HIPAA Guidance Document

Introduction

M.I.T. is committed to conducting research in compliance with all applicable laws and regulations. To ensure this, the Committee on the Use of Humans as Experimental Subjects (COUHES) is publishing this guidance document to assist the M.I.T. research community in implementing the requirements of the HIPAA Privacy Rule.

What is HIPAA?

HIPAA is an acronym for the Health Insurance Portability and Accountability Act, passed by Congress in 1996. The purpose of the Act was to increase the ease with which people could transfer their health care information from one insurer or provider to the next. Congress, as part of HIPAA, required the development of privacy regulations to protect the confidentiality of individually identifiable health care information. The final Privacy Rule was issued on August 14, 2002 (www.hhs.gov/ocr/hipaa/finalreg.html). M.I.T. has until April 14, 2003 to comply with the Privacy Rule.

Who is affected by HIPAA?

All researchers (faculty, staff, or students) at MIT who access or create Protected Health Information (PHI) preceding or during the conduct of their research must comply with the HIPAA regulations.

The Privacy Rule, while not intended to directly regulate the conduct of research, does have implications for the use and disclosure of protected health information (PHI) in the conduct of research. It contains sections that impose requirements on those involved in research, both individuals and institutions. This guidance discusses those requirements and how M.I.T. researchers can comply with those requirements.

HIPAA Privacy Rule and the "Common Rule"

A primary source of regulation of research is the Federal Policy for Human Subject Protection, known as the Common Rule. This federal regulation has been adopted by 17 federal departments and agencies, as the basis for protection of human subjects in research.

The Privacy Rule does not make any changes to the Common Rule. However, it does contain several provisions that resemble provisions of the Common Rule or that reference those provisions. Similarly, the Privacy Rule contains specific requirements for the composition of a Privacy Board, which, for M.I.T. research purposes, will be COUHES.

COUHES and researchers must continue to adhere to the mandates of the Common Rule while implementing the requirements of the HIPAA Privacy Rule.

What is PHI?

Protected Health Information is, for research purposes, any information pertaining to the past, present, or future physical or mental health or condition of an individual. PHI may be information that is recorded electronically, on paper, or orally. PHI may concern living people or dead people (referred to in the law as "decedents"). PHI does NOT include de-identified information or biological tissue with no accompanying information, such as an accession number or code number that may be linked to an identifier.

Key Concepts and Definitions

Covered Entity - This definition applies to individual researchers involved in obtaining, using, and disclosing PHI of subjects. The M.I.T. Medical Department is also a single covered entity for the purpose of complying with the Privacy Rule.

Use and Disclosure of Information - According to the definitions in the Privacy Rule, information is "used" when it remains within the entity holding the information (for example, when it is shared between M.I.T. researchers) and it is "disclosed" when it is released outside the entity (for example M.I.T.) that holds this information.

Role of COUHES - The Privacy Rule does not regulate the work of COUHES as it relates to the protection of human subjects. However, in regard to research data, M.I.T. relies heavily on COUHES as the key point of contact within M.I.T. as a "covered entity" for researchers. For the purposes of human subject research at M.I.T., all such requests for authorizations for release, waivers or alterations of PHI will be reviewed by COUHES.

Minimum Necessary - The Privacy Rule restricts use and disclosure of PHI. However, it does contain exceptions granting access in certain circumstances. Underlying all the exceptions, however, is the principle that any access should be limited to the minimum amount of information necessary to accomplish the intended purpose of the use or disclosure.

For M.I.T. research purposes, this standard requires an M.I.T. researcher to evaluate the needs of his or her study and to request access only to those pieces of information that are necessary for the complete and accurate development of the research. This is advisable as ethical research practice (although not required) even if a research subject permits more information to be used or disclosed.

What kind of research and researchers are affected by the HIPAA regulations?

Any kind of research conducted under the auspices of M.I.T. that creates or uses protected health information is subject to the HIPAA regulations. This includes such research activities as clinical research, behavioral and social science studies, and basic science research activities. It includes research that involves the provision of treatment as well as research that provides neither treatment nor diagnosis.

All studies involving creation or use of Protected Health Information (PHI) must be reviewed and approved in advance by COUHES.

All researchers at M.I.T. who wish to conduct research involving protected health information MUST complete HIPAA training before they will be allowed to have access to individually identifiable health information in any form.

What types of health information are there?

There are three categories of health information. The Privacy Rule identifies distinct methods for using and disclosing each of them for research purposes. The researcher should be familiar with these and choose the method most suited to his or her study.

The authorization requirements for use are different for each.

Individually Identifiable Health Information: includes any subset of health information, including demographic information collected from an individual, that:

  1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse (an organization that codes health data)
  2. Relates to the past, present or future physical or mental health or condition, the past, present or future provision of care to an individual, or the past, present or future payment for the provision of health care to an individual
  3. Identifies the individual (or there is a reasonable basis to believe that the information can be used to identify the individual)

An authorization for the disclosure of individually identifiable health information signed by the research subject is almost always required. The authorization is the document through which a subject permits researchers to access his or her protected health information.

The information in the authorization must include:

  • a description of the information to be used for research purposes
  • who may use or disclose the information
  • who may receive the information
  • purpose of the use or disclosure
  • expiration date or event (if the information will be kept indefinitely, the authorization states that there is no expiration date)
  • individual's signature and date
  • right to revoke authorization
  • right to refuse to sign authorization (if this happens, the individual may be excluded from the research and any treatment associated with the research)
  • if relevant, that the research subject's access rights are to be suspended while the clinical trial is in progress, and that the right to access PHI will be reinstated at the conclusion of the clinical trial.

A template for a standard authorization form is available from the COUHES website.

The authorization will generally be part of the informed consent process, since COUHES will review the authorization as part of its review of the informed consent proposed by the researcher.

Blanket authorizations for research to be conducted in the future are not permitted. Each new use requires a specific authorization. Subjects will not be allowed to participate in the research study if they do not sign an authorization for release of their protected health information.

An alternative to asking each research subject for an authorization is to ask COUHES for a waiver of authorization or an alteration of the standard elements of an authorization. If the use of individually identifiable health information meets the requirements for a waiver of authorization, then COUHES may approve such a waiver. The request for a waiver of authorization shall form part of the COUHES standard form human subjects application process.

The criteria COUHES uses in approving requests for a waiver of authorization are as follows:

  • the use or disclosure of protected health information must involve no more than minimal risk to the privacy, safety, and welfare of the individual;
  • the research could not practicably be conducted without the waiver or alteration; and
  • the research could not practicably be conducted without access to the protected health information.

COUHES must also consider if the researcher has provided:

  • an adequate plan to protect the identifiers from improper use or disclosure
  • an adequate plan to destroy the identifiers at the earliest opportunity, unless retention of identifiers is required by law or is justified by research or health issues
  • adequate written assurance that the PHI will not be used or disclosed to a third party except as required by law or permitted by an authorization signed by the research subject

De-Identified Information: Health information is considered de-identified when it does not identify an individual and the covered entity has no reasonable basis to believe that the information can be used to identify an individual. De-identified health information is not subject to the authorization requirements of the Privacy Rule. Information is considered de-identified if the following 18 identifiers are removed from the health information and the remaining health information could not be used, alone or in combination, to identify a subject of the information. The identifiers are:

  1. names
  2. geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial five digits of a zip code to 000
  3. all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89
  4. telephone numbers
  5. fax numbers
  6. electronic mail addresses
  7. Social Security numbers
  8. medical record numbers
  9. health plan beneficiary numbers
  10. account numbers
  11. certificate/license numbers
  12. vehicle identifiers and serial numbers, including license plate numbers
  13. device identifiers and serial numbers
  14. Web Universal Resource Locator (URL)
  15. biometric identifiers, including finger or voice prints
  16. full face photographic images and any comparable images
  17. Internet Protocol address numbers
  18. any other unique identifying number, characteristic, or code

Limited Data Set: The limited data set option is a less restrictive option than complete de-identification in that it allows the inclusion of health information with certain identifiers. However, it does not allow unfettered access to identifiable information and requires certain safeguards.

A limited data set is information disclosed by a covered entity to a researcher who has no relationship with the individual whose information is being disclosed. The covered entity is permitted to disclose PHI, with certain direct identifiers included, subject to obtaining a data use agreement from the researcher receiving the limited data set. A data use agreement specifies permitted uses and disclosures, specifies who may use or receive the data set, restricts further use and disclosure, and restricts re-identification of the data or contact with the individuals. A template for a data use agreement is available from the COUHES office.

Identifiers that are allowed in the limited data set are:

  1. admission, discharge and service dates
  2. birth date
  3. date of death
  4. age (including age 90 or over)
  5. geographical subdivisions such as state, county, city, precinct and five digit zip code
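The two identifier regimes described above, de-identification by removing the 18 identifiers and the limited data set that keeps dates, ages and geography down to the five-digit zip code, as an added worked example in Python. This is illustration code written for this page, not COUHES or M.I.T. code. The field names, the fictitious sample record, the reference date used for age calculation (the April 14, 2003 compliance date) and the set of low-population three-digit zip prefixes are assumptions; the three-digit zip handling follows the Privacy Rule's own Safe Harbor text (45 CFR 164.514(b)), which keeps the first three digits of a zip code unless the area they cover has 20,000 or fewer people, in which case they become 000.

```python
import re
from datetime import date

# Constructed, fictitious record for the example; no value here is real.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "birth_date": "1910-03-14",
    "admission_date": "2003-02-01",
    "state": "MA",
    "city": "Cambridge",
    "zip": "02139",
    "phone": "617-555-0100",
    "email": "jane@example.org",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-0001",
    "device_serial": "SN-ABC-123",
    "ip_address": "192.0.2.10",
    "diagnosis": "hypertension",
    "notes": "Jane Q. Sample, MRN-0001, reports dizziness; callback 617-555-0100, jane@example.org",
}

# Assumed field names for the direct identifiers in the 18-item list (names,
# phone/fax, e-mail, SSN, record/plan/account/license numbers, vehicle and
# device identifiers, URLs, biometrics, photos, IP addresses, other codes).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "medical_record_number",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "biometric", "photo", "ip_address", "other_unique_id",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}
SUB_STATE_GEOGRAPHY = {"street", "city", "county", "precinct", "zip"}

# Identifier-shaped strings to scrub from free text. A pattern scrub is a
# heuristic that supports manual review of notes; it does not replace it.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
]

# Three-digit zip prefixes whose area has 20,000 or fewer people become 000.
# The real set comes from Census data; this is a constructed placeholder.
LOW_POPULATION_ZIP3 = {"036", "059", "102", "203"}

# Assumed reference date for age calculation: the Privacy Rule compliance date.
COMPLIANCE_DATE = date(2003, 4, 14)


def age_on(birth_iso, reference):
    """Whole years between an ISO-format birth date and the reference date."""
    b = date.fromisoformat(birth_iso)
    return reference.year - b.year - ((reference.month, reference.day) < (b.month, b.day))


def strip_direct_identifiers(record):
    """Drop direct-identifier fields, then scrub their values and any
    identifier-shaped patterns out of the remaining free-text fields."""
    direct_values = [str(record[k]) for k in DIRECT_IDENTIFIERS if record.get(k)]
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if isinstance(value, str) and key not in DATE_FIELDS:
            for val in direct_values:
                value = value.replace(val, "[REDACTED]")
            for pattern, label in FREE_TEXT_PATTERNS:
                value = pattern.sub(label, value)
        out[key] = value
    return out


def safe_harbor_deidentify(record, reference_date=COMPLIANCE_DATE):
    """De-identified data: every one of the 18 categories removed or reduced."""
    out = strip_direct_identifiers(record)
    # Dates keep only the year; ages over 89 collapse to "90+", and a birth
    # year that would reveal such an age is dropped as well.
    over_89 = False
    if record.get("birth_date"):
        age = age_on(record["birth_date"], reference_date)
        over_89 = age > 89
        out["age"] = "90+" if over_89 else age
    for field in DATE_FIELDS:
        if out.get(field):
            out[field] = None if (field == "birth_date" and over_89) else out[field][:4]
    # Geography below state level goes, except the three-digit zip prefix.
    zip3 = (record.get("zip") or "")[:3]
    for field in SUB_STATE_GEOGRAPHY:
        out.pop(field, None)
    if zip3:
        out["zip3"] = "000" if zip3 in LOW_POPULATION_ZIP3 else zip3
    return out


def limited_data_set(record):
    """Limited data set: direct identifiers go, but full dates, ages and
    geography down to five-digit zip stay. The data use agreement this
    requires is a contractual control that code cannot supply."""
    out = strip_direct_identifiers(record)
    out.pop("street", None)  # street address is not a permitted identifier
    return out
```

Running `safe_harbor_deidentify(SAMPLE_RECORD)` leaves state, diagnosis, a three-digit zip prefix, year-only admission date and the age category "90+" with the birth date dropped; `limited_data_set(SAMPLE_RECORD)` keeps the full birth and admission dates, city and five-digit zip while removing the same direct identifiers from both the fields and the free-text note.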

What information must researchers provide to COUHES?

As part of completing their COUHES application researchers must provide details about the types of information they will use in their research, how it will be used, who will have access to it, and when it will be destroyed. Specifically, they are asked:

  • What risks are posed by the use of the data and how have they been minimized?
  • What is the justification for access to the data and why are they necessary to conduct the research?
  • What plan does the researcher have to protect identifiers from improper use or disclosure?
  • What is the researcher's plan to destroy the identifiers? If it is not possible to destroy the identifiers, what is the health, legal, or scientific justification?
  • Has the researcher provided adequate written assurance that the PHI will not be used or disclosed to a third party except as required by law or permitted by an authorization signed by the research subject?

Researchers requesting waivers of authorization will also need to document:

  • that the use or disclosure poses no more than minimal risk to the subject
  • that the research could not practicably be conducted without the waiver
  • that the research could not practicably be conducted without access to the protected health information.

Research subjects' rights under HIPAA

Right to an accounting: When a research subject signs an authorization to disclose PHI, the covered entity is not required to account for the authorized disclosure. Nor is an accounting required when the disclosed PHI was contained in a limited data set or is released to the researcher as de-identified data. However, an accounting is required for research disclosures of identifiable information obtained under a waiver of, or exception to, authorization. Research subjects may request an accounting of disclosures going back up to six years.

Right to revoke authorization: A research subject has the right to revoke his or her authorization unless the researcher has already acted in reliance on the original authorization. Under the authorization revocation provision, covered entities may continue to use or disclose PHI collected prior to the revocation as necessary to maintain the integrity of the research study. Examples of permitted disclosures include submissions of marketing applications to the FDA, reporting of adverse events, accounting of the subject's withdrawal from the study and investigation of scientific misconduct.

Reviews Preparatory to Research

In certain circumstances when a researcher is preparing a protocol, the Privacy Rule and M.I.T. policy allow access to PHI without an authorization from the individual or a waiver from COUHES. However, the researcher must document that:

  1. the access is only to prepare a protocol
  2. no protected health information will be removed from MIT
  3. the protected health information accessed is necessary for the preparatory review

This access is granted only to M.I.T. researchers; non-M.I.T. researchers may not access MIT data.

Research on Decedents' Information

Research on decedents' information is permitted if the researcher obtains either orally or in writing:

  1. representations that the use or disclosure is sought solely for research on the PHI of decedents
  2. documentation, at the request of COUHES, of the death of such individuals
  3. representation that the PHI for which use or disclosure is sought is necessary for the research purposes.

It is suggested that the researcher have written documentation in his/her files covering these issues.

Transition Provision (Grandfather Provision)

A transition provision was included in the Privacy Rule that has significant impact on the research community by "grandfathering" certain research studies that are underway at the compliance date mandated for the Privacy Rule.

The Privacy Rule allows for use and disclosure of PHI created or received for research, either before or after April 14, 2003, if one of the following was obtained prior to that date:

  • An authorization or other express legal permission from the individual to use or disclose his or her information for research,
  • The legally effective informed consent of the individual to participate in the research, OR
  • A valid waiver of informed consent from COUHES

However, if a subject is asked for informed consent (or asked to re-consent) on or after April 14, 2003, an authorization must be obtained at that time.

Summary of Transition Provisions:

  • Waiver of informed consent obtained prior to April 14, 2003: No action necessary. The waiver is deemed a "waiver" for Privacy Rule purposes for the duration of the research study.
  • Informed Consent obtained prior to April 14, 2003: Information obtained pursuant to an informed consent signed prior to April 14, 2003, even if the information is not obtained until after April 14, 2003, is "grandfathered" under the Privacy Rule. HOWEVER, if the subject is "re-consented," that is, asked for a new informed consent ON OR AFTER April 14, 2003, a valid authorization must be obtained.
  • Informed Consent obtained ON OR AFTER April 14, 2003: Must include a separate authorization form or must obtain waiver of authorization from COUHES. Note that if subjects will be asked to give their informed consent to participate in the research, it is unlikely that COUHES will grant a waiver of authorization.

More Information

COUHES will continue to provide guidance to its research community. Questions regarding this guidance and requests for further information should be directed to Judith Medeiros-Adams (jadams@mit.edu) or by calling 617-253-6787.

COUHES
77 Massachusetts Ave.
Room E25-143B
Cambridge, MA 02139
617/253-6787
617/253-8420 (fax)

Copyright © 2003 Massachusetts Institute of Technology
Last modified on Thursday, 06-Oct-2005 18:59:25 EDT