HIPAA

FAQs

The University of North Carolina at Chapel Hill


HIPAA Frequently Asked Questions  

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries. As the name suggests, the legislation has several goals.

One of the major objectives is to ensure that employees have uninterrupted health insurance coverage as they move from one job to another. However, another part of the legislation directly affects healthcare providers. The goal of this section (referred to as Title II: Administrative Simplification) is to improve the efficiency of the healthcare system through the increased use of electronic information systems. The law allows the Department of Health and Human Services (DHHS) to develop regulations that set universal standards for electronic transactions between healthcare providers and insurance companies.

Another key goal of the HIPAA regulations is to protect the privacy and confidentiality of protected health information by setting and enforcing standards. In general, the law defines protected health information as information created by a healthcare provider, for use in the treatment of an individual or to obtain payment for such treatment, that is likely to identify that individual. DHHS requirements are incorporated into both the University's and the UNC Health Care System's policies concerning the privacy, confidentiality, and security of protected health information.

What is a "covered entity"?

"Covered entity" is the term that the HIPAA regulations use to describe the businesses in the health care industry that are subject to HIPAA regulations. Specifically, covered entities are health plans, health care clearinghouses and health care providers who transmit any health information in electronic form in connection with the following transactions: health care claims or encounter information, health care payment and remittance advice, coordination of benefits, health care claim status, enrollment or disenrollment or eligibility information re health plans, health plan premium payments, referral certification and authorization, first report of injury, or health claims attachments. [last revised 2/17/03]

What is PHI?

PHI (“protected health information”) is the term that the HIPAA regulations use to describe the specific health care consumer information that HIPAA is intended to protect. The general idea is that PHI is individually identifiable health and health care payment information, including the demographic data that is a potential identifier of the individual, maintained in the records of health care providers (and health plans and health care clearinghouses). PHI does not include individually identifiable health information in personnel records or education records covered by the Family Educational Rights and Privacy Act (“FERPA”). [last revised 2/24/03]

What are some examples of procedures required under HIPAA for handling protected health information?

HIPAA regulations define using PHI not just in terms of who receives the information but how it may be used. Examples of HIPAA requirements include:

  • Stricter standards for physical and electronic security for PHI.

  • Restricted access to PHI for in-house personnel on a "need to know" basis.

  • Maintenance of a record of all disclosures of the PHI outside of the original authorized purpose, with access for the individual to that record of disclosures of her/his PHI.

  • Access to copies of his/her PHI for each individual patient, and a process for responding to patient requests for amendment of the PHI record.

  • Requirement to provide a notice of privacy practices to all patients.

  • Requirement of a specific authorization from the individual or waiver of authorization from a privacy board or IRB for disclosure of PHI for purposes other than the consented healthcare, including research.

Where can I get more information and answers to questions about HIPAA?

For a national perspective, there are four particularly comprehensive Web sites about HIPAA. They are:

For HIPAA questions specifically related to UNC-Chapel Hill, contact your Privacy Liaison or the University's HIPAA Privacy or Security Officers -- see UNC-Chapel Hill HIPAA Contact Persons.

How does HIPAA affect a research study that also involves health care treatment?

HIPAA requires that research study subjects who will receive health care as part of the study authorize the use of their PHI in that research - or that a privacy board or Institutional Review Board (IRB) waive the authorization requirement - regardless of the consent for treatment.  Additionally, any research-generated PHI that may be applied to treatment decisions is subject to HIPAA's medical record requirements.

How do the HIPAA privacy regulations apply to research?


HIPAA privacy regulations are concerned with control and privacy of personal health information for health care consumers and health insurance consumers. HIPAA applies to research by regulating the research use and disclosure of individually identifiable health information generated within health care treatment, health care payment and health care operations and maintained in the designated records of health care providers (and health plans and health care clearinghouses). [last revised: 2/5/03]

Does HIPAA apply to my research even if I am not a health care provider?


Yes, if you are seeking for your research use individually identifiable health information from records in the custody of "covered entities" (most health care providers, health plans and health care clearinghouses) HIPAA applies to your access to and use of that data whether or not you are a health care provider. [last revised: 2/20/03]


How do the HIPAA privacy regulations apply to my research if I am not a health care provider?


HIPAA regulates how health care providers, health plans and health care clearinghouses may disclose/share individually identifiable health information from their records for research. [last revised: 2/20/03]


What is the relationship between HIPAA and the human subjects protection regulations of the Common Rule for which IRB review was established?

HIPAA is a floor of personal health information protections for health care consumers. Individuals whose PHI is used in identifiable form in research are human research participants who are entitled to the identifiable private information protections of the Common Rule as well as the health information protections of HIPAA. [last revised: 2/20/03]


What are the HIPAA privacy regulations with respect to disclosing PHI to researchers and using PHI in research?


HIPAA regulates how covered entities may disclose PHI to researchers for use in research. HIPAA permits a covered entity to disclose PHI for use in research only through the following six options:

  1. A signed patient authorization is obtained from the individual whose PHI is sought for research.
    (Example:  A clinical researcher enrolling patients in an interventional study will obtain a signed authorization from the research participant at the same time that the researcher is obtaining a signed informed consent document, and will present a copy of the authorization to the covered entity from whose records the researcher is seeking the PHI.)

  2. Waiver by an IRB or a Privacy Board of the authorization requirement for use of individually identifiable PHI for research.
    (Example: A researcher requesting access to data for a retrospective chart review study will likely request IRB approval of a waiver of the authorization requirement as well as a waiver of the informed consent requirement, and will present a copy of the IRB's waiver of authorization to the covered entity from whose records the researcher is seeking the PHI.)

  3. Review of PHI solely in preparation for research, without collecting the PHI for research use.
    (Example: A researcher wanting to review records of PHI to determine whether there is sufficient data to support an idea for a research study can be given access to those records for that purpose by a covered entity without either authorization or waiver of authorization; however, the covered entity may ask the researcher to provide written assurance that the researcher will only use the data as a pre-research review and will not remove any of it from the covered entity.)

  4. Complete "de-identification" of the data.
    (Example: A researcher wants aggregate information about how many times a given procedure is performed on individuals in a specified age range and doesn't need to have any information about any individual cases. None of the 18 HIPAA-listed identifiers is provided to the researcher along with the health information; therefore, HIPAA does not require that the covered entity have any documentation to release this kind of completely de-identified information to a researcher.)

  5. Conversion of the PHI to a "limited data set" devoid of specified facial identifiers together with execution of a data use agreement with specified provisions covering use and disclosure of the limited data set.
    (Example: A research study needs data from a covered entity's records on the incidence of a disease and its treatment, together with some data about individual cases limited to date of birth, date of diagnosis, date of treatment, date of death and geographic information less specific than postal address. The covered entity may release that information to the researcher if a data use agreement is executed to pledge the researcher to certain limitations on use and disclosure of that "limited data set.")

  6. Use of PHI solely of decedents.
    (Example: A researcher only wants individually identifiable health information on decedents. The covered entity may release that information to the researcher as long as it is confident that only PHI about decedents is being requested and that the information is really needed for research. The covered entity may ask the researcher to provide an explanation of why the information is needed for research and may also request documentation of the decedent status of the individuals.) [last revised: 2/17/03]


I understand about obtaining information from covered entities' records for use in research. Is PHI ever created within the course of conducting research?


When a health care activity is performed within the research study itself (for example, a clinical trial or other clinical intervention study), any individual clinical record information that is generated within that research is PHI that is subject to all the HIPAA regulations that apply to PHI that becomes part of the health care treatment, payment and operations records of the health care provider, health plan and/or health care clearinghouse. For example, clinical information generated within a research study may be simultaneously entered into the clinical record of an individual patient and into the research data set intended to produce generalizable knowledge. The research use of the PHI and protection of the privacy and security of the research data set must be in accord with the terms and conditions of the IRB approval, the informed consent and the authorization as well as relevant institutional policies on data privacy and security. [last revised: 2/20/03]


When is individually identifiable health information that is created within a research study not PHI?

  1. When there is no health care performed as an activity within the research study, and

  2. there is no billing for health care treatment within the research study, and

  3. the individually identifiable health information created within the study (by obtaining health information/health measurements directly from the human participant) is not expected to be shared by the researchers with the individual's health care provider or medical records or health plan except in the unanticipated event of a potential adverse event, then that individually identifiable health information is not PHI subject to HIPAA. One example of this might be an exercise study that collects personal health data directly from the research participant and perhaps performs some health screening testing (blood pressure measurements, etc.) but does not include health care and does not bill for health care and does not transmit health information about individuals to a medical record (although participants may personally transmit the information to their health care providers or others at their own discretion).

Three additional important points in this scenario:

  1. It must be made clear to research participants that the researchers do not intend to share the individually identifiable health information generated within the research study with the research participants' health care providers or medical records or health plans except in the event of a potential adverse event requiring that the information be shared for appropriate health care for the individual. This clarification is particularly vital in research studies where the researcher also functions as a health care provider in other situations or where health measurements are performed by the researchers or where the study occurs in a setting that appears to be clinical.

  2. If the individually identifiable health information is shared with the individual's health care provider either (a) voluntarily by the individual or (b) by the researcher in response to a potential adverse event, then the individually identifiable health information that was originally generated only within the research performance becomes PHI in the records of the health care provider but does not reach back to create PHI status for the same information originally generated in the separate research data set.


  3. Individually identifiable health information that is not PHI is still potentially sensitive personal information that should be treated with privacy and confidentiality protections commensurate with its sensitivity and the pledges made to the human participants about its use and disclosure. [last revised: 2/20/03]

Does HIPAA regulate how PHI created in the course of a research study is handled?


Clinical treatment performed in the course of a clinical research study must be handled in accord with the appropriate medical practices regarding entry of the individual's treatment data into the medical record. The research use of the information must be disclosed and authorized in the authorization and informed consent documents that the research participant signs. These documents should specify how PHI created in the course of a research study will be treated, for example:

  • how PHI will be used in the research study,

  • whether any of the data will be entered into the medical record, and

  • whether the information will be shared with any health plan for payment purposes for any activities included within the study participation. [last revised: 2/17/03]

What is an authorization?


An authorization is a document signed by an individual that gives that individual's explicit permission to obtain her/his specified PHI from health care provider(s) and use it for a specified purpose other than the individual's health care, such as research. HIPAA is specific about the elements that must be included in a valid authorization document. [last revised: 2/20/03]


How is an authorization different than an informed consent?


An authorization is a HIPAA required document that defines only the terms and conditions of permission to use specified PHI from specified health care providers for a specified research project. Except for authorizations to use psychotherapy notes in research, which must always be stand alone documents, an authorization can be combined with the informed consent document. However, there are some features of an authorization that may be easier to handle as a separate document, including the requirements that the authorization be kept for six years following its last effective date and that it may only be revoked in writing, as well as the need to present a copy of the authorization to health care providers (or health plans or health care clearinghouses) to obtain the authorized access to PHI in their records. [last date: 2/20/03]


How do I obtain an authorization to obtain and use PHI in my research?

Apply to your IRB for approval of an authorization form to use in the informed consent process in your research project. The IRB has a template authorization form for you to complete and present for IRB approval. When you have an IRB approved form of authorization for use in your research study, you are able to include the discussion and execution of this form in the informed consent process with each human research participant. Covered entities may want a copy of this authorization (or a waiver of authorization - see below) when you request access to the research participant's individually identifiable health information in their records. [last date: 2/20/03]


What if the human research participant revokes the authorization?


If the authorization is revoked, the researcher generally cannot continue to collect PHI on the participant for use in the research study; however, the researcher can continue to use the PHI already obtained before the revocation to the extent necessary to preserve the integrity of the research study. [last revised: 2/20/03]


What is a waiver of authorization?


A waiver of authorization is documentation that an IRB or a Privacy Board (Privacy Board is defined in HIPAA) has reviewed the proposed research acquisition and use of PHI and has approved a waiver of all or part of the authorization requirement for obtaining and using individually identifiable PHI in the research. HIPAA specifies elements that must be included in a valid waiver of authorization document. [last revised: 2/20/03]


How is a waiver of authorization different than a waiver of informed consent?


The waiver of authorization is based solely on an assessment of the privacy risks in the proposed research use of individually identifiable PHI. [last revised: 2/5/03]


How do I obtain a waiver of authorization to use PHI in my research?


Apply to your IRB for approval of a waiver of the authorization requirement. This is similar to a request for waiver of the informed consent requirement. The IRB has an application form for requesting approval of a waiver of authorization. When the IRB has approved a waiver of authorization, it will issue an approval document. Covered entities may want a copy of this waiver of authorization (or an authorization - see above) when you request access to the research participant's individually identifiable health information in their records. [last revised: 2/5/03]


What about recruitment?


Under HIPAA, a covered entity may not provide individually identifiable health information to researchers outside its own workforce for recruitment contact without either the individual's authorization (not generally practical under most circumstances) or a waiver of authorization from the IRB. An IRB may approve a waiver of authorization solely for recruitment contact even if the IRB will require the human participant's authorization for using PHI in the research study. HIPAA permits the health care provider who has a direct treatment relationship with an individual to initiate discussion about possible research participation without any authorization or waiver of authorization. [last revised: 2/20/03]

What is a deidentified data set?

A deidentified data set is PHI from which the following identifiers of the individual or of relatives, employers, or household members of the individual, have been removed:

  • Names;

  • All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

    (a) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

    (b) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;

  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

  • Telephone numbers;

  • Fax numbers;

  • Electronic mail addresses;

  • Social security numbers;

  • Medical record numbers;

  • Health plan beneficiary numbers;

  • Account numbers;

  • Certificate/license numbers;

  • Vehicle identifiers and serial numbers, including license plate numbers;

  • Device identifiers and serial numbers;

  • Web Universal Resource Locators (URLs);

  • Internet Protocol (IP) address numbers;

  • Biometric identifiers, including finger and voice prints;

  • Full face photographic images and any comparable images; and

  • Any other unique identifying number, characteristic, or code, other than dummy identifiers that are not derived from actual identifiers and for which the reidentification key is maintained by the health care provider and not disclosed to the researcher;

and

(ii) The covered entity may not consider the information deidentified if it has actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. [last revised: 2/20/03]

What are the requirements for obtaining and using a deidentified data set for my research?

Deidentified data sets do not contain any individually identifiable health information. Neither authorization nor waiver of authorization nor a data use agreement is required by HIPAA for a covered entity to disclose deidentified data for use in research. [last revised: 2/17/03]

What is a limited data set?

In contrast to a deidentified data set, a limited data set can contain dates related to the individual (birth date, death date, etc.) and dates of services as well as geographic information at the level of town or city, State and zip code. A limited data set is PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

  • Names;

  • Postal address information, other than town or city, State, and zip code;

  • Telephone numbers;

  • Fax numbers;

  • Electronic mail addresses;

  • Social security numbers;

  • Medical record numbers;

  • Health plan beneficiary numbers;

  • Account numbers;

  • Certificate/license numbers;

  • Vehicle identifiers and serial numbers, including license plate numbers;

  • Device identifiers and serial numbers;

  • Web Universal Resource Locators (URLs);

  • Internet Protocol (IP) address numbers;

  • Biometric identifiers, including finger and voice prints; and

  • Full face photographic images and any comparable images.

[last revised: 2/20/03]
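To make the two definitions concrete, here is an added example (not UNC's or HHS's code) that applies the deidentified-data-set rules above (Safe Harbor: strip the listed identifiers, keep at most a 3-digit zip prefix subject to the 20,000-person rule, keep only the year of dates, and collapse ages over 89 to "90+") and, for comparison, the limited-data-set filter, to one constructed patient record. The record layout, field names and the 3-digit zip population table are assumptions for illustration; a real implementation would load the current Census figures and still needs the covered entity's "actual knowledge" judgment and, for a limited data set, an executed data use agreement.

```python
from __future__ import annotations

from datetime import date

# Direct identifiers that the FAQ lists for a limited data set; they are also
# among the Safe Harbor identifiers, so both transforms drop them.
# The field names are assumptions for this example.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "face_image",
})

# Date fields directly related to the individual.
DATE_FIELDS = frozenset({"birth_date", "admission_date",
                         "discharge_date", "death_date"})

# Constructed stand-in for the Census population of each 3-digit zip area;
# a real implementation would load the current published figures.
ZIP3_POPULATION = {"275": 950_000, "036": 12_000}


def generalize_zip(zip_code: str, zip3_population: dict[str, int]) -> str:
    """Safe Harbor zip rule: keep the first three digits only if the area
    formed by all zips with that prefix holds more than 20,000 people;
    otherwise the prefix becomes '000'. Unknown prefixes are treated as
    small, the conservative choice."""
    prefix = zip_code[:3]
    return prefix if zip3_population.get(prefix, 0) > 20_000 else "000"


def age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday


def to_limited_data_set(record: dict) -> dict:
    """Limited data set: strip the direct identifiers but keep dates and
    town/city, State and zip. HIPAA still requires a data use agreement
    before release; that is a contract, not something this code checks."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def deidentify_safe_harbor(record: dict, as_of: date,
                           zip3_population: dict[str, int] = ZIP3_POPULATION
                           ) -> dict:
    """Safe Harbor de-identification of one record.

    Direct identifiers and sub-State geography are removed, the zip is
    reduced per generalize_zip, every date keeps only its year, and an age
    over 89 collapses to '90+' with the birth year dropped because it would
    reveal the age. The FAQ's 'actual knowledge' caveat (that the remaining
    data could still identify someone) is a human judgment that must be made
    before release; it cannot be delegated to this function."""
    out: dict = {}
    birth = record.get("birth_date")
    over_89 = birth is not None and age_on(birth, as_of) > 89
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in ("city", "county", "precinct"):
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value, zip3_population)
        elif key == "birth_date":
            out["age"] = "90+" if over_89 else age_on(value, as_of)
            if not over_89:
                out["birth_year"] = value.year
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value.year
        else:
            out[key] = value
    return out


# Constructed sample record (no real patient data).
SAMPLE_RECORD = {
    "name": "Example Patient",
    "street_address": "123 Example Street",
    "city": "Chapel Hill",
    "state": "NC",
    "zip": "27514",
    "mrn": "MRN-000123",
    "birth_date": date(1930, 5, 1),
    "admission_date": date(2003, 2, 17),
    "diagnosis": "example diagnosis code",
}

if __name__ == "__main__":
    print(to_limited_data_set(SAMPLE_RECORD))
    print(deidentify_safe_harbor(SAMPLE_RECORD, as_of=date(2003, 4, 14)))
```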

What are the requirements for using a limited data set?

A covered entity may use or disclose a limited data set from its PHI records for research use without either authorization or waiver of authorization if the researcher executes a data use agreement that binds the limited data set recipient to use or disclose the limited data set only for limited, specified purposes. The data use agreement must establish who is permitted to use or receive the limited data set and must pledge all recipients both to use appropriate safeguards to protect the data from unauthorized disclosure and not to attempt to identify or contact the individuals whose PHI is contained in the data. [last revised: 2/17/03]

How do I obtain a limited data set for use in my research?

Contact the health care entity that holds the data record to request the limited data set. If the holder of the data record does not have a standard form of data use agreement for releasing the information, the Office of University Counsel can provide one. [last revised: 2/5/03]

What if the covered entity is not able to package the data in a limited data set format or a deidentifed format for release to my research study?

Contact the Office of University Counsel for assistance: 962-1219.

What uses of PHI are permitted under HIPAA in a review preparatory to research?

The "review preparatory to research" is an option that allows review (but not research use) of individually identifiable PHI by researchers and does not require authorization or waiver of authorization. In the "review preparatory to research" option, a covered entity may allow researchers to review PHI in the covered entity's records as a preparation for research but may not permit researchers to collect any of the PHI for actual research use. For example, the researcher may be permitted to review PHI to determine whether there is enough information in the records to make a potential research project feasible; however, under the "review preparatory to research" the researcher may not transcribe information from the records for inclusion in research data. The covered entities whose records are reviewed in this preparation for research may require written assurance from the researcher that the pre-research review will be in accord with this HIPAA regulation. See also Question #17 above re recruitment. [last revised: 2/20/03]

What about research using the PHI of decedents?

Research using the individually identifiable PHI of decedents requires neither authorization nor waiver of authorization nor a data use agreement. However, the covered entity holding the records of the decedent's PHI may require verification of the individual's decedent status and a statement by the researcher that the information sought is solely about decedents and is necessary for the research study. [last revised: 2/17/03]

What about research in progress on 4/13/03?

(1) An individual's authorization is not required for a covered entity to disclose PHI of a human research participant who has executed an informed consent prior to April 14, 2003. The individual does not need to execute an authorization document for the researcher to obtain and use the participant's PHI in the research study on or after April 14, 2003.
(2) For research being conducted under a waiver of informed consent approved by the IRB prior to April 14, 2003, an IRB waiver of authorization is not required for the covered entity to disclose PHI to the research study on or after April 14, 2003.
If a research participant enrolls in a research study on or after April 14, 2003, a covered entity may disclose that participant's PHI only if the research participant executes an authorization. Research studies seeking IRB approval of waiver of informed consent on or after April 14, 2003, will also need to seek IRB approval of a waiver of authorization. [last revised: 2/20/03]

What about PHI in existing research data sets?

PHI in research data sets that already exist prior to April 14, 2003, and are maintained completely separately from the designated record sets of covered entities (i.e., separately from the health care treatment, payment and operations records of covered entities) can be used in accord with the terms and conditions of the IRB approval under which they were acquired prior to April 14, 2003. [last revised: 2/20/03]

What about secondary analysis?

HIPAA requires that authorizations, waivers of authorization, and data use agreements for use of PHI in research must be specific to a research study. PHI obtained for research on or after April 14, 2003, under an authorization or a waiver of authorization or a data use agreement for one study or for collection in a data repository, may only be used in another research study under an authorization, waiver of authorization or data use agreement specific to that second study. For many secondary analyses, an IRB waiver of authorization may be the most appropriate and practical HIPAA-compliant approach. [last revised: 2/20/03]

What about sharing data with other researchers?

PHI in research data acquired on or after April 14, 2003, may only be shared with other researchers in accord with the agreement for acquiring the PHI, i.e. only in accord with the terms of the authorization or waiver of authorization or data use agreement. Research data that includes PHI may be shared, disclosed or transferred among the investigators named in the authorization, waiver of authorization or data use agreement. Sharing or disclosing or transferring the data outside of that circle requires IRB review and approval of the proposed research study for which the data would be shared. In the event that the original investigators wish to share research data that includes PHI with another colleague not originally identified as part of the research team within the existing approved study, contact the IRB for review of a change in the approved protocol. [last revised: 2/20/03]

What about using research data that includes PHI in presentations or publications?

Inclusion of identifiable personal information from research in presentations or publications of any type must be in accord with the terms and conditions of all existing agreements about how the individual's information may be used, including: the terms and conditions of IRB approval of the research protocol, the authorization or waiver of authorization, the informed consent or waiver of informed consent, any data use agreement that has been executed, etc. [last revised 2/20/03]

What about reidentification codes?

Researchers with PHI in research data sets established and separate from health care treatment, payment and operations records prior to April 14, 2003, can continue the identification coding practices that were established under the IRB approval for the research that generated the research data set. For any PHI acquired for research use on or after April 14, 2003, the HIPAA regulations apply to reidentification codes as follows:

For individually identifiable PHI acquired under an authorization or IRB waiver of authorization, the PHI must be treated with no less privacy and security than whatever privacy practices have been stated in the authorization and informed consent or waiver of authorization and waiver of informed consent through which the PHI was acquired. For example, as a privacy practice for a given research study, the researchers may be using completely identifiable PHI but may choose to handle it primarily in a format in which participants are identified only by a code (in lieu of facial identifiers), and the researchers may maintain tight control of the reidentification code through secure storage and limited access. The standards that apply are those described in the permissions through which the PHI was acquired.

For PHI that has been released for research use in de-identified form without either authorization or waiver of authorization, HIPAA requires that (a) the covered entity that released the de-identified data must not release the reidentification code or reidentification mechanism to the researchers, and (b) that the code itself must not be derived from identifiers. [last revised: 2/20/03]

If a site is disclosing data about individual patients that does not include any of the 18 identifiers listed in 45 CFR 164.514(b)(2)(i), but does identify the site from which the data has been disclosed, does the geographic location of the site constitute an identifier of "geographic subdivision smaller than a State" for the individual?

No. The deidentified information does not lose its deidentification status simply by virtue of identification of the disclosing site. This is true as long as one other HIPAA caveat is met: the disclosing covered entity does not have actual knowledge that the deidentified information could be used alone or in combination with other information available to persons outside the covered entity to identify an individual who is the subject of the information.

How do I REPORT an INCIDENT to the IT Security Office?

To report computer security problems at UNC-Chapel Hill:

  • Call 919-962-HELP (4357) 24 hours a day, seven days a week.
  • Or send email to security@unc.edu.

Is the HIPAA Privacy Rule suspended during a national or public health emergency?

No; however, the Secretary of HHS may waive certain provisions of the Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act. For more information go here.

  © 2008 The University of North Carolina at Chapel Hill.  All rights reserved.

Site maintained by the Research Compliance Program.  Last revised 05/23/08.