Guidelines on Usage of Protected Health Information
HIPAA Privacy Rule
What are "Covered Entities?"
What Types of Information Are Subject to HIPAA?
If, on the other hand, the researcher wants to obtain the subject’s blood pressure from a physician, the physician’s ability to disclose the information is governed by the Privacy Rule. Similarly, a physician sending a "medical clearance" form for a study participant to a researcher would be subject to HIPAA. However, if the physician gave the medical clearance form to the study participant, and the study participant delivered it to the researcher, the disclosure would NOT be subject to HIPAA.
Conditions for Releasing PHI
- Every subject has signed an authorization for the CE to release the PHI to the researcher
- An Institutional Review Board (IRB) has granted the research a waiver of authorization
- The researcher de-identifies the health information to HIPAA standards
Read Before You Proceed
Please read the following information before deciding which approach to use in your study.
Hospitals and other large CEs may require the researcher to use their standard agency authorization form. Researchers are advised to contact CEs and determine this before investing time in creating an authorization form specific to their research study.
An authorization must be written in plain language and include the following elements according to Federal Law 45 CFR 164.508:
- Description of information to be disclosed
- Specification of persons or class of persons authorized to disclose the information
- Specification of whom (name or class of persons) the disclosure can be made to
- Purpose for which disclosed data would be used
- Expiration date for authorization
- Statement of right to revoke authorization and method to revoke
- Statement that person can inspect or copy PHI to be disclosed
- Whether PHI disclosure is linked to remuneration or benefit for CE
- Statement that disclosed information may be re-disclosed and will no longer be protected by HIPAA
- Signed and dated by individual/guardian. (If the guardian signs, include a description of guardian’s authority to act for individual.)
Waiver of Authorization
(A) The use or disclosure of protected health information (PHI) involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
- An adequate plan to protect the identifiers from improper use and disclosure;
- An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
- Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by HIPAA and approved by the IRB;
(C) The research could not practicably be conducted without access to and use of the PHI.
Using Covered Entities’ Waiver Forms
- expert opinion, or
- removal of identifying information
Using an Expert to Determine De-identification of PHI
Removal of Identifiers
HIPAA REQUIRES REMOVAL OF
- Geographic subdivisions smaller than state
- All dates related to the subject (e.g. birth date) [Exception: Birth year and age (if under 89) may be retained.]
- Telephone, fax, e-mail, SSNs
- Medical record and health plan numbers
- Account numbers
- Certificate and license numbers
- VIN and license plate numbers
- Device identifiers and serial numbers
- URLs and IP addresses
- Fingerprints, voice prints, etc.
- Any other identifiers
Since the Covered Entity must make the determination that data have been sufficiently de-identified, the role of the UNC Charlotte IRB is education and advice. The UNC Charlotte IRB can assist researchers in deciding which data must be removed in order for the data to be considered de-identified.