S. Confidentiality Of Personal Health Information
 

The Privacy Rule is a Federal Regulation under the Health Insurance Portability and Accountability Act (HIPAA) that protects certain health information.  This rule was implemented April 14, 2003.   The rule regulates the way certain health care groups, called covered entities, handle the individually identifiable health information known as protected health information (PHI).  It establishes the conditions under which covered entities can use or disclose PHI for many purposes, including research.

 

One way the Privacy Rule protects the PHI is by giving individuals the opportunity to agree to the uses and disclosures of their PHI by signing an Authorization agreement.  This agreement authorizes the covered entity (i.e. hospital, health care providers, health care clearinghouses or health plans) to use and disclose the subject’s PHI for research purposes.  This requirement is in addition to the informed consent to participate in research required under the HHS Protection of Human Subjects Regulations and other applicable Federal and State Laws.

 

Protected Health Information (PHI)

There are 18 elements considered PHI under HIPAA.

1.     Names

2.     All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of Census:

a.   The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people; and

b.   The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.

3.   All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 and over.

4.      Telephone numbers

5.      Facsimile numbers.

6.      Electronic mail addresses.

7.      Social security numbers.

8.      Medical record numbers.

9.      Health plan beneficiary numbers.

10.  Account numbers.

11.  Certificate/license numbers.

12.  Vehicle identifiers and serial numbers, including license plate numbers.

13.  Device identifiers and serial numbers.

14.     Web universal resource locators (URLs).

15.     Internet protocol (IP) address numbers.

16.     Biometric identifiers, including fingerprints and voiceprints.

 

 

17.     Full face photographic images and any comparable images.

18.     Any other unique identifying number, characteristic, or code unless otherwise permitted by the Privacy Rule for re-identification.

 

Authorization Agreement

 

An Authorization differs from an informed consent in that an Authorization focuses on privacy risks and states how, why, and to whom the PHI will be used and/or disclosed for research.

 

There are nine elements of an Authorization (See Appendix 12 for an Authorization Template):

 

Core Elements

 

·         What type of information may be used or disclosed?

A description of the PHI to be used or disclosed, identifying the information in a specific and meaningful manner.

·         Who can use or disclose information?

List the names or other specific identification of the person or persons (or class of persons) authorized to use or disclose.

·         To whom can the information be disclosed?

List the names or other specific identification of the person or persons to whom the covered entity may make the requested use or disclosure.

·         What is the purpose of the use or disclosure?

A description of each purpose of the requested use or disclosure.

·         When does the Authorization expire?

Authorization expiration date or expiration event that relates to the individual or to the purpose of the use or disclosure.

·         How do I give my consent?

Signature of the individual and date.  If the individual’s legally authorized representative signs the Authorization, a description of the representative’s authority must also be provided.

 

Required Statements

 

·         Can I revoke this Authorization?

A statement of the individual’s rights to revoke the Authorization and how to do so and, if applicable, exceptions to the right to revoke the Authorization.

·         What if I refuse to sign this Authorization?

Whether treatment, payment, enrollment or eligibility of benefits can be conditioned on Authorization, including research-related treatment and consequences of refusing to sign the Authorization.

·       When is my information not protected?

A statement of the potential risk that PHI will be re-disclosed by the recipient. 

 

The Authorization can either be separate from the main body of the consent in an addendum or contained within the body of the consent in a section called “Confidentiality of Personal Health Information”.

In order to be valid, the Authorization must:

-          be written in plain language (at an 8th grade level),

-          contain the core elements and the required statements listed above in question format,

-          be approved by the IRB prior to implementation, and

-          be given to the subject as a signed copy (if the Authorization is separate).

 

Waiver or Alteration of the Authorization Requirement

 

For research uses and disclosures of PHI, an IRB (or Privacy Board) may approve a waiver or an alteration of the Authorization requirement in whole or in part.  To be approved, the waiver must satisfy the following criteria:

1.     The use or disclosure of the PHI involves no more than minimal risk to the privacy of individuals based on, at least, the presence of the following elements:

a.      An adequate plan to protect health information identifiers from improper use and disclosure.

b.      An adequate plan to destroy identifiers at the earliest opportunity consistent with conduct of the research.

c.      Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule.

2.      The research could not practicably be conducted without the waiver or alteration.

3.     The research could not practicably be conducted without access to and use of PHI.

 

When a waiver or alteration is granted, additional requirements apply:

-         Minimum necessary:  The least information reasonably necessary to accomplish the intended purpose of the use, disclosure or request must be used for the research.

-         Accounting of disclosures: The investigator must keep track of any disclosure of PHI made during the research and be able to provide this information to the covered entity.

 

De-Identified Data

 

Information that is de-identified may be used for research purposes without an Authorization or waiver of Authorization.  To be de-identified, all 18 elements of PHI must be removed from the data.

 

Limited Data Set

 

The Privacy Rule also permits a covered entity to use and disclose PHI in a limited data set without obtaining an Authorization or waiver of Authorization.

 

A limited data set is described as health information that excludes direct identifiers (such as name, address, SSN, telephone number) but may include city, state, ZIP code, elements of date and other numbers.

 

In order to obtain information in a limited data set, a data use agreement must be completed between the covered entity and the investigator.  The data use agreement is the means by which covered entities obtain satisfactory assurances that the recipient of the limited data set will use or disclose PHI only for the specified purpose.

 

The IRB is not involved in the data use agreement but will provide the investigator the information needed to obtain one.

 

Research on Decedents’ Protected Health Information

 

The Federal regulations, through the Common Rule, define research as involving living human subjects and do not cover research done on decedents.  However, the Privacy Rule requires safeguards for the protection of PHI of decedents.  In order to accomplish this, an investigator who is seeking access to a decedent’s PHI must provide to the IRB, as the agent of the covered entity:

1.     Oral or written representation that the use and disclosure is sought solely for research,

2.     Oral or written representation that the PHI is necessary for the research purposes, and

3.     Documentation, at the request of the IRB, of the death of the individuals whose PHI will be used.

 

 


© 2007 Crozer-Keystone Health System.