The Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, is a federal law that regulates how your protected health information (PHI) is used, disclosed, and exchanged. HIPAA directed the U.S. Department of Health and Human Services (HHS) to issue regulations protecting the privacy of PHI. HHS published those standards, known as the Privacy Rule, in 2000, and compliance became mandatory for most covered entities in April 2003.
The Privacy Rule is intended to strike a balance between limiting disclosure of PHI and providing researchers with access to the information necessary to support medical research. Under HIPAA, PHI is individually identifiable health information, in any form or medium, that a covered entity or its business associate creates, receives, maintains, or transmits. That includes medical charts, billing records, and test results, as well as identifiable health information about the subjects of clinical research. Information that has been de-identified under the Privacy Rule's standards is no longer PHI.
In most cases, researchers can access PHI by obtaining a patient’s written authorization, but there are circumstances when the authorization requirement can be waived if permitted by a review board.
In this guide we provide an overview of the Privacy Rule, who it applies to, and how it affects medical research.
The Privacy Rule permits organizations it refers to as "covered entities" to use or disclose PHI for research with the individual's written authorization, or without it when an Institutional Review Board (IRB) or Privacy Board approves a waiver or alteration of the authorization requirement. But first, to understand the Privacy Rule as it relates to PHI, it's important to outline what HIPAA considers a covered entity.
Under HIPAA, the covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions such as claims. Business associates, meaning vendors and contractors that create, receive, maintain, or transmit PHI on a covered entity's behalf, are not themselves covered entities, but they (and their subcontractors that handle PHI) are directly liable for complying with the relevant requirements of the Privacy and Security Rules.
These entities include:
- Doctors’ offices, dental offices, and clinics
- Nursing homes
- Hospitals and home healthcare agencies
- Health plans, insurance companies, HMOs
- Government programs that pay for healthcare
- Health clearinghouses
As you can see from the list above, HIPAA's Privacy Rule affects a range of industries and jobs, especially those in healthcare, human resources, and information technology. For this reason, it's extremely important for anyone who works in these fields to understand the ins and outs of this rule. Most healthcare management, human resource management, and information technology degree programs, like the ones offered at WGU, cover this topic in detail. Much can also be learned through independent research and supplementary self-education, such as professional development and continuing education courses in your respective field.
Despite the benefits patients receive through the HIPAA Privacy Rule, there are some challenges the research community faces when attempting to comply with all the different requirements of the Privacy Rule. This has led to concerns among organizations and the research community.
Some of those concerns about the Privacy Rule's impact on research are:
It can cause confusion.
The ambiguity of HIPAA’s Privacy Rule can lead to misinterpretation among the research community and confusion for both the patient and researcher.
It can be costly.
In order to stay compliant, organizations have to maintain large quantities of detailed information on every patient and research participant and have it readily and easily accessible to fulfill requests at any time. In some cases, more staff is needed to maintain and manage this information, which can add financial strain on an organization.
It can delay research.
In some instances, the Privacy Rule creates additional obstacles in obtaining PHI for medical studies which can contribute to a slower pace of research.
Before PHI can be used or disclosed for a medical study, two documents are normally required from each participant. Those documents are outlined below.
One way the law protects research subjects is by giving patients the opportunity to agree to their health information being used and disclosed. For example, if you sign up for a clinical study, two things must happen before your PHI can be used for medical research: first, you'll review documents to ensure you have a full understanding of the study; if you decide to move forward, you'll then provide written authorization. These two documents are known as Informed Consent and Research Authorization. Informed Consent is required by the federal human-subjects regulations (the Common Rule and, for regulated products, FDA rules), while the Research Authorization is what the Privacy Rule requires. The Institutional Review Board (IRB) reviews the consent process and the study protocol, and an IRB or a Privacy Board is also the body that may approve a waiver or alteration of the authorization requirement when obtaining authorization is impracticable.
Before obtaining PHI for medical research, the researcher must have the participant’s Informed Consent and a Research Authorization Form.
What is Informed Consent?
A document that outlines the details of the study, any potential risks, the timeline, and healthcare coverage over the course of the study.
The required elements of an Informed Consent document come from the Common Rule (45 CFR 46.116), not from the Privacy Rule itself. The following information must be conveyed:
- A statement that the study involves research, an explanation of the purposes of the research and the expected duration of the subject’s participation, a description of the procedures to be followed, and identification of any procedures which are experimental
- A description of any foreseeable risks or discomforts
- A description of any benefits to the subject which might be expected from the research
- A disclosure of alternative procedures or courses of treatment
- A statement describing the extent to which confidentiality of records identifying the subject will be maintained
- For research involving more than minimal risk, an explanation as to whether any compensation and medical treatments are available if injury occurs
- An explanation of who to contact for answers to questions about the research, and research subjects’ rights, and who to contact in the event of a research-related injury
- A statement that participation is voluntary, refusal to participate will involve no penalty or loss of benefits to which the subject is otherwise entitled, and the subject may discontinue participation at any time without penalty
What is a Research Authorization Form?
This authorization is a specific, detailed document requesting patient-subject permission for the use of covered PHI.
The written authorization must include:
- A specific description of what PHI will be used/disclosed
- The names of persons or organizations who may use or disclose PHI
- The names of persons or organizations to whom PHI will be disclosed
- A statement of the purpose of the use/disclosure
- An expiration date or expiration event for the authorization (for research, "end of the research study" or "none" is permitted, but this must be specifically stated in the authorization form, and institutions commonly require the justification to be noted in the protocol)
- A statement that the authorization may be revoked
- A statement regarding the potential for re-disclosure to others not subject to the Privacy Rule
- A statement of whether the covered entity may condition treatment, payment, enrollment, or eligibility for benefits on the individual signing the authorization
- The individual’s signature and date
Up until 1991, there was no single policy shared across federal agencies for protecting human research subjects. That changed with the adoption of the Common Rule, a federal policy that regulates how federally supported research is conducted. Since 1991, there have been several revisions to this rule, but the overall protections for research subjects are as follows:
- Risks to subjects are minimized
- Risks to subjects are reasonable in relation to anticipated benefits and the importance of the knowledge expected to result
- The selection of subjects is equitable
- Informed consent will be sought
- Informed consent will be appropriately documented
- Adequate provision for monitoring the data collected, to ensure the safety of subjects
- Adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data
More information about the Common Rule and the rights of research subjects can be found on the DHHS website.
Institutions and IRBs also expect researchers to have an adequate data management and protection plan in place. This plan should outline how the data will be stored, transported, analyzed, and destroyed once research is complete.
Where that data is electronic PHI, the plan must also satisfy HIPAA's Security Rule, which requires technical safeguards such as the following:
- Policies and procedures that allow only authorized individuals to access PHI
- Hardware or software that records and monitors access to systems that contain PHI
- Procedures to maintain that PHI is not altered, destroyed, or tampered with
- Security measures that protect against unauthorized access to PHI that’s being transmitted over an electronic network
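The list above names the safeguard categories but not what they look like in practice. The following Python example, added to this article and not drawn from any real health system, shows the first three working together in a small in-memory record store: a role-based access check that returns only the fields a role is permitted to see, an append-only audit log that records denials as well as successful reads, and a keyed HMAC that detects a record altered in storage. The fourth safeguard, protecting PHI in transit, is normally provided by TLS and is not something a stand-alone script can demonstrate. The roles, the key, and the patient record are all constructed for the demonstration.

```python
"""Demonstration of access control, audit logging, and integrity protection
for electronic PHI. Example code written for this article; the role policy,
key, and sample record are constructed and not taken from any real system."""
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Constructed demo key. In a real system the integrity key lives in a key
# manager or HSM, never in source code.
INTEGRITY_KEY = b"constructed-demo-key-do-not-use"

# Assumed access policy: which record fields each role may read.
ROLE_PERMISSIONS = {
    "clinician": {"name", "diagnosis", "lab_results"},
    "billing": {"name", "billing_code"},
    "researcher": {"diagnosis", "lab_results"},   # no direct identifiers
}


class PHIStore:
    def __init__(self, key: bytes):
        self._key = key
        self._records = {}      # record_id -> (serialized bytes, mac)
        self.audit_log = []     # append-only list of audit events

    def _mac(self, payload: bytes) -> str:
        # A keyed MAC, not a plain hash: an attacker who can rewrite the
        # stored record could just as easily rewrite an unkeyed hash.
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def _audit(self, actor, role, record_id, action, outcome):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "record_id": record_id,
            "action": action, "outcome": outcome,
        })

    def put(self, actor, role, record_id, record: dict):
        payload = json.dumps(record, sort_keys=True).encode()
        self._records[record_id] = (payload, self._mac(payload))
        self._audit(actor, role, record_id, "write", "ok")

    def get(self, actor, role, record_id) -> dict:
        allowed = ROLE_PERMISSIONS.get(role)
        if allowed is None:
            # Denied attempts are logged too; they are the interesting events.
            self._audit(actor, role, record_id, "read", "denied:unknown-role")
            raise PermissionError(f"{role} is not an authorized role")
        payload, stored_mac = self._records[record_id]
        # Verify integrity before returning any data.
        if not hmac.compare_digest(stored_mac, self._mac(payload)):
            self._audit(actor, role, record_id, "read", "denied:integrity-failure")
            raise ValueError(f"record {record_id} failed integrity check")
        record = json.loads(payload)
        # Minimum necessary: expose only the fields this role may see.
        view = {k: v for k, v in record.items() if k in allowed}
        self._audit(actor, role, record_id, "read", "ok")
        return view

    def tamper(self, record_id, field, value):
        """Simulate an attacker who rewrites stored bytes but cannot forge the MAC."""
        payload, stored_mac = self._records[record_id]
        record = json.loads(payload)
        record[field] = value
        self._records[record_id] = (json.dumps(record, sort_keys=True).encode(), stored_mac)


def demo():
    store = PHIStore(INTEGRITY_KEY)
    # Constructed sample record.
    store.put("dr.smith", "clinician", "rec-001",
              {"name": "J. Doe", "diagnosis": "E11.9", "lab_results": "A1c 7.2",
               "billing_code": "99213"})
    researcher_view = store.get("r.lee", "researcher", "rec-001")
    billing_view = store.get("b.kim", "billing", "rec-001")
    try:
        store.get("x", "intern", "rec-001")
        denied = False
    except PermissionError:
        denied = True
    store.tamper("rec-001", "diagnosis", "Z00.0")
    try:
        store.get("dr.smith", "clinician", "rec-001")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    outcomes = [e["outcome"] for e in store.audit_log]
    return researcher_view, billing_view, denied, tamper_detected, outcomes


if __name__ == "__main__":
    print(demo())
```

Two points in the design are worth noting for a practitioner: the researcher role never receives the patient's name even though the full record is stored, which is the "minimum necessary" principle applied at read time, and the audit log captures the failed access attempt and the integrity failure, which is what an investigator needs after a suspected breach.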
Due to the uptick in cyber security breaches, today’s researchers and healthcare organizations must be especially vigilant in protecting the privacy and confidentiality of research subjects and research data.
Whether you’re already working in healthcare, or aspire to, WGU has a variety of programs and resources to help deepen your understanding of HIPAA and how it impacts your industry.