Tutorial Chapter 5: What do HIPAA regulations entail and how do they relate to the regulations governing human subjects?

The Health Insurance Portability and Accountability Act (HIPAA) is the Federal legislation that authorized the Department of Health and Human Services Secretary to write the Federal medical privacy regulations known as the “Privacy Rule.” The Privacy Rule governs all uses and disclosures of Protected Health Information (PHI) by persons and entities subject to these regulations.

HIPAA protects the PHI of both living individuals and deceased persons (“decedents”). By contrast, the federal Common Rule that governs activities involving human subjects in research pertains to the living only.

Under the Privacy Rule, PHI is defined as individually identifiable health information that is created or received by a “covered entity.”

The Privacy Rule defines a covered entity as the following: a health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with any of the HIPAA standard transactions, which include billing and claims verification.

Note that a provider, such as an individual practitioner or small clinic, which does not personally conduct HIPAA electronic transactions, is nonetheless a covered entity if the provider contracts with a billing agency or other entity that performs standard transactions on the provider’s behalf.

The Privacy Rule defines both:

The Privacy Rule permits organizations such as New York University which engage in both health care and other functions to designate which components of the organization are covered by the Privacy Rule, and to limit compliance with the Privacy Rule to only these covered “health care components.”

The University has elected to treat itself as a “hybrid entity” and has designated the School of Medicine, College of Dentistry and University Health Center as its "covered" components. These covered components must comply with the Privacy Rule, which includes regulations to prevent the unauthorized disclosure of PHI from a covered to a non-covered component.

The Privacy Rule specifies all permitted uses and disclosures of PHI by a covered entity, including the circumstances under which information may be disclosed to another entity. Specifically, a covered entity may only use and disclose PHI without a patient’s written permission (“authorization”) for certain routine purposes (treatment, payment, and health care operations) as required by law, and for certain regulatory, law enforcement, public health, and other purposes.

If a particular use or disclosure of PHI does not fit one of the permitted categories or HIPAA exceptions, the covered entity may not make the use or disclosure without written patient authorization in a specified form.

The Privacy Rule includes specific provisions for the use and disclosure of PHI for research purposes. These requirements place responsibilities on the:

  • researcher
  • covered entity which is being asked to provide or release the PHI
  • organization with which the researcher may be affiliated.

To meet these regulatory requirements, covered entities must require researchers who wish to create or use PHI in research to:

  • comply with HIPAA policies and procedures
  • submit HIPAA documentation and forms for review and approval in connection with a research study.

In the case of applicants to the UCAIHS planning to use PHI derived from or through a cooperating institution that is a covered entity with an IRB / Privacy Board, it is likely that the HIPAA application and approval process will take place as part of the IRB review at the cooperating institution.

An investigator, however, may need to provide, on request of the UCAIHS, affirmative evidence beyond an IRB approval that the use of PHI has been approved by the IRB / Privacy Board of the cooperating institution. The investigator may also be requested to provide additional information on the use of PHI as part of the application to the UCAIHS for approval of activities involving human subjects.

Although the HIPAA Privacy Rule defines research in the same way as the Common Rule governing activities involving human subjects, the Privacy Rule is a separate regulation and places new and different conditions upon the use and disclosure of PHI by covered entities for research purposes.

Such information may only be revealed for research with a subject’s written authorization unless:

The School of Dentistry

The School of Dentistry, which is one of the University’s covered components under HIPAA, presents a special case for researchers who plan to use Protected Health Information (PHI).

In most cases, these investigators will make application for both human subjects and HIPAA approval through the IRB at the New York University School of Medicine. However, a researcher at the NYU School of Dentistry whose proposed research involves “merely the collection or study of existing data, documents, records, pathological or diagnostic specimens, where publicly available, or where the information is private but identifiers are not recorded,” need only apply to the UCAIHS and should include a request for a Waiver of HIPAA Authorization as part of the application.

The request for the Waiver of Authorization form may be obtained from the Associate Dean for Research at the School of Dentistry.

Chapter Review

Question 1

HIPAA is the Federal legislation that contains medical privacy regulations, known as the Privacy Rule.

Question 2

HIPAA protects the PHI of living and deceased people, unlike the Common Rule that governs activities involving human subjects in research that pertains only to the living.

Question 3

The Privacy Rule includes specific provisions for the use and disclosure of PHI for research purposes and these requirements place responsibilities on the (select all that apply):

  • researcher
  • covered entity being asked to provide or release the PHI
  • organization with which the researcher may be affiliated
  • none of the above

Question 4

According to the Privacy Rule, using PHI for research purposes requires written authorization from the subject unless (select all that apply):

  • the information has been de-identified
  • the disclosure is preparatory to research
  • the disclosure concerns information on a decedent
  • the subject is not personally known to the researcher
