HIPAA, PHI, & PII

If your study involves medical record (chart) review, including for recruitment purposes, the HIPAA Privacy Rule applies. Not all research is subject to HIPAA regulations; HIPAA only affects research that uses, creates, or discloses PHI. Protected Health Information (PHI) is any health information that includes any of the 18 elements identified by HIPAA. Personally Identifiable Information (PII) is defined as data used in research that is not considered PHI and is therefore not subject to the HIPAA Privacy and Security Rules.

What is the Health Insurance Portability and Accountability Act (HIPAA)

HIPAA stands for the Health Insurance Portability and Accountability Act, which protects patients from inappropriate disclosures of the patient’s protected health information (PHI) that could cause harm to their insurability, employability and/or their privacy through the Privacy Rule. The Privacy Rule establishes a category of health information, defined as protected health information (PHI), which a covered entity may only use or disclose to others in certain circumstances and under certain conditions.

HIPAA also sets standards for protecting the confidentiality, integrity and availability of electronic protected health information through the Security Rule.

HIPAA requires that either an IRB or a Privacy Board make determinations about the use of PHI in research. The Northwestern University IRB serves as the Privacy Board for research conducted at Northwestern Memorial HealthCare (NMHC) and Shirley Ryan Ability Lab (SRAlab). The Northwestern IRB Office Informed Consent Templates contain a combined consent/HIPAA authorization, and more information is available on the dedicated Informed Consent and Waivers of Consent webpage.

Investigators may obtain approval to use and/or disclose PHI from research participants through the IRB. The IRB determines whether you can access PHI by using one or both of the following methods:

  • When approved, the research participant (or legally authorized representative) signs the Social Behavioral Consent Document with HIPAA Authorization (HRP-1721) and/or Biomedical Consent Document (HRP-592) which contain HIPAA authorization language. See our Biomedical & Social Behavioral Consent Templates webpage for the latest templates.
  • The IRB grants a waiver of HIPAA authorization for the study.

The IRB approval letter will specify the approved method(s) of HIPAA authorization and/or HIPAA alteration or waiver.

The table below summarizes when HIPAA regulations may apply but there may be exceptions. Please contact the IRB Office with questions:

Table of when HIPAA regulations may apply

IF study data are ...
  • PHI derived from a medical record.
  • Added to the hospital or clinical medical record.
  • Created or collected as part of health care.
  • Used to make healthcare decisions.
THEN HIPAA regulations apply.

IF study data are ...
  • Obtained from the participant, including interviews and questionnaires.
  • Obtained from participants in a foreign country (or countries) only.
  • Obtained from records or data available to the public.
  • Obtained from existing and previously IRB reviewed and/or approved research records.
THEN HIPAA regulations do not apply.

Note: Data that is not subject to HIPAA regulations is still regulated by other human research regulations and may also be subject to other privacy regulations.

When does HIPAA Apply?

HIPAA applies whenever you use protected health information (PHI) for research purposes. For example:

  • Recruitment: reviewing PHI, such as information from the medical record or Enterprise Data Warehouse (EDW), for the purpose of either identifying individuals potentially eligible for a research study and/or contacting individuals to seek their participation in the research study. This includes checking to see if any of tomorrow’s clinic patients are eligible for a research study.
  • You record and/or access data from the medical record or Enterprise Data Warehouse (EDW) for research purposes.

If HIPAA applies to the research study, the Privacy Rule requires an individual to provide signed permission, known as an Authorization, for any use or disclosure of protected health information (PHI). Further, the Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals. Under certain circumstances, however, the Privacy Rule allows for the use or disclosure of PHI for research without an individual's Authorization by obtaining a waiver of HIPAA Authorization or an alteration of HIPAA Authorization from the NU Institutional Review Board. See the sections below on Waiver or Alteration of HIPAA Authorization for details on the process to apply for a HIPAA waiver.

HIPAA allows for research personnel to access and use PHI when necessary to conduct research. Not all research is subject to HIPAA regulations; HIPAA only affects research that uses, creates or discloses PHI. Please refer to Data That Is Not Subject to HIPAA Regulations below. Data that is not subject to HIPAA regulations is still regulated by other human research regulations and may also be subject to other privacy regulations.

What is Protected Health Information (PHI)

Protected Health Information, or PHI, is any health information that includes any of the 18 elements identified by HIPAA and maintained by a covered entity or any information that can be reasonably used to identify a person.

PHI is information created or received by a healthcare provider relating to:

  • The past, present or future physical or mental health or condition of a patient;
  • The provision of healthcare to an individual; or
  • The past, present, or future payment for the provision of healthcare to an individual, until fifty (50) years following the date of death of the individual.

HIPAA's 18 Identifiers

HIPAA defines the 18 identifiers that create PHI when linked to health information. The following identifiers are those of the individual or of relatives, employers, or household members of the individual.

  1. Names;
  2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census:
    1. The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people;  and
    2. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. Phone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social Security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images; and
  18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data).

NOTE: Per HHS' November 26, 2012, Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, parts or derivatives of any of the listed identifiers are considered identifiers, and their use would not meet the requirement of the Safe Harbor method for de-identification.
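The ZIP code, date and age rules in identifiers 2 and 3 above are mechanical enough to apply in code. The following is an added illustration, not code from the IRB page or from Northwestern; it applies those two rules and drops a few direct-identifier fields (names, phone, email, SSN, MRN) from a constructed research record. The set of low-population three-digit ZIP prefixes is a constructed placeholder and must be replaced with current Census Bureau data in any real use.

```python
from datetime import date
import re

# CONSTRUCTED placeholder for the census-derived set of three-digit ZIP prefixes
# whose combined population is 20,000 or fewer; load real values from Census data.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}

# Field names treated here as direct identifiers (HIPAA identifiers 1, 4, 6, 7, 8).
DIRECT_IDENTIFIER_FIELDS = {"name", "phone", "email", "ssn", "mrn"}

def safe_harbor_zip(zip_code: str) -> str:
    """Identifier 2: keep the first three digits, or '000' for low-population prefixes."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        raise ValueError(f"not a 5-digit ZIP: {zip_code!r}")
    prefix = digits[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix

def safe_harbor_age(age: int) -> str:
    """Identifier 3: ages over 89 collapse into the single category '90+'."""
    return "90+" if age > 89 else str(age)

def deidentify(record: dict) -> dict:
    """Return a new record with the Safe Harbor transformations applied."""
    over_89 = record.get("age", 0) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifiers are removed entirely
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "age":
            out["age"] = safe_harbor_age(value)
        elif isinstance(value, date):
            # Only the year survives; a birth year that reveals an age over 89
            # is itself indicative of that age and must be dropped as well.
            if key == "birth_date" and over_89:
                continue
            out[f"{key}_year"] = str(value.year)
        else:
            out[key] = value
    return out

# Constructed sample record, not real patient data.
SAMPLE = {"name": "J. Doe", "mrn": "00012345", "zip": "03601", "age": 92,
          "birth_date": date(1931, 2, 3), "admission_date": date(2021, 5, 14),
          "diagnosis_code": "E11.9"}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

Note that this covers only the rules with explicit thresholds; the remaining identifiers (for example free text that may contain names, or device serial numbers) still need their own handling before a data set can be called de-identified under Safe Harbor.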

What is Personally Identifiable Information (PII)

Personally Identifiable Information (PII) is defined as data used in research that is not considered PHI and is therefore not subject to the HIPAA Privacy and Security Rules. The key distinction between PII and PHI is that PHI is associated with or derived from a healthcare service event, i.e. the provision of care or payment for care. PII may be derived directly from the participant (survey, interview) and is covered by other state and federal laws for privacy and confidentiality of research health information.

Examples of PII

Some studies use individually identifiable health information elements that are included in the above list of 18 identifiers; however, the elements are not considered PHI because the data is not:

  • Obtained or generated as part of a health care service (treatment, payment, operations, medical records)
  • Entered into a medical record, or
  • Used to make treatment decisions

Note: Data that is not subject to HIPAA regulations is still regulated by other human research regulations and may also be subject to other privacy regulations.

HIPAA Authorization

Research that is using or disclosing Protected Health Information (PHI) must be conducted in accordance with the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) and requires completion of the HIPAA authorization.

Obtaining an Individual’s HIPAA Authorization

For Studies Using PHI: Research that is using or disclosing Protected Health Information (PHI) must be conducted in accordance with the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) and requires completion of the HIPAA authorization.

The Privacy Rule specifies core elements and required statements that must be included in an Authorization. The Northwestern IRB Office's Informed Consent Form Templates contain a combined consent/HIPAA authorization, which contains all the required HIPAA Authorization Core elements. One of the HIPAA Authorization Core elements, which is included in the NU IRB Office template, is the signature of the individual and the date.

Revocation of Authorization

At any time, a research participant may revoke their authorization in writing to the Principal Investigator. If the research involves the collection of mental health or developmental disability information, or the HIPAA authorization section of the consent form indicates “all information in the medical record” will be collected, the revocation of the participant’s authorization must also be witnessed and signed by a person who can attest to the identity of the research participant.

The IRB has a template, HIPAA Revocation Template Letter, available for investigators and participants to complete.

Please refer to the NMHC Policy on Research Privacy and Confidentiality and the Research Recruitment Guidelines FAQs for additional guidance on uses and disclosures that do not require authorization or an IRB waiver of authorization, which pertain to:

  • Research on decedents
  • Preparatory to research
  • De-identified data
  • Limited data sets

Waiver of HIPAA Authorization

Some studies may meet the criteria to either waive HIPAA authorization or alter the requirements of the authorization. The required HIPAA waiver/alteration criteria, referenced in HRP-441 – CHECKLIST HIPAA – Waiver Authorization, are:

  • (A) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
    • (1) an adequate plan to protect the identifiers from improper use and disclosure;
    • (2) an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
    • (3) adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
  • (B) The research could not practicably be conducted without the waiver or alteration; and
  • (C) The research could not practicably be conducted without access to and use of the protected health information.

Note: there is no distinction between the criteria for a full HIPAA waiver or an alteration of HIPAA authorization under 45 CFR 164.512(i)(2)(ii).

When may a waiver or alteration of HIPAA Authorization be granted?

The IRB may waive HIPAA authorization completely or issue a partial waiver. A waiver of authorization is most frequently sought when the research also qualifies for a waiver of consent. For example:

  • A complete waiver of HIPAA may be granted when it is not possible to obtain the participant's signature, and it is not possible to provide the participant with the authorization information, such as for a retrospective review of medical records.
  • A partial waiver of HIPAA authorization may be granted when a study does not intend to obtain HIPAA authorization on behalf of the covered entity, but needs access to PHI for recruitment purposes (i.e., contact information from EDW).

An alteration of HIPAA authorization may include an omission of one or more required elements of HIPAA-compliant authorization. For example:

  • An alteration to HIPAA may be granted when it is anticipated that the targeted participant population may not have access or skills to use technology that allows for an electronic signature, such as the elderly or people with limited resources, and it is not possible to obtain the written signature.

In such cases, the IRB also approves a waiver of documentation of consent, and the investigators must obtain verbal authorization instead of a written authorization. The verbal consent/authorization must contain all the required elements of consent plus HIPAA Authorization.

Requesting an Alteration or a Waiver of HIPAA Authorization

To apply for both the waiver of consent and waiver of authorization, the PI must demonstrate how the study meets all of the required waiver/alteration criteria, and include the justification within the protocol.