HIPAA: The Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), effective April 14, 2003, will
have an impact on research conducted by Carnegie Mellon University researchers whose studies involve
the collection and analysis of existing medical record information obtained from a third party source (such
as UPMC Health System, Children’s Hospital, West Penn Hospital) and on the use of medical records for
the identification of potential research subjects.
Researchers will need to submit human subject protocol applications to third party sources and ensure they
follow their HIPAA requirements. Researchers will also need to follow Carnegie Mellon’s HIPAA
requirements. To avoid redundancy of human subject protocol applications, Carnegie Mellon’s IRB will
accept and review the third party source human subjects protocol applications and consent forms provided
the researcher completes Carnegie Mellon’s HIPAA Human Subjects Clearance Request Form.
RESEARCHERS MUST COMPLETE THE UNIVERSITY OF PITTSBURGH’s MODULE 6:
PRIVACY REQUIREMENTS FOR RESEARCHERS UNDER HIPAA (located at
http://rpf.health.pitt.edu/rpf/index.cfm) and submit the training certificates to Regulatory
Compliance Administration, Warner Hall, Room 414 (fax no. 412-268-6279).
An Introduction to the Impact on Research
HIPAA and Research
Pathways for Data Access
HIPAA: An Introduction to the Impact on Research
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was designed to improve the
efficiency and effectiveness of the healthcare system. In response to the original HIPAA law,
Health and Human Services (HHS) published an additional regulation referred to as the Privacy
Rule that relates directly to organizations involved in healthcare operations that transmit health
information electronically. Typical organizations covered by HIPAA include:
Health care clearinghouses; and
Health care providers who conduct certain financial and administrative transactions
electronically, such as billing and fund transfers.
The Privacy Rule establishes Federal protections for the privacy of protected health
information (PHI), which is defined as individually identifiable health information transmitted or
maintained in any form or medium including paper records. Explicitly, PHI:
Relates to the past, present or future physical or mental health condition.
Relates to the provision of health care or the past, present, or future payment for the
provision of health care.
Identifies the individual or could reasonably be used to identify the individual; AND
Has been transmitted or maintained in any form or medium (electronic, paper, oral).
All affected entities will need to be in compliance with the Privacy Rule by April 14, 2003 - this
includes research conducted at Carnegie Mellon University that utilizes PHI.
HIPAA and Research
HIPAA directly affects research with human participants where:
1. The researcher's data is PHI obtained from a third party source such as a physician's
office, hospital, or clinic that treated the patient(s). For example, researchers will need to
follow HIPAA guidelines to access any UPMC Health System or Children’s Hospital
2. The researcher is a physician whose study participants are receiving treatment as part of
The HIPAA privacy standards WILL NOT directly affect researchers' access to records and
databases that do not include PHI created or maintained by covered entities. For example,
researchers will still have access to governmental databases or databases maintained by non-
Whenever the proposed research will utilize health information resulting from patient treatment,
researchers should submit their protocol for review to Regulatory Compliance Administration.
Regulatory Compliance Administration and the IRB can help determine if HIPAA regulations
Pathways for Data Access
Beginning April 14, 2003, health care providers covered by HIPAA may only use or disclose PHI
for treatment, payment, and health care operations purposes. When research depends on PHI,
there are six primary pathways permitting access to PHI for research related purposes:
1. Review preparatory to research
For the purpose of study design and protocol development
Review must be essential for conduct of research
No PHI may be removed from the covered entity providing the data
2. Patient (Participant) authorization
Similar to current informed consent requirement
Includes additional elements and statements pertaining specifically to data privacy
Can be combined with informed consent form/process
ORP will provide a template for use in designing a valid authorization
For current research, if participant consent is obtained prior to April 14, 2003,
research on PHI may continue without authorization.
If consent is not obtained before the compliance date, authorization will be required
from each participant in order to access PHI.
3. Waiver of authorization by IRB/Privacy Board
Waivers may be approved when research cannot feasibly be conducted on de-
identified data or authorization cannot practically be obtained from research
Must demonstrate that disclosure of PHI will involve no more than minimal risk to the
privacy of the individuals
Must demonstrate adequate plans to protect the data from improper use and
All Waiver requests will be reviewed by Carnegie Mellon’s full IRB at a convened
meeting (The IRB meets the first Friday of every month. Submittals are due a week
before the meeting.)
4. De-identification of data
De-identified data is not technically PHI, since it cannot reasonably be used to identify
the individual
18 categories of identifiers must be removed from the data for it to be
classified as de-identified. These are:
Geographic subdivisions smaller than a state except 3 initial zip code
digits, with certain stipulations
All elements of dates (except year) and all ages over 89 (and all
elements of dates, including year, indicative of such age)
Electronic mail addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Vehicle identifiers and serial numbers, including license plate
numbers
Device identifiers and serial numbers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers, including finger and voice prints
Full face photographic images and any comparable images
Any other unique identifying number, characteristic or code
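As an added illustration (example code, not from this page or from Carnegie Mellon's compliance office), the rules listed above applied to one constructed record: identifier fields are dropped, ZIP codes are cut to 3 digits, dates are reduced to year, ages over 89 are reported as "90+" with the birth year withheld, and identifiers that leak into free text are masked. Field names, the restricted_zip3 set (the page's "certain stipulations") and the sample record are assumptions; only the categories printed on this page are covered, not the full list of 18.

```python
import re
from datetime import date

# Field names are assumptions; the page names identifier categories, not how a data set labels them.
DROP_FIELDS = {"email", "ssn", "mrn", "health_plan_id", "vehicle_id",
               "device_id", "url", "ip", "biometric", "photo", "other_code"}
TEXT_PATTERNS = [  # identifiers from the page's list that also leak into free-text notes
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]

def scrub_text(text):
    for pattern, label in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text

def age_on(dob, as_of):
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))

def deidentify(record, as_of, restricted_zip3=frozenset()):
    # restricted_zip3: 3-digit prefixes that must be reported as "000" (the page's
    # "certain stipulations"); the caller supplies it, assumed here.
    over_89 = "dob" in record and age_on(record["dob"], as_of) > 89
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue                                  # removed outright
        if key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in restricted_zip3 else zip3
        elif key == "dob":
            if not over_89:                           # even the year would indicate age > 89
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[key + "_year"] = value.year           # all other dates: year only
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    if "dob" in record:
        out["age"] = "90+" if over_89 else age_on(record["dob"], as_of)
    return out

SAMPLE = {  # constructed record, not real patient data
    "mrn": "MRN-0001", "email": "jane@example.org", "zip": "15213",
    "dob": date(1910, 1, 15), "admitted": date(2002, 11, 3),
    "note": "Contact jane@example.org, SSN 123-45-6789, portal 10.0.0.7",
    "diagnosis": "hypertension",
}
```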
5. Limited data set and data use agreement
Requires that fewer identifiers be removed than for de-identified data
Allows use of dates and ages, device identifiers and serial numbers, and other unique
identifiers not mentioned above, except those that could easily be used to identify the
Must be used in conjunction with a Data Use Agreement, a document intended to assure
the data provider that the data will only be used or disclosed for limited purposes as
specified in the research protocol
Regulatory Compliance Administration will provide a template for developing a Data Use
6. Research on decedent's information
Research on the PHI of decedents is allowed under the Privacy Rule
Several assurances will need to be provided to the covered entity in order to access
7. Data Sharing
Carnegie Mellon University (CMU) supports the concept of data sharing. Data sharing is
essential for expedited translation of research results into knowledge, products,
procedures to improve human health, and advancement of scientific and academic
knowledge. CMU endorses the sharing of final research data to serve these and other
important scientific goals. CMU expects and supports the timely release and sharing of
final research data from CMU conducted studies for use by other researchers.
CMU understands HIPAA regulations may affect the process of data sharing. To comply
with HIPAA regulations and with data sharing policies issued by PHS funding agencies,
researchers are encouraged to create de-identified data sets when reporting and
publishing their research findings that contain protected health information.
Information about data sharing and the NIH policy on data sharing can be found at
Research activities funded by PHS agencies must comply with the funding agencies’
policy on data sharing.
All researchers working with PHI will need to complete mandatory online training for researchers
on the new HIPAA regulations. RESEARCHERS MUST COMPLETE THE UNIVERSITY OF
PITTSBURGH’s MODULE 6: PRIVACY REQUIREMENTS FOR RESEARCHERS UNDER HIPAA
and submit the training certificates to Regulatory Compliance Administration, Warner Hall, Room
414 (fax no. 412-268-6279).
Department of Health and Human Services "Clinical Research and the HIPAA
Privacy Rule." Detailed information that includes a Frequently Asked Questions
and Answers section explaining how the Privacy rule affects researchers and
Office for Civil Rights. "OCR Guidance Explaining Significant Aspects of the
Final Privacy Rule." December 5, 2002. Office for Civil Rights. December 13,
Woods, Gerald W. "Impact of the HIPAA Privacy Rule on Academic Research"
ACENET. November 22, 2002. American Council on Education. December 13,
University of Pittsburgh’s Institutional Review Board website HIPAA link