Research Repositories Final

Apr 09, 2018

Kushum Sharma

8/8/2019 Research Repositories Final

Research Repositories, Databases, and the HIPAA Privacy Rule

Overview

Researchers in medical and health-related disciplines require access to many sources of health information, from archived medical records and epidemiological databases to disease registries, tissue repositories, hospital discharge records, and government compilations of vital and health records. As the Privacy Rule is implemented, researchers are asking how these rules might affect research that uses records within databases and repositories.

As of April 14, 2003, the Privacy Rule requires many health care providers and health insurers to obtain additional documentation from researchers before disclosing health information to them, and to scrutinize researchers' requests for access to health information more closely. Although the Privacy Rule introduces new rules for the use and disclosure of health information by covered entities for research, researchers can help to enable their continued access to health data by understanding the Privacy Rule and assisting health care entities covered by the Privacy Rule in meeting its requirements.

This fact sheet discusses the Privacy Rule and its potential to affect the creation of research databases and repositories, and research that uses identifiable health information in repositories and databases. Additional information about the Privacy Rule's potential impact on other research activities, such as clinical research, health services research, institutional review boards (IRBs) and Privacy Boards, can be found in related publications, including:

• Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (http://privacyruleandresearch.nih.gov/pdf/HIPAA_Booklet_4-14-2003.pdf)
• Health Services Research and the HIPAA Privacy Rule
• Clinical Research and the HIPAA Privacy Rule (http://privacyruleandresearch.nih.gov/pdf/clin_research.pdf)
• Institutional Review Boards and the HIPAA Privacy Rule (http://privacyruleandresearch.nih.gov/pdf/IRB_Factsheet.pdf)
• Privacy Boards and the HIPAA Privacy Rule (http://privacyruleandresearch.nih.gov/pdf/privacy_boards_hipaa_privacy_rule.pdf)

Introduction to the Privacy Rule

In response to a congressional mandate in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Department of Health and Human Services (HHS) issued regulations entitled "Standards for Privacy of Individually Identifiable Health Information." For most covered entities, compliance with these regulations, known as the Privacy Rule, was required as of April 14, 2003.

The Privacy Rule is a response to public concern over potential abuses of the privacy of health information. The Privacy Rule establishes a category of health information, referred to as protected health information (PHI), which may be used or disclosed to others only in certain circumstances or under certain conditions. PHI is a subset of what is termed individually identifiable health information. With certain exceptions, the Privacy Rule applies to individually identifiable health information created or maintained by a covered entity. Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain defined HIPAA transactions, such as claims or eligibility inquiries. Researchers are not themselves covered entities, unless they are also health care providers and engage in any of the covered electronic transactions. If, however, researchers are employees or other workforce members of a covered entity (e.g., a covered hospital or health insurer), they may have to comply with that entity's HIPAA privacy policies and procedures. Researchers who are not themselves covered entities, or who are not workforce members of covered entities, may be indirectly affected by the Privacy Rule if covered entities supply their data. The HHS and the Food and Drug Administration's (FDA) Protection of Human Subjects Regulations (45 CFR part 46 and 21 CFR parts 50 and 56, respectively) may also apply to research involving the development or use of research repositories and associated data.


Overview of the Privacy Rule's Impact on Repositories and Databases

The Privacy Rule was not intended to impede research using records within databases and repositories that include individuals' health information, but the Privacy Rule does place new conditions on the use and disclosure of PHI by covered entities for research. The creation of a research database or repository, and the use or disclosure of PHI from a database or repository for research, may each be considered a research activity under the Privacy Rule. For more specific information about how the Privacy Rule could affect health services research, refer to the related publication, Health Services Research and the HIPAA Privacy Rule.

It is important to know that the Privacy Rule permits covered entities, such as hospitals, clinics, and other health care providers, to continue amassing information on their patients for treatment, payment, and health care operations purposes, and to enter this information into their own databases without Authorization. The Privacy Rule also allows the disclosure of PHI to government-authorized public health authorities for disease surveillance, disease prevention, and other public health purposes, such as reporting disease and injury. When required by law, other disclosures are permitted, for example, state-mandated reporting to cancer registries. Covered entities may also continue to disclose PHI for adverse event and related reports to FDA and others for public health purposes (see section 164.512 of the Privacy Rule and additional information at http://www.cdc.gov/mmwr/early_release.html). Thus, many databases that are now used for records research continue to be maintained and updated, and will remain available to records researchers, although in some cases under new terms.

The Privacy Rule permits a covered entity to use or disclose PHI for research under the following circumstances and conditions:

• For reviews preparatory to research, if certain representations are obtained from the researcher
• For research solely on decedents' information, if certain representations are obtained from the researcher
• If the subject of the PHI has granted specific written permission through an Authorization
• If the covered entity receives appropriate documentation that an IRB or Privacy Board has granted a waiver or an alteration of the Authorization requirement
• If the PHI has been de-identified in accordance with the standards set by the Privacy Rule (in which case, the health information is no longer PHI)
• If the information is released in the form of a limited data set, with certain identifiers removed, and with a data use agreement between the researcher and the covered entity
• If informed consent of the individual to participate in the research, an IRB waiver of such informed consent, or other express legal permission to use or disclose the information for the research is grandfathered by the transition provisions

For some records and database research, Authorization may not be needed. Some of the most important exceptions to the Authorization requirement that pertain to research using repositories and databases are the waiver of Authorization and the limited data set.

Waiver or Alteration of the Authorization Requirement by an IRB or Privacy Board

For some types of research, it may be impracticable for researchers to obtain written Authorization from research participants, for example, for some research conducted on existing databases or repositories where no contact information is available. To address these situations, the Privacy Rule contains criteria for the waiver or alteration of the Authorization requirement by an IRB or another review body called a Privacy Board. The Privacy Rule permits a covered entity to use or disclose PHI for research purposes without Authorization (or with an altered Authorization), if the covered entity received proper documentation that an IRB or Privacy Board has granted a waiver (or an alteration) of the Authorization requirement for the research use or disclosure of PHI. The Privacy Rule establishes criteria to be evaluated by an IRB or Privacy Board in approving an Authorization waiver or alteration. For a covered entity to use or disclose PHI under a waiver or alteration of the Authorization requirement, it must receive documentation of, among other things, the IRB or Privacy Board's determination that the following criteria have been met:

• The PHI use or disclosure involves no more than a minimal risk to the privacy of individuals, based on at least the presence of (1) an adequate plan presented to the IRB or Privacy Board to protect PHI identifiers from improper use and disclosure; (2) an adequate plan to destroy those identifiers at the earliest opportunity, consistent with the research, absent a health or research justification for retaining the identifiers or if retention is otherwise required by law; and (3) adequate written assurances that the PHI will not be reused or disclosed to any other person or entity except (a) as required by law, (b) for authorized oversight of the research study, or (c) for other research for which the use or disclosure of the PHI is permitted by the Privacy Rule.
• The research could not practicably be conducted without the requested waiver or alteration.
• The research could not practicably be conducted without access to and use of the PHI.

Additional information about waivers and alterations of Authorization can be found in the publications Institutional Review Boards and the HIPAA Privacy Rule and Privacy Boards and the HIPAA Privacy Rule.

De-identified Data Sets

The Privacy Rule permits covered entities to release data that have been de-identified without obtaining an Authorization and without further restrictions upon use or disclosure, because de-identified data is not PHI and, therefore, not subject to the Privacy Rule. A covered entity may de-identify PHI in one of two ways. The first way, the safe-harbor method, is to remove all 18 identifiers enumerated at section 164.514(b)(2) of the regulations.[1] Data that are stripped of these 18 identifiers are regarded as de-identified, unless the covered entity has actual knowledge that it would be possible to use the remaining information, alone or in combination with other information, to identify the subject.

The second way is to have a qualified statistician[2] determine, using generally accepted statistical and scientific principles and methods, that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by the anticipated recipient to identify the subject of the information. The qualified statistician must document the methods and results of the analysis that justify such a determination.

It is important to know that the Privacy Rule permits a covered entity to assign to, and retain with, the de-identified health information a code or other means of record re-identification, if that code is not derived from or related to the information about the individual and is not otherwise capable of being translated to identify the individual. For example, an encrypted individual identifier (e.g., a social security number) would not meet the conditions for use as a re-identification code for de-identified health information, because it is derived from individually identified information. (See 67 Federal Register 53233, August 14, 2002.) In addition, the covered entity may not (1) use or disclose the code or other means of record identification for any purposes other than as a re-identification code for the de-identified data, and (2) disclose its method of re-identifying the information.

Limited Data Sets

Where only certain identifiers are needed, it may be permissible for a covered entity to provide a researcher with a limited data set. Limited data sets are data sets stripped of certain direct identifiers that are specified in the Privacy Rule. Limited data sets may be used or disclosed only for public health, research, or health care operations purposes. They are not de-identified information under the Privacy Rule. Importantly, unlike de-identified data, protected health information in limited data sets may include the following: addresses other than street name or street address or post office boxes, all elements of dates (such as admission and discharge dates), and unique codes or identifiers not listed as direct identifiers.[3]

Before disclosing a limited data set to a researcher, a covered entity must enter into a data use agreement with the researcher, identifying the researcher as the recipient of the limited data set, establishing how the data may be used and disclosed by the recipient, and providing assurances that the data will be protected, among other requirements. If the covered entity learns that the researcher has violated this agreement, the entity must take reasonable steps to end or repair the violation and, if such steps are unsuccessful, stop disclosing PHI to the researcher and report the problem to the HHS Office for Civil Rights. Additional information on limited data sets and data use agreements can be found in the booklet Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule.
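To make the three release forms just described concrete (the limited data set, safe-harbor de-identification, and the random re-identification code that may travel with de-identified data), here is an added Python example. It is not part of the NIH fact sheet. The record layout, field names, and sample record are assumptions chosen for illustration; the identifier lists in the code paraphrase the direct-identifier list at 164.514(e)(2) and the safe-harbor list at 164.514(b)(2) and should be checked against the regulation text before use.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Added example; not from the NIH fact sheet. Field names and the sample
# record are assumptions. The identifier categories paraphrase the
# direct-identifier list at 45 CFR 164.514(e)(2) and the safe-harbor list at
# 164.514(b)(2); check the regulation text before relying on either.
# Dates are ISO strings ("YYYY-MM-DD").

# Direct identifiers: removed from a limited data set AND from safe-harbor data.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "po_box", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
})
DATE_FIELDS = ("dob", "admission_date", "discharge_date", "date_of_death")


def to_limited_data_set(record):
    """Strip the listed direct identifiers (a denylist, as the rule is written).
    Full dates, city/state/zip and study codes stay, so the result is still
    PHI and may go to a researcher only under a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def to_safe_harbor(record, keep_fields, today):
    """Safe-harbor de-identification. Starts from an allowlist of research
    fields (so an unlisted unique code cannot slip through), keeps the state
    and the first three zip digits, reduces dates to the year, and reports
    ages over 89 as "90+" with the birth year removed.
    Assumption: the carve-out for three-digit zip areas with 20,000 or fewer
    people (which must become 000) is not modelled here."""
    out = {k: record[k] for k in keep_fields
           if k in record and k not in DIRECT_IDENTIFIERS}
    if "state" in record:
        out["state"] = record["state"]
    if "zip" in record:
        out["zip3"] = str(record["zip"])[:3]
    for f in DATE_FIELDS:
        if f in record:
            out[f + "_year"] = date.fromisoformat(record[f]).year
    if "dob" in record:
        dob, ref = date.fromisoformat(record["dob"]), date.fromisoformat(today)
        age = ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))
        if age > 89:
            out["age"] = "90+"
            del out["dob_year"]      # the birth year alone would reveal the age
        else:
            out["age"] = age
    return out


def has_direct_identifiers(data):
    """Pre-release check: True if any listed direct identifier is still present."""
    return any(k in DIRECT_IDENTIFIERS for k in data)


def attach_reid_code(deidentified, record, key_map):
    """Add a re-identification code that is random, hence neither derived from
    nor related to anything about the individual. The code -> MRN map stays
    with the covered entity and is never disclosed alongside the data."""
    code = secrets.token_hex(8)
    key_map[code] = record["mrn"]
    return {**deidentified, "reid_code": code}


def derived_code(ssn, key=b"covered-entity-key"):
    """The pattern to AVOID. The fact sheet's example is an encrypted SSN; a
    keyed hash is likewise derived from the identifier (and identical on every
    release), so data carrying it is not de-identified."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


# Constructed sample record (not real data).
SAMPLE = {
    "name": "Jane Doe", "street_address": "12 Elm St", "city": "Springfield",
    "state": "MA", "zip": "01101", "phone": "555-0100", "ssn": "123-45-6789",
    "mrn": "MRN-0001", "dob": "1910-05-02", "admission_date": "2002-03-10",
    "discharge_date": "2002-03-14", "diagnosis": "I10", "sex": "F",
    # A unique code: fine in a limited data set; in safe-harbor output only if
    # it meets the 164.514(c) re-identification-code conditions, so the
    # allowlist below leaves it out.
    "study_id": "S-7781",
}

if __name__ == "__main__":
    key_map = {}
    print("limited data set:", to_limited_data_set(SAMPLE))
    sh = to_safe_harbor(SAMPLE, ("diagnosis", "sex"), "2003-04-14")
    print("safe harbor:", attach_reid_code(sh, SAMPLE, key_map))
    print("held by the covered entity only:", key_map)
```

The design point is the direction of the filter. A limited data set is a denylist (strip the listed direct identifiers, keep everything else, and disclose only under a data use agreement), whereas the safe-harbor output is built from an allowlist so that an unlisted unique code cannot slip through, with dates collapsed to years and ages over 89 aggregated. A random code whose key map never leaves the covered entity satisfies the re-identification conditions; an HMAC of the SSN, like the encrypted SSN in the text, does not, because it is derived from the identifier.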

Activities Preparatory to Research

Covered entities may permit researchers to review PHI in medical records or elsewhere to prepare a research protocol, or for similar purposes preparatory to research. This review allows the researcher to determine, for example, whether a sufficient number or type of records exists to conduct the research. Importantly, the covered entity may not permit the researcher to remove any PHI from the covered entity. To permit the researcher to conduct a review preparatory to research, the covered entity must receive from the researcher representations that:

• The use or disclosure is sought solely to review PHI as necessary to prepare the research protocol or for other similar preparatory purposes.
• No PHI will be removed from the covered entity during the review.
• The PHI the researcher seeks to use or access is necessary for the research purposes.

Additional information on activities preparatory to research can be found in the publications Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule and Clinical Research and the HIPAA Privacy Rule.

Research Involving Decedents' PHI

A covered entity may provide access to decedents' records for research purposes if the covered entity receives from the researcher: representations that the decedents' PHI is necessary for the research and is being sought solely for research on the PHI of decedents (not, for example, living relatives of decedents); and, upon request of the covered entity, documentation of the deaths of the study subjects. No Authorization, and no alteration or waiver of Authorization by an IRB or Privacy Board, is needed for use or disclosure of PHI for research only on the PHI of deceased persons, if these conditions are met.

Other Privacy Rule Requirements

Minimum Necessary Standard

When using or disclosing PHI for research without an Authorization, a covered entity must make reasonable efforts to limit the PHI used or disclosed to the minimum necessary amount to accomplish the research purpose. If an IRB or Privacy Board has granted the researcher a waiver or an alteration of Authorization, a covered entity may reasonably rely upon the researcher's request, consistent with the description of PHI in documentation from the IRB or Privacy Board, as the minimum necessary amount of PHI for the research. Additional information on the minimum necessary standard can be found in the booklet Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule.

Right to an Accounting of Disclosures

The Privacy Rule grants individuals new rights, including the right to receive an accounting of disclosures made for research by a covered entity without the individual's Authorization (e.g., under a waiver of Authorization), except for disclosures of a limited data set. The individual has a right to such an accounting of disclosures made by a covered entity in the 6 years prior to the date on which the accounting is requested, not including the period prior to the compliance date. For such disclosures, in general, individuals who request an accounting must be told what PHI was disclosed, to whom it was disclosed, and the date and purpose of the disclosure. Covered entities must provide the address of the recipient, if known.

For certain research disclosures made by a covered entity, two other options exist for providing an accounting. When multiple disclosures of PHI are made to the same person or entity for a single purpose, the accounting for such disclosures may consist of the information described above for the first disclosure, plus the number or frequency of disclosures, and the date of the last disclosure during the time period covered by the request.

If, during the period covered by the accounting, the covered entity has disclosed the records of 50 or more individuals for a particular research purpose, the covered entity may provide a more general accounting to the requestor. The covered entity would provide the following information in the general accounting:

• The name and description of the protocols for which their PHI may have been disclosed
• A brief description of the type of PHI disclosed
• The date or period of time of the disclosures
• The contact information of the researcher and the research sponsor
• A statement that the PHI of the individual may or may not have been disclosed for a particular protocol or research activity

Section 164.528(b)(4)(ii) of the Privacy Rule requires that, upon request, the covered entity must help the individual contact the sponsor and researcher when it is reasonably likely that the individual's PHI was disclosed for a particular protocol. Additional information on accounting of disclosures can be found in the booklet Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule.
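An added example, not from the fact sheet, of how a covered entity could generate the accounting described above from its disclosure log: the 6-year window with the compliance-date floor, the exclusion of Authorization-based and limited-data-set disclosures, the collapsed form for repeated disclosures to one recipient for one purpose, and the general form once a purpose's disclosures cover 50 or more individuals. The log layout, field names, and sample rows are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Added example; not from the NIH fact sheet. The log layout, field names and
# the sample rows are assumptions. Dates are ISO strings ("YYYY-MM-DD").

COMPLIANCE_DATE = date(2003, 4, 14)
GENERAL_THRESHOLD = 50   # 164.528(b)(4): records of 50 or more individuals


@dataclass(frozen=True)
class Disclosure:
    individual_id: str
    disclosed_on: str        # ISO date
    recipient: str
    recipient_address: str   # "" when not known
    purpose: str             # protocol name
    phi_description: str
    basis: str               # "waiver", "authorization", "limited_data_set", ...
    researcher_contact: str = ""
    sponsor_contact: str = ""


def six_years_before(day):
    try:
        return day.replace(year=day.year - 6)
    except ValueError:                       # request made on 29 February
        return day.replace(year=day.year - 6, day=28)


def countable(d, requested_on):
    """A disclosure the individual may have accounted for: made without the
    individual's Authorization, not a limited data set, within the 6 years
    before the request and not before the compliance date."""
    if d.basis in ("authorization", "limited_data_set"):
        return False
    when = date.fromisoformat(d.disclosed_on)
    return max(six_years_before(requested_on), COMPLIANCE_DATE) <= when <= requested_on


def accounting(log, individual_id, requested_on):
    """Accounting of disclosures for one individual. Repeated disclosures to
    the same recipient for one purpose collapse to the first disclosure plus a
    count and the last date; a purpose whose disclosures covered 50 or more
    individuals is reported in the general form instead."""
    requested_on = date.fromisoformat(requested_on)
    in_window = sorted((d for d in log if countable(d, requested_on)),
                       key=lambda d: d.disclosed_on)   # ISO strings sort by date
    people, span = defaultdict(set), {}
    for d in in_window:
        people[d.purpose].add(d.individual_id)
        first = span.get(d.purpose, (d.disclosed_on, None))[0]
        span[d.purpose] = (first, d.disclosed_on)
    groups = defaultdict(list)
    for d in in_window:
        if d.individual_id == individual_id:
            groups[(d.recipient, d.purpose)].append(d)
    entries, general_done = [], set()
    for (recipient, purpose), ds in groups.items():
        first = ds[0]
        if len(people[purpose]) >= GENERAL_THRESHOLD:
            if purpose not in general_done:
                general_done.add(purpose)
                entries.append({
                    "form": "general", "protocol": purpose,
                    "phi_type": first.phi_description, "period": span[purpose],
                    "researcher_contact": first.researcher_contact,
                    "sponsor_contact": first.sponsor_contact,
                    "statement": "PHI may or may not have been disclosed for this protocol",
                })
            continue
        entry = {"form": "itemized", "date": first.disclosed_on, "recipient": recipient,
                 "address": first.recipient_address or None, "purpose": purpose,
                 "phi": first.phi_description}
        if len(ds) > 1:                          # same recipient, same purpose
            entry["count"], entry["last_date"] = len(ds), ds[-1].disclosed_on
        entries.append(entry)
    return entries


# Constructed sample log (not real data).
SAMPLE_LOG = [
    Disclosure("P1", "2004-02-01", "Dr. Lee", "1 Main St", "Study A", "discharge records", "waiver", "lee@example.org"),
    Disclosure("P1", "2004-05-01", "Dr. Lee", "1 Main St", "Study A", "discharge records", "waiver", "lee@example.org"),
    Disclosure("P1", "2005-01-15", "Dr. Lee", "1 Main St", "Study A", "discharge records", "waiver", "lee@example.org"),
    Disclosure("P1", "2002-06-01", "Dr. Lee", "1 Main St", "Study A", "discharge records", "waiver"),  # pre-compliance
    Disclosure("P1", "2004-03-01", "Registry", "", "Study B", "tumor data", "limited_data_set"),      # not accounted
    Disclosure("P1", "2004-04-01", "Dr. Kim", "", "Study D", "lab results", "authorization"),         # not accounted
] + [
    Disclosure(f"P{i}", "2006-09-01", "Data Center", "", "Study C", "claims", "waiver",
               "c@example.org", "sponsor@example.org")
    for i in range(1, 51)                        # 50 individuals, P1 among them
]

if __name__ == "__main__":
    for entry in accounting(SAMPLE_LOG, "P1", "2008-01-01"):
        print(entry)
```

Two choices worth noting: the window floor is the later of the 6-year cutoff and the compliance date, which is why the 2002 disclosure drops out, and the 50-individual count is taken over the whole log within the window rather than over the requester's own rows, since the threshold is a property of the research purpose, not of the individual.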

Frequently Asked Questions and Answers

Q: Are tissue repositories covered entities?

A: Not unless the organization maintaining the tissue repository conducts some other activity that makes it a covered entity. For example, tissue repositories that conduct testing of specimens for the benefit of transplant recipients based on another health care provider's orders would be covered providers under HIPAA if they conduct electronic transactions for which the HHS has adopted standards.

Q: A researcher does not receive names, addresses, social security or medical record numbers, or other obvious identifiers from data sources. If the IRB has not considered this data to be individually identifiable in the past, and thus determined that the research was not human subjects research under 45 CFR part 46, or that the research was exempt under 45 CFR 46.101(b), will this change under the Privacy Rule?

A: No. The Privacy Rule does not change the applicability or the requirements of the HHS and FDA Protection of Human Subjects Regulations. However, where the information sought by the researcher is held by a covered entity, the covered entity's use or disclosure of that information is subject to the Privacy Rule, unless the information is de-identified by the Privacy Rule's standards. The Privacy Rule's de-identification safe-harbor method is likely more stringent than what has been applied in the past to render information no longer identifiable for research purposes. De-identification under the Privacy Rule's safe-harbor standard may be accomplished through the removal of all 18 identifiers (section 164.514(b)(2) of the Privacy Rule). Alternatively, fewer identifiers may need to be removed for health information to be de-identified if a qualified statistician determines that the risk of re-identification is very small (section 164.514(b)(1) of the Privacy Rule).


The Privacy Rule also permits a covered entity to retain, with the de-identified health information, a code for re-identification as long as the code is not related to or derived from information about the individual and is not otherwise capable of being translated to identify the individual, and as long as the covered entity does not disclose its method of re-identification or use or disclose its code for other purposes (section 164.514(c) of the Privacy Rule). For example, a randomly assigned re-identification code would not make the de-identified information to which it is assigned PHI, because a random code would not be derived from or related to information about the individual.

Where a researcher needs data elements that would render the information identifiable under the Privacy Rule, but where certain direct identifiers (set forth in section 164.514(e)) are not needed, a limited data set may be sufficient for the research. A limited data set is information stripped of only the direct identifiers listed at section 164.514(e), which include, but are not limited to, the name and street address of the individual. To use or disclose a limited data set, the covered entity must enter into a data use agreement with the recipient of the information.

In practice, this means that records research that may not require IRB approval under the HHS Protection of Human Subjects Regulations still may require an Authorization or a waiver of Authorization under the Privacy Rule, or be subject to a data use agreement if a limited data set is used or disclosed.

Q: How may a covered entity use or disclose PHI for the creation of a research repository or database when it is unknown at the time of collection what specific protocols will make use of the repository or database in the future?

A: There are two separate activities to consider: (1) the use or disclosure of PHI for creating a research database or repository, and (2) the subsequent use or disclosure of PHI in the database for a particular research protocol.

A covered entity's use or disclosure of PHI to create a research database or repository, and use or disclosure of PHI from the database or repository for a future research purpose, are each considered a separate research activity under the Privacy Rule. In general, the Privacy Rule requires Authorization for each activity, unless, for example, an IRB or Privacy Board waives or alters the Authorization requirement. (See Overview of the Privacy Rule's Impact on Repositories and Databases.) Documentation of a waiver or an alteration of Authorization to use or disclose PHI to create a research database requires, among other things, a statement that an IRB or Privacy Board has determined that the researcher has provided adequate written assurances that PHI in the database will not be further used or disclosed except as permitted by the Privacy Rule (e.g., for research uses and disclosures with an Authorization or waiver). A covered entity also could use or disclose a limited data set to create a research repository or database under conditions set forth in a data use agreement.

For subsequent use or disclosure of PHI for research purposes from a repository or database maintained by the covered entity, the covered entity may:

• Obtain the individual's Authorization for the research use or disclosure of PHI, as specified under section 164.508
• Obtain documentation of an IRB or Privacy Board's waiver of the Authorization requirement that satisfies section 164.512(i)
• Obtain satisfactory documentation of an IRB or Privacy Board's alteration of the Authorization requirement, as well as the altered Authorization from the individual
• Use or disclose PHI for reviews preparatory to research, with representations that satisfy section 164.512(i)(1)(ii) of the Privacy Rule
• Use or disclose PHI for research on decedents' PHI, with representations that satisfy section 164.512(i)(1)(iii) of the Privacy Rule
• Provide a limited data set and enter into a data use agreement with the recipient, as specified under section 164.514(e)
• Use or disclose PHI based on permission obtained prior to the compliance date of the Privacy Rule: informed consent of the individual to participate in the research, an IRB waiver of such informed consent, or Authorization or other express legal permission to use or disclose the information for the research, as specified under section 164.532(c) of the Privacy Rule

A covered entity may also use or disclose PHI from databases and repositories for other purposes without Authorization as permitted by the Privacy Rule, such as if required by law or to a public health authority for a public health activity (e.g., disclosures to cancer registries). Covered entities may also de-identify PHI according to standards set forth in the Privacy Rule so that its use and disclosure are not protected by the Privacy Rule.

Q: May a single Authorization permit a covered entity to use or disclose PHI for multiple activities of a specific research study, including the collection and storage of tissues for only that study? Does the option for using a single Authorization differ if a research study also collects and stores PHI as part of a central repository for future research?

A: A single Authorization may cover uses and disclosures of PHI for multiple activities of a specific research study, including the collection and storage of tissues for that study. In addition, where two different research studies are involved, such as where a research study collects information for the study itself, and collects and stores PHI in a central repository for future research, the Privacy Rule generally would permit them to be combined into a single, compound Authorization form.

However, a compound Authorization is not allowed where the provision of research-related treatment, payment, or eligibility for benefits is conditioned on only one of the Authorizations, and not the other. See section 164.508(b)(3)(iii) of the Privacy Rule. For example, a covered entity that conducts an interventional clinical trial that also involves collecting tissues and associated PHI for storage in a central repository for future research would not be permitted to obtain a compound Authorization for both research purposes if research-related treatment is conditioned upon signing the Authorization for the clinical trial. Any compound Authorization must clearly specify the different research studies covered by the Authorization so the individual is adequately informed.

Q: How could the Privacy Rule affect research involving data from repositories or databases that were created prior to the Privacy Rule's compliance date (April 14, 2003)?

A: The Privacy Rule contains a transition provision that, under certain conditions, allows covered entities to continue to use or disclose PHI without an Authorization, or waiver or alteration of the Authorization requirement, in connection with ongoing research, including research involving repositories or databases. For many such uses and disclosures of PHI in connection with ongoing research, a covered entity may rely on any one of the following that was obtained prior to the compliance date:

• An Authorization or other express legal permission from an individual to use or disclose PHI for research
• The informed consent of the individual to participate in the research
• A waiver by an IRB of informed consent in accordance with applicable laws and regulations governing informed consent, unless informed consent is sought after the compliance date

If the transition provisions do not apply and the information is not de-identified, subsequent uses and disclosures of PHI from databases and repositories held by covered entities generally require an individual's Authorization unless otherwise permitted by the Privacy Rule (e.g., with a waiver of Authorization or as a limited data set).

    In addition, if the database or repository, which is held or maintained by a covered entity, contains only de-identified health information (which may include a re-identification code) meeting the Privacy Rule's requirements at section 164.514(a)-(c), the Privacy Rule does not apply.

    Q: Does the Privacy Rule apply if a covered entity maintains and conducts research on a database of pre-existing specimens and data that are considered exempt from the HHS Protection of Human Subjects Regulations?

    A: Yes, if the database contains PHI, the Privacy Rule applies. The covered entity, however, may de-identify the data by either: (1) removing the 18 identifiable data elements listed at section 164.514(b)(2) of the Privacy Rule and having no actual knowledge that the information could be used, alone or in combination with other information, to identify the subject; or (2) having a qualified statistician's certification, with appropriate documentation, that there is a very small risk of identification by an anticipated recipient. If the information is not de-identified, subsequent uses and disclosures of PHI from databases and repositories held by covered entities generally require an individual's Authorization unless otherwise permitted by the Privacy Rule (e.g., with a waiver of Authorization or as a limited data set).

    Q: A covered entity has a research repository and database of individually identifiable data for which the IRB waived informed consent for its creation and subsequent uses and disclosures of identifiable data prior to April 14, 2003. Is the covered entity required to obtain Authorization for research use and disclosure of PHI from the repository or database after April 14, 2003?

    A: No, because the waiver, as described, meets the transition provisions of the Privacy Rule at 164.532(c). However, if informed consent is being sought from specimen donors after the compliance date, Authorization by the donors will be needed unless an IRB approves a waiver of the Authorization requirement, or another permitted use or disclosure applies.

    Q: Does the Privacy Rule apply to databases held by covered entities that only receive de-identified participant data?

    A: No, so long as the health information is de-identified according to the Privacy Rule, the Privacy Rule does not apply to the database or to future uses and disclosures of de-identified data from the database.

    Q: May ongoing longitudinal studies continue after April 14, 2003?

    A: Yes. Permissions or waivers obtained prior to the Privacy Rule's compliance date of April 14, 2003, for ongoing longitudinal studies are grandfathered by the Privacy Rule if they meet the transition provisions at 164.532(c). For many such uses and disclosures of PHI in connection with ongoing research, a covered entity may rely on any one of the following that was obtained prior to the compliance date:

    - An Authorization or other express legal permission from an individual to use or disclose PHI for research
    - The informed consent of the individual to participate in the research
    - A waiver by an IRB of informed consent in accordance with applicable laws and regulations governing informed consent, unless informed consent is sought after the compliance date

    Q: A researcher requests data that assigns a code derived from the last four digits of the social security number. This code is necessary to link individual records from different data sources. The data contain none of the other listed HIPAA identifiers at section 164.514(b)(2). Are the data de-identified under the Privacy Rule?

    A: No. Under the Privacy Rule, a de-identified data set may not contain unique identifying codes, except for codes that have not been derived from or do not relate to information about the individual and that cannot be translated so as to identify the individual. A code derived from part of a social security number, medical record number, or other identifier does not meet this test.

    Q: Does the Privacy Rule permit a covered entity to de-identify health information or create a limited data set without obtaining Authorization, waiver of the Authorization requirement from an IRB or Privacy Board, or representations for reviews preparatory to research?

    A: Yes. In the Privacy Rule, creating de-identified health information or a limited data set is a health care operation of the covered entity, and thus, does not require the covered entity to obtain an individual's Authorization, a waiver of the Authorization requirement, or representations for reviews preparatory to research. If a business associate is hired by a covered entity to de-identify health information or create a limited data set, such activity must be conducted in accordance with the business associate requirements at sections 164.502(e) and 164.504(e).

    Q: What is a limited data set, and what are its advantages?

    A: A limited data set is PHI that does not include a specified list of direct identifiers. The limited data set is not considered to be de-identified information, and unlike de-identified information, a limited data set may include identifiers such as ZIP codes, elements of dates, and unique identifiers not listed as direct identifiers at section 164.514(e). The advantage of a limited data set is that even though it is not de-identified, it can still be used or disclosed for research purposes without an Authorization or a waiver of the Authorization requirement. A covered entity must, however, enter into a data use agreement with the recipient of the limited data set before using or disclosing it. (See section 164.514(e) of the Privacy Rule.)

    Q: What types of information (direct identifiers) must be omitted from PHI in order to qualify the information as a limited data set?

    A: All the following direct identifiers of the individual or of relatives, employers, or household members of the individual must be removed:

    - Name
    - Street name or street address or post office box (i.e., not including city, state, or ZIP code)
    - Telephone and fax numbers
    - Email address
    - Social security number
    - Certificate/license numbers
    - Vehicle identifiers and serial numbers
    - URLs and IP addresses
    - Full-face photos and other comparable images
    - Medical record numbers, health plan beneficiary numbers, and other account numbers
    - Device identifiers and serial numbers
    - Biometric identifiers, including finger and voice prints

    Q: What is the difference between a de-identified data set and a limited data set?

    A: A de-identified data set is one in which either: (1) the 18 identifiers specified in 164.514(b)(2)(i) have been removed and the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify the individual (safe harbor method); or (2) a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines the risk is very small that the information could be used by the recipient, alone or in combination with other reasonably available information, to identify an individual (section 164.514(b)(1)), and documents the basis for such determination. A de-identified data set is not protected by the Privacy Rule and may be used and disclosed without restriction.

    A limited data set is one that excludes the direct identifiers in 164.514(e)(2). Unlike a de-identified data set, a limited data set is PHI because it may include dates, city, state, and ZIP codes, and other unique identifying codes or characteristics not listed as direct identifiers. A limited data set may be used or disclosed, without Authorization, for research, public health, or health care operations purposes, in accordance with section 164.512(e), only if the covered entity and limited data set recipient enter into a data use agreement. However, if the use or disclosure could be made under another provision of the Privacy Rule, such as for public health purposes in accordance with section 164.512(b), such agreement is not required.

    Q: Are an individual's initials considered to be identifiers under the Privacy Rule?

    A: Yes, because an individual's name is an identifier and initials are derived from the individual's name, initials are considered identifiers under the Privacy Rule. Thus, for information to be de-identified using the safe harbor method of the Privacy Rule, an individual's initials must be stripped from the information. However, it may be possible for initials to remain as part of de-identified information if the statistical method for de-identification at section 164.514(b)(1) allows it.

    Q: May a limited data set include the geographic subdivision code with the five-digit ZIP code (or a nine-digit ZIP code)?

    A: Yes, the limited data set may include the five-digit or nine-digit ZIP code plus any other geographic subdivision, such as state, county, city, precinct, and their equivalent geocodes, except for street name or street address or post office box.

    Q: May a covered entity use or disclose PHI to locate or identify the whereabouts of a research participant (e.g., subjects who are lost to follow-up)?

    A: A covered entity is permitted to use or disclose PHI to identify or locate the whereabouts of a research participant during the study as long as the use or disclosure is not limited in the individual's Authorization (or grandfathered prior permission, if relevant) or waiver or alteration of Authorization. In addition, such use or disclosure is permissible if, for example, it is necessary for treatment of the individual or for a permissible public health purpose.

    Q: What special requirements apply to research involving PHI from mental health providers?

    A: The Privacy Rule provides individuals special protection for psychotherapy notes, which are notes recorded by a mental health provider that document or analyze counseling session conversations, and are maintained separately from the medical record. Unless the covered provider obtained, prior to the compliance date, the individual's informed consent or other express legal permission for the research or an IRB waiver of informed consent for the research, a covered entity may not use or disclose these notes for research without the individual's written Authorization. Information in the medical record and certain types of information, even if maintained separately from the medical record (e.g., information about test results, length and frequency of treatment, diagnosis, symptoms, or progress), is excluded from the definition of psychotherapy notes and may be released to researchers who obtain an Authorization or a waiver of Authorization from an IRB or Privacy Board, as part of a limited data set, or, if appropriate, for reviews preparatory to research or for research involving decedents' information where required representations are obtained. Special requirements also apply to compound authorizations involving the use or disclosure of psychotherapy notes. (See section 164.508(b)(3)(ii) of the Privacy Rule.) Various state laws governing the use or disclosure of mental health records, including psychotherapy notes, which are more stringent than the Privacy Rule provisions, may also apply.

    Q: How does the Privacy Rule apply to research involving blood or tissue samples?

    A: Under the Privacy Rule, neither blood nor tissue, in and of itself, is considered individually identifiable health information; therefore, research involving only the collection of blood or tissue would not be subject to the Privacy Rule's requirements. Remember, however, that blood and tissue are often labeled with information (e.g., admission date or medical record number) that the Privacy Rule considers individually identifiable and thus PHI. A covered entity's use or disclosure of this information for research is subject to the Privacy Rule. In addition, the results from an analysis of blood and tissue, if containing or associated with individually identifiable information, would be PHI.

    Q: Do the transition provisions apply to a surgical consent obtained by a covered provider that was signed or agreed to prior to the removal of tissues that were later added to a repository?

    A: Yes, the transition provisions would apply in this case if, in the surgical consent or other express legal permission, the individual specifically agreed to the use and disclosure of PHI for research.

    Q: Do the transition provisions at section 164.532(c) of the Privacy Rule apply to informed consent or waiver of informed consent to store and use PHI in a repository or database that was obtained before the compliance date?

    A: Yes. HHS has stated, "some express legal permissions and informed consents have not been study-specific and sometimes authorize the use or disclosure of information for future unspecified research. Furthermore, some IRB-approved waivers of informed consent have been for future unspecified research. Therefore, the final Rule at [section] 164.532 permits covered entities to rely on an express legal permission, informed consent, or IRB-approved waiver of informed consent for future unspecified research, provided the legal permission, informed consent or IRB-approved waiver was obtained prior to the compliance date." (See 67 Federal Register 53226, August 14, 2002.)

    Q: Does the Privacy Rule limit, to specific types of research studies, disclosures permitted as preparatory to research or for research on decedents' information?

    A: No. The Privacy Rule does not limit the types of research studies that may rely upon the provisions for reviews preparatory to research or for research on decedents' information set forth at section 164.512(i). However, representations made to satisfy these provisions must include, among other requirements at sections 164.512(i)(1)(ii) and 164.512(i)(1)(iii), a statement that the use or disclosure of protected health information is necessary for the research purposes.

    Q: Does the Privacy Rule restrict access for research purposes to information held by the Medicaid or SCHIP programs?

    A: Yes. Local and state Medicaid authorities are covered entities under HIPAA, as are the State Children's Health Insurance Program (SCHIP) programs. These agencies or programs are covered under the Privacy Rule because they are listed in the Privacy Rule's definition of a health plan. All SCHIP programs and state Medicaid agencies must consequently comply with the Privacy Rule; if they are hybrid entities, they must ensure that their designated health care components comply with the Privacy Rule. These government units will have some mechanism (a privacy officer, a Privacy Board, and/or an IRB) for controlling access to PHI for research purposes. A researcher will need to identify the responsible party and discuss with that office or official the ways in which access to PHI may be granted for research.

    Q: In conducting records research, will a researcher who is a covered entity still be required to comply with state laws relating to medical records privacy, such as state HIV/AIDS confidentiality laws?

    A: Probably. If the state law does not conflict with the Privacy Rule, the state law is not preempted by HIPAA, and the covered entity will be required to comply with both the state law and the Privacy Rule. If the state law conflicts with a provision of the Privacy Rule, the Privacy Rule has a preemption provision that allows state medical privacy laws to remain in place if they are more stringent than the federal privacy standards. The Privacy Rule does not prohibit states from adopting privacy protections that are more stringent than the federal privacy standards.

    Q: I am a researcher, and my research data source is asking me to sign a business associate agreement. Is this necessary?

    A: Business associates are persons who perform certain services for, or functions or activities on behalf of, the covered entity that require access to PHI, but who are not part of the workforce of the covered entity. If the data source is not a covered entity, no business associate contract is required because the Privacy Rule only applies to covered entities.

    If the data source is a covered entity, whether a business associate contract is required depends on the services, functions, or activities that the researcher is providing to or performing for the covered entity. Researchers are not business associates solely by virtue of their own research activities (although they may become business associates in some other capacity, e.g., if de-identifying PHI on behalf of a covered entity). A business associate agreement will typically be a legally enforceable contract, so a researcher may wish to consult legal counsel before signing one.

    Q: Does a covered entity need to account for disclosures of PHI contained in a limited data set?

    A: No. The accounting requirement does not apply to limited data set disclosures.

    1 The following identifiers of the individual or of relatives, employers, or household members of the individual must be removed: (1) names; (2) all geographic subdivisions smaller than a state, except for the initial three digits of the ZIP code if the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; (3) all elements of dates except year, and all ages over 89 or elements indicative of such age; (4) telephone numbers; (5) fax numbers; (6) email addresses; (7) social security numbers; (8) medical record numbers; (9) health plan beneficiary numbers; (10) account numbers; (11) certificate or license numbers; (12) vehicle identifiers and license plate numbers; (13) device identifiers and serial numbers; (14) URLs; (15) IP addresses; (16) biometric identifiers; (17) full-face photographs and any comparable images; (18) any other unique, identifying characteristic or code, except as permitted for re-identification in the Privacy Rule.

    2 A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable.

    3 The following direct identifiers must be removed for PHI to qualify as a limited data set: (1) names; (2) postal address information, other than town or city, state, and ZIP code; (3) telephone numbers; (4) fax numbers; (5) email addresses; (6) social security numbers; (7) medical record numbers; (8) health plan beneficiary numbers; (9) account numbers; (10) certificate or license numbers; (11) vehicle identifiers and license plate numbers; (12) device identifiers and serial numbers; (13) URLs; (14) IP addresses; (15) biometric identifiers; and (16) full-face photographs and any comparable images.
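The de-identification rules the fact sheet describes, as an added example that is not part of the NIH publication: a Python sketch of the safe harbor method of 164.514(b)(2) (the identifier list in footnote 1, including the three-digit ZIP rule and the age cap) beside the limited data set of 164.514(e), together with the page's point that a linkage code derived from the last four SSN digits is not permitted while a random re-identification code held only by the covered entity is. The field names, the ZIP3 population table and the patient record are constructed for this example.

```python
import re
import secrets
from datetime import date

# Constructed ZIP3 population table (not census data) for the 20,000-person rule.
ZIP3_POPULATION = {"021": 450_000, "036": 12_000}

# Field names are assumptions for this example, not taken from the fact sheet.
DIRECT_IDENTIFIERS = {"name", "street", "phone", "fax", "email", "ssn", "mrn",
                      "plan_id", "account", "license", "vehicle", "device_serial",
                      "url", "ip", "biometric", "photo"}
# Sub-state geography stays in a limited data set but is removed by the safe harbor.
SUBSTATE_GEOGRAPHY = {"city", "county"}


def is_derived(code, identifier):
    """Heuristic for the page's "not derived from" test: the code reuses a run of
    four or more digits from the identifier (e.g. the last four SSN digits)."""
    digits = re.sub(r"\D", "", identifier)
    return any(digits[i:i + 4] in code for i in range(len(digits) - 3))


def limited_data_set(record):
    """164.514(e) limited data set: the 16 direct identifiers are removed, while
    dates, city, state, ZIP and other codes remain. Still PHI; disclosure needs
    a data use agreement."""
    return {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIERS}


def safe_harbor(record, key_table):
    """164.514(b)(2) safe harbor: drop direct identifiers and sub-state geography,
    keep ZIP3 only where the ZIP3 area exceeds 20,000 people, reduce dates to the
    year, collapse ages over 89, and attach a random re-identification token that
    is not derived from any identifier. key_table (token -> MRN) is retained by
    the covered entity and is never disclosed with the data."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SUBSTATE_GEOGRAPHY:
            continue
        if field == "zip":
            zip3 = value[:3]
            if ZIP3_POPULATION.get(zip3, 0) > 20_000:
                out["zip3"] = zip3
        elif field == "age":
            out["age"] = "90+" if value > 89 else value
        elif isinstance(value, date):
            out[field + "_year"] = value.year
        else:
            out[field] = value
    token = secrets.token_hex(8)
    while is_derived(token, record.get("ssn", "")):  # regenerate on accidental overlap
        token = secrets.token_hex(8)
    key_table[token] = record["mrn"]
    out["rid"] = token
    return out


# Constructed sample record (all values are made up).
PATIENT = {"name": "Jane Q. Example", "street": "12 Main St", "city": "Boston",
           "state": "MA", "zip": "02115", "ssn": "123-45-6789", "mrn": "MRN-0042",
           "age": 93, "admit_date": date(2002, 6, 3), "diagnosis": "J45"}

if __name__ == "__main__":
    print("SSN-derived code fails:", is_derived("L" + PATIENT["ssn"][-4:], PATIENT["ssn"]))
    print("safe harbor:", safe_harbor(PATIENT, {}))
```

The safe harbor output for the sample record keeps only state, ZIP3, year of admission, the "90+" age band, the diagnosis and the random token, whereas the limited data set keeps city, full ZIP and full date and so remains PHI.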

    NIH Publication Number 04-5489 January 2004