HIPAA Requirements for Research Projects
The Health Insurance Portability and Accountability Act (HIPAA) is the federal legislation that governs all uses and disclosures of Protected Health Information (PHI), for both the living and the dead, in order to protect individual privacy. While Boston College is not a Covered Entity, some research projects may take place within other organizations that are Covered Entities. In such cases, researchers must be prepared to use and control PHI in compliance with the provisions of HIPAA and any commitments the university has agreed to accept in support of its researchers and their research projects.
Specific HIPAA provisions govern the release of PHI for research purposes by Covered Entities and researchers at uncovered entities who seek research subjects or information from or through the assistance of Covered Entities. While HIPAA defines research in the same way as the Common Rule that governs activities involving human subjects, the HIPAA provisions that address seeking and receiving approval for use of PHI differ significantly.
PHI is information that:
Is a subset of health information, including demographic information, collected from an individual, and relates to the past, present or future physical or mental health or condition of an individual; and either (i) identifies the individual; or (ii) where there is a reasonable basis to believe the information can be used to identify the individuals;
Is created or received by Covered Entities, which include health plans, health care clearinghouses, and health care providers that transmit any information in electronic form in connection with any of their transactions related to treatment, payment or health care operations, including the fact that an individual is a patient or member of a plan; and
May be released only with written patient authorization, or through a regulatory exception, such as public health reporting by the Covered Entity.
Types of information which are considered potential individual identifiers:
Note that these are different from the definition of identifiers in the Common Rule that governs federally-sponsored research involving human participants. HIPAA identifiers are:
- Names (individual, employer, relatives, etc.)
- Address (street, city, county, precinct, zip code – initial 3 digits if geographic unit contains less
than 20,000 people, or any other geographical codes)
- Telephone number
- Fax number
- Social Security numbers
- Medical record numbers
- Dates (except for years) connected to subjects, including birth date, admission date, discharge date,
date of death, ages >89 and all elements of dates indicative of such age (except that such age and
elements may be aggregated into a category “Age >90”)
- E-mail addresses
- Health Plan Beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle Identifiers and Serial numbers (e.g., VINs, License Plate numbers)
- Device Identifiers and Serial Numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric Identifiers (e.g., finger or voice prints)
- Full face photographic images) and any comparable images
- Any other unique identifying number, characteristic, or code
Researchers planning to make use of PHI in any part of their research projects must apply to the Boston College Institutional Review Board (BC IRB) for approval and must additionally, as part of that application, provide specific HIPAA-related information about the use of the PHI. The application will be reviewed by the BC IRB and Privacy Board/ IRB of the cooperating institution depending on the specifics of the study. Researchers who will have access to PHI at a Covered Entity must complete an Authorization Form or an Application for Waiver of Authorization to Use Protected Health Information.
When PHI is derived from or through a cooperating organization that is a covered entity with an IRB/Privacy Board: It is likely that the HIPAA application and approval process will take place as part of the IRB review at the cooperating organization. That organization may require the use of its own Authorization Form template. In addition, the cooperating organization may require an agreement to be signed governing the disclosure and confidentiality of PHI. The investigator will need to provide affirmative evidence beyond an IRB approval of a research protocol that the use of PHI has been approved by the IRB/Privacy Board of the cooperating organization. The investigator may also be requested to provide additional information on the use of PHI as part of the BC IRB approval process.
When the cooperating organization or practitioners do not have an IRB/Privacy Board: The full approval process will most likely occur through the BC IRB. The Authorization Form template approved by the BC IRB for use by Boston College researchers will be used in such cases. There may also be a need to execute an agreement with the Covered Entity governing the use and confidentiality of PHI.
Specific Responsibilities of Researchers Using PHI:
- Certify that the use of the information will be for research purposes only
- Provide the source of the information (name of institution, organization, or individual)
- Detail the specific categories of PHI to be used (e.g., diagnosis, treatment, status, insurance status,
Research Situations and Required Approvals/Forms:
The forms mentioned below must be submitted to the BC IRB in those instances that the providing organization does not have an IRB or Privacy Board. The research categories are:
Data obtained by HIPAA authorization from individual subjects. A Statement on HIPAA Protected Health Information Use must be submitted to the BC IRB and/or the Privacy Board/IRB of the Cooperating Organization depending on the circumstances.
De-identified data (include no HIPAA identifiers as previously listed). A HIPAA De-Identification Certification Form must be submitted to either the BC IRB and/or the Privacy Board/IRB of the Cooperating Institution depending on the circumstances.
Limited data sets (include no HIPAA identifiers except dates, such as birth date, admission and/or discharge date, treatment dates or geographic location excluding street address). A cooperating organization may wish to have an agreement signed covering limited data sets. Researchers are encouraged to submit these agreements to the BC IRB for review to ensure that the agreement does not conflict with the researchers approved protocol or create unfavorable circumstances for either the research or Boston College. If a Cooperating Institution does not have its own template, researchers are required to use the Boston College Limited Data Set Agreement template.
Data Preparatory to Research (data that will be reviewed only to establish that sufficient or appropriate data exist for the proposed work, which may not be removed from the covered provider’s premises during the review, nor may the investigator record or disclose any PHI, including the HIPAA identifiers listed above, in a way that may directly or indirectly be used to identify particular individuals). An Application to Review PHI in Preparation for Research must be submitted to the BC IRB and/or the Privacy Board/IRB of the Cooperating Organization depending on the circumstances.
Data on decedents only. An Application for Research on Decedent’s Information must be submitted to the BC IRB and/or the Privacy Board/IRB of the Cooperating Organization depending on the circumstances.
While the BC IRB has created forms acceptable to it, researchers having access to PHI at cooperating organizations having Privacy Boards/IRBs will very likely be required to use forms prescribed by those organizations. The BC IRB will defer to this requirement and will not require use of its form templates.