HIPAA FAQs

What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act, a federal law passed in 1996 and modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”). HIPAA affects the healthcare and health insurance industries and has several goals.

One of the major objectives is to ensure that employees have uninterrupted health insurance coverage as they move from one job to another. Another part of the legislation directly affects healthcare providers. The goal of this section (referred to as Title II: Administrative Simplification) is to improve the efficiency of the healthcare system through the increased use of electronic information systems. The law requires the Department of Health and Human Services (“DHHS”) to develop regulations that set national standards for electronic transactions between healthcare providers and insurance companies.

An additional, fundamental goal of the HIPAA regulations is to protect the privacy and confidentiality of protected health information (“PHI”). DHHS sets and enforces national standards to accomplish this key objective. In general, the law defines protected health information as information created by a healthcare provider, for use in the treatment of an individual or to obtain payment for such treatment, that is likely to identify that individual. The DHHS requirements are incorporated into the University’s policies concerning the privacy, confidentiality, and security of protected health information.

“Covered entity” is the term that the HIPAA regulations use to describe the businesses and individuals in the health care industry that are subject to HIPAA regulations. Specifically, covered entities are health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with the following transactions: health care claims or encounter information, health care payment and remittance advice, coordination of benefits, health care claim status, enrollment, disenrollment, or eligibility information regarding health plans, health plan premium payments, referral certification and authorization, first report of injury, or health claims attachments.

Protected Health Information, or PHI, describes the specific health care information that HIPAA is intended to protect. PHI is information in any form that can be linked to a particular person, that is created or received by a health care provider, health plan, employer, or health care clearinghouse, and that relates to that person’s health or to payment for their health care. PHI does not include individually identifiable health information in personnel records or in education records covered by the Family Educational Rights and Privacy Act (“FERPA”).

HIPAA regulations define using PHI not just in terms of who receives the information but how it may be used. Examples of HIPAA requirements include:

  • Strict standards for the physical and electronic security of PHI.
  • Restricted access to PHI for in-house personnel on a “need to know” basis.
  • Maintenance of a record of disclosures of PHI, to which an individual may obtain access.
  • A right for each patient to obtain copies of his or her PHI, and a process for responding to patient requests for amendment of the PHI record.
  • Requirement to provide a notice of privacy practices to all patients.
  • Requirement to obtain authorization from an individual, or obtain a waiver of authorization from the Institutional Review Board, for the use and/or disclosure of that individual’s PHI for research purposes.

The following web sites offer comprehensive information about HIPAA:

For HIPAA questions specifically related to UMKC, contact the Research Compliance Office.

The HIPAA privacy regulations, codified as the Privacy Rule, apply only to covered entities and their business associates. The Privacy Rule regulates the way covered entities and business associates handle PHI and establishes the conditions under which they may use or disclose PHI for many purposes, including research. Although not all research involving health information is subject to the Privacy Rule, the Privacy Rule can affect certain aspects of research. It does affect research that relies upon the use or disclosure of PHI from covered entities, including clinical research, bio-repositories and databases, and health services research.

HIPAA requires that research study subjects who will receive health care treatment as part of the study sign a written authorization allowing the use of their PHI for the research study, or that a privacy board or Institutional Review Board waive the authorization requirement. This authorization is separate from a research study subject’s consent for treatment. Research-generated PHI that may be applied to treatment decisions is subject to HIPAA’s medical record requirements.

HIPAA is a floor of personal health information protections for health care consumers. Individuals whose PHI is used in research are human subjects research participants and are therefore entitled to the identifiable private information protections of the Common Rule as well as the health information protections of HIPAA.

When a health care activity is performed within the research study itself (for example, a clinical trial or other clinical intervention study), any individual clinical record information generated within that research is PHI and is subject to all the HIPAA regulations that apply to PHI in the health care treatment, payment, and operations records of the health care provider, health plan, and/or health care clearinghouse. For example, clinical information generated within a research study may be simultaneously entered into the clinical record of an individual patient and into the research data set intended to produce generalizable knowledge. The research use of the PHI, and all protections of the privacy and security of the research data set, must be in accord with the terms and conditions of the IRB approval, the informed consent, and the authorization, as well as relevant institutional policies on data privacy and security.

Individually identifiable health information created within a research study is not PHI subject to HIPAA when all three of the following conditions hold:

  1. no health care is performed as an activity within the research study, and
  2. there is no billing for health care treatment within the research study, and
  3. the individually identifiable health information created within the study (by obtaining health information or health measurements directly from the human participant) is not expected to be shared by the researchers with the individual’s health care provider or health plan, nor included in the individual’s medical records, except in the unanticipated occurrence of a potential adverse event.

One example might be an exercise study that collects personal health data directly from the research participant and performs some health screening tests (blood pressure measurements, etc.). Such a study provides no health care, does not bill for any health care treatment or service, and transmits no individual health information about participants to a medical record (although participants may personally pass the information to their health care providers or others at their own discretion).

Three additional important points in this scenario:

  1. It must be made clear to research participants that the researchers do not intend to share the individually identifiable health information generated within the research study with the participants’ health care providers, medical records, or health plans, except in the event of a potential adverse event that requires the information to be shared so the individual can receive appropriate health care. This clarification is particularly vital in studies where the researcher also functions as a health care provider in other situations, where health measurements are performed by the researchers, or where the study occurs in a setting that appears clinical.
  2. If the individually identifiable health information is shared with the individual’s health care provider, either (a) voluntarily by the individual or (b) by the researcher in response to a potential adverse event, then the information becomes PHI in the records of the health care provider. That status does not reach back to make the same information PHI in the separate research data set where it was originally generated.
  3. Individually identifiable health information that is not PHI is still potentially sensitive personal information and should be treated with privacy and confidentiality protections commensurate with its sensitivity and with the pledges made to the human participants about its use and disclosure.

Clinical treatment performed in the course of a clinical research study must be handled in accord with the appropriate medical practices regarding entry of the individual’s treatment data into the medical record. The research use of the information must be disclosed and authorized in both the authorization and the informed consent documents that the research participant signs. These documents should specify how PHI created in the course of a research study will be treated, for example:

  • how PHI will be used in the research study,
  • whether any of the data will be entered into the medical record, and
  • whether the information will be shared with any health plan for payment purposes for any activities included within the study participation.

A de-identified data set is health information from which the following identifiers of the individual, or of relatives, employers, or household members of the individual, have been removed (the regulation’s “safe harbor” method of de-identification):

  • Names;
  • All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
      ◦ the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
      ◦ the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints;
  • Full face photographic images and any comparable images; and
  • Any other unique identifying number, characteristic, or code, other than dummy identifiers that are not derived from actual identifiers and for which the re-identification key is maintained by the health care provider and not disclosed to the researcher;

In addition, the covered entity may not consider the information de-identified if it has actual knowledge that the information could be used, alone or in combination with other information, to identify an individual who is a subject of the information.
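The identifier list above is mechanical enough to encode, and the two rules that are most often implemented wrongly are the zip-code prefix test (the three-digit prefix survives only where the combined population exceeds 20,000, otherwise it becomes 000) and the age-over-89 rule (the age collapses to “90 or older” and the birth year itself must go, because it alone reveals the age). The following filter is an added example written for this page; it is not UMKC’s code or any DHHS tool. The field names, the sample record, and the ZIP3_POPULATION table are all constructed for the demonstration; a real filter must take the prefix populations from current Census data. The final regex scan of the surviving free-text fields is a minimal stand-in for the “actual knowledge” check, not a substitute for it.

```python
"""Safe harbor de-identification of a flat patient record (added example)."""
import re
from datetime import date

# CONSTRUCTED for this example: population of the area covered by each
# three-digit zip prefix.  Real use must load current Census figures.
ZIP3_POPULATION = {
    "641": 500_000,  # well over 20,000: the prefix may be kept
    "036": 15_000,   # 20,000 or fewer: the prefix must become "000"
}

# Assumed field names for direct identifiers; the whole field is dropped.
# Street, city and county are geographic units smaller than a State.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Identifiers that tend to hide in free text: SSN, e-mail address, phone.
RESIDUAL = re.compile(
    r"\b\d{3}-\d{2}-\d{4}\b|[\w.+-]+@[\w-]+\.[\w.]+|\b\d{3}[-.]\d{3}[-.]\d{4}\b"
)

AS_OF = date(2024, 1, 1)  # fixed reference date so the output is reproducible


def safe_harbor_zip(zip_code, population=ZIP3_POPULATION):
    """Keep the 3-digit prefix only if its area has more than 20,000 people;
    an unknown prefix is treated as small and also becomes "000"."""
    digits = re.sub(r"\D", "", str(zip_code))[:3]
    return digits if population.get(digits, 0) > 20_000 else "000"


def age_on(birth, as_of):
    """Whole years between a birth date and a reference date."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def de_identify(record, as_of=None):
    """Return a copy of `record` with the safe harbor identifiers removed.
    Raises ValueError if a surviving text field still carries an identifier."""
    as_of = as_of or date.today()
    birth = record.get("birth_date")
    over_89 = isinstance(birth, date) and age_on(birth, as_of) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key in DATE_FIELDS and isinstance(value, date):
            # Year only; for patients over 89 the birth year is itself
            # indicative of age, so it is dropped entirely.
            if key == "birth_date" and over_89:
                continue
            out[key + "_year"] = value.year
        elif key == "age":
            out["age"] = "90 or older" if value > 89 else value
        else:
            out[key] = value
    if over_89:
        out["age"] = "90 or older"
    leaks = [k for k, v in out.items() if isinstance(v, str) and RESIDUAL.search(v)]
    if leaks:
        raise ValueError(f"residual identifiers in fields: {leaks}")
    return out


# CONSTRUCTED sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0001",
    "email": "jane.doe@example.com",
    "zip": "03601",
    "state": "NH",
    "birth_date": date(1930, 5, 1),
    "admission_date": date(2023, 3, 14),
    "diagnosis": "I10",
    "notes": "Patient prefers morning appointments.",
}


def demo():
    """De-identify the constructed sample as of AS_OF (age 93, small zip3)."""
    return de_identify(SAMPLE_RECORD, as_of=AS_OF)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` leaves `{'zip3': '000', 'state': 'NH', 'admission_date_year': 2023, 'diagnosis': 'I10', 'notes': ..., 'age': '90 or older'}`: the name, MRN and e-mail are gone, the sparsely populated 036 prefix collapsed to 000, the admission date kept only its year, and the birth year was dropped rather than bucketed because the patient is over 89. The same record with a note containing a phone number is rejected instead of silently passed through.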

An authorization is a document required by HIPAA that sets out the terms and conditions of permission to use specified PHI from specified health care providers for a specified research project. Except for authorizations to use psychotherapy notes in research, which must always be stand-alone documents, an authorization can be combined with the informed consent document. However, some features of an authorization may be easier to handle in a separate document, including the requirements that the authorization be kept for six years following its last effective date and that it may be revoked only in writing, as well as the need to present a copy of the authorization to health care providers (or health plans or health care clearinghouses) to obtain the authorized access to PHI in their records.

De-identified data sets do not contain any individually identifiable health information, are not considered PHI, and are not subject to HIPAA. Neither authorization nor waiver of authorization nor a data use agreement is required by HIPAA for a covered entity to disclose de-identified data for use in research.

No. The de-identified information does not lose its de-identification status simply by virtue of identification of the disclosing site. This is true as long as one other HIPAA caveat is met: the disclosing covered entity does not have actual knowledge that the de-identified information could be used alone or in combination with other information available to individuals outside the covered entity to identify an individual who is the subject of the information.