HIPAA - Frequently Asked Questions

HIPAA applies to research involving the collection and use of medical record information maintained by health care providers (e.g., hospitals, physicians' offices, health care clearinghouses, health care plans) and/or to research-derived information that is placed in the medical records maintained by health care providers. If the research study does not involve the collection and use of such medical record information or the generation of information that is placed into such medical records, it is not subject to the additional authorization/consent requirements imposed by HIPAA.

How do the HIPAA requirements affect how (or in what form) I should request IRB approval for our study if we are serving as the data coordinating center for our project? We will not be recruiting or treating patients, just collecting this data from the participating clinical sites for data management and analysis.

The consent/HIPAA authorization forms being used at the clinical sites where the data is initially collected would be required to address all individuals (by name or class) to whom the subjects' research data (including their collected medical record information) may be subsequently disclosed and the purpose of such subsequent disclosure. Thus, the consent/authorization forms should specify that the subjects' data will be redisclosed to the data coordinating center at the University of Pittsburgh for the purpose of data collation and analysis. With such disclosure in the consent/authorization form, there is no need to de-identify the data transferred to you (i.e., remove the 18 identifiers) to be HIPAA compliant. Note that the requirement to remove all 18 identifiers would only be necessary in order to use medical record information for research in the absence of prior consent/authorization from the patient-subjects. In the above scenario, consent/authorization is being obtained and the transfer of the subjects' identifiable information to the data coordinating center is addressed as part of it. Of course, to protect the confidentiality of the data transferred to the data coordinating center, it is still recommended that information that may permit direct identification of the subjects (e.g., names, SS#) be removed from the data.

Is the data collected and stored at the local research site considered PHI? If yes, as I assume, then anyone who could potentially have contact with this specific identified data stored at the local clinic site should be included as a "sponsor", i.e. Local Research and Compliance office, FDA, etc.?

At the University of Pittsburgh, data that is generated and collected for research purposes is not considered PHI under HIPAA guidelines. The type of research data generated would include ALL research data, even health-related data that could be collected over a period of many years and kept in a participant record at the research site, e.g., blood pressure, ECG, lab results, etc. HIPAA guidelines would apply to any information that is collected by the research study from medical records received from the participant's hospital, physician, etc., and would need to be addressed in the authorization (consent form). Research data that is generated at the research site and sent to the participant's physician (at the participant's request) is also considered PHI and must be addressed in the authorization as well. The above information may not be true for all institutions. This is determined by whether the institution is a hybrid institution that has separated its research from its health care provider activities. If these areas are not separate and research activities fall under health care provider provisions, all data generated, even for research only, would be considered PHI.

Is the data that is transmitted to the Coordinating Center and other sub-groups of the Coordinating Center also considered PHI (even though the only identifiers are those mentioned above) or would this be considered "de-identified Information"?

As described above, at the University of Pittsburgh, data that is generated for research purposes only is not considered PHI. Any data that is collected from the participant's hospital or physician records and is included in the participant's research record is considered PHI. For the DPPOS study, outside medical records are obtained and sent to the Coordinating Center for adjudication of disease diagnoses and death; thus the Coordinating Center and other Adjudicating Committees should be listed in the informed consent as entities which may have access to the participant's medical records. This may be different for other institutions, as described above.

If data that is transmitted to the Coordinating Center is considered PHI, how do we determine if our Coordinating Center may only be listed as a sponsor, or whether each separate entity must be included, such as the ECG reading center, Central lab, etc?

Not considered PHI (at University of Pittsburgh).

The standard consent language that we were given states "Your authorization to use and disclose your identifiable medical information for the purpose of this research study is completely voluntary. However, if you do not provide your written authorization for the use and disclosure of your identifiable medical information, you will not be allowed to participate in the research study". Is there any way around this (i.e., may the language be modified in any way?), or must participants withdraw from the study if they do not sign this consent?

If the DPPOS study group decides that outside medical record information is not an absolute requirement of participation in the study, the standard language may be modified to indicate this. A separate statement should be added to the end of the consent to provide the participant a place to decline participation in outside medical records collection, while continuing to take part in the overall study.

In the past, the participant, prior to obtaining medical record information, was required to sign a medical records request release form. Will such a form still be required once they have signed the consent including the HIPAA language? If so, will the University or UPMC provide an updated medical records release form?

This type of form will no longer be required. The signed authorization (consent form) will be all that is required to request a participant's hospital or physician's medical records, and will remain in effect until the end of the study (if that is the language that is used in the consent).

Is there a change in recruitment strategies due to HIPAA regulations?

Yes, the reference manual will be updated to include the following: Address the method by which research subjects will be initially contacted by the investigators to ascertain their interest in research study participation. Note that the University IRB prohibits "cold-calling" of potential research subjects. (Refer to the IRB Reference Manual for the Use of Human Subjects in Research, Chapter 5, section 5.1.2.) "Cold-calling" is the practice of investigators or research staff who are unknown to the potential research subjects initiating contact with the potential subjects based on their prior knowledge of confidential (e.g., medical record) information. To avoid a "cold-calling" scenario, the research study should be initially introduced to the potential research subject by an individual who, by virtue of his/her position, would normally have access to the potential subject's confidential information (e.g., the personal physician of the potential subject or a member of this physician's clinical staff). If the potential research subject indicates an interest in study participation, s/he should be instructed to contact the respective investigators directly or be asked to provide her/his consent:

  • for the individual, who initiated the discussion, to convey the potential subject's interest in study participation to the respective investigators; and
  • for these investigators to subsequently contact the potential subject.

The individual responsible for introducing the study to the potential subject should document this consent in his/her records. As per the new HIPAA privacy regulations, a health care provider may not share individually identifiable health information with research investigators in the absence of the written authorization of the patient. Hence, if the nature of the research study would result in the conveyance of the potential subject's health information and identity to research investigators, the consent of the potential subject for sharing this information must be in the format of a valid HIPAA authorization. A model of valid HIPAA authorization for sharing health information of potential research subjects with research investigators is available on the HIPAA page of the IRB website.

What are the identifiers that must be removed for data to be considered de-identified under HIPAA?

HIPAA "Safe Harbor" De-Identification of Medical Record Information requires that each of the following identifiers of the individual or of relatives, employers, or household members of the individual be removed from medical record information in order for the records to be considered de-identified:

  • Names
  • All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial 3 digits of a zip code if, according to the current publicly available data from the Bureau of Census: (1) the geographic unit formed by combining all zip codes with the same 3 initial digits contains more than 20,000 people; and (2) the initial 3 digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000.
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  • Telephone numbers
  • FAX numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers; license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code, except a code to permit re-identification of the de-identified data by the Honest Broker.

Limited Data Sets

For Limited Data Sets, HIPAA requires that each of the following identifiers of the individual or of relatives, employers, or household members of the individual be removed from medical record information:

  • Names
  • Postal address information, other than town or city, state, and zip code
  • Telephone numbers
  • FAX numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers; license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers
  • Full face photographic images and any comparable images
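The two lists above differ mainly in what a Limited Data Set may keep (town or city, state, zip code, and full dates) and in the Safe Harbor rules for 3-digit zip prefixes, dates, and ages over 89. The following Python script is an added example, not part of the original FAQ or any University of Pittsburgh tool; it applies both rule sets to a constructed research record. The field names, the reference date used to compute age, and the set of low-population 3-digit zip prefixes are all assumptions made for the example (the authoritative prefix set comes from Bureau of Census data, which is not reproduced here). The Honest Broker re-identification code is modelled as a random token whose mapping to the medical record number is held only by the broker.

```python
import secrets
from datetime import date

# Assumption (placeholder, not from the page): 3-digit zip prefixes whose
# combined population is 20,000 or fewer. "036" is a constructed stand-in.
LOW_POPULATION_ZIP3 = {"036"}

# Assumed field names. These identifiers appear in both the Safe Harbor and
# the Limited Data Set lists, so they are dropped in either mode.
DIRECT_IDENTIFIERS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "face_photo",
}
# Dates "directly related to an individual" named on the page.
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")


def age_on(birth: date, reference: date) -> int:
    """Whole years between the birth date and the reference date."""
    before_birthday = (reference.month, reference.day) < (birth.month, birth.day)
    return reference.year - birth.year - before_birthday


def safe_harbor_zip(zip_code: str) -> str:
    """Keep the initial 3 digits, or 000 for a low-population prefix."""
    prefix = zip_code[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def deidentify(record: dict, mode: str, reference: date) -> dict:
    """Return a copy of record with identifiers removed under the given mode."""
    if mode not in ("safe_harbor", "limited"):
        raise ValueError(f"unknown mode {mode!r}")
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if mode == "limited":
        # Limited Data Set: city, state, zip and full dates may remain.
        return out
    out.pop("city", None)                 # no subdivision smaller than a State
    if "zip" in out:
        out["zip"] = safe_harbor_zip(out["zip"])
    age = age_on(record["birth_date"], reference) if "birth_date" in record else None
    for field in DATE_FIELDS:             # every date is reduced to its year
        if field in out:
            out[field] = out[field].year
    if age is not None:
        if age > 89:
            out["age"] = "90+"            # single aggregated category
            out.pop("birth_date", None)   # birth year alone would reveal age > 89
        else:
            out["age"] = age
    return out


class HonestBroker:
    """Holds the only link between a re-identification code and the MRN."""
    def __init__(self) -> None:
        self._codes: dict = {}

    def assign_code(self, record: dict) -> str:
        # Random token: not derived from the subject's own information.
        code = secrets.token_hex(8)
        self._codes[code] = record["mrn"]
        return code

    def reidentify(self, code: str) -> str:
        return self._codes[code]


# Constructed sample records (fictitious people).
SUBJECT_A = {
    "name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "street": "1 Example St", "city": "Pittsburgh", "state": "PA", "zip": "15213",
    "phone": "555-0100", "birth_date": date(1930, 5, 20),
    "admission_date": date(2003, 4, 14), "systolic_bp": 128,
}
SUBJECT_B = {**SUBJECT_A, "mrn": "MRN-0002", "zip": "03601",
             "birth_date": date(1912, 3, 1)}
REFERENCE = date(2003, 6, 1)  # assumed date on which age is computed


def demo() -> dict:
    broker = HonestBroker()
    code = broker.assign_code(SUBJECT_A)
    return {
        "safe_harbor_a": deidentify(SUBJECT_A, "safe_harbor", REFERENCE),
        "safe_harbor_b": deidentify(SUBJECT_B, "safe_harbor", REFERENCE),
        "limited_a": deidentify(SUBJECT_A, "limited", REFERENCE),
        "code_roundtrip": broker.reidentify(code) == "MRN-0001",
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Running the script shows subject A reduced to state, 3-digit zip, years only and an age of 73 under Safe Harbor, while subject B (born 1912) loses the birth year entirely and is reported as "90+"; the Limited Data Set output keeps city, zip and full dates but none of the direct identifiers. A real deployment would load the low-population prefix set from the Census data rather than a constant, and the broker's mapping would live in access-controlled storage rather than in memory.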