Research & Economic Development

Office of the Vice Chancellor

HIPAA FAQs

What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act, a federal law passed in 1996 and modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”). HIPAA affects the healthcare and health insurance industries and has several goals.

One of the major objectives is to ensure that employees have uninterrupted health insurance coverage as they move from one job to another. Another part of the legislation directly affects healthcare providers. The goal of this section (referred to as Title II: Administrative Simplification) is to improve the efficiency of the healthcare system through the increased use of electronic information systems. The law requires the Department of Health and Human Services (“DHHS”) to develop regulations that set national standards for electronic transactions between healthcare providers and insurance companies.

An additional, fundamental goal of the HIPAA regulations is to protect the privacy and confidentiality of protected health information (“PHI”). DHHS sets and enforces national standards to accomplish this key objective. In general, the law defines protected health information as information created by a healthcare provider, for use in the treatment of an individual or to obtain payment for such treatment, that is likely to identify that individual. The DHHS requirements are incorporated into the University’s policies concerning the privacy, confidentiality, and security of protected health information.

What is a “covered entity”?

“Covered entity” is the term that the HIPAA regulations use to describe the businesses and individuals in the health care industry that are subject to HIPAA regulations. Specifically, covered entities are health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with the following transactions: health care claims or encounter information, health care payment and remittance advice, coordination of benefits, health care claim status, enrollment or disenrollment or eligibility information regarding health plans, health plan premium payments, referral certification and authorization, first report of injury, or health claims attachments.

What is PHI?

Protected Health Information, or PHI, describes the specific health care information that HIPAA is intended to protect. PHI is information in any form that can be linked to a particular person that is created or received by a health care provider, health plan, employer, or health care clearinghouse that relates to that person’s health or payment for their health care. PHI does not include individually identifiable health information in personnel records or education records covered by the Family Educational Right and Privacy Act (“FERPA”).

What are some examples of procedures required under HIPAA for handling protected health information?

HIPAA regulations define using PHI not just in terms of who receives the information but how it may be used. Examples of HIPAA requirements include:

  • Strict standards for the physical and electronic security of PHI.
  • Restricted access to PHI for in-house personnel on a “need to know” basis.
  • Maintenance of a record of disclosures of PHI, to which an individual may obtain access.
  • Access to copies of his/her PHI for each individual patient, and a process for responding to patient requests for amendment of the PHI record.
  • Requirement to provide a notice of privacy practices to all patients.
  • Requirement to obtain authorization from an individual, or obtain a waiver of authorization from the Institutional Review Board, for the use and/or disclosure of that individual’s PHI for research purposes.

Where can I get more information and answers to questions about HIPAA?

The following web sites offer comprehensive information about HIPAA:

For HIPAA questions specifically related to UMKC, contact the Research Compliance Office.

How do the HIPAA privacy regulations apply to research?

The HIPAA privacy regulations, codified as the Privacy Rule, only apply to covered entities (and Business Associates). The Privacy Rule regulates the way covered entities (and Business Associates) handle PHI and establishes the conditions under which covered entities (and Business Associates) may use or disclose PHI for many purposes, including research. Although not all research involving health information is subject to the Privacy Rule, the Privacy Rule can affect certain aspects of research. The Privacy Rule does affect research that relies upon the use or disclosure of PHI from covered entities, including clinical research, bio-repositories and databases, and health services research.

How does HIPAA affect a research study that also involves health care treatment?

HIPAA requires that research study subjects who will receive health care treatment as part of the study sign a written authorization allowing the use of their PHI for the research study, or that a privacy board or Institutional Review Board waive the authorization requirement. This authorization is separate from a research study subject’s consent for treatment. Research-generated PHI that may be applied to treatment decisions is subject to HIPAA’s medical record requirements.

Does HIPAA apply to my research even if I am not a health care provider?

Yes, if your research requires the use of PHI from records in the custody of covered entities, HIPAA applies to your access to and use of that data whether or not you are a health care provider.

How do the HIPAA privacy regulations apply to my research if I am not a health care provider?

HIPAA regulates how health care providers, health plans and health care clearinghouses may disclose/share PHI from their records for research.

What is the relationship between HIPAA and the human subjects protection regulations of the Common Rule for which IRB review was established?

HIPAA is a floor of personal health information protections for health care consumers. Individuals whose PHI is used in research are human subjects research participants and are therefore entitled to the identifiable private information protections of the Common Rule as well as the health information protections of HIPAA.

What are the HIPAA privacy regulations with respect to disclosing PHI to researchers and using PHI in research?

HIPAA regulates how covered entities may disclose PHI to researchers for use in research. HIPAA permits a covered entity to disclose PHI for use in research only through the following six options:

  1. A signed patient authorization is obtained from the individual whose PHI is sought for research.
    (Example: A clinical researcher enrolling patients in an interventional study will obtain a signed authorization from the research participant at the same time that the researcher is obtaining a signed informed consent document, and will present a copy of the authorization to the covered entity from whose records the researcher is seeking the PHI.)
  2. Waiver by an IRB or a Privacy Board of the authorization requirement for use of individually identifiable PHI for research.
    (Example: A researcher requesting access to data for a retrospective chart review study will likely request IRB approval of a waiver of the authorization requirement as well as a waiver of the informed consent requirement, and will present a copy of the IRB’s waiver of authorization to the covered entity from whose records the researcher is seeking the PHI.)
  3. Review of PHI solely in preparation for research, without collecting the PHI for research use.
    (Example: A researcher wanting to review records of PHI to determine whether there is sufficient data to support an idea for a research study can be given access to those records for that purpose by a covered entity without either authorization or waiver of authorization; the covered entity may, however, ask the researcher to provide written assurance that the researcher will only use the data as a pre-research review and will not remove any of it from the covered entity.)
  4. Complete “de-identification” of the data.
    (Example: A researcher wants aggregate information about how many times a given procedure is performed on individuals in a specified age range and doesn’t need to have any information about any individual cases. In this case, the covered entity may release completely de-identified data to the researcher without authorization or a waiver of authorization. HIPAA allows a covered entity to de-identify data by removing all 18 specific identifiers listed in the Privacy Rule (see “What is a de-identified data set?” below).)
  5. Conversion of the PHI to a “limited data set” devoid of specified facial identifiers together with execution of a data use agreement with specified provisions covering use and disclosure of the limited data set.
    (Example: A research study needs data from a covered entity’s records on the incidence of a disease and its treatment, together with some data about individual cases limited to date of birth, date of diagnosis, date of treatment, date of death and geographic information less specific than postal address. The covered entity may release this limited information to the researcher if a data use agreement is executed that pledges the researcher to certain limitations on the use and disclosure of the “limited data set.”)
  6. Use of PHI solely of decedents.
    (Example: A researcher only wants individually identifiable health information on decedents. The covered entity may release that information to the researcher as long as it is confident that only PHI about decedents is being requested and that the information is really needed for research. The covered entity may ask the researcher to provide an explanation of why the information is needed for research and may also request documentation of the decedent status of the individuals.)

I understand about obtaining information from covered entities’ records for use in research. Is PHI ever created within the course of conducting research?

When a health care activity is performed within the research study itself (for example, a clinical trial or other clinical intervention study), any individual clinical record information generated within that research is PHI and is subject to all the HIPAA regulations that apply to PHI that becomes part of the health care treatment, payment and operations records of the health care provider, health plan and/or health care clearinghouse. For example, clinical information generated within a research study may be simultaneously entered into the clinical record of an individual patient and into the research data set intended to produce generalizable knowledge. The research use of the PHI and all protections of the privacy and security of the research data set must be in accord with the terms and conditions of the IRB approval, the informed consent, and the authorization, as well as relevant institutional policies on data privacy and security.

When is individually identifiable health information that is created within a research study not PHI?

Individually identifiable health information created within a research study is not PHI subject to HIPAA when all three of the following conditions hold:

  1. no health care is performed as an activity within the research study, and
  2. there is no billing for health care treatment within the research study, and
  3. the individually identifiable health information created within the study (by obtaining health information/health measurements directly from the human participant) is not expected to be shared by the researchers with the individual’s health care provider or health plan, nor included in the individual’s medical records, except in the unanticipated occurrence of a potential adverse event.

One example of this might be an exercise study that collects personal health data directly from the research participant and performs some health screening testing (blood pressure measurements, etc.). In this case the study provides no health care, does not bill for any health care treatment or service, and transmits no individual health information about participants to a medical record (although participants may personally transmit the information to their health care providers or others at their own discretion).

Three additional important points in this scenario:

  1. It must be made clear to research participants that the researchers do not intend to share the individually identifiable health information generated within the research study with the research participants’ health care providers or medical records or health plans, except in the event of a potential adverse event requiring that the information be shared for appropriate health care for the individual. This clarification is particularly vital in research studies where the researcher also functions as a health care provider in other situations, where health measurements are performed by the researchers, or where the study occurs in a setting that appears to be clinical.
  2. If the individually identifiable health information is shared with the individual’s health care provider, either
       (a) voluntarily by the individual, or
       (b) by the researcher in response to a potential adverse event,
     then the individually identifiable health information that was originally generated only within the research performance becomes PHI in the records of the health care provider, but this does not reach back to create PHI status for the same information originally generated in the separate research data set.
  3. Individually identifiable health information that is not PHI is still potentially sensitive personal information that should be treated with privacy and confidentiality protections commensurate with its sensitivity and the pledges made to the human participants about its use and disclosure.

Does HIPAA regulate how PHI created in the course of a research study is handled?

Clinical treatment performed in the course of a clinical research study must be handled in accord with the appropriate medical practices regarding entry of the individual’s treatment data into the medical record. The research use of the information must be disclosed and authorized in both the authorization and the informed consent documents that the research participant signs. These documents should specify how PHI created in the course of a research study will be treated, for example:

  • how PHI will be used in the research study,
  • whether any of the data will be entered into the medical record, and
  • whether the information will be shared with any health plan for payment purposes for any activities included within the study participation.

What is an authorization?

An authorization is a document signed by an individual that gives that individual’s explicit permission to obtain her/his specified PHI from health care provider(s) and use it for a specified purpose(s) other than the individual’s health care, such as research. HIPAA lists the specific elements that must be included in a valid authorization document.

How is an authorization different from an informed consent?

An authorization is a document required by HIPAA that defines only the terms and conditions of permission to use specified PHI from specified health care providers for a specified research project. Except for authorizations to use psychotherapy notes in research, which must always be stand-alone documents, an authorization can be combined with the informed consent document. However, there are some features of an authorization that may be easier to handle as a separate document, including the requirements that the authorization be kept for six years following its last effective date and that it may only be revoked in writing, as well as the need to present a copy of the authorization to health care providers (or health plans or health care clearinghouses) to obtain the authorized access to PHI in their records.

How do I obtain an authorization to obtain and use PHI in my research?

Apply to your IRB for approval of an authorization form to use in the informed consent process in your research project. The IRB has a template authorization form for you to complete and present for IRB approval. When you have an IRB approved form of authorization for use in your research study, you are able to include the discussion and execution of this form in the informed consent process with each human research participant. Covered entities may want a copy of this authorization (or a waiver of authorization – see below) when you request access to the research participant’s PHI in their records.

What if the human research participant revokes the authorization?

If the authorization is revoked, the researcher generally cannot continue to collect PHI on the participant for use in the research study; however, the researcher can continue to use the PHI already obtained before the revocation to the extent necessary to preserve the integrity of the research study.

What is a waiver of authorization?

A waiver of authorization is documentation that an IRB or a Privacy Board (Privacy Board is defined in HIPAA) has reviewed the proposed research acquisition and use of PHI and has approved a waiver of all or part of the authorization requirement for obtaining and using individually identifiable PHI in the research. HIPAA specifies elements that must be included in a valid waiver of authorization document.

How is a waiver of authorization different from a waiver of informed consent?

The waiver of authorization is based solely on an assessment of the privacy risks to individually identifiable PHI in the proposed research. A waiver of informed consent is based on the level of contact with study participants or documentation of consent.

How do I obtain a waiver of authorization to use PHI in my research?

Apply to your IRB for approval of a waiver of the authorization requirement. This is similar to a request for waiver of the informed consent requirement. The IRB has an application form for requesting approval of a waiver of authorization. When the IRB has approved a waiver of authorization, it will issue an approval document. Covered entities may want a copy of this waiver of authorization when you request access to the research participant’s PHI in their records.

What about recruitment?

Under HIPAA, a covered entity may not provide individually identifiable health information to researchers outside its own workforce for recruitment contact without either the individual’s authorization (not generally practical under most circumstances) or a waiver of authorization from the IRB. An IRB may approve a waiver of authorization solely for recruitment contact even if the IRB will ultimately require the human participants’ authorization for using PHI in the research study. HIPAA permits the health care provider who has a direct treatment relationship with an individual to initiate discussion about possible research participation without any authorization or waiver of authorization.

What is a de-identified data set?

A de-identified data set is PHI that satisfies two conditions: (i) the following identifiers of the individual or of relatives, employers, or household members of the individual have been removed:

  • Names;
  • All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
      • The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
      • The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints;
  • Full face photographic images and any comparable images; and
  • Any other unique identifying number, characteristic, or code, other than dummy identifiers that are not derived from actual identifiers and for which the re-identification key is maintained by the health care provider and not disclosed to the researcher;

and (ii) the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

What are the requirements for obtaining and using a de-identified data set for my research?

De-identified data sets do not contain any individually identifiable health information, are not considered PHI, and are not subject to HIPAA. Neither authorization nor waiver of authorization nor a data use agreement is required by HIPAA for a covered entity to disclose de-identified data for use in research.

What is a limited data set?

In contrast to a de-identified data set, a limited data set can contain dates related to the individual (birth date, death date, etc.) and dates of services as well as geographic information at the level of town or city, State and zip code. A limited data set is PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

  • Names;
  • Postal address information, other than town or city, State, and zip code;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints; and
  • Full face photographic images and any comparable images.
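As an added, runnable illustration of the two definitions above (the Safe Harbor identifier list and the limited data set) and of the dummy-identifier rule in the last Safe Harbor bullet, the Python below strips a constructed patient record down to each form and assigns a random study code whose key stays with the covered entity. This is not code from UMKC, HHS, or the regulation itself. The field names, the sample records and the SMALL_ZIP3_PLACEHOLDER table are assumptions made for the example; the authoritative list of three-digit ZIP areas with 20,000 or fewer people must come from current Census Bureau data.

```python
"""Safe Harbor de-identification, limited data set, and dummy study codes.

Added example, not code from UMKC or HHS. Field names, sample records and
SMALL_ZIP3_PLACEHOLDER are constructed for illustration only.
"""
import secrets
from datetime import date

# Placeholder: three-digit ZIP prefixes assumed to cover 20,000 or fewer
# people. Replace with the list derived from current Census Bureau data.
SMALL_ZIP3_PLACEHOLDER = {"036", "059", "102", "203"}

# Direct identifiers removed by both Safe Harbor and the limited data set.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_no", "license_no", "vehicle_id",
    "device_serial", "url", "ip", "biometric", "photo",
}
# Geography below state level: Safe Harbor removes it (keeping only the
# state and a conditional ZIP3 prefix); a limited data set may keep city.
SUB_STATE_GEOGRAPHY = {"city", "county"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def age_on(birth: date, asof: date) -> int:
    """Whole years between birth and asof."""
    years = asof.year - birth.year
    if (asof.month, asof.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor_zip3(zip_code: str) -> str:
    """Keep the first three ZIP digits unless that area is small, then '000'."""
    prefix = zip_code[:3]
    return "000" if prefix in SMALL_ZIP3_PLACEHOLDER else prefix


def safe_harbor(record: dict, asof: date, key_store: dict) -> dict:
    """Return a Safe Harbor de-identified copy of one record.

    key_store is the covered entity's re-identification key (code -> MRN).
    It stays with the covered entity and is never given to the researcher.
    """
    age = age_on(record["birth_date"], asof)
    over_89 = age > 89
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SUB_STATE_GEOGRAPHY:
            continue
        if field == "zip":
            out["zip3"] = safe_harbor_zip3(value)
        elif field in DATE_FIELDS:
            # Only the year survives; for ages over 89 even the birth year
            # would reveal the age, so it is dropped as well.
            if field == "birth_date" and over_89:
                continue
            out[field.replace("_date", "_year")] = value.year
        else:
            out[field] = value
    out["age"] = "90+" if over_89 else age
    # Dummy identifier: random, so it cannot be derived from the MRN or any
    # other identifier; the mapping back to the MRN lives only in key_store.
    code = secrets.token_hex(8)
    key_store[code] = record["mrn"]
    out["study_code"] = code
    return out


def limited_data_set(record: dict) -> dict:
    """Remove direct identifiers only; dates, city, state and zip remain."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def residual_identifiers(output: dict, allowed_geography=frozenset()) -> set:
    """Fields still present in a released record that should not be there."""
    forbidden = DIRECT_IDENTIFIERS | (SUB_STATE_GEOGRAPHY - set(allowed_geography))
    return {k for k in output if k in forbidden}


# Constructed sample records; no real patients.
SAMPLE_RECORDS = [
    {"name": "Pat Example", "mrn": "MRN-0001", "ssn": "000-00-0000",
     "street_address": "1 Example St", "city": "Exampleton", "state": "MO",
     "zip": "64108", "phone": "555-0100", "birth_date": date(1980, 6, 15),
     "admission_date": date(2022, 3, 2), "diagnosis": "J18.9"},
    {"name": "Lee Example", "mrn": "MRN-0002", "ssn": "000-00-0001",
     "street_address": "2 Example Ave", "city": "Smallville", "state": "NH",
     "zip": "03601", "phone": "555-0101", "birth_date": date(1930, 2, 1),
     "admission_date": date(2022, 7, 9), "diagnosis": "I10"},
]
AS_OF = date(2023, 1, 1)


if __name__ == "__main__":
    key = {}  # retained by the covered entity, not released
    for rec in SAMPLE_RECORDS:
        print("safe harbor:", safe_harbor(rec, AS_OF, key))
        print("limited data set:", limited_data_set(rec))
```

The `residual_identifiers` check catches a field that was never stripped, but it cannot mechanize condition (ii) or the “any other unique identifying number, characteristic, or code” catch-all: a free-text note, a rare diagnosis inside a sparsely populated ZIP3, or a release that the covered entity knows can be linked to other data still identifies someone, so a data steward’s review remains part of the release.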

What are the requirements for using a limited data set?

A covered entity may use or disclose a limited data set from its PHI records for research use without either authorization or waiver of authorization if the researcher executes a data use agreement that binds the researcher to use or disclose the limited data set only for limited, specified purposes. The data use agreement must establish who is permitted to use and/or receive the limited data set and must pledge all recipients both to use appropriate safeguards to protect the data from unauthorized disclosure and not to attempt to identify or contact the individuals whose PHI is contained in the data.

How do I obtain a limited data set for use in my research?

Contact the health care entity that holds the data record to request the limited data set. If the holder of the data record does not have a standard form of data use agreement for releasing the information, the Office of University Counsel can provide one.

What uses of PHI are permitted under HIPAA in a review preparatory to research?

The “review preparatory to research” is an option that allows review (but not research use) of PHI by researchers and requires neither an authorization nor a waiver of authorization. In the “review preparatory to research” option, a covered entity may allow researchers to review PHI in the covered entity’s records as a preparation for research but may not permit researchers to collect any of the PHI for actual research use. For example, the researcher may be permitted to review PHI to determine whether there is enough information in the records to make a potential research project feasible; however, under the “review preparatory to research” the researcher may not transcribe information from the records for inclusion in research data. The covered entities whose records are reviewed in this preparation for research may require written assurance from the researcher that the pre-research review will be in accord with this HIPAA regulation.

What about research using the PHI of decedents?

Research using the individually identifiable PHI of decedents requires neither authorization nor waiver of authorization nor a data use agreement. However, the covered entity holding the records of the decedent’s PHI may require documentation of the death of such individuals, as well as a statement by the researcher that the information sought is solely for research on PHI of decedents and is necessary for the research study.

What about research in progress on 4/13/03?

  1. An individual’s authorization is not required for a covered entity to disclose PHI of a human research participant who has executed an informed consent prior to April 14, 2003. The individual does not need to execute an authorization document for the researcher to obtain and use the participant’s PHI in the research study on or after April 14, 2003.
  2. For research being conducted under a waiver of informed consent approved by the IRB prior to April 14, 2003, an IRB waiver of authorization is not required for the covered entity to disclose PHI to the research study on or after April 14, 2003.

If a research participant enrolls in a research study on or after April 14, 2003, a covered entity may disclose that participant’s PHI only if the research participant executes an authorization. Research studies seeking IRB approval of waiver of informed consent on or after April 14, 2003, will also need to seek IRB approval of a waiver of authorization.

What about PHI in existing research data sets?

PHI in research data sets that already existed prior to April 14, 2003, and were maintained completely separately from the designated record sets of covered entities (i.e., separately from the health care treatment, payment and operations records of covered entities) can be used in accord with the terms and conditions of the IRB approval under which they were acquired prior to April 14, 2003.

What about secondary analysis, future use studies, or bio-repositories?

HIPAA permits the use of compound authorizations for research studies. A researcher may combine an authorization for the use or disclosure of PHI for a research study with an authorization for a future research study that describes the future research sufficiently to provide reasonable notice to the potential subjects of possible use. An authorization for a research study may also be combined with an authorization for the creation or maintenance of a research database or bio-repository. Where the provision of research-related treatment is conditioned on one of the authorizations, any additional authorization must clearly differentiate between the conditioned and unconditioned components and provide the potential study subject with an opportunity to opt in to the research activities described in the unconditioned authorization. For psychotherapy notes, any authorization for their use or disclosure may only be combined with another authorization for the use or disclosure of psychotherapy notes.

What about sharing data with other researchers?

PHI in research data acquired on or after April 14, 2003, may only be shared with other researchers in accord with the agreement for acquiring the PHI, i.e. only in accord with the terms of the authorization or waiver of authorization or data use agreement. Research data that includes PHI may be shared, disclosed, or transferred among the investigators named in the authorization, waiver of authorization, or data use agreement. Sharing or disclosing or transferring the data outside of that circle requires IRB review and approval of the proposed research study for which the data would be shared. Contact the IRB for review of a change in the approved protocol if the original investigators wish to share research data that includes PHI with another colleague not originally identified as part of the research team within the existing approved study.

What about using research data that includes PHI in presentations or publications?

Inclusions of identifiable personal information from research in presentations or publications of any type must be in accord with the terms and conditions of all existing agreements about how the individual’s information may be used, including: the terms and conditions of IRB approval of the research protocol, the authorization or waiver of authorization, the informed consent or waiver of informed consent, any data use agreement that has been executed, etc.

What about reidentification codes?

HIPAA regulations apply to re-identification codes as follows:

For individually identifiable PHI acquired under an authorization or IRB waiver of authorization, the PHI must be treated with no less privacy and security than whatever privacy practices have been stated in the authorization and informed consent or waiver of authorization and waiver of informed consent through which the PHI was acquired. For example, as a privacy practice for a given research study, the researchers may be using completely identifiable PHI but may choose to handle it primarily in a format in which participants are identified only by a code (in lieu of facial identifiers), and the researchers may maintain tight control of the re-identification code through secure storage and limited access. The standards that apply are those described in the permissions through which the PHI was acquired.

For PHI that has been released for research use in de-identified form without either authorization or waiver of authorization, HIPAA requires that (a) the covered entity that released the de-identified data must not release the re-identification code or re-identification mechanism to the researchers, and (b) that the code itself must not be derived from identifiers.

Researchers with PHI in research data sets established and separate from health care treatment, payment and operations records prior to April 14, 2003, can continue the identification coding practices that were established under the IRB approval for the research that generated the research data set.

If a site is disclosing data about individual patients that does not include any of the 18 identifiers listed in 45 CFR 164.514(b)(2)(i), but does identify the site from which the data has been disclosed, does the geographic location of the site constitute an identifier of “geographic subdivision smaller than a State” for the individual?

No. The de-identified information does not lose its de-identification status simply by virtue of identification of the disclosing site. This is true as long as one other HIPAA caveat is met: the disclosing covered entity does not have actual knowledge that the de-identified information could be used alone or in combination with other information available to individuals outside the covered entity to identify an individual who is the subject of the information.