Office of Human Research Ethics SOP 1801: Health Insurance Portability and Accountability Act (HIPAA)

1. Purpose

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the creation of a Privacy Rule for identifiable health information. While the primary impact of the Privacy Rule is on the routine provision of and billing for health care, the Rule also affects the conduct and oversight of research.

The Privacy Rule defines individually identifiable health information transmitted or maintained by a covered entity in any form (electronic, written, or oral) as “protected health information” (PHI) and establishes the conditions under which investigators may access and use this information in the conduct of research.

Except as otherwise permitted, the Privacy Rule requires that a human research subject “authorize” the use or disclosure of their PHI for research. This authorization is distinct from the human research subject’s consent to participate in research, which is required under the Common Rule and U.S. Food and Drug Administration (FDA) regulations.

Under the Privacy Rule, a HIPAA authorization may be combined with the consent document for research. When the consent document is combined with an Authorization, 45 CFR part 46 and 21 CFR part 56 require IRB review of the combined document.

At UNC-Chapel Hill, the Office of Human Research Ethics (OHRE) is designated to act upon requests for waivers and alterations of the authorization requirement for research purposes for otherwise exempt projects and other categories of research not subject to IRB or Privacy Board oversight.

2. Procedure

2.1 The IRB's Role Under the Privacy Rule

Under the Privacy Rule, IRBs gained authority to consider, and act upon, requests for a partial or complete waiver or alteration of the Privacy Rule’s authorization requirement for uses and disclosures of PHI for research. Although U.S. Department of Health and Human Services (DHHS) and FDA Protection of Human Subjects Regulations include protections to help ensure the privacy of subjects and the confidentiality of information, the Privacy Rule supplements these protections by requiring covered entities to implement specific measures to safeguard the privacy of PHI. If certain conditions are met, an IRB may grant a waiver or an alteration of the Authorization requirement for research uses or disclosures of PHI.

UNC-Chapel Hill has designated the UNC-Chapel Hill IRB to fulfill the functions of a Privacy Board for human subject research. The Privacy Rule does not change the composition of an IRB. The Privacy Rule permits a covered entity to accept documentation of waiver or alteration approval from any qualified IRB or Privacy Board - not only the IRB overseeing the organization’s research.

When acting upon a request to waive or alter the authorization requirement, an IRB must follow the procedural requirements of the DHHS Protection of Human Subjects Regulations and, if applicable, FDA regulations, including using either the normal review procedures (review by the convened IRB) or the expedited review procedures.

When a request for a waiver or an alteration of the authorization requirement is considered by the convened IRB, a majority of the IRB members must be present at the meeting, including at least one member whose primary concerns are in nonscientific areas.

In order for an approval of a waiver or an alteration of the Privacy Rule's authorization requirement to be effective, it must be approved by a majority of the IRB members present at the convened meeting. If a member of the IRB has a conflicting interest with respect to the PHI use and disclosure for which a waiver or an alteration approval is being sought, that member may not participate in the review.

DHHS and FDA have established categories of research that may be reviewed by an IRB through an expedited review procedure. Expedited review of a request for a waiver or an alteration of the Authorization requirement is permitted where the research activity is on the DHHS or FDA list of approved categories and involves no more than minimal risks. In addition, 45 CFR 46.110 and 21 CFR 56.110 permit an IRB to use an expedited review procedure to review minor changes in previously approved research.

A modification to a previously approved research plan, which only involves the addition of an Authorization for the use or disclosure of PHI to the IRB-approved informed consent, may be reviewed by the IRB through an expedited review procedure, because this type of modification may be considered to be no more than a minor change to research.

If expedited review procedures are appropriate for acting on the request, the review may be carried out by the IRB Chair or by one or more experienced reviewers designated by the Chair from among the IRB members.

A member with a conflicting interest may not participate in an expedited review. If an IRB uses expedited review procedures, it must adopt methods for keeping all its members advised of requests for waivers or alterations of the Authorization requirement as well as those requests that have been granted under an expedited review procedure.

IRB documentation of approval of a waiver or alteration of the authorization requirement includes:

  • The identity of the approving IRB;
  • The date on which the waiver or alteration was approved;
  • A statement that the IRB has determined that all the specified criteria for a waiver or an alteration were met;
  • A brief description of the PHI for which use or access has been determined by the IRB to be necessary in connection with the specific research activity; and
  • A statement that the waiver or alteration was reviewed and approved under either normal or expedited review procedures.

UNC-Chapel Hill will not release PHI to investigators without individual authorization or proper documentation of an IRB or Privacy Board approval of a waiver or alteration of the requirement.

2.2 Authorization

Except as otherwise permitted, the Privacy Rule requires that a human research subject “authorize” the use or disclosure of their PHI for research. This authorization is distinct from the human research subject's consent to participate in research, which is required under the Common Rule and FDA regulations. Just as a valid consent under the Common Rule and FDA regulations must meet certain requirements, a valid authorization must contain certain statements and core elements [45 CFR 164.508(c)]. At UNC-Chapel Hill, authorization language is generally not to be incorporated into the consent document. Template HIPAA authorization documents, which include the required HIPAA authorization language, are available from the IRB. Once executed, a signed copy must be provided to the individual providing authorization. Signed authorizations must be retained by the covered entity for six (6) years from the date of creation or the date the authorization was last in effect, whichever is later.

A human research subject has the right to revoke their authorization at any time. Investigators are not required to retrieve information that was disclosed under the authorization before learning of the revocation. Additionally, investigators may continue to use and disclose PHI already obtained for the research under an authorization to the extent necessary to protect the integrity of the research.

When an authorization permits disclosure of PHI to a person or organization that is not a covered entity (such as a sponsor or funding source), the Privacy Rule does not continue to protect the PHI disclosed to that entity. However, other federal and state laws, and agreements between the covered entity and the recipient such as a Business Associate Agreement (BAA) or Confidentiality Agreement, may establish continuing protections for the disclosed information. Under the DHHS Protection of Human Subjects regulations or the FDA Protection of Human Subjects regulations, an IRB may impose further restrictions on the use or disclosure of research information to protect human research subjects.

2.2.1 Authorization Core Elements

  1. A description of the PHI to be used or disclosed, identifying the information in a specific and meaningful manner.
  2. The names or other specific identification of the person or persons (or class of persons) authorized to make the requested use or disclosure.
  3. The names or other specific identification of the person or persons (or class of persons) to whom the covered entity may make the requested use or disclosure.
  4. A description of each purpose of the requested use or disclosure.
  5. Authorization expiration date or expiration event that relates to the human research subject or to the purpose of the use or disclosure (“end of the research study” or “none” are permissible for research, including for the creation and maintenance of a research database or repository).
  6. Signature of the human research subject and date. If the human research subject's Legally Authorized Representative (LAR) signs the Authorization, a description of the LAR's authority to act for the human research subject must also be provided.

2.2.2 Authorization Required Statements

  1. A statement of the human research subject's right to revoke their authorization, how to do so, and, if applicable, the exceptions to the right to revoke the human research subject's authorization or reference to the corresponding section of the covered entity’s notice of privacy practices.
  2. Whether treatment, payment, enrollment, or eligibility of benefits can be conditioned on authorization, including research-related treatment and consequences of refusing to sign the authorization, if applicable.
  3. A statement of the potential risk that PHI will be re-disclosed by the recipient. This may be a general statement that the Privacy Rule may no longer protect health information disclosed to the recipient.

2.2.3 Division of Responsibilities When One IRB Cedes Oversight to Another

In the case of a separate HIPAA authorization form, the Relying Institution is responsible for ensuring that the form complies with applicable requirements in the HIPAA Privacy Rule. In the case of a combined consent and HIPAA authorization, the Reviewing IRB is responsible for ensuring that the form complies with applicable requirements in the HIPAA Privacy Rule.

2.3 Waiver or Alteration of the Authorization Requirement

Obtaining signed authorization to access and use PHI for research is not always feasible. The Privacy Rule contains criteria for waivers or alterations of authorization. If a covered entity has used or disclosed PHI for research pursuant to a waiver or alteration of authorization, documentation of the approval of the waiver or alteration must be retained for six (6) years from the date of its creation or the date it was last in effect, whichever is later.

For research uses and disclosures of PHI, an IRB or Privacy Board may approve a waiver or an alteration of the authorization requirement in whole or in part. A complete waiver occurs when the IRB or Privacy Board determines that no authorization will be required for a covered entity to use and disclose PHI for a particular research project. A partial waiver of authorization occurs when the IRB or Privacy Board determines that a covered entity does not need authorization for all PHI uses and disclosures for research purposes, such as accessing PHI for research recruitment purposes. An IRB or Privacy Board may also approve a request that removes some, but not all, of the authorization requirements, or alters them (an alteration).

In order for an IRB or Privacy Board to waive or alter authorization, the Privacy Rule (45 CFR 164.512(i)(2)(ii)) requires the IRB or Privacy Board to determine the following:

  1. The use or disclosure of PHI involves no more than a minimal risk to the privacy of human research subjects, based on, at least, the presence of the following elements:
    1. An adequate plan to protect health information identifiers from improper use and disclosure;
    2. An adequate plan to destroy identifiers at the earliest opportunity consistent with conduct of the research (absent a healthcare or research justification for retaining them or a legal requirement to do so); and
    3. Adequate written assurances that the PHI will not be reused or disclosed to (shared with) any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule.
  2. The research could not practicably be conducted without the waiver or alteration.
  3. The research could not practicably be conducted without access to and use of the PHI.

The Privacy Rule allows institutions to rely on a waiver or an alteration of authorization obtained from a single Privacy Board to be used to obtain or release PHI in connection with a multi-site project. However, DHHS also recognizes that “covered entities may elect to require duplicate Privacy Board reviews before disclosing [PHI] to requesting researchers” (67 Federal Register 53232, August 14, 2002).

2.4 Activities Preparatory to Research

Under the preparatory to research provision of the Privacy Rule, a covered entity may permit an investigator who works for that covered entity to use PHI for purposes preparatory to research, such as assessing the feasibility of conducting a research project, developing a grant application, or identifying potential human research subjects. A covered entity may also permit, as a disclosure of PHI, a researcher who is not a workforce member of that covered entity to review PHI (within that covered entity) for purposes preparatory to research.

The covered entity must obtain from an investigator representations that:

  1. the use or disclosure is requested solely to review PHI as necessary to prepare a research plan or for similar purposes preparatory to research,
  2. the PHI will not be removed from the covered entity in the course of review, and
  3. the PHI for which use or access is requested is necessary for the research.

UNC-Chapel Hill investigators seeking to use PHI for purposes preparatory to research must contact the UNC Health Privacy Office to ensure compliance with applicable policies and procedures.

2.5 Research Using Decedents' Information

UNC-Chapel Hill obtains from the investigator:

  1. Representation that the use or disclosure sought is solely for research on the PHI of decedents;
  2. Documentation, at the request of the covered entity, of the death of such individuals; and
  3. Representation that the PHI for which use or disclosure is sought is necessary for the research purposes.

UNC-Chapel Hill investigators seeking to use decedents’ PHI for research purposes must contact the UNC Health Privacy Office to ensure compliance with applicable policies and procedures.

2.6 Future Uses: Databases and Repositories

The Privacy Rule recognizes the creation of a research database or a specimen repository to be a research activity if the data/specimens to be stored contain PHI. There are two separate activities that the covered entity must consider:

  1. the use or disclosure of PHI for creating a research database or repository, and
  2. the subsequent use or disclosure of PHI in the database for a particular research plan.

Individual authorization for the storage of PHI for future research must be sought unless the IRB has determined that the criteria for a waiver of the authorization requirement are satisfied.

See Section 2.3 of this SOP for a discussion of waivers of authorization.

At UNC-Chapel Hill, consent for research and authorization for use and/or disclosure of PHI are separate documents. As with any research activity, the separate consent and authorization for future research must describe the future research uses in sufficient detail to allow the prospective human research subject to make an informed decision. The investigator and IRB should be cognizant of uses of information/specimens that the target community may consider particularly sensitive, such as genetics, mental health, studies of origin, and use of tissues that may have cultural significance.

The consent and authorization forms can be stand-alone documents or may be incorporated into other consent and authorization forms if the information/specimens will originate from another research activity, such as a clinical trial, unless the research involves the use or disclosure of psychotherapy notes. Authorizations for the use or disclosure of psychotherapy notes can only be combined with another authorization for a use or disclosure of psychotherapy notes.

If the consent and authorization for future research are combined with another research consent and authorization, the combined consent and combined authorization must clearly differentiate between the research activities and allow the prospective human research subject to opt-in to the future research. Opt-outs for future research are not permitted under the Privacy Rule because an opt-out process does not provide prospective human research subjects with a clear ability to authorize the use of their information/specimens for future research and may be viewed as coercive.

2.7 Corollary and Sub-studies

As with any other research, human research subject participation in corollary or sub-studies not essential to the primary aims of the research should be on a voluntary basis. This is particularly important when the primary research offers a potential benefit, such as treatment, that might compel the prospective human research subject to agree to something that they otherwise would not.

HIPAA reinforces this ethical principle by explicitly stating that authorization for “unconditioned” activities, those with no associated treatment, benefit, or other effect on the individual human research subject, cannot be required. The published preamble to the HIPAA Omnibus Rule clarifies the basis for this position, and the requirement that authorization for unconditioned activities involve a clear opt-in mechanism, stating:

  • “This limitation on certain compound authorizations was intended to help ensure that individuals understand that they may decline the activity described in the unconditioned authorization yet still receive treatment or other benefits or services by agreeing to the conditioned authorization.” and “an opt out option does not provide individuals with a clear ability to authorize the optional research activity, and may be viewed as coercive by individuals.”

As with authorization for future research, it is acceptable to combine in a single document the authorization for a conditioned activity, such as a clinical trial, with authorization for an unconditioned activity, such as a corollary or sub-study that does not directly benefit or affect the individual prospective human research subject, provided that:

  1. The authorization clearly differentiates between the conditioned and unconditioned research activities;
  2. The authorization clearly allows the prospective human research subject the option to opt in to the unconditioned research activities; and
  3. Sufficient information is provided for the prospective human research subject to be able to make an informed choice about both the conditioned and unconditioned activities.

Separate authorization must be obtained for each research activity that involves the use and disclosure of psychotherapy notes. For example, authorization for the use and disclosure of psychotherapy notes for a clinical trial cannot be combined with an authorization for the use and disclosure of those psychotherapy notes for a corollary research activity.

2.8 De-identification of PHI under the Privacy Rule

Covered entities may use or disclose health information that is de-identified without restriction under the Privacy Rule. The “Safe Harbor” method permits a covered entity to de-identify data by removing all 18 data elements that could be used to identify the human research subject or the human research subject's relatives, employers, or household members. The covered entity also must have no actual knowledge that the remaining information could be used alone or in combination with other information to identify human research subjects. Under this method, the identifiers that must be removed are the following:

  1. Names.
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census:
    1. The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people.
    2. The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.
  3. All elements of dates (except year) for dates directly related to a human research subject, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  4. Telephone numbers.
  5. Facsimile numbers.
  6. Electronic mail addresses.
  7. Social security numbers.
  8. Medical record numbers.
  9. Health plan beneficiary numbers.
  10. Account numbers.
  11. Certificate/license numbers.
  12. Vehicle identifiers and serial numbers, including license plate numbers.
  13. Device identifiers and serial numbers.
  14. Web universal resource locators (URLs).
  15. Internet Protocol (IP) address numbers.
  16. Biometric identifiers, including fingerprints and voiceprints.
  17. Full-face photographic images and any comparable images.
  18. Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification.

Alternatively, a qualified statistician may certify that the risk is very small that health information could be used, alone or in combination with other available information, to identify human research subjects. The qualified statistician must document the methods and results of the analysis that justify such a determination. This analysis must be retained by the covered entity for six (6) years from the date of its creation or when it was last acted on, whichever is later.

The Privacy Rule permits a covered entity to assign to, and retain with, the de-identified health information, a code or other means of record re-identification if that code is not derived from or related to the information about the individual and is not otherwise capable of being translated to identify the human research subject. The covered entity may not use or disclose the code or other means of record identification for any other purpose and may not disclose its method of re-identifying the information.

NOTE: Data that is considered de-identified under HIPAA may still be considered human research subject data under the Common Rule, particularly when working with a small data set that can be further divided into smaller subsets. Additionally, while coded information may be de-identified under HIPAA, if the investigator holds or has the ability to access both the code and the data, the information is considered identifiable private information under the Common Rule.

2.9 Limited Data Sets and Data Use Agreements

Limited data sets are data sets stripped of certain direct identifiers. Limited data sets may be used or disclosed only for public health, research, or health care operations purposes. Because limited data sets may contain identifiable information, they are still PHI and as such are not considered de-identified under the Privacy Rule. Unlike de-identified data, PHI in limited data sets may include:

  • addresses other than street name or street address or post office boxes,
  • all elements of dates (such as admission and discharge dates), and/or
  • unique codes or identifiers not listed as direct identifiers.

All of the following direct identifiers must be removed for PHI to qualify as a limited data set:

  1. Names.
  2. Postal address information, other than town or city, state, and ZIP code.
  3. Telephone numbers.
  4. Fax numbers.
  5. Email addresses.
  6. Social security numbers.
  7. Medical record numbers.
  8. Health plan beneficiary numbers.
  9. Account numbers.
  10. Certificate or license numbers.
  11. Vehicle identifiers and license plate numbers.
  12. Device identifiers and serial numbers.
  13. URLs.
  14. IP addresses.
  15. Biometric identifiers.
  16. Full-face photographs and any comparable images.

Before disclosing a limited data set, a covered entity must enter into a data use agreement (DUA) with the recipient, even when the recipient is a member of its workforce. The DUA establishes the parameters around the proposed uses and disclosures of the data, who is permitted to have access to the data, and stipulates the following:

  • no other use will be made of the data,
  • no attempt will be made to identify or contact individuals whose data are included in the limited data set,
  • appropriate safeguards are in place to protect the data from unauthorized use, and
  • the recipient will report any uses or disclosures of the PHI that they become aware of that are not in keeping with the terms of the DUA.

DUAs for the purposes of research are available through the Office of Industry Contracting.

2.10 Research Subject Access to PHI and Other Types of Health Information

One exception is during a clinical trial, when the subject’s right of access can be suspended while the research is in progress. The subject must have been notified of and agreed to the temporary denial of access when providing consent and authorization. Any such notice must also inform the individual that the right of access will be restored upon conclusion of the clinical trial. Language accommodating this exclusion is included in the applicable UNC-Chapel Hill research consent/authorization templates.

2.11 Accounting of Disclosures

The Privacy Rule generally grants individuals the right to a written “Accounting of Disclosures” of their PHI made by a covered entity without the individual’s authorization in the six (6) years prior to their request for an Accounting. A covered entity must therefore keep records of such PHI disclosures for six (6) years.

It is important to understand the difference between a use and a disclosure of PHI. In general, the use of PHI means communicating that information within the covered entity. A disclosure of PHI means communicating that information to a person or entity outside the covered entity.

The Privacy Rule restricts both uses and disclosures of PHI, but it requires an accounting only for certain PHI disclosures.

Generally, an Accounting of Disclosures is required for:

  1. Routinely Permitted Disclosures (e.g., under public health authority, to regulatory agencies, to persons with FDA-related responsibilities) with limited exceptions (e.g., law enforcement, national security, etc.); and
  2. Disclosures made pursuant to:
    1. Waiver of Authorization,
    2. Research on Decedents’ Information, and
    3. Reviews Preparatory to Research.

An accounting is not needed when the PHI disclosure is made:

  1. For treatment, payment, or health care operations,
  2. Under an Authorization for the disclosure,
  3. To an individual about themselves, or
  4. As part of a limited data set under a data use agreement.

The Privacy Rule allows three methods for accounting for research-related disclosures that are made without the individual's Authorization or other than as part of a limited data set:

  1. A standard approach,
  2. a multiple-disclosures approach, and
  3. an alternative for disclosures involving 50 or more individuals.

Whatever approach is selected, the accounting is made in writing and provided to the requesting individual. Accounting reports to individuals may include results from more than one accounting method.

See the UNC-Chapel Hill Accounting of Disclosures of Protected Health Information (PHI) Policy for a detailed discussion on Accounting for Disclosures.

Contact Information

Policy Contact

Office of Human Research Ethics
CB 7097
720 Martin Luther King Jr. Blvd.
Bldg # 385, Second Floor
Chapel Hill, NC 27599-7097

Ph: 919-966-3113
Fax: 919-966-7879

Other Contacts

Office of Industry Contracting

Email: OSPContracting@unc.edu

Details

Article ID: 132236
Created: Thu 4/8/21 9:26 PM
Modified: Sat 8/13/22 10:37 PM
Effective Date: 08/15/2022 12:00 AM
Issuing Officer Title: Vice Chancellor
Last Review: 07/21/2022 12:00 AM
Last Revised: 07/21/2022 12:00 AM
Next Review: 07/01/2025 12:00 AM
Origination: 06/02/2017 12:00 AM
Responsible Unit: Research-IRB and Human Research Ethics