Introduction to HIPAA

HIPAA Research Issues

Authorization / Waiver of Authorization


HIPAA Privacy Standards

  • Health Insurance Portability and Accountability Act, Standards for Privacy of Individually Identifiable Health Information
  • 45 CFR 160 and 45 CFR 164
  • Final rule published 8/14/02
  • Compliance date 4/14/03

Protected Health Information

  • Maintained by covered entity
  • Recorded in any medium
  • Relates to past, present, future
    • physical or mental health or condition
    • provision of health care
    • payment for provision of health care
  • Identifies individual or could reasonably be used to identify the individual

Covered Entity

  • Health care providers who transmit health information electronically
  • Health plans
  • Health care clearinghouses
  • University of Iowa - hybrid entity

Hybrid Entity

  • Single legal entity with covered and non-covered functions
  • Limits HIPAA liability for institution
  • Typical covered components include:
    • Academic medical center, student health
  • Not covered components include:
    • College of law, history department

Covered Entity Use of PHI

  • Covered entity may use or disclose PHI for treatment, payment, or operations (TPO)
  • Privacy Notice to patients
  • Covered entity may not use or disclose PHI for any other reason except as permitted in the regulations

Research Use of PHI

  • Research is not TPO
  • Covered entity may not use or disclose PHI for research except as permitted in the regulations
  • What is “except as permitted”?
    • Signed authorization from patient
    • Waiver of authorization

Signed Authorization

  • Authorization may be combined with research Informed Consent Document
  • One signature – two purposes
    1. Authorizing covered entity to disclose PHI to the research team
    2. Documenting voluntary participation in a research study

Core Elements

  • Description of PHI to be used/disclosed
    • Meaningful info in study procedures
  • Who is authorized to disclose
    • Your health care provider
  • Who covered entity is disclosing to
    • Members of the research team
  • Purpose for the disclosure
    • This research study
  • Expiration date or event
    • Indefinitely for purposes of research
  • Signature, date, and, if signed by LAR, relationship to individual

Additional Statements

  • Consequences of refusal to sign the authorization
  • Potential for the disclosed information to be redisclosed by recipient, and no longer protected by HIPAA regs
  • Right to revoke the authorization
  • How to revoke (in writing, to whom) and exceptions

Revoking Authorization

  • May use/disclose already-obtained PHI to extent necessary to “preserve the integrity of the research study”
    • Submit SAE report to IRB
    • Send data to sponsor
  • May not collect or disclose additional data after authorization is revoked

Other Requirements

  • Authorization must be written in plain language 
  • PI must give subject copy of the signed authorization
    • Xerox what was signed
    • Sign two copies

Transition Provisions

  • If subject signed Consent prior to 4/14/03, no requirement to re-sign Consent containing HIPAA authorization
  • If study was approved with waiver of consent prior to 4/14/03, study is “grandfathered in”
  • If study includes PHI, any subject enrolled after 4/14/03 must use Consent that includes HIPAA authorization language

IRB Requirements

  • Must update Consent with HIPAA section (“Will My Health Information be Used During This Study?”) by 4/14/03 by submitting Modification/Update
  • Must include new Funding section also
  • IRB will not automatically require other updates (but may!)
  • Consider updating entire Consent to new template

What’s Next

  • New Project application form revisions
  • Specific questions for documenting “waiver of authorization”
  • Types of studies
    • Retrospective chart review
    • Retrospective specimen studies

Waiver of Authorization

  • Separate waiver from 45 CFR 46 waiver of consent regulations
  • Must be approved by IRB or privacy board
  • Minimum necessary requirement applies

Minimum Necessary Requirement

  • Research with waiver of authorization subject to minimum necessary requirement
  • Only the PHI reasonably necessary for purpose of the research may be accessed
  • IRB application form will ask PI for specifics on what information is needed

Waiver of Authorization Criteria

  • Research could not practicably be conducted without the waiver
  • Research could not practicably be conducted without access to PHI
  • Use/disclosure of PHI involves no more than minimal risk to privacy, based on:
    • PI has adequate plan to protect identifiers from improper use/disclosure
    • PI has adequate plan to destroy identifiers at earliest opportunity
    • PI gives adequate written assurance that PHI will not be disclosed to others