HIPAA's Impact on Research
While the majority of ASU research does not fall under HIPAA’s purview, it is important to understand HIPAA to be cognizant of when these rules may need to be applied. If you have questions related to HIPAA, please contact firstname.lastname@example.org.
On April 14, 2003, the Department of Health and Human Services published the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA); HIPAA itself was passed as Public Law 104-191. The Privacy Rule affects ASU researchers who access identifiable health information from HIPAA "Covered Entities". Identifiable health information protected by the HIPAA Privacy Rule is known as Protected Health Information (PHI). The Privacy Rule also governs disclosure of data to individuals who propose to use PHI for research purposes, since researchers often need to request PHI to develop a research protocol or to access PHI when collecting data from a clinical record held by a covered entity.
Arizona State University (ASU) is a "hybrid entity" with "covered components" which must comply with the provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the implementing regulations (45 CFR Parts 160, 162 and 164).
The current designated covered components for ASU include the following:
- ASU Health Services
- ASU Counseling Services
- Speech and Hearing Clinics
- College of Nursing and Healthcare Innovation’s Health Clinics
- Center for Health Information and Research
- University Technology Office
The HIPAA Privacy Regulations will impact research projects involving protected health information, if the information is obtained from one of the "covered components" listed above or from another covered entity outside ASU, such as a hospital or pharmacy.
Importance of ASU Researchers Being HIPAA Savvy
It is essential that ASU researchers have a working knowledge of HIPAA as they establish or maintain partnerships with covered entities so their human subjects protocols are not interrupted and so that they can gain access to PHI for their human subjects research. Researchers who want to access PHI must request the information from and meet the requirements of the covered entity from which they are requesting the information. Under HIPAA, covered entities are required to either establish a Privacy Board or designate an Institutional Review Board (IRB) as their Privacy Board to review and approve requests for PHI. Here at ASU we have designated our IRB to perform the duties of the Privacy Board. Investigators requiring permission from the IRB to use PHI must submit the request using the standard Bioscience IRB application form available online at: http://researchintegrity.asu.edu/humans/forms.
The regulations permit the use, release or disclosure of PHI when specific written permission is given by the individual or, if individual authorization is impractical or if the risk of disclosure is low, when an institutional review board approves a waiver of individual authorization.
If the individual is also participating in the research project as a human subject, then the Principal Investigator is required to fulfill both the requirements for informed consent, including anonymity, and a separate authorization for the use or release of personal health information.
The regulation allows the use of a single form to gather the necessary approvals, as long as the approvals are separate and distinct.
Guidelines for Handling Sensitive Information (e.g., HIPAA, IRB, Sensitive, Classified Information)
The basic guidelines listed below should be used for any sensitive information. Additional specific recommendations for protecting PHI can be found here.
- No HIPAA protected data may be stored on a personal computer.
- Use of personal computers to store university data is not allowed.
- Data must be segregated from master lists; master lists must be stored on separate secure computers/servers.
- Data should be encrypted whenever possible; password protection is not adequate; appropriate firewalls must be in place.
- Encryption is required when sensitive files are sent via email.
- Passwords must be individually assigned and not shared; they should be changed routinely.
- Users’ accounts must be removed if such users no longer have reason to access the information.
- Computers must be properly maintained; software patches applied promptly.
- Rooms/suites need to be locked and access limited.
Pathways to Accessing PHI
There are various means by which researchers can obtain PHI. For additional guidance, please see the attached decision tree/flowchart entitled Research at ASU and the Health Information Portability and Accountability Act (HIPAA). Methods for accessing PHI are as follows:
- Information requested is “de-identified” (If information is de-identified it does not fall under HIPAA)
- A patient authorization is obtained
- Authorization requirement is waived by IRB/Privacy Board
- Information is collected only for preparatory work of research
- Only a limited data set is collected and accompanied with a data use agreement
- Only decedent PHI is being collected
- Data Use Agreement
Requirements for Requesting a Waiver of Authorization for the Use or Disclosure of PHI
The Principal Investigator must provide the ASU IRB (acting as ASU's Privacy Board) with the rationale and the necessary explanation for each of the items noted below, which the IRB requires in order to make the waiver determination:
- The use or disclosure of PHI involves "minimal risk" to the subject's privacy;
- An adequate plan exists to protect identifiers from improper use or disclosure (you may need to provide the reviewing body with a copy of the plan);
- An adequate plan exists to describe the destruction of personal identifiers as soon as possible or at the end of the research period;
- Written assurance by the PI that the PHI will not be reused or redisclosed (except as required by law);
- The research could not "practicably" be conducted without the waiver;
- The research could not "practicably" be conducted without the use or disclosure of PHI; and
- A description of the PHI required for research
Covered Entities under the HIPAA Privacy Regulations include the following entities: 1) health plans; 2) healthcare clearinghouses; and 3) healthcare providers who conduct certain electronic transactions, including billing and claims. Therefore, "covered entities" will include hospitals, skilled nursing facilities, pharmacies, most physician practices and most other healthcare providers. Entities such as ASU may also be covered entities, even if the entity's primary purpose is not the provision of healthcare services, if the entity has a unit that is a health plan, healthcare clearinghouse or healthcare provider. Such entities are referred to as "hybrid entities" under the regulation.
HIPAA is the Health Insurance Portability and Accountability Act of 1996, which mandates significant change in the laws and regulations governing the provision of health benefits, the delivery and payment of healthcare services, and the security and confidentiality of individually identifiable, protected health information in written, electronic or oral formats.
Hybrid Entity is a covered entity whose business activities include both covered and non-covered functions, and that designates those healthcare components that must comply with the HIPAA Privacy Regulations.
Personal Representative is the person who is legally entitled to act on behalf of the individual and may include the following: a parent of an unemancipated minor, a court appointed guardian, or the individual named to act on behalf of another through a power of attorney or health care representative.
Protected Health Information (PHI) means health information, in any form, collected or created as a consequence of the provision of healthcare if the information includes any information (including demographic information) that identifies or could be used to identify an individual. PHI includes information that is used for research purposes if that information identifies or could be used to identify a human research subject, including name, address, social security number, account numbers, treatment records, pharmacy records, lab reports, etc.