Office for Research

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is intended to improve the efficiency and effectiveness of the health care system by standardizing electronic data interchange. HIPAA directly regulates three types of "Covered Entities":
  • Health care providers (including organizations and individuals);
  • Health plans (insurers and payers); and
  • Health care clearinghouses (billing services).
HIPAA has three main parts:
  • Insurance portability
  • Fraud enforcement (accountability)
  • Administrative simplification
The first 2 components, portability and accountability, are already in effect.

Portability ensures that individuals moving from one health plan to another will have continuity of coverage and will not be denied coverage under preexisting condition clauses.
Accountability increases the federal government's fraud enforcement authority in several areas.

The third component, administrative simplification, was developed to provide privacy protection for health information, and is known as the Privacy rule.

In general, Research is not an activity to which HIPAA privacy standards apply. In addition, Northwestern University Personnel do not engage in treatment activities even when treatment is provided in conjunction with a Research study in which such personnel may be involved. Therefore, when conducting research, Northwestern University Personnel are not "Covered Entities" subject to the HIPAA privacy standards and the corresponding sanctions for violation of those standards.

However, the HIPAA privacy standards do regulate a Provider Entity's disclosure of individual health information to Northwestern University for use and disclosure of such health information in connection with research.

Accordingly, Northwestern University has adopted a policy to address the HIPAA privacy obligations of Provider Entities relating to the disclosure of health information concerning subjects participating in Research and the role of Northwestern University and the Northwestern University IRB with respect to those obligations.

The HIPAA Research policy is available on the IRB web site.

What are the Objectives of the Privacy Rule?
  • To limit the use and disclosure of health information

  • To restrict most uses and disclosures of health information to the minimum necessary to carry out the intended purpose

  • To give patients the right to receive a notice of Privacy Practices describing how Northwestern University and its affiliates use and disclose their health information and give them the means to control this information.
The Privacy Rule establishes new requirements for access to health-related records by researchers and the use and further disclosure of protected health information.

Enforcement

Improper use or disclosure can result in criminal and civil penalties:
  • $25,000 for multiple violations in the same year,
  • $250,000 and/or up to 10 years imprisonment for knowingly misusing a person's protected health information.

What does the Privacy Rule protect?

The rule protects information acquired by NU researchers, including demographic information, that could reasonably identify an individual and:
  • relates to the past, present, or future physical or mental health, condition or treatment of an individual; or
  • describes the past, present, or future payment for the provision of healthcare to an individual


What is Protected Health Information (PHI)?

Protected Health Information is identifiable health information that providers have acquired in the course of serving patients.
Data elements that make information individually identifiable include, but are not limited to, the following:
  • Names
  • Addresses
  • Employers' names or addresses
  • Relatives' names or addresses
  • Dates
  • Telephone and fax numbers
  • E-mail addresses
  • Social Security numbers
  • Medical Record numbers
  • Certificate numbers (including device serial numbers for implants)
  • Member or account numbers
  • Voiceprints
  • Fingerprints
  • Full face photos and comparable images
  • Any other characteristics that may be used, individually or in combination, to identify the individual.
Essentially, individually identifiable information is anything that can be used to identify a subject. Releasing this information for reasons other than treatment, payment, or operations, without obtaining an authorization or a waiver, is a violation of the privacy regulations.

Compliance Deadline

The compliance date for the Privacy Rule is April 14, 2003.

What are the major implications for NU Researchers as a result of the Privacy Rule?

Clinical research is one area that is uniquely impacted by the regulations.

From a clinical investigator perspective, the new regulations will affect how you access existing health information (medical/database record reviews).

In practical terms, the major changes are as follows:

New authorization requirements: In addition to informed consent requirements, starting April 14, 2003, investigators will need to obtain an authorization from the research subject, with more detailed information, in order to use and release identified Protected Health Information for research. This new authorization needs to be submitted to the IRB for approval.
NU has developed a specific form called "Research Subject Authorization, Confidentiality & Privacy Rights" available on the IRB web site.
It is the Investigator's responsibility to be certain that this form, in addition to the informed consent form, is signed by each research subject enrolled on or after April 14, 2003. Investigators must be certain this requirement is fulfilled. Otherwise, investigators may not be able to use or disclose subjects' protected information or any related research data, and will have violated the subjects' rights under HIPAA.

This authorization requirement does not apply when research subjects were enrolled in studies prior to April 14, 2003 and are not required to be reconsented after this date.

Waiver of authorization

Waiver of authorization may be granted by the IRB, but must satisfy the following specific criteria:
  • the research could not feasibly be conducted without the waiver,
  • the research could not feasibly be conducted without access to the PHI,
  • the use or disclosure plan involves no more than minimal risk to a subject's privacy, and includes:
    • a plan to protect identifiers,
    • a plan to destroy identifiers at the earliest opportunity that's consistent with the goals of the study, unless there is a health or research justification for retaining them, and
    • written assurances that you won't reuse PHI.
NU has developed a "Request for Waiver of Authorization" Form available on the IRB web site.

Exceptions

Exceptions from HIPAA authorization may be approved by the IRB, if one of the following applies:
  • Information being used or disclosed is "de-identified" as defined by HIPAA
  • Information being used or disclosed constitutes a Limited Data Set
  • All use of individual health information is solely for preparation for research and no identifying information will be recorded or removed from the source
  • All research involves decedents and their information only
  • All research involves educational records or student health records.
NU has developed an "Exception from HIPAA Authorization" form available on the IRB web site.