, deidentified information must be stripped of all elements of dates (except year) that directly relate to an individual, while dates may be left in a limited data set.
A limited data set may be used or disclosed only if an agreement is in place that establishes the permitted uses and disclosures, as well as who is permitted to use or receive the data set. The agreement must also include the recipient's promises: to safeguard the data set; to report any inappropriate uses or disclosures; to ensure that any of its agents to whom the data set is disclosed agree to the same restrictions and conditions; and not to identify or contact the individuals whose PHI is included in the data set.
8. Grandfathered Consent or Waiver
The transition provisions of the privacy regulations permit a covered entity to continue to use and disclose PHI for research pursuant to informed consent or other express permission from the affected individual, or pursuant to a waiver of informed consent by an IRB, received before the covered entity's deadline for compliance with the privacy regulations.