The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an extensive piece of legislation that requires the standardization of electronic patient health, administrative, and financial data. Important to researchers, HIPAA created the Privacy Rule—a set of minimum standards for the use and disclosure of “protected health information” (PHI). The Privacy Rule protects individuals by safeguarding the privacy of any identifiable health information, yet many provisions ensure that the rule does not impede research or the mission of public health. Understanding the HIPAA Privacy Rule is important in protecting the dignity of an individual’s health information as well as in reducing unnecessary delays in designing and conducting research.
To fully understand the Privacy Rule, it is important to understand some key definitions. PHI is defined as individually identifiable health information that is created or received by a HIPAA-covered or hybrid entity. Health information includes any information, whether oral or recorded in any form, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment of health care to an individual. PHI includes names, all geographic references smaller than a state, telephone numbers, Social Security numbers, medical record or health plan numbers, etc., (for a complete list see the chart at the bottom of this page). A covered entity is a health plan, a health care clearinghouse, or a health care provider which transmits health information in paper or electronic form in connection with a transaction for which HHS has adopted a standard.
Therefore, most universities are considered covered entities, as are units where such transactions occur, such as medical and nursing schools, health services, etc. Because the School of Public Health conducts research and other functions that might involve PHI, we need to be HIPAA compliant. Research at the University of Michigan is considered to involve PHI and thus be subject to HIPAA if all of the following conditions are met:
- the data include any of the identifiers below
- the data include health information
- the data are created or received by the School of Medicine, School of Nursing, University Health Services or any other unit within the covered entity.
It is important to note that compliance with the HIPAA Privacy Rule does not displace Institutional Review Board (IRB) approvals. In thinking about the relationship between HIPAA compliance and the IRB process, please note that HIPAA requires an authorization from any research subject (with few exceptions) to use or disclose PHI for purposes related to the research. The “minimum necessary” standard within the HIPAA Privacy Rule requires that treatment or research is conducted using the minimum necessary PHI to limit the intrusion on an individual’s health privacy rights. Therefore, any research on decedents, using or creating PHI about living individuals, recruitment of research subjects or research using a limited data set fall under the Privacy Rule. For research purposes, there should be few HIPAA problems when using data that are not individually identifiable.
Research conducted at the School of Public Health relies heavily on access to many sources of health information, from medical records and epidemiological databases to disease registries, hospital discharge records and vital and health statistics compiled by the government. Therefore, the Privacy Rule applies to clinical research, databases, and health services research—all of which make SPH an exemplary research and learning center. Completing the online HIPAA training and certification is essential to ensure the ongoing success of our researchers and faculty members. The inappropriate use or disclosure of PHI results in harsh consequences and therefore the candid reporting of such events and proper understanding of the comprehensive rights established by the legislation are fundamental duties of researchers.
Beyond the expectation of requiring HIPAA compliance for IRB approval, it is important to remember that the Privacy Rule in its very definition ensures the privacy of subjects’ research-related information. Although the Privacy Rule may appear cumbersome, as it adds an additional layer of regulation and enforcement, it also adds another layer of protecting the privacy for those who volunteer for research projects. In the end, such privacy safeguards will improve the participation and quality of research conducted at the University of Michigan.
Considered individually identifiable if it includes one more of the following:
- All geographic references smaller than a state, including:
- street address
- zip codes, geocodes
- Telephone & fax number
- E-mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- All elements of dates (except years) for dates related to an individual, including:
- birth date
- admission or discharge date
- date of death
- all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying numbers, characteristics, or codes
This site is for the exclusive use of School of Public Health students, faculty, staff, and SPH-related research.