Northwestern University NU Office for Research CCM | IACUC | IRB | ORD | ORI | ORIS | ORPFC | ORS | OSR | TTP
IRB Home | HIPAA | What is HIPAA?

What is HIPAA?

Download | A Microsoft Word Document Version of This Page

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is intended to improve the efficiency and effectiveness of the health care system by standardizing electronic data interchange.

HIPAA directly regulates three types of "Covered Entities":

  • Health care providers (including organizations and individuals):
  • Health plans (insurers and payers); and
  • Health care clearinghouses (billing services).

HIPAA has three main parts:

  • Insurance portability
  • Fraud enforcement (accountability)
  • Administrative simplification

The first 2 components portability and accountability-are already in effect.

Portability ensures that individuals moving from one health plan to another will have continuity of coverage and will not be denied coverage under preexisting condition clauses.

Accountability increases the federal government's fraud enforcement authority in several areas.

The third component, administrative simplification, was developed to provide privacy protection for health information, and is known as the Privacy rule.

In General, Research is not an activity to which HIPAA privacy standards apply. In addition, Northwestern University Personnel do not engage in treatment activities even when treatment is provided in conjunction with a Research study in which such personnel may be involved. Therefore when conducting research, Northwestern University Personnel are not "Covered Entities" subject to the HIPAA privacy standards and the corresponding sanctions for violation of those standards.

However, the HIPAA privacy standards do regulate a Provider Entity's disclosure of individual health information to Northwestern University for use and disclosure of such health information in connection with research.

Accordingly, Northwestern University has adopted a policy to address the HIPAA privacy obligations of Provider Entities relating to the disclosure of health information concerning subjects participating in Research and the role of Northwestern University and the Northwestern University IRB with respect to those obligations.

The HIPAA Research policy is available on the IRB web site.

What are the Objectives of the Privacy Rule?

  • To limit the use and disclosure of health information
  • To restrict most uses and disclosures of health information to the minimum necessary to carry out the intended purpose
  • To give patients the right to receive a notice of Privacy Practices describing how Northwestern University and its affiliates use and disclose their health information and give them the means to control this information.

The Privacy Rule establishes new requirements for access to health-related records by researchers and the use and further disclosure of protected health information.

Enforcement

Improper use or disclosure can result in criminal and civil penalties:

  • $25,000 for multiple violations in the same year,
  • $250,000 and/or up to 10 years imprisonment for knowingly misusing a person's protected health information.

What does the Privacy Rule protect?

The rule protects information acquired by NU researchers including demographic information, that could reasonably identify an individual and:
  • relates to the past, present, or future physical or mental health, condition or treatment of an individual; or
  • describes the past, present, or future payment for the provision of healthcare to an individual

What is Protected Health Information (PHI)?

Protected Health Information is identifiable health information that providers have acquired in the course of serving patients.

Data elements that make information individually identifiable include, but are not limited to the following:

  • Names
  • Addresses
  • Employers' names or addresses
  • Relatives' names or addresses
  • Dates
  • Telephone and fax numbers
  • E-mail addresses
  • Social Security numbers
  • Medical Record numbers
  • Certificate numbers (including device serial numbers for implants)
  • Member or account numbers
  • Voiceprints,
  • Fingerprints
  • Full face photos and comparable images
  • Any other characteristics that may be used,
  • individually or in combination, to identify the individual.

Essentially, individually identifiable information is anything that can be used to identify a subject. Releasing this information for reasons other than treatment, payment, or operations, without obtaining an authorization or a waiver is a violation of the privacy regulations.

Compliance Deadline

The compliance date for the Privacy Rule is April 14, 2003.

What are the major implications for NU Researchers as a result of the Privacy Rule?

Clinical research is one area that is uniquely impacted by the regulations.

From a clinical investigator perspective, the new regulations will affect how you access existing health information (medical/database record reviews).

In practical terms, the major changes are as follows:

New authorization requirements: In addition to informed consent requirements, investigators will need starting April 14, 2003 to obtain an authorization from the research subject, with more detailed information, in order to use and release identified Protected Health Information for research. This new authorization needs to be submitted to IRB for approval.

NU has developed a specific form called "Research Subject Authorization, Confidentiality & Privacy Rights" available on the IRB web site.

It is the Investigator's responsibility to be certain that this form is signed by each research subject enrolled on or after April 14, 2003 in addition to the informed consent form. Investigators must be certain this requirement is fulfilled. Otherwise, investigators may not be able to use or disclose subjects' protected information or any related research data, and will have violated their rights under HIPAA.

This authorization requirement does not apply when research subjects were enrolled in studies prior to April 14, 2003 and are not required to be reconsented after this date.

Waiver of authorization

Waiver of authorization may be granted by the IRB, but must satisfy specific following criteria:

  • the research could not feasibly be conducted without the waiver,
  • the research could not feasibly be conducted without access to the PHI,
  • the use or disclosure plan involves no more than minimal risk to a subject's privacy, and includes:
    • a plan to protect identifiers,
    • a plan to destroy identifiers at the earliest opportunity that's consistent with the goals of the study, unless there is a health or research justification for retaining them, and
    • written assurances that you won't reuse PHI.

NU has developed a "Request for Waiver of Authorization" Form available on the IRB web site.

Exceptions

Exceptions from HIPAA authorization may be approved by the IRB, if one of the following applies:

  • Information being used or disclosed is "de-identified" as defined by HIPAA
  • Information being used or disclosed constitutes a Limited Data Set
  • All use of individual health information is solely for preparation for research and no identifying information will be recorded or removed from the source
  • All research involves decedents and their information only
  • All research involves educational records or student health records.

NU has developed a "Exception from HIPAA Authorization" form available on the IRB Web site.


Northwestern University

Research Home  |  Research Administrative Offices  |  research@northwestern.edu

Office for Research - 633 Clark Street, Evanston, IL 60208-1108

The Office for Research promotes, facilitates and enhances research at Northwestern University.

© 2007-2009 Northwestern University

Northwestern Home | World Wide Web Disclaimer | University Policy Statements