HIPAA
HIPAA's Impact on Research
The majority of ASU research does not fall under HIPAA’s purview. Obtaining data directly from the research subject this does not fall under HIPAA’s purview If you have questions, please contact research.integrity@asu.edu
Background Information
Arizona State University (ASU) is a "hybrid entity" with "covered components" which must comply with the provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the implementing regulations (45 CFR Parts 160, 162 and 164).
The current designated covered components for ASU include the following:
Covered Components
- Campus Health Services
- Speech and Hearing Clinics
- College of Nursing and Healthcare Innovation’s Health Clinics
- Center for Health Information and Research
- University Technology Office
The HIPAA Privacy Regulations will impact research projects involving protected health information, if the information is obtained from one of the "covered components" listed above or from another covered entity outside ASU, such as a hospital or pharmacy.
Definitions
Covered Entities under the HIPAA Privacy Regulations include the following entities: 1) health plans; 2) healthcare clearinghouses; and 3) healthcare providers who conduct certain electronic transactions, including billing and claims. Therefore, "covered entities" will include hospitals, skilled nursing facilities, pharmacies, most physician practices and most other healthcare providers. Entities such as ASU may also be covered entities, even if the entity's primary purpose is not the provision of healthcare services, if the entity has a unit that is a health plan, healthcare clearinghouse or healthcare provider. Such entities are referred to as "hybrid entities" under the regulation.
HIPAA is the Health Insurance Portability and Accountability Act of 1996, which mandates significant change in the laws and regulations governing the provision of health benefits, the delivery and payment of healthcare services, and the security and confidentiality of individually identifiable, protected health information in written, electronic or oral formats.
Hybrid Entity is a covered entity whose business activities include both covered and non-covered functions, and that designates those healthcare components that must comply with the HIPAA Privacy Regulations.
Personal Representative is the person who is legally entitled to act on behalf of the individual and may include the following: a parent of an unemancipated minor, a court appointed guardian, or the individual named to act on behalf of another through a power of attorney or health care representative.
Protected Health Information (PHI) means health information, in any form, collected or created as a consequence of the provision of healthcare if the information includes any information (including demographic information) that identifies or could be used to identify an individual. PHI includes information that is used for research purposes if that information identifies or could be used to identify a human research subject, including name, address, social security number, account numbers, treatment records, pharmacy records, lab reports, etc.