HIPAA: The Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), effective April 14, 2003, will
have an impact on research conducted by Carnegie Mellon University researchers whose studies involve
the collection and analysis of existing medical record information obtained from a third party source (such
as UPMC Health System, Children’s Hospital, West Penn Hospital) and on the use of medical records for
the identification of potential research subjects.

Researchers will need to submit human subject protocol applications to third party sources and ensure they
follow their HIPAA requirements. Researchers will also need to follow Carnegie Mellon’s HIPAA
requirements. To avoid redundancy of human subject protocol applications, Carnegie Mellon’s IRB will
accept and review the third party source human subjects protocol applications and consent forms provided
the researcher completes Carnegie Mellon’s HIPAA Human Subjects Clearance Request Form.

All researchers working with PHI must complete the online training PRIVACY REQUIREMENTS FOR
RESEARCHERS UNDER HIPAA (located at [link omitted in source]) and submit the training certificates to
Regulatory Compliance Administration, Warner Hall, Room 414 (fax no. 412-268-6279).

An Introduction to the Impact on Research
HIPAA and Research
Pathways for Data Access

HIPAA: An Introduction to the Impact on Research

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was designed to improve the
efficiency and effectiveness of the healthcare system. In response to the original HIPAA law,
Health and Human Services (HHS) published an additional regulation referred to as the Privacy
Rule that relates directly to organizations involved in healthcare operations that transmit health
information electronically. Typical organizations covered by HIPAA include:

    - Health plans;
    - Health care clearinghouses; and
    - Health care providers who conduct certain financial and administrative transactions
      electronically, such as billing and fund transfers.

The Privacy Rule establishes Federal protections for the privacy of protected health
information (PHI), which is defined as individually identifiable health information transmitted or
maintained in any form or medium including paper records. Explicitly, PHI:

    - Relates to the past, present or future physical or mental health condition;
    - Relates to the provision of health care or the past, present, or future payment for the
      provision of health care;
    - Identifies the individual or could reasonably be used to identify the individual; AND
    - Has been transmitted or maintained in any form or medium (electronic, paper, oral).

All affected entities will need to be in compliance with the Privacy Rule by April 14, 2003. This
includes research conducted at Carnegie Mellon University that utilizes PHI.

HIPAA and Research

HIPAA directly affects research with human participants where:

    1. The researcher's data is PHI obtained from a third party source such as a physician's
       office, hospital, or clinic that treated the patient(s). For example, researchers will need to
       follow HIPAA guidelines to access any UPMC Health System or Children's Hospital
       patient records.
    2. The researcher is a physician whose study participants are receiving treatment as part of
       the research.

The HIPAA privacy standards WILL NOT directly affect researchers' access to records and
databases that do not include PHI created or maintained by covered entities. For example,
researchers will still have access to governmental databases or databases maintained by non-
healthcare providers.

Whenever the proposed research will utilize health information resulting from patient treatment,
researchers should submit their protocol for review to Regulatory Compliance Administration.
Regulatory Compliance Administration and the IRB can help determine if HIPAA regulations

Pathways for Data Access

Beginning April 14, 2003, health care providers covered by HIPAA may only use or disclose PHI
for treatment, payment, and health care operations purposes. When research depends on PHI,
there are six primary pathways permitting access to PHI for research related purposes:

    1. Review preparatory to research
       - For the purpose of study design and protocol development
       - Review must be essential for conduct of the research
       - No PHI may be removed from the covered entity providing the data
    2. Patient (participant) authorization
       - Similar to the current informed consent requirement
       - Includes additional elements and statements pertaining specifically to data privacy
       - Can be combined with the informed consent form/process
       - ORP will provide a template for use in designing a valid authorization
       - For current research, if participant consent is obtained prior to April 14, 2003,
         research on PHI may continue without authorization.
       - If consent is not obtained before the compliance date, authorization will be required
         from each participant in order to access PHI.

    3. Waiver of authorization by IRB/Privacy Board
       - Waivers may be approved when research cannot feasibly be conducted on
         de-identified data or authorization cannot practically be obtained from research
       - Must demonstrate that disclosure of PHI will involve no more than minimal risk to the
         privacy of the individuals
       - Must demonstrate adequate plans to protect the data from improper use and
       - All waiver requests will be reviewed by Carnegie Mellon's full IRB at a convened
         meeting (the IRB meets the first Friday of every month; submittals are due a week
         before the meeting).

    4. De-identification of data
       - De-identified data is not technically PHI, since it is unlikely that it can be used to
         identify the individual.
       - 18 categories of identifiers must be removed from the data for it to be classified as
         de-identified. These are:
         - Names
         - Geographic subdivisions smaller than a state, except the 3 initial zip code digits,
           with certain stipulations
         - All elements of dates (except year) and all ages over 89 (and all elements of dates,
           including year, indicative of such age)
         - Telephone numbers
         - Fax numbers
         - Electronic mail addresses
         - Social security numbers
         - Medical record numbers
         - Health plan beneficiary numbers
         - Account numbers
         - Certificate/license numbers
         - Vehicle identifiers and serial numbers, including license plate numbers
         - Device identifiers and serial numbers
         - Web Universal Resource Locators (URLs)
         - Internet Protocol (IP) address numbers
         - Biometric identifiers, including finger and voice prints
         - Full face photographic images and any comparable images
         - Any other unique identifying number, characteristic or code

    5. Limited data set and data use agreement
       - Requires fewer identifiers to be removed than de-identified data
       - Allows use of dates and ages, device identifiers and serial numbers, and other unique
         identifiers not mentioned above, except those that could easily be used to identify the
       - Must be used in conjunction with a Data Use Agreement, a document intended to assure
         the data provider that the data will only be used or disclosed for limited purposes as
         specified in the research protocol
       - Regulatory Compliance Administration will provide a template for developing a Data Use

    6. Research on decedents' information
       - Research on the PHI of decedents is allowed under the Privacy Rule
       - Several assurances will need to be provided to the covered entity in order to access
         decedents' PHI
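As an added illustration of pathway 4 (not part of the original document), the following Python applies the de-identification rules listed above to a constructed record: direct identifiers are dropped, zip codes are cut to their 3 initial digits, dates are reduced to the year, ages over 89 are capped, and free-text fields are scanned for identifiers that survive field-level removal. The field names, the handling of the zip code "stipulations" and the regex patterns are assumptions, not text from the document.

```python
import re
from datetime import date
# Direct identifiers among the 18 Safe Harbor categories (assumed field names, not from the page).
DROP_FIELDS = {"name", "street", "city", "phone", "fax", "email", "ssn", "mrn",
               "health_plan_id", "account_no", "license_no", "vehicle_id",
               "device_id", "url", "ip", "biometric", "photo"}
DATE_FIELDS = ("dob", "admit_date", "discharge_date")
PATTERNS = {  # constructed patterns for identifiers left in free text (not exhaustive)
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ip": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
    "url": re.compile(r"https?://\S+"),
}

def generalize_zip(zip5, small_population_zip3=frozenset()):
    """Keep the 3 initial digits; the page's 'certain stipulations' are modelled
    as a caller-supplied set of 3-digit areas that must collapse to 000."""
    zip3 = zip5[:3]
    return "000" if zip3 in small_population_zip3 else zip3

def deidentify(record, small_population_zip3=frozenset()):
    """Apply the pathway 4 de-identification rules to one structured record."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value, small_population_zip3)
        elif key == "age":
            out["age"] = "90+" if value > 89 else str(value)
        elif key in DATE_FIELDS:
            out[key + "_year"] = value.year  # every date element except the year goes
        else:
            out[key] = value
    if record.get("age", 0) > 89:  # for ages over 89 even the birth year is identifying
        out.pop("dob_year", None)
    return out

def residual_identifiers(text):
    """Names of identifier patterns that survive in a free-text field."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))

SAMPLE = {  # constructed sample record, not real patient data
    "name": "Jane Doe", "mrn": "MRN-0001", "zip": "15213", "age": 92,
    "dob": date(1931, 3, 4), "admit_date": date(2002, 11, 20),
    "diagnosis": "hypertension",
    "note": "Called 412-555-0199; follow-up via jane@example.com",
}
```

The residual scan on the note field shows why removing structured fields alone does not make a record de-identified: the phone number and e-mail address in free text still fall under the listed categories.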

7. Data Sharing

Carnegie Mellon University (CMU) supports the concept of data sharing. Data sharing is
essential for expedited translation of research results into knowledge, products,
procedures to improve human health, and advancement of scientific and academic
knowledge. CMU endorses the sharing of final research data to serve these and other
important scientific goals. CMU expects and supports the timely release and sharing of
final research data from CMU conducted studies for use by other researchers.

CMU understands HIPAA regulations may affect the process of data sharing. To comply
with HIPAA regulations and with data sharing policies issued by PHS funding agencies,
researchers are encouraged to create de-identified data sets when reporting and
publishing their research findings that contain protected health information.

Information about data sharing and the NIH policy on data sharing can be found at

Research activities funded by PHS agencies must comply with the funding agencies’
policy on data sharing.

HIPAA Training

All researchers working with PHI will need to complete mandatory online training for researchers
(located at [link omitted in source]) and submit the training certificates to Regulatory Compliance
Administration, Warner Hall, Room 414 (fax no. 412-268-6279).
