HIPAA and Research at NAU
Why Should Researchers Be Aware of the HIPAA Privacy Rule?
It is important to understand that most of the research done at Northern Arizona University will not have to comply with the HIPAA Privacy Rule, even if it involves handling individually identifiable health information. This does not mean that institutional best practices will not be used to maintain the privacy of this information; it just means that the federal HIPAA Privacy Regulations will not apply. The federal government requires compliance with its regulations for Covered Entities. Covered Entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain defined HIPAA transactions, such as claims or eligibility inquiries.
Researchers are not themselves Covered Entities, unless they are also health care providers and engage in any of the covered electronic transactions. If, however, researchers are employees or other workforce members of a Covered Entity (e.g., a covered hospital or health insurer), they may have to comply with that entity’s HIPAA privacy policies and procedures.
Researchers who are not themselves Covered Entities, or who are not workforce members of Covered Entities, may nonetheless be indirectly affected by the Privacy Rule if Covered Entities supply the data that will be used in the research. The HHS and the Food and Drug Administration’s (FDA) Protection of Human Subjects Regulations (45 CFR part 46 and 21 CFR parts 50 and 56, respectively) may also apply to research involving the development or use of research repositories and associated data. To gain access to this Protected Health Information created or maintained by Covered Entities, the researcher may have to provide supporting documentation on which the Covered Entity may rely in meeting the requirements, conditions, and limitations of the Privacy Rule.
Northern Arizona University is a “hybrid entity” with “covered components” called “covered entities” which must comply with the provisions of HIPAA. The current designated components for NAU include the following:
1. Campus Health Services (health care provider)
2. Communication Sciences and Disorders (health care provider)
3. Institute for Human Development, Augmentative Communication (health care provider)
4. Enrollment Management and Student Affairs Financial Services
How Can Covered Entities Use and Disclose Protected Health Information for Research and Comply with the Privacy Rule?
Because a researcher at NAU may want to access PHI held by a Covered Entity, it is important for the researcher to understand how Covered Entities can use and disclose PHI for research and comply with the Privacy Rule. There are three key points to help understand how to keep research data secure and compliant with HIPAA.
- De-identified health information, as described in the Privacy Rule, is not PHI, and thus is not protected by the Privacy Rule.
- PHI may be used and disclosed for research with an individual’s written permission in the form of an authorization.
- PHI may be used and disclosed for research without an authorization in limited circumstances: under a waiver of the Authorization requirement, as a limited data set with a data use agreement, preparatory to research, and for research on decedents’ information.
Listed below are nine ways in which data can be shared for research. Please review the embedded links and select the read more options if you would like more information on that topic.
1. Receive a written HIPAA Compliant Authorization. A compliant authorization checklist can help you determine if the form you have received meets the requirements. If you need to prepare a compliant authorization use the HIPAA Authorization Template.
2. The health information can be de-identified (requirements for de-identified data). De-identified data is not protected health information and is thus not protected by the Privacy Rule.
4. An IRB has waived the requirement for an Authorization.
5. The activities are just to prepare for research and required representations are obtained from the researchers.
Covered entities may permit researchers to review PHI in medical records or elsewhere during reviews preparatory to research. These reviews allow the researcher to determine, for example, whether there is a sufficient number or type of records to conduct the research. Importantly, the covered entity may not permit the researcher to remove any PHI from the covered entity. To permit the researcher to conduct a review preparatory to research, the covered entity must receive from the researcher representations that:
- The use or disclosure is sought solely to review PHI as necessary to prepare the research protocol or other similar preparatory purposes.
- No PHI will be removed from the covered entity during the review.
- The PHI that the researcher seeks to use or access is necessary for the research purposes.
Additional information on activities preparatory to research can be found in the booklet, Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule.
6. The use or disclosure is for patient recruitment purposes.
Identifying Research Participants
Under the “preparatory to research” provision, covered entities may use or disclose PHI to researchers to aid in study recruitment. The covered entity may allow a researcher, either within or outside the covered entity, to identify, but not contact, potential study participants under the “preparatory to research” provision. However, before permitting this activity, a covered entity must receive proper representation, as described above, from the researcher. Under the “preparatory to research” provision, no PHI may leave the covered entity.
Contacting Research Participants
Under the “preparatory to research” provision, covered entities may use and disclose PHI to researchers to aid in study recruitment. They may allow a researcher to identify, but not contact, potential study participants. To contact potential study participants, a researcher may do so, without Authorization from the individual, under the following circumstances:
- If the researcher is a workforce member of a covered entity, the researcher may contact the potential study participant, as part of the covered entity’s health care operations, for the purposes of seeking Authorization. In addition, a covered health care provider may discuss treatment alternatives, which may include participating in a clinical trial, with the patient as part of the patient’s treatment or the covered entity’s health care operations. Alternatively, the covered entity may contract with a business associate—who may be a researcher—to assist in contacting individuals on behalf of the covered entity to obtain their Authorizations.
- If the covered entity obtains documentation that an IRB has partially waived the Authorization requirement to disclose PHI to a researcher for recruitment purposes, the covered entity could disclose to the researcher that PHI necessary for the researcher to contact the individual.
7. The research involves only the information of decedents and required representations are obtained from the researchers.
To use or disclose PHI of the deceased for research, covered entities are not required to obtain Authorizations from the personal representative or next of kin, a waiver or an alteration of the Authorization, or a data use agreement. However, the covered entity must obtain from the researcher who is seeking access to decedents’ PHI (1) oral or written representations that the use and disclosure is sought solely for research on the PHI of decedents, (2) oral or written representations that the PHI for which use or disclosure is sought is necessary for the research purposes, and (3) documentation, at the request of the covered entity, of the death of the individuals whose PHI is sought by the researchers.
8. The disclosure is required by law.
9. The research is “grandfathered”.
Research Uses and Disclosures Under Permissions Obtained Prior to the Privacy Rule’s Compliance Date
Sections 164.532(a) and (c) of the Privacy Rule provide that, after the compliance date (for most covered entities, April 14, 2003), a covered entity may use or disclose an individual’s PHI without an Authorization, or waiver or alteration of the Authorization requirement, in connection with research, if specific conditions are met. For many such uses and disclosures of PHI in connection with research, a covered entity may rely on any one of the following that was obtained prior to the compliance date:
- An Authorization or other express legal permission from an individual to use or disclose PHI for research
- The informed consent of the individual to participate in the research
- A waiver by an IRB of informed consent in accordance with applicable laws and regulations governing informed consent, unless a new informed consent document is sought after the compliance date
The transition provisions do not apply if any change is made after the compliance date to an informed consent, express legal permission, or IRB waiver for the research obtained before the compliance date that would invalidate these prior permissions. In such cases, an Authorization that complies with section 164.508 of the Privacy Rule is required unless the activity is otherwise permitted by the Privacy Rule without Authorization (e.g., through a waiver of Authorization).
In some instances, express legal permissions, informed consents, or IRB-approved waivers of informed consents are not study specific. These permissions for research and waivers, if obtained before the compliance date, are grandfathered by the transition provisions even if provided for future unspecified research, subject to the conditions described above.
For questions about whether your research fits into one of the above categories, contact the NAU HIPAA Privacy Office at 928-523-6347.
For a comprehensive list of FAQs prepared by NIH, please see below: