HIPAA is an acronym for the federal Health Insurance Portability and Accountability Act (1996, 2000, 2002) (http://privacyruleandresearch.nih.gov/). The privacy rule of HIPAA limits and restricts the use and disclosure of protected health information (PHI). PHI is identifiable health information in any form that is created, received, or maintained by a covered entity (see 18 PHI identifiers). A covered entity is defined as health care providers, health plans, and healthcare clearinghouses. PHI can be used or disclosed for treatment, payment, and healthcare business operations of covered entities. HIPAA requires that patients sign a consent that informs them that PHI will be used for treatment, payment, or health care operations by the covered entity. Although the Privacy Rule protects disclosure of PHI, it still ensures that researchers can have access to information needed for research. Improper use of and disclosure of PHI can result in civil and criminal penalties.
The HIPAA privacy rule does allow researchers to access PHI under certain circumstances: 1) a specific authorization has been obtained from the patient, or 2) a waiver of patient authorization has been granted by a privacy board or an IRB under limited conditions. To protect privacy, the patient information that the covered entity discloses to the researcher will be the minimum necessary to accomplish the intended purpose or request. Clayton State University is not a covered entity. However, it is a hybrid entity, since some departments on the campus would fall under the covered entity guidelines, such as human resources and the health clinic. Researchers are not covered entities in themselves, unless they provide health care or participate in electronic transactions as described in the HIPAA regulations.
Note: Not all health care information collected by researchers is regulated by the HIPAA Privacy Rule. Examples of information that is not regulated: 1) protected health information that has been de-identified; 2) health information collected by researchers who are not part of a covered entity; 3) health information that is not related to a health care service; 4) health information that is not entered in a medical record and whose results will not be reported to the patient; 5) health information that is kept only in the researcher's records.
An authorization is used only to obtain the patient's permission to use or disclose their PHI. The authorization does not take the place of the subject's informed consent to participate in a research study. A patient authorization to use PHI can be in a separate document from the consent or included as a section in the consent. The following information is required to be included in the authorization:
PHI can be used under limited circumstances by the researcher without patient authorization. A privacy board or an IRB committee can grant a waiver of authorization if the following three criteria are met:
Before a covered entity may use or disclose PHI for research based on a waiver or an alteration of Authorization (request not to include all elements of the authorization) by an IRB, a covered entity must receive documentation showing the following:
The primary investigator and research team must complete HIPAA training and submit evidence of completion when submitting a CSU IRB application.
If a HIPAA violation has occurred, you can report the violation to the Office of Civil Rights (OCR) through the Complaint Portal Assistant or by completing the Health Information Privacy Complaint Form Package. You can also request a copy of this form from an OCR regional office. If you need help filing a complaint or have a question, you can email OCR at OCRMail@hhs.gov.