Research and HIPAA Privacy Protections Guidelines

To conduct research while protecting patient privacy, researchers must follow strict guidelines. HIPAA (Health Insurance Portability and Accountability Act) regulations dictate how protected health information (PHI) can be used and disclosed.

The HIPAA Privacy Rule defines PHI as individually identifiable health information, which includes demographic information, medical histories, and treatment records. Researchers must obtain a valid authorization from the patient before accessing their PHI.

Researchers must also ensure that their studies comply with the HIPAA Privacy Rule's requirements for de-identification of PHI. This involves removing or altering certain identifying information, such as names and dates of birth, to protect patient confidentiality.

By following these guidelines, researchers can minimize the risk of violating HIPAA regulations and maintain the trust of their patients.

Suggestion: Hipaa Omnibus Rule of January 2013 Did What

Research that involves Protected Health Information (PHI) is covered by HIPAA.

HIPAA affects research that uses, creates, or discloses PHI. There are two ways a research study would involve PHI: the study involves review of medical records as one (or the only) source of research information, or the study creates new medical records because as part of the research a health-care service is being performed.

For another approach, see: Accounting Research

Retrospective studies, which involve reviewing past medical records, typically involve PHI. Prospective studies may also involve PHI when a researcher contacts a participant's physician to obtain or verify some aspect of a person's health history.

Most sponsored clinical trials that submit data to the FDA will involve PHI because study monitors have an obligation to compare research records to the medical records of participants.

Here are some scenarios that involve PHI:

Health information obtained directly from research subjects solely for research purposes does not require HIPAA compliance. However, if researchers are placing research results into a participant's medical record at a covered entity, HIPAA compliance is required.

On a similar theme: Research Etfs

HIPAA requires that all patients receive a Notice of Privacy Practices on their first contact with a covered entity, such as a hospital or research institution, after April 14, 2003. This notice explains the entity's privacy practices regarding a patient's medical records.

The Notice of Privacy Practices is different from the IRB-HSR Consent Form and/or the stand-alone HIPAA authorization. Researchers must obtain an acknowledgement of receipt of the UVA Notice from all research subjects, which can be checked in the A2K3 system.

If a research subject has not yet signed the acknowledgement form, the principal investigator is responsible for giving the subject the Notice and obtaining the subject's signature. If the subject has a medical record number, the form should be sent to Health Information Services.

HIPAA allows both use and disclosure of Protected Health Information (PHI) for research purposes, but such uses and disclosures have to follow HIPAA guidance and have to be part of a research plan that is reviewed and approved by an Institutional Review Board (IRB).

The HIPAA Privacy Rule governs PHI, which is defined as information that can be linked to a particular person that arises in the course of providing a health care service. This includes demographic information, medical records, and billing information for medical services rendered.

Here's a breakdown of the types of research that involve PHI:

To obtain a subject's PHI for research, researchers must follow specific guidelines. The subject must grant written permission through an Authorization, or the IRB may grant a waiver of the authorization requirement.

Researchers must also ensure that the PHI is handled properly. If the PHI has been de-identified in accordance with the standards set by HIPAA, it is no longer considered PHI and can be used freely.

A subject can revoke their authorization to use or disclose PHI for research purposes at any time. To do this, they must request revocation in writing to the principal investigator, and the researcher must honor this request.

Here are the ways a subject can revoke their authorization:

Disclosure of Information is a crucial aspect of research involving Protected Health Information (PHI). This can be done under specific circumstances.

The subject of the PHI must have granted specific written permission through an authorization for the use of PHI for research. Alternatively, the Institutional Review Board (IRB) can grant a waiver of the authorization requirement.

If the PHI has been de-identified in accordance with the standards set by HIPAA, it can be disclosed for research purposes. This means that no longer meets the definition of PHI, and therefore, no authorization is needed.

A limited data set can also be released for research purposes, with certain identifiers removed and a data use agreement between the researcher and the covered entity.

Individuals have the right to obtain a record of certain disclosures of their PHI by covered entities or their business associates. This is known as an accounting of disclosures.

A covered entity must account for disclosures of an individual's PHI made during the six years prior to the request, unless a particular disclosure or type of disclosure is excluded from this accounting requirement.

The accounting includes the date of disclosure, the name and address of the person or entity that received the PHI, a description of what PHI was disclosed, and a brief statement regarding the purpose of the disclosure.

For multiple disclosures to the same person or entity for a single purpose, the accounting must include the date of the initial disclosure, the name and address of the person or entity, a brief description of the PHI disclosed, and a brief statement of the reason for the disclosure.

A different take: Hipaa Confidentiality Statement

In large studies with a waiver of authorization, a modified tracking method can be used. This involves maintaining information about the research protocol, the types of PHI disclosed, and the dates or time periods during which disclosures occurred.

The researcher must also assist in contacting the sponsor and recipient researcher if it is reasonably likely that an individual's PHI was disclosed to them.

A different take: Define Phi Hipaa

If a subject wants to revoke their authorization, they must do so in writing to the principal investigator.

The principal investigator must honor the subject's request, except in cases where the researcher has already relied on the authorization.

A subject can revoke their authorization at any time, and the researcher must respect their decision.

Researchers can continue to use PHI obtained before the revocation, as necessary to maintain the integrity of the research study.

Use or disclosure of identifiable information obtained prior to revocation is permitted for purposes such as accounting for the subject's withdrawal, reporting adverse events, or complying with investigations.

A fresh viewpoint: Kaiser Hipaa Authorization

To ensure that your research team is compliant with HIPAA regulations, it's essential to provide the necessary training. According to Brown's Human Research Protection Program, PIs and research team members must complete the CITI HIPAA module if they'll be collecting, accessing, or receiving PHI as part of their research.

This training is required to ensure that research staff understand the importance of protecting sensitive health information. The IRB Policy on Education and Training in the Conduct of Human Subjects Research emphasizes the need for education and training in this area.

The CITI HIPAA module is a crucial step in ensuring compliance with HIPAA regulations. It's not just a suggestion, but a requirement for anyone who will be working with PHI.

Here are the key training requirements:

By providing the necessary training, you can help ensure that your research team is compliant with HIPAA regulations and that sensitive health information is protected.

HIPAA requires that certain records be maintained in both healthcare and research contexts, including authorizations for use of PHI, which should be kept in research records for at least six years.

These records should include documentation of an approved waiver of authorization, also kept for six years after the end of the study. Brown recommends storing signed informed consent documents together with research authorization forms.

The Brown PI may not share PHI beyond the members of the research study team without executing an outgoing Data Use Agreement.

To ensure the security of sensitive data, researchers must implement technical safeguards when sending data via electronic media, such as data encryption. If unsure, they should engage the assistance of the IT-TSC by calling 717-531-6281.

Check this out: Explain the Importance of Protecting Patient Data and Hipaa Standards.

Information Security is a top priority when handling sensitive information like Protected Health Information (PHI). HIPAA requires research projects to use physical, technical, and administrative safeguards to protect confidentiality.

Broaden your view: Billing Information Is Protected under Hipaa

Physical safeguards are essential, including storing person-identifiable data in locked file cabinets and restricting access to only those project staff who need it. Paper records should not be kept in public areas where passers-by may accidentally see their content.

Technical safeguards apply to computer systems where PHI is stored, and include using password-protected access, screensavers with a timeout that locks access after a period of time, and audit trails that record who has created or changed PHI data in the system. Wherever feasible, personal-identifiable elements of the computerized research records should be stored separately, and if feasible, in an encrypted format.

Administrative safeguards are also crucial, including signed confidentiality agreements and publication of policies regarding the confidentiality and security of research data. The HIPAA Privacy Rule permits use of PHI for reviews preparatory to research, but in the University of California system, this is considered part of the overall research plan and requires IRB review prior to commencing.

In some cases, researchers must comply with specific security standards, such as the Data Risk Classifications set by the Office of Information Technology (OIT). For example, Brown PIs must comply with these classifications, which specify the levels of risk for PHI and required minimum security standards for servers housing such data.

Recommended read: Security Standards Hipaa

Here is a summary of the Data Risk Classifications:

Researchers must also take extra precautions when sending sensitive data via ground mail services, using insured carriers, requiring a receiving signature, and implementing package tracking services. When sending PHI or other sensitive data stored on electronic media, data encryption is also required.

Explore further: Hipaa Security Services

HIPAA requires that certain records be maintained in both healthcare and research contexts. Authorizations for use of PHI should be kept in research records for at least six years.

Documentation of an approved waiver of authorization must also be kept for six years after the end of the study.

Informed consent documents should be stored together with research authorization forms for easier access.

Business Associate Agreements can be a bit tricky to understand, but basically, they're agreements between a covered entity and a business associate that outlines how the business associate will use and protect PHI.

Broaden your view: Hipaa Business Continuity

In the context of research, it's rare for a researcher to be considered a business associate, unless they're de-identifying PHI on behalf of a covered entity. This is a key distinction to make.

A Business Associate Agreement is not required for every research project, but it's essential to understand the HIPAA rules that govern the use of PHI.

To determine if a Business Associate Agreement is needed, consider the type of research being conducted and the level of access to PHI required. If PHI will be shared with a third party, a Business Associate Agreement may be necessary.

Here are some key elements that a Business Associate Agreement should include:

By understanding the requirements for Business Associate Agreements, researchers can ensure that they're complying with HIPAA regulations and protecting sensitive patient information.

Research involving deceased individuals is not considered human subjects research and therefore does not require IRB oversight, unless the study includes both living and deceased individuals.

If you're working with de-identified data, you'll need to remove specific information to protect the individual's identity. This includes names, geographic subdivisions, zip codes, dates of birth and death, and more. According to the HIPAA Privacy Rule, you can retain the first three digits of a zip code if the zip code area contains more than 20,000 people.

Here's a list of information that must be removed from de-identified data:

The HIPAA Privacy Rule applies to the individually identifiable health information of a decedent for 50 years following the date of death of the individual.

Decedent research is a bit of a special case. According to federal policy, research involving deceased individuals is not considered human subjects research and therefore does not require IRB oversight unless the research study includes both living and deceased individuals.

Deceased individuals are treated differently under the HIPAA Privacy Rule. The rule applies to the individually identifiable health information of a decedent for 50 years following the date of death of the individual.

Readers also liked: What Is the Hipaa Privacy Rule

You'll need to provide documentation of the death of the individuals whose PHI is sought by the researchers if the covered entity requests it. This is a requirement for research involving decedents.

If you're working with decedent PHI, there are specific conditions that must be met. Here are the requirements:

It's worth noting that the HIPAA Privacy Rule explicitly excludes from the definition of PHI individually identifiable health information regarding a person who has been deceased for more than 50 years.

De-Identified Data is a crucial concept when working with sensitive information, especially when it comes to decedents. The goal is to render data not individually identifiable, so there's a very small risk that it could be used to identify the individual.

To achieve this, the Statistical Method is used, which involves a person with knowledge of statistical and scientific principles. This method ensures that the data is de-identified, making it safe for use.

A unique perspective: Hipaa Data Governance

The first step in de-identifying data is to remove identifying information, such as names and geographic locations. This includes street addresses, city, county, and precinct information.

Here are some specific items to remove or modify:

By following these guidelines, you can ensure that your data is properly de-identified and safe to use.

Accounting for research and HIPAA privacy protections is crucial to avoid costly fines and reputational damage. HIPAA requires covered entities to maintain accurate and complete records of all protected health information (PHI) transactions.

Protected health information is defined as any individually identifiable health information, including demographic, medical history, and treatment records. This includes electronic, paper, and oral communications.

To maintain accurate records, researchers must use secure and reliable methods for collecting, storing, and transmitting PHI. This includes using secure online portals, encrypted email, and password-protected databases.

HIPAA also requires covered entities to provide patients with access to their PHI, including the right to request amendments to their records. Researchers must ensure that patients are informed about their rights and how to exercise them.

If this caught your attention, see: Client Condition Is Protected under Hipaa

You need to prepare a research protocol or gather information preparatory to research, but you don't need an IRB application if you're not directly recruiting subjects. This is known as the Preparatory to Research Exception under the HIPAA Privacy Rule.

To access medical records for this purpose, you'll need to complete a specific form, the "UPMC HIPAA Research Agreement: PHI Usage for Reviews Preparatory to Research." You can obtain this form by emailing [email protected] or calling (412) 647-4461. Submit the form to the UPMC Health Information Management Department or the designated individual.

Researchers cannot remove any PHI from UPMC during this review process. They can only obtain a summary of numbers of patients with certain characteristics, such as "85 male patients with type 2 diabetes, 45 to 60 years of age, diagnosed after the age of 40, and seen in the hospital in the past 3 years."

To ensure compliance, follow these guidelines:

To ensure compliance with HIPAA regulations, research staff must complete the required training. The CITI HIPAA module is a must for individuals collecting, accessing, or receiving PHI as part of their research.

In the event of study approval suspension, it's the Principal Investigator's responsibility to ensure all research staff members have completed the necessary training.

The Human Subjects Research Education and Training policy requires PIs and research team members to receive appropriate instruction and education. This includes completing the CITI HIPAA module.

IRB policy mandates education and training in the conduct of human subjects research. Research staff must be aware of these requirements to avoid potential issues.

Here are some key points to remember about HIPAA training requirements:

To start a research project, it's essential to understand the basics of HIPAA privacy protections. HIPAA stands for the Health Insurance Portability and Accountability Act, which regulates how medical information is shared.

Protected Health Information (PHI) is a key concept in HIPAA, and it refers to any individually identifiable health information. Authorization is required to share PHI, and researchers need to understand the core elements of authorization.

The HIPAA authorization process involves obtaining a patient's written consent to share their PHI. However, there are exceptions and alternatives to written consent, such as using a UPMC-Certified Honest Broker System.

When conducting research, it's crucial to determine the type of study you're undertaking. There are three main types: retrospective studies with no personal identifiers, medical record reviews with personal identifiers, and medical record reviews using a UPMC-Certified Honest Broker System.

To prepare a research protocol, you'll need to consider the specific requirements for your study type. This might involve developing a hypothesis, preparing a consent form, or obtaining a waiver for written consent.

Broaden your view: What Are Hipaa Identifiers