HIPAA

1.  What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is intended to improve the efficiency and effectiveness of the health care system in the United States.

HIPAA has many parts.  One section, associated with "Administrative Simplification", has four main parts.  The first part sets national standards for the electronic exchange of patient health, administrative and financial data between health care providers and health plans.  The second part, known as the "Privacy Rule", concerns the privacy of an individual's health information.  The third part, known as the "Security Rule", sets security standards for safeguarding health information maintained in electronic form.  The fourth part establishes a system of national identifiers for employers, health plans and providers.  The Privacy Rule, which takes effect on 4/14/2003, and the Security Rule, which takes effect on 4/20/2005, both affect research that uses health information that can be linked through personal identifiers to the individual who is its source.

2. What is the Privacy Rule?

The HIPAA Privacy Rule takes effect on August 14, 2002.  The Privacy Rule includes standards to:

- Limit the use and disclosure of health information
- Restrict use and disclosure of health information to the minimum necessary to carry out its intended purpose
- Give patients several rights with respect to their health information, including the right to:
  - Inspect, copy and request amendments to their medical records
  - Request restrictions on uses and disclosures of their health information
  - Request a listing of certain releases of their health information
  - Receive a Notice of Privacy Regulations
  - File a formal complaint about violations of privacy protections
  - Revoke an authorization for use/disclosure of identifiable health information

The Privacy Rule also:

- Places new requirements on researchers for access to health-related records and their use and further disclosure
- Establishes criminal and civil penalties for improper use or disclosure

3. What are the major implications for researchers as a result of the Privacy Rule?

The HIPAA Privacy Rule is extremely complex and has required the development and implementation of new policies and procedures.  In practical terms the major changes are as follows:

- In addition to informed consent requirements, investigators will need to obtain a signed authorization from the research subject granting permission for the use and disclosure of his or her health information.
- This signed authorization may be obtained through a document separate from and additional to the informed consent, or the authorization language may be included in the informed consent document, as long as all elements needed for a valid authorization are present.
- For medical records reviews and other types of research where obtaining a signed authorization (or informed consent) is impractical, a researcher may apply for a waiver of authorization.
- Accessing medical information from a hospital or other covered entity will now require additional measures.

4. I've heard that research is exempt from HIPAA; if that's true, why all the institutional effort towards HIPAA?  

- There is a lot of information available about HIPAA, some of it good and some of it bad.  This claim is an example of the bad: HIPAA specifically addresses research within its regulations.  For more information, see the reliable resources on the main page, such as the Research Foundation or the Health and Human Services / Office for Civil Rights web sites.
- In addition to stating how identifiable health information can be used or disclosed by a covered entity for research purposes, HIPAA establishes a national "best practices" floor for protecting that information.  Even when identifiable health information is collected in areas not subject to HIPAA, providing fewer protections than this floor would place both the researcher and the institution in an unfavorable light with respect to their integrity in protecting the privacy rights of research subjects.  HIPAA also establishes a floor likely to be used in future civil litigation.


Selected FAQs from HHS/OCR FAQ page

Do I need authorization if an IRB requires a new consent for a subject that consented before HIPAA?

Question:  If research subjects' consent was obtained before the compliance date, but the Institutional Review Board (IRB) subsequently modifies the informed consent document after the compliance date and requires that subjects be reconsented, is authorization now required from these previously enrolled research subjects under the HIPAA Privacy Rule?

Answer:  Yes. If informed consent or reconsent (i.e., being asked to sign a revised consent or another informed consent) is obtained from research subjects after the compliance date, the covered entity must obtain individual authorization as required at 45 CFR 164.508 for the use or disclosure of protected health information once the consent obtained before the compliance date is no longer valid for the research. The revised informed consent document may be combined with the authorization elements required by 45 CFR 164.508. See the fact sheet and frequently asked questions about the research provisions on this web site for more information about Institutional Review Boards.

Is the creation of a database for research permissible with an IRB/Privacy Board waiver? (retrieved 3/4/2003)

Question:  Does the HIPAA Privacy Rule permit the creation of a database for research purposes through an Institutional Review Board (IRB) or Privacy Board waiver of individual authorization?

Answer:  Yes. A covered entity may use or disclose protected health information without individuals’ authorizations for the creation of a research database, provided the covered entity obtains documentation that an IRB or Privacy Board has determined that the specified waiver criteria were satisfied. Protected health information maintained by a covered entity in such a research database could be used or disclosed for future research studies as permitted by the Privacy Rule – that is, for future studies in which individual authorization has been obtained or where the Rule would permit research without an authorization, such as pursuant to an IRB or Privacy Board waiver. See the fact sheet and frequently asked questions about the research provisions on this web site for more information about Institutional Review and Privacy Boards.

When is a researcher a covered health care provider under HIPAA? (retrieved 3/4/2003)

Question:  When is a researcher a covered health care provider under HIPAA?

Answer:  A researcher is a covered health care provider if he or she furnishes health care services to individuals, including the subjects of research, and transmits any health information in electronic form in connection with a transaction covered by the Transactions Rule. See 45 CFR 160.102, 160.103. For example, a researcher who conducts a clinical trial that involves the delivery of routine health care, such as an MRI or liver function test, and transmits health information in electronic form to a third party payer for payment, would be a covered health care provider under the Privacy Rule. Researchers who provide health care to the subjects of research or other individuals would be covered health care providers even if they do not themselves electronically transmit information in connection with a HIPAA transaction, but have other entities, such as a hospital or billing service, conduct such electronic transactions on their behalf. For further assistance in determining covered entity status, see the “decision tool” at www.hhs.gov/ocr/hipaa/.

May I recruit research subjects under the Privacy Rule’s preparatory research provision? (retrieved 3/4/2003)

Question:   Can the preparatory research provision of the HIPAA Privacy Rule at 45 CFR 164.512(i)(1)(ii) be used to recruit individuals into a research study?

Answer:  The preparatory research provision permits covered entities to use or disclose protected health information for purposes preparatory to research, such as to aid study recruitment. However, the provision at 45 CFR 164.512(i)(1)(ii) does not permit the researcher to remove protected health information from the covered entity’s site. As such, a researcher who is an employee or a member of the covered entity’s workforce could use protected health information to contact prospective research subjects. The preparatory research provision would allow such a researcher to identify prospective research participants for purposes of seeking their authorization to use or disclose protected health information for a research study. In addition, the Rule permits a covered entity to disclose protected health information to the individual who is the subject of the information. See 45 CFR 164.502(a)(1)(i). Therefore, covered health care providers and patients may continue to discuss the option of enrolling in a clinical trial without patient authorization, and without an Institutional Review Board (IRB) or Privacy Board waiver of the authorization. See the fact sheet and frequently asked questions about the research provisions on this web site for more information about Institutional Review and Privacy Boards. However, a researcher who is not a part of the covered entity may not use the preparatory research provision to contact prospective research subjects. Rather, the outside researcher could obtain contact information through a partial waiver of individual authorization by an IRB or Privacy Board as permitted at 45 CFR 164.512(i)(1)(i). The IRB or Privacy Board waiver of authorization permits the partial waiver of authorization for the purposes of allowing a researcher to obtain protected health information as necessary to recruit potential research subjects.
For example, even if an IRB does not waive informed consent and individual authorization for the study itself, it may waive such authorization to permit the disclosure of protected health information as necessary for the researcher to be able to contact and recruit individuals into the study.

IMPORTANT UB NOTE: For recruitment purposes, a researcher cannot contact potential research subjects unless he or she has a direct treatment relationship with those subjects.  A researcher who does not have a direct treatment relationship with the subjects must approach them through someone who does.

Is documentation from an IRB reliable evidence that requested information is the minimum necessary? (retrieved 3/4/2003)

Question:  May a covered entity accept documentation of an external Institutional Review Board's (IRB) waiver of authorization for purposes of reasonably relying on the request as the minimum necessary?

Answer:  Yes. The HIPAA Privacy Rule explicitly permits a covered entity to reasonably rely on a researcher’s documentation of an Institutional Review Board (IRB) or Privacy Board waiver of authorization pursuant to 45 CFR 164.512(i) that the information requested is the minimum necessary for the research purpose. See 45 CFR 164.514(d)(3)(iii). This is true regardless of whether the documentation is obtained from an external IRB or Privacy Board or from one that is associated with the covered entity.

Does the Privacy Rule provide research participants the right to access research records/results? (retrieved 3/4/2003)

Question:  What does the HIPAA Privacy Rule say about a research participant's right of access to research records or results?

Answer:  With few exceptions, the Privacy Rule gives patients the right to inspect and obtain a copy of health information about themselves that is maintained by a covered entity or its business associate in a “designated record set.” A designated record set is basically a group of records which a covered entity uses to make decisions about individuals, and includes a health care provider’s medical records and billing records, and a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems. While it may be unlikely that a researcher would be maintaining a designated record set, any research records or results that are actually maintained by the covered entity as part of a designated record set would be accessible to research participants unless one of the Privacy Rule’s permitted exceptions applies.

One of the permitted exceptions applies to protected health information created or obtained by a covered health care provider/researcher for a clinical trial. The Privacy Rule permits the individual’s access rights in these cases to be suspended while the clinical trial is in progress, provided the research participant agreed to this denial of access when consenting to participate in the clinical trial. In addition, the health care provider/researcher must inform the research participant that the right to access protected health information will be reinstated at the conclusion of the clinical trial.

This material is designed for internal University at Buffalo use only and is copyrighted.  Information and documents available on this site may be freely copied and used with appropriate attribution to the University at Buffalo.  None of the information on these pages should be construed as legal advice or expert opinion with respect to how any particular function or entity engages in work to come into compliance with HIPAA.
Last updated: July 28, 2009.