Research and HIPAA Privacy Protections Guidelines

To conduct research while protecting patient privacy, researchers must follow strict guidelines. HIPAA (Health Insurance Portability and Accountability Act) regulations dictate how protected health information (PHI) can be used and disclosed.

The HIPAA Privacy Rule defines PHI as individually identifiable health information, which includes demographic information, medical histories, and treatment records. Researchers must obtain a valid authorization from the patient before accessing their PHI.

Researchers must also ensure that their studies comply with the HIPAA Privacy Rule's requirements for de-identification of PHI. This involves removing or altering certain identifying information, such as names and dates of birth, to protect patient confidentiality.

By following these guidelines, researchers can minimize the risk of violating HIPAA regulations and maintain the trust of their patients.

What is Covered

Research that involves Protected Health Information (PHI) is covered by HIPAA.

HIPAA affects research that uses, creates, or discloses PHI. A research study involves PHI in one of two ways: the study reviews medical records as one source (or the only source) of research information, or the study creates new medical records because a health-care service is performed as part of the research.

Retrospective studies, which involve reviewing past medical records, typically involve PHI. Prospective studies may also involve PHI when a researcher contacts a participant's physician to obtain or verify some aspect of a person's health history.

Most sponsored clinical trials that submit data to the FDA will involve PHI because study monitors have an obligation to compare research records to the medical records of participants.

Here are some scenarios that involve PHI:

  • The study involves review of medical records as one (or the only) source of research information.
  • The study creates new medical records because as part of the research a health-care service is being performed.

Health information obtained directly from research subjects solely for research purposes does not require HIPAA compliance. However, if researchers are placing research results into a participant's medical record at a covered entity, HIPAA compliance is required.

HIPAA Privacy Protections

HIPAA requires that all patients receive a Notice of Privacy Practices on their first contact with a covered entity, such as a hospital or research institution, after April 14, 2003. This notice explains the entity's privacy practices regarding a patient's medical records.

The Notice of Privacy Practices is different from the IRB-HSR Consent Form and/or the stand-alone HIPAA authorization. Researchers must obtain an acknowledgement of receipt of the UVA Notice from all research subjects, which can be checked in the A2K3 system.

If a research subject has not yet signed the acknowledgement form, the principal investigator is responsible for giving the subject the Notice and obtaining the subject's signature. If the subject has a medical record number, the form should be sent to Health Information Services.

HIPAA allows both use and disclosure of Protected Health Information (PHI) for research purposes, but such uses and disclosures have to follow HIPAA guidance and have to be part of a research plan that is reviewed and approved by an Institutional Review Board (IRB).

The HIPAA Privacy Rule governs PHI, which is defined as information that can be linked to a particular person that arises in the course of providing a health care service. This includes demographic information, medical records, and billing information for medical services rendered.

Here's a breakdown of the types of research that involve PHI:

  • The study involves review of medical records as one (or the only) source of research information.
  • The study creates new medical records because as part of the research a health-care service is being performed at a covered entity or by a covered entity.

Disclosure and Revocation

To obtain a subject's PHI for research, researchers must follow specific guidelines. The subject must grant written permission through an Authorization, or the IRB may grant a waiver of the authorization requirement.

Researchers must also ensure that the PHI is handled properly. If the PHI has been de-identified in accordance with the standards set by HIPAA, it is no longer considered PHI and may be used for research without an authorization.

A subject can revoke their authorization to use or disclose PHI for research purposes at any time. To do this, they must request revocation in writing to the principal investigator, and the researcher must honor this request.

Revocation works as follows:

  • The subject requests revocation in writing to the principal investigator.
  • The researcher must honor this request, except to the extent the researcher has already relied on the authorization.

Disclosure of Information

Disclosure of Information is a crucial aspect of research involving Protected Health Information (PHI). This can be done under specific circumstances.

The subject of the PHI must have granted specific written permission through an authorization for the use of PHI for research. Alternatively, the Institutional Review Board (IRB) can grant a waiver of the authorization requirement.

If the PHI has been de-identified in accordance with the standards set by HIPAA, it can be disclosed for research purposes. De-identified data no longer meets the definition of PHI, so no authorization is needed.

A limited data set can also be released for research purposes, with certain identifiers removed and a data use agreement between the researcher and the covered entity.

Individuals have the right to obtain a record of certain disclosures of their PHI by covered entities or their business associates. This is known as an accounting of disclosures.

A covered entity must account for disclosures of an individual's PHI made during the six years prior to the request, unless a particular disclosure or type of disclosure is excluded from this accounting requirement.

The accounting includes the date of disclosure, the name and address of the person or entity that received the PHI, a description of what PHI was disclosed, and a brief statement regarding the purpose of the disclosure.

For multiple disclosures to the same person or entity for a single purpose, the accounting must include the date of the initial disclosure, the name and address of the person or entity, a brief description of the PHI disclosed, and a brief statement of the reason for the disclosure.

In large studies with a waiver of authorization, a modified tracking method can be used. This involves maintaining information about the research protocol, the types of PHI disclosed, and the dates or time periods during which disclosures occurred.
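The accounting rules above, as an added worked example (not code from the page or from any institution named on it): it keeps disclosures that fall within the six years before the request, drops the purposes assumed here to be excluded, and collapses repeated disclosures to the same recipient for a single purpose into one entry that carries the initial date and a count. The field names, the excluded purposes and the sample log are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Purposes assumed to be excluded from the accounting for this example
# (the page says some disclosure types are excluded but does not list them).
EXCLUDED_PURPOSES = {"treatment", "payment", "health care operations"}


@dataclass(frozen=True)
class Disclosure:
    when: date
    recipient: str   # name of the person or entity that received the PHI
    address: str
    phi: str         # brief description of the PHI disclosed
    purpose: str     # brief statement of the reason for the disclosure


def window_start(request_date):
    """First day of the six years before the request (Feb 29 -> Feb 28)."""
    try:
        return request_date.replace(year=request_date.year - 6)
    except ValueError:
        return request_date.replace(year=request_date.year - 6, day=28)


def accounting(log, request_date, excluded=EXCLUDED_PURPOSES):
    """Return the accounting entries, oldest first.

    Each entry carries the fields the page lists (date, recipient name and
    address, description of the PHI, purpose). Repeated disclosures to the
    same recipient for a single purpose are merged into one entry keyed on
    the initial disclosure, with a count of how many there were.
    """
    start = window_start(request_date)
    entries = {}   # (recipient, purpose) -> entry; insertion order = oldest first
    for d in sorted(log, key=lambda x: x.when):
        if d.purpose in excluded or not (start <= d.when <= request_date):
            continue
        key = (d.recipient, d.purpose)
        if key not in entries:
            entries[key] = {
                "initial_date": d.when, "recipient": d.recipient,
                "address": d.address, "phi": d.phi, "purpose": d.purpose,
                "count": 0,
            }
        entries[key]["count"] += 1
    return list(entries.values())


# Constructed disclosure log for one hypothetical research participant.
SAMPLE_LOG = [
    Disclosure(date(2017, 3, 1), "Sponsor Monitoring Team", "1 Trial Way",
               "source-document verification", "research monitoring"),
    Disclosure(date(2019, 4, 10), "Sponsor Monitoring Team", "1 Trial Way",
               "source-document verification", "research monitoring"),
    Disclosure(date(2020, 1, 5), "Referring clinic", "2 Clinic Rd",
               "discharge summary", "treatment"),
    Disclosure(date(2021, 9, 15), "Sponsor Monitoring Team", "1 Trial Way",
               "source-document verification", "research monitoring"),
    Disclosure(date(2022, 11, 20), "State disease registry", "3 State St",
               "diagnosis and date", "public health reporting"),
]
# Constructed date on which the individual asks for the accounting.
REQUEST_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    for entry in accounting(SAMPLE_LOG, REQUEST_DATE):
        print(entry)
```

With the constructed log, the 2017 disclosure falls outside the six-year window and the treatment disclosure is excluded, so two entries remain: the consolidated sponsor monitoring entry (initial date 2019-04-10, count 2) and the registry report.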

The researcher must also assist in contacting the sponsor and recipient researcher if it is reasonably likely that an individual's PHI was disclosed to them.

Revocation by Subject

If a subject wants to revoke their authorization, they must do so in writing to the principal investigator.

The principal investigator must honor the subject's request, except in cases where the researcher has already relied on the authorization.

A subject can revoke their authorization at any time, and the researcher must respect their decision.

Researchers can continue to use PHI obtained before the revocation, as necessary to maintain the integrity of the research study.

Use or disclosure of identifiable information obtained prior to revocation is permitted for purposes such as accounting for the subject's withdrawal, reporting adverse events, or complying with investigations.

Training Requirements

To ensure that your research team is compliant with HIPAA regulations, it's essential to provide the necessary training. According to Brown's Human Research Protection Program, PIs and research team members must complete the CITI HIPAA module if they'll be collecting, accessing, or receiving PHI as part of their research.

This training is required to ensure that research staff understand the importance of protecting sensitive health information. The IRB Policy on Education and Training in the Conduct of Human Subjects Research emphasizes the need for education and training in this area.

The CITI HIPAA module is a crucial step in ensuring compliance with HIPAA regulations. It's not just a suggestion, but a requirement for anyone who will be working with PHI.

Here are the key training requirements:

  • CITI HIPAA online training is required for PIs and research team members who will be collecting, accessing, or receiving PHI.
  • Failure to complete the required training may result in the IRB immediately suspending study approval.

By providing the necessary training, you can help ensure that your research team is compliant with HIPAA regulations and that sensitive health information is protected.

Record Keeping and Security

HIPAA requires that certain records be maintained in both healthcare and research contexts, including authorizations for use of PHI, which should be kept in research records for at least six years.

These records should include documentation of an approved waiver of authorization, also kept for six years after the end of the study. Brown recommends storing signed informed consent documents together with research authorization forms.

The Brown PI may not share PHI beyond the members of the research study team without executing an outgoing Data Use Agreement.

  • Authorizations for use of PHI must be kept in research records for at least six years.
  • Documentation of an approved waiver of authorization must also be kept for six years after the end of the study.
  • Signed informed consent documents should be stored together with research authorization forms.

To ensure the security of sensitive data, researchers must implement technical safeguards when sending data via electronic media, such as data encryption. If unsure, they should engage the assistance of the IT-TSC by calling 717-531-6281.

Information Security

Information Security is a top priority when handling sensitive information like Protected Health Information (PHI). HIPAA requires research projects to use physical, technical, and administrative safeguards to protect confidentiality.

Physical safeguards are essential, including storing person-identifiable data in locked file cabinets and restricting access to only those project staff who need it. Paper records should not be kept in public areas where passers-by may accidentally see their content.

Technical safeguards apply to computer systems where PHI is stored, and include password-protected access, screensavers with a timeout that locks access after a period of inactivity, and audit trails that record who has created or changed PHI data in the system. Wherever feasible, the personally identifiable elements of computerized research records should be stored separately and, if feasible, in encrypted form.

Administrative safeguards are also crucial, including signed confidentiality agreements and publication of policies regarding the confidentiality and security of research data. The HIPAA Privacy Rule permits use of PHI for reviews preparatory to research, but in the University of California system, this is considered part of the overall research plan and requires IRB review prior to commencing.

In some cases, researchers must comply with specific security standards, such as the Data Risk Classifications set by the Office of Information Technology (OIT). For example, Brown PIs must comply with these classifications, which specify the levels of risk for PHI and required minimum security standards for servers housing such data.

Here is a summary of the Data Risk Classifications:

  • Level 2 Risk: De-identified PHI and/or limited datasets
  • Level 3 Risk: PHI that does not constitute a limited dataset

Researchers must also take extra precautions when sending sensitive data via ground mail services, using insured carriers, requiring a receiving signature, and implementing package tracking services. When sending PHI or other sensitive data stored on electronic media, data encryption is also required.

Record Keeping

HIPAA requires that certain records be maintained in both healthcare and research contexts. Authorizations for use of PHI should be kept in research records for at least six years.

Documentation of an approved waiver of authorization must also be kept for six years after the end of the study.

Informed consent documents should be stored together with research authorization forms for easier access.

Business Associate Agreements

Business Associate Agreements can be a bit tricky to understand, but basically, they're agreements between a covered entity and a business associate that outline how the business associate will use and protect PHI.

In the context of research, it's rare for a researcher to be considered a business associate, unless they're de-identifying PHI on behalf of a covered entity. This is a key distinction to make.

A Business Associate Agreement is not required for every research project, but it's essential to understand the HIPAA rules that govern the use of PHI.

To determine if a Business Associate Agreement is needed, consider the type of research being conducted and the level of access to PHI required. If PHI will be shared with a third party, a Business Associate Agreement may be necessary.

Here are some key elements that a Business Associate Agreement should include:

  • The specific permitted uses and disclosures of PHI
  • Who is permitted to use or receive PHI
  • Stipulations that the recipient will use or disclose PHI only for the specified purposes

By understanding the requirements for Business Associate Agreements, researchers can ensure that they're complying with HIPAA regulations and protecting sensitive patient information.

Decedents and De-Identified Data

Research involving deceased individuals is not considered human subjects research and therefore does not require IRB oversight, unless the study includes both living and deceased individuals.

If you're working with de-identified data, you'll need to remove specific information to protect the individual's identity. This includes names, geographic subdivisions, zip codes, dates of birth and death, and more. According to the HIPAA Privacy Rule, you can retain the first three digits of a zip code if the zip code area contains more than 20,000 people.

Here's a list of information that must be removed from de-identified data:

  • name
  • all geographic subdivisions smaller than a state
  • zip code or equivalents
  • dates directly related to an individual: all elements of dates except year
  • all ages over 89 or dates indicating such an age
  • telephone number
  • fax number
  • email address
  • Social Security number
  • medical record number
  • health plan number
  • account numbers
  • certificate or license numbers
  • vehicle identification/serial numbers, including license plate numbers
  • device identification/serial numbers
  • Universal Resource Locators (URLs)
  • Internet Protocol (IP) addresses
  • biometric identifiers, including finger and voice prints
  • full-face photographs and comparable images
  • any other unique identifying number, characteristic, or code

The HIPAA Privacy Rule applies to the individually identifiable health information of a decedent for 50 years following the date of death of the individual.

Decedent

Decedent research is a bit of a special case. According to federal policy, research involving deceased individuals is not considered human subjects research and therefore does not require IRB oversight unless the research study includes both living and deceased individuals.

Deceased individuals are treated differently under the HIPAA Privacy Rule. The rule applies to the individually identifiable health information of a decedent for 50 years following the date of death of the individual.

You'll need to provide documentation of the death of the individuals whose PHI is sought by the researchers if the covered entity requests it. This is a requirement for research involving decedents.

If you're working with decedent PHI, there are specific conditions that must be met. Here are the requirements:

  • The use or disclosure is sought solely for research on the PHI of decedents.
  • The PHI for which use or disclosure is sought is necessary for the purposes of the proposed research.
  • At the request of the covered entity, documentation of the death of the individuals whose PHI is sought by the researchers will be provided.

It's worth noting that the HIPAA Privacy Rule explicitly excludes from the definition of PHI individually identifiable health information regarding a person who has been deceased for more than 50 years.

De-Identified Data

De-Identified Data is a crucial concept when working with sensitive information, especially when it comes to decedents. The goal is to render data not individually identifiable, so there's a very small risk that it could be used to identify the individual.

To achieve this, the Statistical Method can be used: a person with knowledge of statistical and scientific principles determines that the risk of identifying the individual from the data is very small. Data de-identified this way is considered safe for use.

The first step in de-identifying data is to remove identifying information, such as names and geographic locations. This includes street addresses, city, county, and precinct information.

Here are some specific items to remove or modify:

  • name
  • all geographic subdivisions smaller than a state (street address, city, county, precinct)
  • zip code or equivalents must be removed, but can retain the first three digits of the geographic unit to which the zip code applies if the zip code area contains more than 20,000 people
  • dates directly related to an individual: all elements of dates except year (date of birth, admission date, discharge date, date of death)
  • all ages over 89 or dates indicating such an age
  • telephone number
  • fax number
  • email address
  • Social Security number
  • medical record number
  • health plan number
  • account numbers
  • certificate or license numbers
  • vehicle identification/serial numbers, including license plate numbers
  • device identification/serial numbers
  • Universal Resource Locators (URLs)
  • Internet Protocol (IP) addresses
  • biometric identifiers, including finger and voice prints
  • full-face photographs and comparable images
  • any other unique identifying number, characteristic, or code

By following these guidelines, you can ensure that your data is properly de-identified and safe to use.
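The removal list above (and the shorter version of it in the Decedents and De-Identified Data section), as an added worked example rather than code from the page: the direct identifiers are dropped, dates are reduced to the year, an age over 89 collapses to "90+" (and a birth year that would reveal such an age is dropped too), and a ZIP code keeps its 3-digit prefix only when that prefix area has more than 20,000 people. The field names, the prefix-population lookup and the sample record are constructed; a real deployment would use current census figures for the ZIP prefix check.

```python
from datetime import date

# Field names are assumed for this example; they map onto the page's list of
# identifiers that must be dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "precinct", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_no", "license_no", "vin",
    "plate", "device_serial", "url", "ip", "biometric", "photo",
}
# Dates directly related to the individual: reduced to the year only.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "date_of_death"}

# Constructed 3-digit ZIP prefix populations (NOT census figures): "940" is
# treated as a large area, "036" as one at or below 20,000 people.
ZIP3_POPULATION = {"940": 900_000, "036": 12_000}


def deidentify_zip(zip_code, zip3_population=ZIP3_POPULATION):
    """Keep the 3-digit prefix only if its area has more than 20,000 people;
    otherwise the whole value is replaced by '000'. Unknown prefixes are
    treated as small, which fails safe."""
    prefix = zip_code[:3]
    return prefix if zip3_population.get(prefix, 0) > 20_000 else "000"


def age_on(dob, ref):
    """Whole years of age on the reference date."""
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def safe_harbor(record, ref=date(2024, 1, 1), zip3_population=ZIP3_POPULATION):
    """Return a new record containing only what Safe Harbor permits."""
    over_89 = "dob" in record and age_on(record["dob"], ref) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                  # dropped entirely
        if key == "zip":
            out["zip3"] = deidentify_zip(value, zip3_population)
        elif key in DATE_FIELDS:
            # Year only; a birth year that reveals an age over 89 is dropped too.
            if not (key == "dob" and over_89):
                out[key + "_year"] = value.year
        elif key == "age":
            out["age"] = "90+" if value > 89 else value
        else:
            out[key] = value                          # clinical data stays
    if over_89:
        out["age"] = "90+"
    return out


def leaked_identifiers(record):
    """Check step: identifier fields still present. Expect an empty set."""
    return {k for k in record if k in DIRECT_IDENTIFIERS | DATE_FIELDS | {"zip"}}


# Constructed sample record (fictional patient).
PATIENT = {
    "name": "Jane Example", "street": "10 Example St", "city": "Sampletown",
    "zip": "94016", "phone": "555-0100", "email": "jane@example.com",
    "mrn": "MRN-000001", "dob": date(1975, 6, 15), "age": 48,
    "admission_date": date(2023, 3, 4), "discharge_date": date(2023, 3, 9),
    "diagnosis": "type 2 diabetes", "hba1c": 7.4,
}
# Same profile but born in 1930: the age over 89 must collapse to "90+".
ELDERLY = dict(PATIENT, dob=date(1930, 5, 2), age=93)

if __name__ == "__main__":
    print(safe_harbor(PATIENT))
    print(safe_harbor(ELDERLY))
```

Note that this only handles structured fields; free-text notes can still carry names or dates and need separate review before a record counts as de-identified.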

Accounting

Accounting for research and HIPAA privacy protections is crucial to avoid costly fines and reputational damage. HIPAA requires covered entities to maintain accurate and complete records of all protected health information (PHI) transactions.

Protected health information is defined as any individually identifiable health information, including demographic, medical history, and treatment records. This includes electronic, paper, and oral communications.

To maintain accurate records, researchers must use secure and reliable methods for collecting, storing, and transmitting PHI. This includes using secure online portals, encrypted email, and password-protected databases.

HIPAA also requires covered entities to provide patients with access to their PHI, including the right to request amendments to their records. Researchers must ensure that patients are informed about their rights and how to exercise them.

Preparatory Activities

If you need to prepare a research protocol or gather information preparatory to research and are not directly recruiting subjects, you do not need an IRB application. This is known as the Preparatory to Research Exception under the HIPAA Privacy Rule.

To access medical records for this purpose, you'll need to complete a specific form, the "UPMC HIPAA Research Agreement: PHI Usage for Reviews Preparatory to Research." You can obtain this form by emailing [email protected] or calling (412) 647-4461. Submit the form to the UPMC Health Information Management Department or the designated individual.

Researchers cannot remove any PHI from UPMC during this review process. They can only obtain a summary of numbers of patients with certain characteristics, such as "85 male patients with type 2 diabetes, 45 to 60 years of age, diagnosed after the age of 40, and seen in the hospital in the past 3 years."

To ensure compliance, follow these guidelines:

  1. The use or disclosure of the protected health information is solely to prepare a research protocol or for similar purposes preparatory to research;
  2. No PHI will be removed in any manner, including by means of copying or notes, from the original source of the PHI, to include patient records of Penn State Health; and
  3. The PHI for which access is sought is necessary for the research purpose.

Training and Guidance

To ensure compliance with HIPAA regulations, research staff must complete the required training. The CITI HIPAA module is a must for individuals collecting, accessing, or receiving PHI as part of their research.

In the event of study approval suspension, it's the Principal Investigator's responsibility to ensure all research staff members have completed the necessary training.

The Human Subjects Research Education and Training policy requires PIs and research team members to receive appropriate instruction and education. This includes completing the CITI HIPAA module.

IRB policy mandates education and training in the conduct of human subjects research. Research staff must be aware of these requirements to avoid potential issues.

Here are some key points to remember about HIPAA training requirements:

  • Complete the CITI HIPAA module for collecting, accessing, or receiving PHI.
  • Ensure research staff members complete the required training.
  • Principal Investigators are responsible for ensuring their staff complete the training; missing training can lead to suspension of study approval.

Table of Contents

To start a research project, it's essential to understand the basics of HIPAA privacy protections. HIPAA stands for the Health Insurance Portability and Accountability Act, which regulates how medical information is shared.

Protected Health Information (PHI) is a key concept in HIPAA, and it refers to any individually identifiable health information. Authorization is required to share PHI, and researchers need to understand the core elements of authorization.

The HIPAA authorization process involves obtaining a patient's written consent to share their PHI. However, there are exceptions and alternatives to written consent, such as using a UPMC-Certified Honest Broker System.

When conducting research, it's crucial to determine the type of study you're undertaking. There are three main types: retrospective studies with no personal identifiers, medical record reviews with personal identifiers, and medical record reviews using a UPMC-Certified Honest Broker System.

To prepare a research protocol, you'll need to consider the specific requirements for your study type. This might involve developing a hypothesis, preparing a consent form, or obtaining a waiver for written consent.

Lola Stehr

Copy Editor
