14. Health Insurance Portability and Accountability Act (HIPAA)

14.1 Background

14.2 Effects of HIPAA on Research

14.3 HIPAA Authorized Access to Protected Health Information

14.4 Patient Rights and Research

14.5 HIPAA and Existing Studies

14.1 Background 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required Congress to enact a health information privacy law (the “Privacy Rule”), which it did in August 2002. The Privacy Rule, which became effective on April 14, 2003, is intended to protect the privacy of an individual's health care information. It creates a federal "floor" of protection, with the understanding that states may create additional rights and protections. 

14.2 Effects of HIPAA on Research 

HIPAA’s definition of research is identical to that of the Common Rule: "a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge." Under HIPAA, “covered entities” must manage what is called “protected health information,” or “PHI,” in accordance with the Privacy Rule. Harvard is a hybrid entity, meaning that only certain divisions (including the University Health Services and the Bureau of Study Counsel) must follow the HIPAA regulations. Thus, any research taking place at a "covered entity" within the University, and involving PHI, must comply with the Privacy Rule. 

14.3 HIPAA Authorized Access to Protected Health Information 

HIPAA provides for the following means of gaining access to PHI: authorizations; IRB waiver under the HIPAA criteria; limited data sets; and de-identification of data sets. It is the responsibility of the covered entity to ensure that it only releases PHI to an investigator under one of these HIPAA-compliant means.

14.4 Patient Rights and Research 

Under HIPAA, patients have the right to receive a Notice of Privacy Practices; the right to access, inspect, and receive a copy of their own PHI; the right to request an amendment to their own PHI; and the right to an accounting of certain disclosures of PHI that occur outside the scope of treatment, payment, and health care operations and that have not been authorized.

14.5 HIPAA and Existing Studies 

Studies at a covered entity that enrolled human subjects prior to April 14, 2003 may proceed according to the protocol documents that were approved by the CUHS at that time; that is, researchers may continue to collect and use data gathered from these subjects, and no new documentation is required. However, any subject enrolled in a research project at a covered entity AFTER April 14, 2003 must sign a HIPAA-compliant authorization form unless the IRB waives consent under HIPAA criteria, or the research involves a limited data set of de-identified data. If the research involves a limited data set, then the researcher and the covered entity must have in place a HIPAA-compliant data use agreement that addresses the use of the data and patient privacy concerns. If an authorization form is used, it is in addition to the existing Informed Consent document. In a few cases, the Informed Consent document may be combined with a HIPAA authorization.