HIPAA General Guidelines

Download | A Microsoft Word Document Version of This Page

The new federal regulations regarding the confidentiality of patient health information (known as the HIPAA Privacy Regulations) apply to research projects involving NU Investigators. Compliance with these regulations must be achieved by no later than April 14, 2003.

NU has adopted a Research Policy to address the HIPAA privacy obligations of Provider Entities relating to the disclosure of health information concerning subjects participating in Research and the role of NU and the NU IRB with respect to those obligations. The NU Research Policy will require written authorization, waiver of authorization or that an "exception" from the authorization requirement be obtained for research studies that fall under the HIPAA regulations as of April 14, 2003. The authorization will be a separate document from the informed consent. Templates, forms and instructions for authorizations and waiver requests will be available on the IRB web site. Please consult these materials before preparing the appropriate documents for each of your active studies.

The IRB will require a response from you by April 1, 2003 for each active project, indicating the type of HIPAA compliance necessary, along with the appropriate authorization, requests for waiver or request for exception for each attached study.

General guidelines for determining the type of HIPAA compliance needed for each study are:

1. HIPAA authorization requirements do not apply to a study if any of the following applies:
   1. A study is closed to accrual before April 14, 2003 and no reconsenting will take place after this date; or
   2. All subject health-related information will be obtained from the subject directly; or
   3. No individual health information is collected for study (see list of PHI below*); or
   4. All subject involvement, contact with subjects and data collection are complete before April 14, 2003.
2. IRB may except a study from the HIPAA authorization requirement if one of the following apply:
   1. Information being used or disclosed is "de-identified" as required by HIPAA; or
   2. Information being used or disclosed constitutes a Limited Data Set; or
   3. All use of individual health information is solely for preparation for research and no identifying information will be recorded or removed from the source; or
   4. All research involves decedents and their information only; or
   5. All research involves educational records or student health records.
3. A "Waiver of HIPAA Authorization" may be granted if all of the following apply:
   1. The use or disclosure of information involves no more than minimal risk to the privacy of individuals based on, at least, the presence of the following elements:
      1. An adequate plan to protect the identifiers from improper use/disclosure.
      2. An adequate plan to destroy the identifiers at the earliest possible time consistent with the research, unless there is a health or research justification for retaining identifiers or is otherwise required by law.
      3. Adequate written assurances that individual health information will not be reused/disclosed to any other person or entity, except as required by law, for authorized oversight of the research or for other research.
   2. The research could not practicably be conducted without the waiver.
   3. The research could not practicably be conducted without access to and use of the information.
4. HIPAA requires authorization from research subjects if you will be accessing medical records and either or both of the following applies:
   1. New subjects are enrolled on or after April 14, 2003; or
   2. Currently enrolled subjects are reconsented, for any reason, on or after April 14, 2003.

The HIPAA Privacy Rule lists the following as Protected Health Information (PHI*).

Names All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of the zip code if according to the current publicly available data from the Bureau of the census: a) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and b) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.

Telephone numbers Fax numbers Electronic mail addresses Social security numbers Medical record numbers Health plan beneficiary numbers Account numbers Certificate/license numbers Vehicle identifiers and serial numbers, including license plate numbers Device identifiers and serial numbers Web Universal Resource Locators (URLs) Internet Protocol (IP) address numbers Biometric identifiers, including finger and voice prints Full face photographic images and any comparable images Any other unique identifying number, characteristic or code.