HIPAA and Research

Florida Atlantic is committed to conducting research in compliance with all applicable laws, regulations, and university policies. As part of its commitment, the University has adopted policies and procedures to comply with the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA is a federal law that establishes national standards for protecting the privacy and security of health information and defines specific rights for individuals with respect to their health information. Individually identifiable health information that is created or received by a "covered entity" qualifies as protected health information (PHI) and is subject to the rules and regulations of HIPAA. This includes a later update to HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH).
Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research. All Florida Atlantic faculty, staff and students should be aware of the importance of protecting patient information and should be sensitive to the laws and regulations designed to safeguard PHI. For more information see Policy 10.3.7 Disclosure and Use of Protected Health Information (PHI) in Research.
The HIPAA Privacy Rule sets forth policies to protect all individually identifiable health information that is held or transmitted. HIPAA defines 18 identifiers that are considered personally identifiable information. This information can be used to identify, contact, or locate a single person, or can be combined with other sources to identify a single individual. These identifiers are:
1. Name
2. Address (all geographic subdivisions smaller than state, including street address, city, county, and zip code)
3. All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
4. Telephone numbers
5. Fax numbers
6. Email address
7. Social Security Number
8. Medical record number
9. Account number(s)
10. Health plan beneficiary number(s)
11. Certificate or license number(s)
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web URLs
15. Internet Protocol (IP) address
16. Finger or voice print
17. Photographic image (not limited to face)
18. Any other characteristic that could uniquely identify the individual
The process of de-identification, by which identifiers are removed from the health information, mitigates privacy risks to individuals and thereby supports the secondary use of data for comparative effectiveness studies, policy assessment, life sciences research, and other endeavors. If a communication contains any of the 18 HIPAA identifiers, or parts of the identifier, such as initials, the data is to be considered “identified”. To be considered “de-identified”, all of the HIPAA Identifiers must be removed from the data set. This includes all dates, such as surgery dates, all voice recordings, and all photographic images.
The Privacy Rule provides two de-identification methods: 1) a formal determination by a qualified expert; or 2) the removal of specified individual identifiers as well as absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual.
Information on how to de-identify PHI is available via the US Department of Health and Human Services.
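As an added illustration (not part of this page or of Florida Atlantic's policy), the following Python routine applies the second, identifier-removal method to a constructed record: it drops the direct identifiers from the list above, keeps only the year of any date, aggregates ages over 89 into "90+" (the HHS Safe Harbor guidance), and scrubs the identifiers that have a recognizable shape from free-text notes. The field names and sample values are assumptions, not real patient data.

```python
import re
from datetime import date

# Identifier categories that can be spotted mechanically in free text
# (dates, phone/fax, email, SSN, IP address, URL). Names, MRNs and account
# numbers have no fixed shape and must be handled as structured fields.
PATTERNS = {
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "phone_or_fax": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}
# Structured fields that are direct identifiers and are dropped outright
# (assumed field names; zip is dropped because the page lists it as an identifier).
DIRECT_ID_FIELDS = {"name", "address", "zip", "mrn", "account_number",
                    "beneficiary_number", "device_serial", "license_plate"}

def find_identifiers(text):
    """Return the identifier categories detected in free text, sorted."""
    return sorted(k for k, rx in PATTERNS.items() if rx.search(text))

def safe_harbor(record):
    """Drop direct identifiers, keep only the year of dates, aggregate ages
    over 89 into '90+', and scrub patterned identifiers from text fields."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_ID_FIELDS:
            continue
        if isinstance(value, date):          # dates: year only survives
            out[field] = value.year
        elif field == "age":
            out[field] = "90+" if value > 89 else value
        elif isinstance(value, str):
            cleaned = value
            for cat, rx in PATTERNS.items():
                cleaned = rx.sub(f"[{cat.upper()} REMOVED]", cleaned)
            out[field] = cleaned
        else:
            out[field] = value
    return out

# Constructed sample record with fictitious values.
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-000001", "zip": "33431",
    "age": 92, "admission_date": date(2023, 4, 17),
    "diagnosis": "hypertension",
    "notes": "Pt called back on 561-555-0100, emailed jane@example.com; seen 04/17/2023.",
}
```

A pattern scan only catches identifiers with a fixed shape; names, initials, photographs and the catch-all category 18 still require review of the structured fields or the expert-determination method.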
A “limited data set” (LDS) is a limited set of identifiable patient information as defined in HIPAA. A “limited data set” of information may be disclosed to an outside party without a patient’s authorization if certain conditions are met. First, the purpose of the disclosure may only be for research, public health or health care operations. Second, the person receiving the information must sign a data use agreement.
HIPAA training is available via the Collaborative Institutional Training Initiative (CITI). CITI's Information Privacy and Security (IPS) materials cover the principles of data protection, focusing on the healthcare-related privacy and information security requirements of the Health Insurance Portability and Accountability Act (HIPAA). Information on how to access this training may be found on our Human Research Mandatory Training page.