The Health Insurance Portability and Accountability Act (HIPAA) is the Federal legislation that authorized the Department of Health and Human Services Secretary to write the Federal medical privacy regulations known as the “Privacy Rule.” The Privacy Rule governs all uses and disclosures of Protected Health Information (PHI) by persons and entities subject to these regulations.
HIPAA protects the PHI of both living individuals and deceased persons (“decedents”). By contrast, the federal Common Rule that governs activities involving human subjects in research pertains to the living only.
Under the Privacy Rule, PHI is defined as individually identifiable health information that is created or received by a “covered entity.”
The Privacy Rule defines a covered entity as the following: a health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with any of the HIPAA standard transactions, which include billing and claims verification.
Note that a provider, such as an individual practitioner or small clinic, which does not personally conduct HIPAA electronic transactions, is nonetheless a covered entity if the provider contracts with a billing agency or other entity that performs standard transactions on the provider’s behalf.
The Privacy Rule defines both:
The Privacy Rule permits organizations, such as New York University, that engage in both health care and other functions to designate which components of the organization are covered by the Privacy Rule, and to limit compliance with the Privacy Rule to only these covered “health care components.”
The University has elected to treat itself as a “hybrid entity” and has designated the School of Medicine, College of Dentistry and University Health Center as its "covered" components. These covered components must comply with the Privacy Rule, which includes regulations to prevent the unauthorized disclosure of PHI from a covered to a non-covered component.
The Privacy Rule specifies all permitted uses and disclosures of PHI by a covered entity, including the circumstances under which information may be disclosed to another entity. Specifically, a covered entity may only use and disclose PHI without a patient’s written permission (“authorization”) for certain routine purposes (treatment, payment, and health care operations), as required by law, and for certain regulatory, law enforcement, public health, and other purposes.
If a particular use or disclosure of PHI does not fit one of the permitted categories or HIPAA exceptions, the covered entity may not make the use or disclosure without written patient authorization in a specified form.
The Privacy Rule includes specific provisions for the use and disclosure of PHI for research purposes. These requirements place responsibilities on the:
To meet these regulatory requirements, covered entities must require researchers who wish to create or use PHI in research to:
In the case of applicants to the UCAIHS planning to use PHI derived from or through a cooperating institution that is a covered entity with an IRB / Privacy Board, it is likely that the HIPAA application and approval process will take place as part of the IRB review at the cooperating institution.
An investigator, however, may need to provide, on request of the UCAIHS, affirmative evidence beyond an IRB approval that the use of PHI has been approved by the IRB / Privacy Board of the cooperating institution. The investigator may also be requested to provide additional information on the use of PHI as part of the application to the UCAIHS for approval of activities involving human subjects.
Although the HIPAA Privacy Rule defines research in the same way as the Common Rule governing activities involving human subjects, the Privacy Rule is a separate regulation and places new and different conditions upon the use and disclosure of PHI by covered entities for research purposes.
Such information may only be revealed for research with a subject’s written authorization unless:
The School of Dentistry, which is one of the University’s covered components under HIPAA, presents a special case for researchers who plan to use Protected Health Information (PHI).
In most cases, these investigators will make application for both human subjects and HIPAA approval through the IRB at the New York University School of Medicine. However, a researcher at the NYU School of Dentistry whose proposed research involves “merely the collection or study of existing data, documents, records, pathological or diagnostic specimens, where publicly available, or where the information is private but identifiers are not recorded,” need only apply to the UCAIHS and should include a request for a Waiver of HIPAA Authorization as part of the application.
The request for the Waiver of Authorization form may be obtained from the Associate Dean for Research at the School of Dentistry.