HIPAA and Research

Florida Atlantic is committed to conducting research in compliance with all applicable laws, regulations, and university policies. As part of its commitment, the University has adopted policies and procedures to comply with the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA is a federal law that establishes national standards for protecting the privacy and security of health information and defines specific rights for individuals with respect to their health information. Individually identifiable health information that is created or received by a "covered entity" qualifies as protected health information (PHI) and is subject to the rules and regulations of HIPAA. This includes a later update to HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH).

Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research. All Florida Atlantic faculty, staff and students should be aware of the importance of protecting patient information and should be sensitive to the laws and regulations designed to safeguard PHI. For more information see Policy 10.3.7 Disclosure and Use of Protected Health Information (PHI) in Research.

What Constitutes PHI?

The HIPAA privacy rule sets forth policies to protect all individually identifiable health information that is held or transmitted. These are the 18 HIPAA Identifiers that are considered personally identifiable information. This information can be used to identify, contact, or locate a single person or can be used with other sources to identify a single individual. These identifiers are:

1. Name
2. Address (all geographic subdivisions smaller than state, including street address, city, county, and zip code)
3. All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
4. Telephone numbers
5. Fax numbers
6. Email address
7. Social Security Number
8. Medical record number
9. Account number(s)
10. Health plan beneficiary number(s)
11. Certificate or license number(s)
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web URL
15. Internet Protocol (IP) address
16. Finger or voice print
17. Photographic image (not limited to face)
18. Any other characteristic that could uniquely identify the individual

How do I De-Identify Data?

The process of de-identification, by which identifiers are removed from the health information, mitigates privacy risks to individuals and thereby supports the secondary use of data for comparative effectiveness studies, policy assessment, life sciences research, and other endeavors. If a communication contains any of the 18 HIPAA identifiers, or parts of the identifier, such as initials, the data is to be considered “identified”. To be considered “de-identified”, all of the HIPAA Identifiers must be removed from the data set. This includes all dates, such as surgery dates, all voice recordings, and all photographic images.

The Privacy Rule provides two de-identification methods: 1) a formal determination by a qualified expert; or 2) the removal of specified individual identifiers as well as absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual.

Information on how to de-identify PHI is available via the US Department of Health and Human Services.

What is a Limited Data Set?

A “limited data set” (LDS) is a limited set of identifiable patient information as defined in HIPAA. A “limited data set” of information may be disclosed to an outside party without a patient’s authorization if certain conditions are met. First, the purpose of the disclosure may only be for research, public health or health care operations. Second, the person receiving the information must sign a data use agreement.

An LDS is information from which “facial” identifiers have been removed. Specifically, as it relates to the individual or his or her relatives, employers or household members, all of the following identifiers must be removed in order for health information to be an LDS:

  • Names;
  • Street addresses (other than town, city, state and zip code);
  • Telephone numbers;
  • Fax numbers;
  • Email addresses;
  • Social Security numbers;
  • Medical records numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plates;
  • Device identifiers and serial numbers;
  • URLs;
  • IP address numbers;
  • Biometric identifiers (including finger and voice prints); and
  • Full face photos (or comparable images).

The health information that may remain in the information disclosed includes:

  • Dates such as admission, discharge, service, birth, death;
  • City, state, five-digit or more zip code; and
  • Ages in years, months or days or hours.

It is important to note that this information is still PHI under HIPAA. It is not de-identified information and is still subject to the requirements of the Privacy Regulations.

Because LDS is still PHI, the Privacy Regulations contemplate that the privacy of individuals will be protected by requiring covered entities to enter into data use agreements (DUA) with recipients of LDS. The data use agreement must meet standards specified in the Privacy Regulations. A DUA must:

  • Establish the permitted uses and disclosures of the limited data set;
  • Identify who may use or receive the information;
  • Prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as permitted by law;
  • Require the recipient to use appropriate safeguards to prevent a use or disclosure that is not permitted by the agreement;
  • Require the recipient to report to the covered entity any unauthorized use or disclosure of which it becomes aware;
  • Require the recipient to ensure that any agents (including a subcontractor) to whom it provides the information will agree to the same restrictions as provided in the agreement; and
  • Prohibit the recipient from identifying the information or contacting the individuals.

DUAs for Florida Atlantic-generated data may be accessed here. If receiving data from an external covered entity, the DUA, accompanied by the list of requested data from the medical record, must be submitted to the IRB as part of the related research protocol review and approval.

Required Training

HIPAA training is available via the Collaborative Institutional Training Initiative (CITI). CITI's Information Privacy and Security (IPS) materials cover the principles of data protection, focusing on the healthcare-related privacy and information security requirements of the Health Insurance Portability and Accountability Act (HIPAA). Information on how to access this training may be found on our Human Research Mandatory Training page.


HIPAA and Privacy at Florida Atlantic

Department of Health and Human Services

National Institutes of Health

Summary of Privacy Rule