HIPAA Privacy Rule and Research at OSF HealthCare

“HIPAA” is an acronym for the Health Insurance Portability and Accountability Act, passed by Congress in 1996.

As part of HIPAA, Congress required the Department of Health and Human Services (DHHS) to promulgate privacy regulations to protect the confidentiality of individually identifiable health care information.

These regulations have taken form in the Privacy Rule, which specifies permissible uses and disclosures by entities subject to HIPAA.

The purpose of the HIPAA Privacy Rule is to establish minimum Federal standards for safeguarding the privacy of individually identifiable health information.

Covered entities, which must comply with the Rule, may not use or disclose protected health information (PHI) except as permitted or required under the provisions of the Privacy Rule.

The Rule also confers certain rights on individuals, including rights to access and amend certain health information and to obtain a record of when and how their PHI has been shared with others for certain purposes.

In addition, the Rule establishes administrative requirements for covered entities.

Covered entities that fail to comply with the Privacy Rule may be subject to civil monetary penalties, criminal monetary penalties, and/or imprisonment.

HIPAA in Research

PHI includes identifiable health information about subjects of clinical research gathered by a researcher who is a covered health care provider.

The HIPAA Privacy Rule permits a covered entity to use or disclose PHI for research under the following circumstances and conditions:

  • If the subject of the PHI has granted specific written permission through an Authorization that satisfies HIPAA Privacy Rule requirements (45 CFR 164.508)
  • For reviews preparatory to research, with representations obtained from the researcher that satisfy HIPAA Privacy Rule requirements (45 CFR 164.512(i)(1)(ii))
  • For research solely on decedents' information, with certain representations and, if requested, documentation obtained from the researcher that satisfies HIPAA Privacy Rule requirements (45 CFR 164.512(i)(1)(iii))
  • If the covered entity receives appropriate documentation that an IRB or a Privacy Board has granted a waiver of the Authorization requirement that satisfies HIPAA Privacy Rule requirements (45 CFR 164.512(i))
  • If the covered entity obtains documentation of an IRB or Privacy Board's alteration of the Authorization requirement, as well as the altered Authorization from the individual
  • If the PHI has been de-identified in accordance with the standards set by the HIPAA Privacy Rule, in which case the health information is no longer PHI (45 CFR 164.514(a)-(c))
  • If the information is released in the form of a limited data set, with certain identifiers removed and with a data use agreement between the researcher and the covered entity, as specified in the HIPAA Privacy Rule (45 CFR 164.514(e))
  • Under a "grandfathered" informed consent of the individual to participate in the research, an IRB waiver of such informed consent, or an Authorization or other express legal permission to use or disclose the information for research, as specified under the transition provisions of the HIPAA Privacy Rule (45 CFR 164.532(c))

Important HIPAA Terms to Know

Covered Entity

A health plan, a health care clearinghouse, or a health care provider that transmits health information in electronic form in connection with a transaction.

Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities.

Covered entities can be institutions, organizations, or people.

Researchers are covered entities if they are also health care providers that transmit health information in electronic form in connection with a transaction.

For example, physicians who conduct clinical studies or administer experimental therapeutics to participants during the course of a study must comply with the Privacy Rule if they meet the HIPAA definition of a covered entity.

Business Associate

A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a Covered Entity. Business Associates are subject to the same requirements regarding the security and privacy of PHI as Covered Entities.

Employees of a Covered Entity are not themselves Business Associates.

Examples of Business Associates include persons performing data analysis, quality assurance or billing services on behalf of the Covered Entity.

Review the OSF Guidance for Investigators: Business Associate Agreements for additional assistance with determining if an entity is a business associate and establishing business associate arrangements.

Identifiable Health Information

Any subset of health information, including demographic information collected from an individual, that:

  1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse (an organization that codes health data);
  2. Relates to the past, present or future physical or mental health or condition, the past, present or future provision of care to an individual, or the past, present or future payment for the provision of health care to an individual; and
  3. Identifies the individual (or there is a reasonable basis to believe that the information can be used to identify the individual).

Protected Health Information (PHI)

Individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a Covered Entity or Business Associate.

De-Identified Health Information

Health information is considered de-identified when it does not identify an individual, and the Covered Entity has no reasonable basis to believe that the information can be used to identify an individual.

De-identified health information is not PHI, and thus is not protected by the Privacy Rule nor subject to HIPAA’s authorization requirements, even when used or disclosed by a Covered Entity or a Business Associate.

For additional information on health information de-identification procedures, including the 18 identifiers that must be removed, review the OSF Guidance for Investigators: De-Identifying PHI Under the HIPAA Privacy Rule.

PHI Use

The sharing, employment, application, utilization, examination, or analysis of PHI within the Covered Entity holding the information (i.e. OSF HealthCare).

PHI Disclosure

The release, transfer, provision of access to, or divulging in any manner of PHI outside of the covered entity holding the information (i.e. OSF HealthCare).

HIPAA Authorization

PHI may be used and disclosed for research with an individual's written permission in the form of an Authorization. When an Authorization is obtained for research purposes, the Privacy Rule requires that it pertain only to a specific research study, not to nonspecific research or to future, unspecified projects.

PHI may be used and disclosed for research without an Authorization in limited circumstances: under a waiver of the Authorization requirement, as a limited data set with a data use agreement, preparatory to research, and for research on decedents' information.

Waiver of HIPAA Authorization

A determination made by an IRB or Privacy Board that no Authorization will be required for a covered entity to use and disclose PHI for a particular research project.

Limited Data Set (LDS)

PHI that excludes specific categories of direct identifiers and may be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual's Authorization or a waiver/alteration of Authorization for its use and disclosure, with a data use agreement.

Data Use Agreement (DUA)

An agreement into which the covered entity enters with the intended recipient of a limited data set that establishes the ways in which the information may be used and how it will be protected.

A DUA is the means by which covered entities obtain satisfactory assurances that the recipient of a limited data set will use or disclose PHI in the data set only for specified purposes.

Even if the person requesting a limited data set from a covered entity is an employee or otherwise a member of the covered entity's workforce, a written DUA must be in place between the covered entity and the limited data set recipient.

Accounting of PHI Disclosures

Accounting of disclosures of PHI obtained under a waiver of HIPAA Authorization for research purposes is required by the HIPAA Privacy Rule.

When a research subject signs a HIPAA Authorization, the Covered Entity is not required to account for the authorized disclosure of PHI. Nor is an accounting required when the disclosed PHI is contained in a limited data set or a de-identified data set.

Individuals may request an accounting of PHI disclosures for research purposes for up to six years prior to the date of the request.

Applying the HIPAA Privacy Rule to My Research Project

If your research involves a business associate arrangement, the HIPAA Privacy Rule requires a covered entity to enter into a written contract with the business associate.

That written contract must include a Business Associate Addendum, through which OSF HealthCare obtains satisfactory assurances that the business associate will appropriately safeguard the security and privacy of the PHI being received.

Review the OSF Guidance for Investigators: Business Associate Agreements for additional assistance with determining if an entity involved in your research is a business associate and, if so, how to establish a business associate arrangement.

If your research intends to use or disclose health information that is considered de-identified, it must first be determined that the information has been properly de-identified according to one of the two acceptable methods provided by the Privacy Rule: statistical verification, or removal of certain pieces of information from each record (i.e. the 18 HIPAA identifiers).

Review the OSF Guidance for Investigators: De-Identifying PHI Under the HIPAA Privacy Rule for additional information on de-identification procedures, including the 18 identifiers that must be removed.

If your research involves using or disclosing PHI outside of the covered entity, determine whether the PHI constitutes a limited data set (LDS) using the OSF Data Use Form. If the PHI is considered to be a LDS, a Data Use Agreement may need to be in place before beginning the research project.

If your research involves disclosing PHI outside of the covered entity, an accounting of those disclosures may be required by the HIPAA Privacy Rule (45 CFR 164.528).

Review the OSF Guidance for Investigators: HIPAA Accounting of Disclosures to determine whether an accounting of disclosures is necessary and, if so, what content must be accounted for.

Additional HIPAA in Research Educational Resources