HIPAA, PHI, & PII

HIPAA applies whenever you use protected health information (PHI) for research purposes. For example:

• Recruitment: reviewing PHI, such as information from the medical record or Enterprise Data Warehouse (EDW), for the purpose of either identifying individuals potentially eligible for a research study and/or contacting individuals to seek their participation in the research study. This includes checking to see if any of tomorrow’s clinic patients are eligible for a research study.
• You record and/or access data from the medical record or Enterprise Data Warehouse (EDW) for research purposes.

If HIPAA applies to the research study, the Privacy Rule requires an individual to provide signed permission, known as an Authorization, for any use or disclosure of protected health information (PHI). Further, the Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals.  Under certain circumstances, however, the Privacy Rule allows for the use or disclosure of PHI for research without an individual’s Authorization by obtaining a waiver of HIPAA Authorization or an alteration of HIPAA Authorization by the NU Institutional Review Board.  See the below sections on Waiver or Alteration of HIPAA Authorization for details on the process to apply for a HIPAA waiver.

HIPAA applies whenever you use protected health information (PHI) for research purposes:

• Recruitment: reviewing PHI, such as information from the medical record or Enterprise Data Warehouse (EDW), for the purpose of either identifying individuals potentially eligible for a research study and/or contacting individuals to seek their participation in the research study. 
• You record and/or access data from the medical record for research purposes
• You check to see if any of tomorrow’s clinic patients are eligible for a research study

HIPAA allows for research personnel to access and use PHI when necessary to conduct research. Not all research is subject to HIPAA regulations; HIPAA only affects research that uses, creates or discloses PHI.  Please refer to Data That Is Not Subject to HIPAA Regulations below.  Data that is not subject to HIPAA regulations is still regulated by other human research regulations and may also be subject to other privacy regulations.

HIPAA defines the 18 identifiers that create PHI when linked to health information. The following identifiers are those of the individual or of relatives, employers, or household members of the individual. 

1. Names;
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census:
   1. The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people;  and
   2. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)

Some studies use individually identifiable health information elements that are included in the above list of 18 identifiers; however, the elements are not considered PHI because the data is not:

• Obtained or generated as part of a health care service (treatment, payment, operations, medical records)
• Entered into a medical record, or
• Used to make treatment decisions

Note: Data that is not subject to HIPAA regulations is still regulated by other human research regulations and may also be subject to other privacy regulations.  

For Studies Using PHI:  Research that is using or disclosing Protected Health Information (PHI) must be conducted in accordance with the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) and requires completion of the HIPAA authorization.

The Privacy Rule specifies core elements and required statements that must be included in an Authorization.  The Northwestern IRB Office’s  Informed Consent Form Templates contain a combined consent/HIPAA authorization, which contains all the required HIPAA Authorization Core elements.  One of the HIPAA Authorization Core elements, which is included in the NU IRB Office template, is the signature of the individual and date.

At any time, a research participant may revoke their authorization in writing to the Principal Investigator. If the research involves the collection of mental health or developmental disability information, or the HIPAA authorization section of the consent form indicates “all information in the medical record” will be collected, the revocation of the participant’s authorization must also be witnessed and signed by a person who can attest to the identity of the research participant.

The IRB has a template, HIPAA Revocation Template Letter, available for investigators and participants to complete.

Please refer to the NMHC Policy on Research Privacy and Confidentiality and the Research Recruitment Guidelines FAQs for additional guidance on uses and disclosures not requiring authorization or an IRB waiver authorization that pertain to:

• Research on decedents
• Preparatory to research
• De-identified data
• Limited data sets

The IRB may waive HIPAA authorization completely or issue a partial waiver. A waiver of authorization is most frequently sought when the research also qualifies for a waiver of consent. For example:

• A complete waiver of HIPAA may be granted when it is not possible to obtain the participants signature, and it is not possible to provide the participant with the authorization information, such as for a retrospective review of medical records.
• A partial waiver of HIPAA authorization may be granted when a study does not intend to obtain HIPAA authorization on behalf of the covered entity, but needs access to PHI for recruitment purposes (i.e., contact information from EDW).

An alteration of HIPAA authorization may include an omission of one or more required elements of HIPAA-compliant authorization. For example:

• an alteration to HIPAA may be granted when it is anticipated that the targeted participant population may not have access or skills to use technology that allows for an electronic signature, such as the elderly or people with limited resources, and it is not possible to obtain the written signature.

In such cases, the IRB also approves a waiver of documentation of consent, and the investigators must obtain verbal authorization instead of a written authorization. The verbal consent/authorization must contain all the required elements of consent plus HIPAA Authorization.

To apply for both the waiver of consent and waiver of authorization, the PI must demonstrate  how the study meets all of the required waiver/alteration criteria, and include the justification within the protocol.