|UM SPH Home > Faculty & Research > Health Insurance Portability and Accountability Act > Frequently Asked Questions|
Frequently Asked Questions
The complexity of the HIPAA legislations and its impact on the School of Public Health and research can be confusing. Below is a sample of Frequently Asked Questions that we have gathered to help you sort out the details and not delay your research process or concerns about improper disclosures, etc.
Questions compiled by the Office for Civil Rights at the U.S. Department of Health and Human Services
Question: Is a business associate contract required for a covered entity to disclose protected health information to a researcher?
Answer: No. Disclosures from a covered entity to a researcher for research purposes do not require a business associate contract, even in those instances where the covered entity has hired the researcher to perform research on the covered entity’s own behalf. A business associate agreement is required only where a person or entity is conducting a function or activity regulated by the Administrative Simplification Rules on behalf of a covered entity, such as payment or health care operations, or providing one of the services listed in the definition of “business associate”. However, the HIPAA Privacy Rule does not prohibit a covered entity from entering into a business associate contract with a researcher if the covered entity wishes to do so. Notwithstanding the above, a covered entity is only permitted to disclose protected health information to a researcher as permitted by Rule, that is, with an individual’s authorization, without an individual’s authorization as permitted, or as a limited data set provided that a data use agreement is in place as permitted.
Question: Can researchers continue to access existing databanks or repositories that are maintained by covered entities, even if those databases were created prior to the compliance date without patient permission or without a waiver of informed consent by an Institutional Review Board (IRB)?
Answer: Yes. Under the HIPAA Privacy Rule, covered entities may use or disclose protected health information from existing databases or repositories for research purposes either with individual authorization as required at 45 CFR 164.508, or with a waiver of individual authorization as permitted at 45 CFR 164.512(i). See the fact sheet and frequently asked questions about the research provisions on this web site for more information about Institutional Review Boards.
Question: By establishing new waiver criteria and authorization requirements, hasn't the HIPAA Privacy Rule, in effect, modified the Common Rule?
Answer: No. Where both the Privacy Rule and the Common Rule apply, both regulations must be followed. The Privacy Rule regulates only the content and conditions of the documentation that covered entities must obtain before using or disclosing protected health information for research purposes. See the fact sheet and frequently asked questions about the research provisions on this web site for more information about the Common Rule.
Question: Is documentation of Institutional Review Boards (IRB) and Privacy Board approval required by the HIPAA Privacy Rule before a covered entity would be permitted to disclose protected health information for research purposes without an individual's authorization?
Answer: No. The HIPAA Privacy Rule requires documentation of waiver approval by either an IRB or a Privacy Board, not both.
Question: What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?
Answer: The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.
By contrast, an “authorization” is required for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual. An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.
Question: Are the HIPAA Privacy Rule’s requirements regarding patient access in harmony with the Clinical Laboratory Improvements Amendments of 1988 (CLIA)?
Answer: Yes. The Privacy Rule does not require clinical laboratories that are also covered health care providers to provide an individual access to information if CLIA prohibits them from doing so. CLIA permits clinical laboratories to provide clinical laboratory test records and reports only to “authorized persons,” as defined primarily by State law. The individual who is the subject of the information is not always included as an authorized person. Therefore, the Privacy Rule includes an exception to individuals’ general right to access protected health information about themselves if providing an individual such access would be in conflict with CLIA.
In addition, for certain research laboratories that are exempt from the CLIA regulations, the Privacy Rule does not require such research laboratories, if they are also a covered health care provider, to provide individuals with access to protected health information because doing so may result in the research laboratory losing its CLIA exemption.
Question: May a covered entity hire a business associate to create a limited data set, and may the public health authority be a business associate for that purpose, even if the public health authority is also the intended recipient of the limited data set?
Answer: A covered entity may enter into a business associate agreement with the public health authority for the sole purpose of creating a limited data set, even if the same public health authority is also the intended recipient of the information (45 CFR 164.514(e)(3)(ii)). For example, the covered entity may contract with the public health authority as a business associate for the exclusive purpose of reviewing medical charts and extracting the facially unidentifiable information needed for the particular public health surveillance activity. In these cases, the public health authority, as the covered entity’s business associate for purposes of creating a limited data set, must agree to return, destroy or not remove from the covered entity’s premises the protected health information that includes the direct identifiers, once the public health authority has completed the conversion of the information into a limited data set for its own public health use. Because the public health authority is not only the covered entity’s business associate for creating the limited data set, but also the intended recipient of the limited data set, the public health authority must enter into both a data use agreement and a business associate agreement. The data use agreement can be combined with the business associate agreement into a single agreement so long as the agreement meets the requirements of both provisions. See 45 CFR 164.504(e)(2) and 164.514(e)(4).
While there are two disclosures in this case – the disclosure to the public health authority in its role as the covered entity’s business associate in creating the limited data set, and the disclosure to the public health authority as the recipient of the limited data set – neither disclosure requires an accounting. A disclosure to a business associate for the purpose of creating a limited data set is a health care operation, as defined by the Rule at 45 CFR 164.501. Disclosures for health care operations and disclosures made as a limited data set are both excepted from the accounting requirement at 45 CFR 164.528(a)(1)(i) and (viii), respectively.
Question: Does the HIPAA Privacy Rule's public health provision permit covered entities to disclose protected health information to authorities such as the National Institutes of Health (NIH)?
Answer: The definition of a “public health authority” requires that an agency’s official mandate include the responsibility for public health matters. The mandate can be responsibility for public health matters, generally, or it can be for specific public health programs. Furthermore, an agency’s official mandate does not have to be exclusively or primarily for public health. Therefore, to the extent a government agency has public health matters as part of its official mandate, it qualifies as a public health authority. For instance, various Department of Health and Human Service agencies, such as NIH and the Health Resources and Services Administration (HRSA), are authorized by law to assist the Secretary of Health and Human Services in carrying out the purposes of section 301 of the Public Health Service Act. Those agencies are public health authorities under the Rule, even if they have other non-public health mandates. To the extent a public health authority is authorized by law to collect or receive information for the public health purposes specified in the public health provision, covered entities may disclose protected health information to such public health authorities without authorization pursuant to the public health provision. See the fact sheet and frequently asked questions on this web site about the public health provision for more information.
Question: Can an individual revoke his or her Authorization?
Answer: Yes. The Privacy Rule gives individuals the right to revoke, at any time, an Authorization they have given. The revocation must be in writing, and is not effective until the covered entity receives it. In addition, a written revocation is not effective with respect to actions a covered entity took in reliance on a valid Authorization, or where the Authorization was obtained as a condition of obtaining insurance coverage and other law provides the insurer with the right to contest a claim under the policy or the policy itself.
The Privacy Rule requires that the Authorization must clearly state the individual’s right to revoke; and the process for revocation must either be set forth clearly on the Authorization itself, or if the covered entity creates the Authorization, and its Notice of Privacy Practices contains a clear description of the revocation process, the Authorization can refer to the Notice of Privacy Practices. Authorization forms created by or submitted through a third party should not imply that revocation is effective when the third party receives it, since the revocation is not effective until a covered entity which had previously been authorized to make the disclosure receives it.