Health Insurance Portability and Accountability Act - Research that May Affect Privacy of Health Information

MIT is not considered a covered entity. Therefore, research conducted outside of MIT Health or MIT Health Billing is not subject to the Health Insurance Portability and Accountability Act (HIPAA).

If your study involves health information about a research subject, then you may need to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) and their implementing regulations. These laws are designed to protect individually identifiable health information, known as protected health information (PHI), when this information is in the possession of entities subject to HIPAA. You will not necessarily need to comply with HIPAA if your study involves health information. HIPAA applies only to certain “covered entities” and, by derivation, to certain entities that receive health information from them. Your application to COUHES will enable you to determine whether HIPAA applies to your study protocol.

If you plan to share or disclose a subject's PHI in connection with a research study that is indeed subject to HIPAA, you must first obtain the written permission of the subject. This permission, called an Authorization for Release of Protected Health Information, must specify precisely what information will be released, why it is being released, and from and to whom it is being released. A template for this form is provided in the Forms and Templates section of this website, which can be accessed from the main menu. This form must be appended to the informed consent form and completed by the subject at the same time the subject completes the informed consent form. A subject cannot participate in the research if he or she does not complete the Authorization. Additionally, the investigator must maintain a detailed record of each release of health information, and this record must be accessible under certain circumstances to the subject.

COUHES, however, may permit the disclosure of PHI subject to HIPAA without a subject's specific prior authorization if (1) the research cannot be practically conducted without access to the PHI, and (2) the disclosure involves no more than minimal risk to the privacy of the subject. If you are requesting such a Waiver of Authorization, then you must complete the relevant portions of the COUHES standard application form.

HIPAA applies only to identifiable health information. If the health information is de-identified, it is exempt from HIPAA’s requirements. To be completely de-identified, the data set must meet strict criteria and be stripped of all direct and indirect subject identifiers. As an alternative method, a researcher may choose to use a limited data set, which is less restrictive and excludes mostly direct subject identifiers. For use of a limited data set, the researcher must complete a formal data use agreement with the data source that sets forth permitted uses and disclosures of the limited data set information.

If HIPAA applies to your research study, any failure to comply with HIPAA will result not only in termination of your study and suspension of related research grants, but also potentially in criminal and/or civil penalties to you and MIT (for an individual, penalties may be as severe as $1,500,000 or 10 years imprisonment).

A more detailed description of the HIPAA Privacy Rule requirements is contained in the COUHES HIPAA Guidance Document.