Currently Skimming:

4 HIPAA, the Privacy Rule, and Its Application to Health Research
Pages 153-198


From page 153...
... A section at the end of the chapter also describes the relationships between HIPAA and other federal and state laws. Because a great deal of health research in the United States is also subject to the Common Rule (described in Chapter 3)
From page 154...
... These provisions were included in the final version of HIPAA because health plans had requested federal legislation in this area from Congress. The use of electronic health information was expanding in the early 1990s, and the health care industry was unable to standardize the process and use of electronic health information without federal action.1 The security standards are one set of regulations mandated by the administrative simplification provisions of HIPAA.
From page 155...
... Its provisions also impose on covered entities affirmative requirements to safeguard the information in their possession. The Privacy Rule gives individuals certain rights with respect to their health information (reviewed by Pritts, 2008)
From page 156...
... , made recommendations to Congress on the privacy standards mandated in HIPAA
• September 1999: Congress failed to enact federal privacy legislation within the 3-year time limit set by HIPAA
• November 1999: HHS issued a proposed version of the privacy regulation for public comment
• December 2000: HHS published the original Privacy Rule, titled Standards for Privacy of Individually Identifiable Health Information
• March 2002: HHS published a proposed modification to the Privacy Rule and accepted additional public comments
• August 2002: HHS published the Final Privacy Rule
• April 2003: Covered entities were required to be in compliance with the Privacy Rule (except small health plans). The Association of American Medical Colleges launched a survey examining how research has been affected by the Privacy Rule and proposed recommendations for changes to the Privacy Rule. In South Carolina Medical Association v.
From page 157...
... Small health plans were given until April 14, 2004, to be in compliance.

OVERVIEW OF THE HIPAA PRIVACY RULE

Entities Subject to the Privacy Rule

The Privacy Rule applies to "covered entities,"9 which are individuals or organizations that electronically transmit health information in the
5 Standards for Privacy of Individually Identifiable Health Information: Final Rule, 65 Fed.
From page 158...
... , created or received by a covered entity. Personally identifiable health information is defined as information, including demographic information, that "relates to past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care for the individual" that either identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.11 The Privacy Rule does not protect personally identifiable health information that is held or maintained by an organization other than a covered entity (HHS, 2004c)
From page 159...
... • A public health agency that does not perform activities subject to the provisions of the Privacy Rule
• A public health clinic that is part of a public health agency

Restrictions on Use and Disclosure

Covered entities may not use or disclose PHI except as permitted or required by the Privacy Rule.13 A covered entity may disclose PHI without the individual's permission for treatment, payment, and health care operations purposes. For other uses and disclosures, the Privacy Rule generally requires the individual's written permission, which is an "authorization" that must meet specific content requirements.
From page 160...
... As a result, the Privacy Rule permits, but does not require,22 covered entities to disclose PHI without authorization for specified public health purposes (Box 4-2)
From page 161...
... , the Centers for Disease Control and Prevention, and the Occupational Safety and Health Administration." A covered entity can release PHI to a public health authority, without authorization or waiver of authorization, in the following circumstances:
• Monitoring health threats and diseases
• Child abuse or neglect
• Products regulated by the FDA
• Persons at risk of contracting or spreading a disease
• Workplace surveillance
State laws may also permit or require the release of PHI for activities other than those listed above.
From page 162...
... 28 U.S. Secretary of Health and Human Services, Recommendations on the Confidentiality of Individually-Identifiable Health Information to the Committees on Labor and Human Resources (September 11, 1997)
From page 163...
... In proposing the Privacy Rule, HHS acknowledged that ideally, it would have preferred to directly regulate researchers by extending the protections of the Common Rule to nonfederally funded research and imposing additional criteria for the waiver of authorization in research.29 However, HHS recognized that it did not have the authority to do so, and therefore, it attempted to protect the health information released to researchers indirectly (but within the scope of its limited authority) by imposing disclosure restrictions on covered entities.
From page 164...
... . Authorization of Future Research Under the Common Rule, it is permissible to obtain patient consent for future research with biological samples or information stored in databases, with oversight by an IRB, if such future uses are described in sufficient detail to allow an informed consent.
From page 165...
... In contrast, Privacy Boards did not exist under the Common Rule. Privacy Boards were created by the Privacy Rule and only have authority to review applications for waivers of authorization.
From page 166...
... . However, the committee recommends that this discordance between the Privacy Rule and the Common Rule be eliminated through guidance explicitly stating that future research may go forward if the authorization describes the types or categories of research that may be conducted with the PHI stored in a biospecimen bank or database, and if an IRB or Privacy Board determines that the proposed new research is not incompatible with the initial consent and authorization and poses no greater than minimal risk to the privacy of individuals (Wendler, 2006)
From page 167...
... HHS noted, however, "[T]he privilege of using individually identifiable health information for research purposes without individual authorization requires that the information be used and disclosed under strict conditions that safeguard individuals' confidentiality."37 One situation in which the Privacy Rule permits a covered entity to use and disclose PHI for research purposes without obtaining authorization from each patient is when an IRB or a Privacy Board (Box 4-3)
From page 168...
... An IRB or a Privacy Board may waive the authorization requirement in whole or in part. A complete waiver of authorization means that no authorization is required for the covered entity to use and disclose PHI.
From page 169...
... The terms "adequate plan" and "adequate written assurance" are highly subjective, and thus different institutions are likely to set varying thresholds for "minimal risk." Thus, to facilitate appropriate authorization requirements for responsible research, the committee recommends that HHS simplify the criteria that IRBs and Privacy Boards use in making determinations for when they can waive the requirements to obtain authorization from each patient whose PHI will be used for a research study. In the 2000 version of the Privacy Rule, one of the criteria for waiver of authorization was that "the privacy risks to individuals whose PHI is to be used or disclosed are reasonable in relation to the anticipated benefits, if any, to the individual, and the importance of the knowledge that may rea
40 See 45 C.F.R.
From page 170...
... Activities Preparatory to Research

A second situation where a covered entity is permitted to use and disclose PHI without obtaining authorization is for activities that are preparatory to research.44 Review by an IRB or a Privacy Board is also not required for activities preparatory to research. A covered entity may permit researchers to look through its medical records in order to develop research protocols and to aid the recruitment of research participants if it obtains from the researcher representations that the information sought is necessary for the research purpose, that information will be reviewed only for the stated purposes preparatory to research, and that no PHI will be removed from the covered entity by the researcher in the course of the review45 (HHS, 2004a,c)
From page 171...
... External researchers must get an IRB/Privacy Board approved waiver of authorization to perform any recruitment activities. This creates an artificial distinction between internal and external researchers that actually provides less privacy protection than that afforded by the Common Rule, which requires that any activities preparatory to research involving human subjects, or related to initial recruitment of subjects for research studies, be reviewed and approved by an IRB (HHS, 2003)
From page 172...
... Covered entities are not required to obtain authorization from the personal representative or next of kin to conduct research on a decedent's PHI, nor are they required to receive a waiver of authorization. These provisions are similar to the Common Rule, which defines a "human subject" as a "living individual."46 However, the Privacy Rule does require that researchers make several representations, either in writing or orally, to the covered entity prior to the covered entity granting the researcher access to a decedent's PHI.
From page 173...
... .51 In practice, this can mean that a covered entity may no longer routinely disclose for research data that have been anonymized according to the Common Rule (Pritts, 2008)
From page 174...
... 9. Health plan beneficiary numbers.
From page 175...
... Limited Datasets Many researchers have argued that removal of all 18 data categories as required by the HIPAA Privacy Rule's deidentification standards can render the dataset unusable for many research projects (Casarett et al., 2005; HHS, 2002; Kulynych and Korn, 2002; SACHRP, 2004) (see also Chapter 5)
From page 176...
... . A limited dataset may be created by a covered entity or the covered entity can enter into a business associate agreement with another party, including the intended recipient, to create the limited dataset on its behalf.56 To disclose a limited dataset for research without individual authorization, the covered entity must enter into a data use agreement with the recipient.
From page 177...
... , but the French health care system and legal environment are quite different than in the United States. In testimony at an Institute of Medicine workshop on the HIPAA Privacy Rule and health research, legal experts noted the shortcomings of the limited dataset (IOM, 2006)
From page 178...
... Using such intermediaries would increase patient privacy protections and allay concerns of covered entities, and thus would facilitate greater use of health data for research and also lead to more meaningful study results. CMS provides a similar service for Medicare and Medicaid data, via contractors who create standardized data files that are tailored for research (Box 4-5)
From page 179...
... Every data file includes a unique, encrypted CCW beneficiary identifier that allows the researcher to link a beneficiary's data across data sources and types within the CCW system. The Process: A researcher must submit to CMS a data release request that includes a research design and objectives, which are reviewed by a CMS Privacy Board to ensure that the project will assist CMS "in monitoring, managing, and improving the Medicare and Medicaid programs or the services provided to beneficiaries." The Privacy Board is instructed to "balance the potential risks to the beneficiary confidentiality with the probable benefits gained from the completed research," as well as to consider the researchers' demonstrated expertise and experience in conducting such a study.
From page 180...
... New knowledge of the human genome, combined with advances in computing capabilities, is expected to help decipher the roles that genetics and the environment play in the origins of complex but common human diseases, such as cancer, heart disease, and diabetes. In this genomic age of health research, patient samples stored in biospecimen banks can provide a wealth of information for addressing long-standing questions about health and disease, and efforts are underway to create large genomic databases for that purpose (Adams, 2008; Greely, 2007; Lowrance, 2002; Lowrance and Collins, 2007)
From page 181...
... Accounting of Research Disclosures

The "accounting of disclosures" provision of the HIPAA Privacy Rule gives individuals the right to receive a list of certain disclosures that a covered entity has made of their PHI in the past 6 years, including disclosures
63 See http://www.genome.gov/20019523/.
From page 182...
... The AOD requirement was intended "as a means for the individual to find out the nonroutine purposes for which his or her PHI was disclosed by the covered entity, so as to increase the individual's awareness of persons or entities other than the individual's health care provider or health plan in possession of this information."65 This requirement does not actually protect privacy; it merely requires covered entities to record disclosures that have already happened. In addition, the AOD requirement does not constitute an audit trail, as there are numerous exceptions to the requirement, including disclosures for health care operations, pursuant to an authorization, as part of a limited dataset, for national security or intelligence purposes, and to correctional institutions or law enforcement officials.
From page 183...
... Indeed, SACHRP concluded that the cost and burden of compliance with AOD requirements was so high that institutions were likely to accept the risk of noncompliance rather than incur the cost of compliance. Noting that researchers must establish a certain standard of privacy protections before an IRB or a Privacy Board will grant a waiver of authorization, or before a covered entity will permit a researcher to access PHI preparatory to research, SACHRP recommended that covered entities should inform patients in the HIPAA "Notice of Privacy Practices" that their PHI may be used and disclosed for research purposes without their authorization if sufficient privacy safeguards are in place.
From page 184...
... The Privacy Rule does not provide for a private right of action by patients or research participants.67 Thus, an individual whose privacy is violated under the Privacy Rule cannot sue the covered entity or individual who breached his or her privacy. Rather, an individual can file a claim with HHS's Office for Civil Rights (OCR)
From page 185...
... .76 In spite of this enforcement record, many covered entities remain hesitant to share health information due to concerns about liability (Pritts, 2008)
From page 186...
... The federal regulations most relevant to health research are the Common Rule77 and the Food and Drug Administration (FDA) Protection of Human Subjects Regulations, which have similar origins and intent78 (see Chapter 3)
From page 187...
... In general, the Privacy Rule preempts contrary state laws relating to the privacy of health information. Generally, this means that if it is impossible for a covered entity to comply with both the Privacy Rule and the state law in question, the Privacy Rule will be applied in the situation and the state law will be considered void.80 This general rule has three exceptions.
From page 188...
... In its current state, however, the HIPAA Privacy Rule is difficult to reconcile with other federal regulations, including HHS regulations for the protection of human subjects (the Common Rule), FDA regulations pertaining to human subjects,81 and other applicable federal or state laws.
From page 189...
... For example, HHS should develop guidance to clearly state that future research with repositories can go forward under the Privacy Rule with IRB/Privacy Board oversight. Many institutions create and maintain databases with patient health information as well as repositories with biological materials collected from patients, and use them for many types of health research, including studies to understand diseases or to compare patient outcomes following different treatments.
From page 190...
... Thus, it is imperative that the informed consent and authorization documents are easily understood and meaningful to the individuals involved. Ideally, all relevant information should be integrated into one simple document, but the HIPAA Privacy Rule's complex provisions have generated misperceptions about restrictions on individuals' ability to provide compound authorization for the related activities of clinical trial participation and biospecimen donation, and some institutions require two complete authorization forms with all the attendant language rather than two signature lines on the same form.
From page 191...
... The committee believes that IRBs and Privacy Boards can protect research participants, including their privacy and confidentiality interests, and thus recommends that IRB/Privacy Board approval (as required under the Common Rule) should be required for all researchers (internal and external to the covered entity)
From page 192...
... Until then, the committee recommends that disclosures of PHI made for health research and public health purposes be exempted from the HIPAA Privacy Rule's AOD requirement. However, in the interest of transparency, institutions should maintain a list, accessible to the public, of all studies approved by its IRB or Privacy Board.
From page 193...
... 2008. PowerPoint presentation to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on AcademyHealth survey results.
From page 194...
... 2007. PowerPoint presentation to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on the HIPAA Privacy Rule & research: Update from HHS Office for Civil Rights.
From page 195...
... 2008. Comments to the Institute of Medicine Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule, on the impact of the HIPAA Privacy Rule on pharmaceutical research.
From page 196...
... 2008. The importance and value of protecting the privacy of health information: Roles of HIPAA Privacy Rule and the Common Rule in health research.
From page 197...
... . Alternatives to project-specific consent for access to personal information for health research.