HIPAA Info & Forms

Guidelines on Usage of Protected Health Information

HIPAA Privacy Rule

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule governs disclosure of personally identifiable health information (deemed “protected health information”- PHI) by hospitals, physicians, and other HIPAA-defined “Covered Entities” (CEs). PHI is broadly defined by HIPAA to include identifiable data on a person’s physical or mental heath, health care, or payment for health care. PHI includes, for example, a list of a person’s current medications or a person’s weight, smoking status, or date of surgery.

What are “Covered Entities?”

HIPAA defines “Covered Entities” to be hospitals, physicians, health care providers, insurance agencies, or others who maintain or transmit PHI for purposes of treatment, payment, or health care operations (such as accreditation programs.) Most researchers are not themselves CEs, because they do not maintain or transmit health data for purposes of treatment, payment, or health care operations. However, many researchers obtain PHI from CEs as part of their research projects. The HIPAA Privacy Rule governs the circumstances under which CEs can disclose PHI to researchers.

What Types of Information Are Subject to HIPAA?

Health data that a researcher obtains directly from research participants, rather than from CEs, is NOT subject to the HIPAA Privacy Rule. For example, if a researcher takes a subject’s blood pressure, that data is not subject to the Privacy Rule.

If, on the other hand, the researcher wants to obtain the subject’s blood pressure from a physician, the physician’s ability to disclose the information is governed by the Privacy Rule. Similarly, a physician sending a “medical clearance” form for a study participant to a researcher would be subject to HIPAA. However, if the physician gave the medical clearance form to the study participant, and the study participant delivered it to the researcher, the disclosure would NOT be subject to HIPAA.

Conditions for Releasing PHI

There are 3 conditions under which a CE can release PHI to a researcher:

  1. Every subject has signed an Authorization for the CE to release the PHI to the researcher
  2. An Institutional Review Board (IRB) has granted the research a Waiver of Authorization
  3. The researcher De-identifies the health information to HIPAA standards
Authorization

In most research cases, each subject must sign an authorization for the CE to release PHI to the researcher. Authorizations are separate from consent forms and must contain specific information.

Hospitals and other large CEs may require the researcher to use their standard agency authorization form. Researchers are advised to contact CEs and determine this before investing time in creating an authorization form specific to their research study.

An authorization must be written in plain language and include the following elements according to Federal Law 45 CFR 164.508:

  1. Description of information to be disclosed
  2. Specification of persons or class of persons authorized to disclose the information
  3. Specification of who (name or class of persons) that disclosure can be made to
  4. Purpose for which disclosed data would be used
  5. Expiration date for authorization
  6. Statement of right to revoke authorization and method to revoke
  7. Statement that person can inspect or copy PHI to be disclosed
  8. Whether PHI disclosure is linked to remuneration or benefit for CE
  9. Statement that disclosed information may be re-disclosed and will no longer be protected by HIPAA
  10. Signed and dated by individual/guardian. (If the guardian signs, include a description of guardian’s authority to act for individual.)

View sample authorization form. (open Word Document)

Waiver of Authorization

An IRB can grant waiver of authorization (45 CFR 164.512(i)) for a research study if it determines that the waiver criteria under 45 CFR 164.512(i)(2)(ii) are met.

(A) The use or disclosure of protected health information (PHI) involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements.

  1. An adequate plan to protect the identifiers from improper use and disclosure;
  2. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
  3. Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by this HIPAA and approved by the IRB;

(B) The research could not practicably be conducted without the waiver or alteration; and
(C) The research could not practicably be conducted without access to and use of the PHI.

Covered Entities

Covered Entities (CEs) with their own IRBs may require that the waiver be granted by the agency IRB, rather than UNC Charlotte’s IRB. Researchers are advised to contact CEs and determine this before applying for a Waiver of Authorization from the UNC Charlotte IRB. After determining this, if you still wish to request a Waiver of Authorization from the UNC Charlotte IRB, you may do so as part of your protocol application submission

De-identification

Health information that cannot be traced to an individual is not subject to the HIPAA Privacy Rule (45 CFR 164.514). The Covered Entity (NOT the UNC Charlotte IRB) must make this determination. The determination can be made through either of the following:

  1. expert opinion, or
  2. removal of identifying information
Using an Expert to Determine De-identification of PHI

Expert opinion must be rendered by a person with expertise in methodology for de-identifying PHI. The expert must determine that risk of identification is very small and must document his/her methodology and analysis.

Removal of Identifiers

The CE must NOT have actual knowledge that the disclosed information could be used to identify the subject and MUST REMOVE all identifiers of subjects, and their relatives, employers, and household members.

HIPAA REQUIRES REMOVAL OF

  • Names
  • Addresses
  • Geographic subdivisions smaller than state
  • All dates related to the subject (e.g. birth date) [Exception: Birth year and age (if under 89) may be retained.]
  • Telephone, fax, e-mail, SSNs
  • Medical record and health plan numbers
  • Account numbers
  • Certificate and license numbers
  • VIN and license plate numbers
  • Device identifiers and serial numbers
  • URLS and IP addresses
  • Fingerprints, voice prints, etc
  • Images
  • Any other identifiers

Since the Covered Entity must make the determination that data have been sufficiently de-identified, the role of the UNC Charlotte IRB is education and advice. The UNC Charlotte IRB can assist researchers in deciding which data must be removed in order for the data to be considered de-identified.

Research on Deceased People

Additional rules apply to research on deceased people, and disclosures to prepare research protocols. Contact the Office of Research Protections and Integrity for guidance.

Burden of Compliance

The burden for complying with HIPAA falls on the CE, so it is ultimately the responsibility of the CE to determine if the conditions that allow disclosure of PHI have been met. UNC Charlotte’s IRB can help researchers through the process, but the CE will always be the one to make the final decision about whether PHI can be shared with a researcher.

Related Forms

Sample Authorization to Disclose PHI (for Covered Entities)