MIT is committed to conducting research in compliance with all applicable laws and regulations. To ensure this result, the Committee on the Use of Humans as Experimental Subjects (COUHES) is publishing this guidance document to assist the MIT research community in implementing the requirements of the HIPAA Privacy Rule, as they may apply to MIT research. It is important to note, however, that most research conducted at MIT is not subject to HIPAA. Researchers or persons assisting them should click here for a set of questions designed to help determine whether HIPAA applies to MIT research.
HIPAA, while not intended to regulate the conduct of research directly, imposes specific requirements on research that involves use or disclosure of protected health information (PHI) — that is, health information subject to HIPAA’s requirements. To the extent HIPAA applies to your research, this document outlines HIPAA’s basic requirements and how MIT researchers can comply with those requirements.
What is HIPAA?
“HIPAA” is an acronym for the Health Insurance Portability and Accountability Act, passed by Congress in 1996. Congress, as part of HIPAA, required the Department of Health and Human Services to promulgate privacy regulations to protect the confidentiality of individually identifiable health care information. These regulations have taken form in the so-called “Privacy Rule,” which specifies permissible uses and disclosures by entities subject to HIPAA, and the “Security Rule,” which specifies protections entities subject to HIPAA must place on information subject to HIPAA. Congress amended HIPAA in 2009 by enacting the Health Information Technology for Economic and Clinical Health Act (HITECH). References to “HIPAA” in this guidance document reflect the current version of HIPAA, including the Privacy Rule and Security Rule, and as amended by the HITECH Act and its implementing regulations.
Key Concepts and Definitions
Business Associate: A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a Covered Entity. Employees of a Covered Entity are not themselves Business Associates. Business Associates are subject to the same requirements regarding the security and privacy of PHI as Covered Entities.
Covered Entity: A Health Plan, a Health Care Clearinghouse, or a Health Care Provider that transmits electronic information for certain transactions, is each a Covered Entity under HIPAA. For example, MIT Medical Department is a Covered Entity.
HIPAA Privacy Rule: A set of regulations that address the use and disclosure of individuals’ health information by certain types of health care organizations. The Privacy Rule also specifies standards for individuals to understand and control the use of their health information.
HIPAA Security Rule: A set of regulations that address protections that entities subject to HIPAA must have in place to safeguard individuals’ health information.
Individually Identifiable Health Information: Includes any subset of health information, including demographic information collected from an individual, that:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse (an organization that codes health data);
- Relates to the past, present or future physical or mental health or condition, the past, present or future provision of care to an individual, or the past, present or future payment for the provision of health care to an individual; and
- Identifies the individual (or there is a reasonable basis to believe that the information can be used to identify the individual).
Minimum Necessary: The Privacy Rule restricts use and disclosure of PHI by Covered Entities and their Business Associates. However, it does contain exceptions granting access to PHI in certain circumstances. Underlying all the exceptions, however, is the principle that any access to PHI should be limited to the minimum amount of information necessary to accomplish the intended purpose of the use or disclosure. The default minimum necessary standard for PHI is a “limited data set.”
For MIT research purposes, this standard requires a MIT researcher subject to HIPAA to evaluate the needs of his or her study and to request access only to those pieces of information that are necessary for the complete and accurate development of the research. This is advisable (although not required) as ethical research practice, even if a research subject permits more information to be used or disclosed.
Protected Health Information: Protected Health Information is individually identifiable health information that is transmitted or maintained in any form or medium by a Covered Entity or a Business Associate.
Role of COUHES: COUHES is responsible for overseeing human subjects research at MIT and ensuring to the extent possible that all such research complies with applicable laws. When necessary, COUHES will require researchers to obtain authorizations for the release of PHI to, or use of PHI by, MIT researchers in connection with any research at MIT that is subject to HIPAA.
Who is subject to HIPAA?
HIPAA applies to the use or disclosure of PHI by only Covered Entities and their Business Associates. It is important to note that not all research that entails the access to or use or disclosure of health information will be subject to HIPAA.
Research conducted by Covered Entities at MIT (such as MIT Medical or the MIT Health Plans) that involves use or disclosure of PHI is subject to HIPAA. Research subject to HIPAA may include clinical research, behavioral, and social science studies, as well as basic science research activities. Research subject to HIPAA may also include research that involves the provision of treatment as well as research that provides no treatment or diagnosis.
All MIT studies involving the use or disclosure of PHI must be reviewed and approved in advance by COUHES. In addition, researchers at MIT subject to HIPAA must complete HIPAA training before they will be allowed to have access to individually identifiable health information in any form. We do not expect researchers at MIT to function as Business Associates of Covered Entities. However, should a health care provider, health plan or other Covered Entity outside MIT seek your assistance in analyzing, assessing or otherwise reviewing PHI, please contact Judith Medeiros-Adams by emailing firstname.lastname@example.org or by calling 617-253-6787.
The research subject must sign a valid authorization for the use or disclosure of the subject’s PHI by or to an entity that is a “Covered Entity” under HIPAA.
The authorization must include:
- A specific and meaningful description of the PHI to be used for research purposes;
- Designation of who may make the requested use or disclosure of the PHI;
- The purpose of uses or disclosures specific to the current research study;
- The expiration date or expiration event for the authorization (if the information will be kept indefinitely, the authorization must state that there is no expiration date);
- An explanation of the research participant’s right to revoke his or her authorization;
- An explanation of the research participant’s right to refuse to sign the authorization (if this happens, the individual may be excluded from the research and any treatment associated with the research); and
- If relevant, an explanation of any limitations on research subjects’ access rights to their PHI while the research is in progress.
The authorization will generally be part of the informed consent process, and COUHES will review the authorization as part of its review of the informed consent proposed by the researcher. A template standard HIPAA authorization form is available from the COUHES website.
Note that blanket authorizations for general research to be conducted in the future are not permitted under HIPAA. Further, any new research use of PHI beyond that described in an initial HIPAA authorization generally requires independent and specific authorization from research subjects.
In general, subjects are not allowed to participate in a research study if they do not sign an authorization for release of their PHI in connection with the research. An alternative to asking each research subject for an authorization is to ask COUHES, as part of the COUHES application process, for a waiver of authorization or an alteration of the standard elements of an authorization in accordance with special exceptions allowed under HIPAA. If the use of individually identifiable health information by a Covered Entity or a Business Associate meets the requirements for a waiver of authorization, then COUHES may approve such a waiver.
The criteria COUHES applies in approving requests for a waiver of authorization are as follows:
- The use or disclosure of PHI must involve no more than minimal risk to the privacy, safety, and welfare of the individual;
- The research could not practicably be conducted without the waiver or alteration; and
- The research could not practicably be conducted without access to the PHI.
COUHES must also consider if the researcher has provided:
- An adequate plan to protect personal identifiers from improper use or disclosure;
- An adequate plan to destroy personal identifiers at the earliest opportunity, unless retention of identifiers is required by law or is justified by research or health issues; and
- Adequate written assurance that the PHI will not be used by or disclosed to a third party except as required by law or permitted by an authorization signed by the research subject
When is an authorization from the research subject or a COUHES waiver not required?
Reviews Preparatory to Research: In certain circumstances when a researcher subject to HIPAA is preparing a protocol utilizing PHI, HIPAA and MIT policy allow for access to PHI without an authorization from the individual or a waiver from COUHES. However, the researcher must document that:
- The access is only to prepare a protocol;
- No PHI will be removed from MIT; and
- The PHI accessed is necessary for the preparatory review.
This access is granted only to MIT researchers; non-MIT researchers may not access MIT data.
Research on Decedents' Information: Research subject to HIPAA involving a deceased person’s PHI is permitted if the researcher:
- Represents that the use or disclosure is sought solely for research on the PHI of decedents;
- Obtains documentation, at the request of COUHES, of the death of such individuals; and
- Represents that the PHI for which use or disclosure is sought is necessary for the research purposes.
Researchers should document these facts in writing when conducting research subject to HIPAA involving use of PHI of decedents.
What types of Health Information used in research do not require use of a HIPAA authorization form?
As stated above, it is important to keep in mind that not all research that entails the access to or use or disclosure of health information will be subject to HIPAA. To the extent research may involve PHI subject to HIPAA, there are two ways researchers can avoid the need for a HIPAA authorization form — by using PHI that has been de-identified or using a Limited Data Set.
De-Identified Information: Health information is considered de-identified when it does not identify an individual, and the Covered Entity has no reasonable basis to believe that the information can be used to identify an individual. De-identified health information is not subject to HIPAA’s authorization requirements, even when used or disclosed by a Covered Entity or a Business Associate.
Information is considered de-identified if 18 identifiers are removed from the health information and if the remaining health information cannot be used alone, or in combination, to identify a subject of the information. The identifiers include:
- Geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code for geographic areas containing more than 20,000 people;
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates referring to ages over 89, except for a single aggregate category of age 90 and over;
- Telephone numbers;
- Fax numbers;
- Email addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers or serial numbers;
- Internet Protocol (IP) address numbers;
- Universal Resource Locators (URLs);
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code.
Limited Data Set: Sometimes Covered Entities will disclose a “limited data set” as defined by HIPAA to a researcher who has no relationship with the individual whose information is being disclosed. The limited data set option is a less restrictive option than complete de-identification in that it allows the inclusion of health information with certain identifiers. A limited data set contains PHI but includes only the following types of identifiers: admission, discharge, and service dates; birth date; date of death; age (including 90 or over) in years, months, days, or hours; and geographical subdivisions such as state, county, city, precinct and five digit zip code. HIPAA permits Covered Entities to disclose PHI in a limited data set for research purposes subject to the execution of a data use agreement, which requires the researcher receiving the limited data set to observe security safeguards.
A data use agreement specifies permitted uses and disclosures, specifies who may use or receive the data set, restricts further use and disclosure of the data set, and prohibits re-identification of the data or contact by the researcher with the individuals whose information is included in the data set.
What is the relationship between HIPAA and the "Common Rule"?
A primary source of regulation of research is the Federal Policy for Human Subject Protection, known as the Common Rule. This federal regulation has been adopted by 17 federal departments and agencies, as the basis for protection of human subjects in research.
HIPAA does not modify the Common Rule. However, HIPAA contains several provisions that either resemble provisions of the Common Rule or reference the Common Rule. HIPAA also contains specific requirements for the composition of a Privacy Board, which, for MIT research purposes, will be COUHES.
COUHES and researchers must comply with all of the requirements of the Common Rule in addition to, where applicable, HIPAA.
What information does COUHES require from researchers?
As part of completing their COUHES application, researchers must provide details about the types of information they will use in their research, how the information will be used, who will have access to the information, and when the information will be destroyed. Specifically, researchers are asked:
- What risks are posed by the use of the data and how have these risks been minimized?
- What is the justification for access to the data and why are the data necessary to conduct the research?
- What plan does the researcher have to protect personal identifiers from improper use or disclosure?
- What is the researcher's plan to destroy the personal identifiers? If it is not possible to destroy the identifiers, what is the health, legal, or scientific justification for non-destruction?
- Has the researcher provided adequate written assurance that PHI, to the extent involved in the research, will not be used or disclosed to a third party except as required by law or permitted by an authorization signed by the research subject?
As discussed above, researchers must submit additional information to COUHES to the extent they wish to seek a waiver of HIPAA’s authorization requirement from COUHES.
What rights do research subjects have under HIPAA?
Right to an accounting: When a research subject signs an authorization to disclose PHI, the Covered Entity is not required to account for the authorized disclosure. Nor is an accounting required when the disclosed PHI is contained in a limited data set or a de-identified data set. However, an accounting is required for research disclosures of identifiable information obtained under a waiver or exception of authorization granted by COUHES. Research subjects may request an accounting of such disclosures going back for up to six years prior to the date of the request.
Right to revoke authorization: A research subject has the right to revoke his or her authorization for the use or disclosure of their PHI for research purposes unless the researcher has already acted in reliance on the original authorization. Covered Entities may continue to use or disclose PHI collected prior to any revocation as necessary to maintain the integrity of a research study. Examples of permitted post-revocation disclosures of PHI, to the extent the disclosed PHI was collected prior to revocation, include: submission of marketing applications to the FDA, reporting of adverse events, accounting of the subject's withdrawal from the study and investigation of scientific misconduct.
What other obligations do researchers have under HIPAA?
Data Breach Notification: Covered Entities and their Business Associates must notify individuals affected by a breach of unsecured PHI. A breach is defined as an unauthorized use, disclosure, access, or acquisition of unsecured PHI that poses a significant risk of financial, reputational or other harm to the individual whose information was impermissibly disclosed. PHI is considered to be unsecured if it has not been encrypted or otherwise rendered unusable, indecipherable or unreadable.
Data breach notification requirements also apply to Covered Entities and Business Associates that hold limited data sets, if it is determined that there is a high risk of re-identification and harm to the affected individuals. However, limited data sets that omit dates of birth and zip code information are deemed to pose a low risk of re-identification and Covered Entities and Business Associates that hold these types of data sets are not subject to the breach notification requirement.
If a Covered Entity determines that a breach has occurred, the holder of the PHI must notify each affected individual no later than 60 days after the discovery of the breach. In addition, notice must be provided to prominent media outlets in each state in which more than 500 individual residents are believed to have been affected by the breach. If a Business Associate determines that a breach of PHI has occurred, the Business Associate must notify the Covered Entity from which the Business Associate received the PHI within 60 days of discovery of the breach.
What about studies that commenced prior to the HIPAA effective date?
A transition provision was included in the HIPAA Privacy Rule that has significant impact on the research community by "grandfathering" certain research studies that are underway at the compliance date mandated for the Privacy Rule.
The Privacy Rule allows for use and disclosure of PHI created or received for research, either before or after April 14, 2003, if one of the following was obtained prior to that date:
- An authorization or other express legal permission from the individual to use or disclose his or her information for research,
- The legally effective informed consent of the individual to participate in the research, OR
- A valid waiver of informed consent from COUHES.
However, if a subject is asked for informed consent (or asked to re-consent) for the use of PHI in research on or after April 14, 2003, an authorization must be obtained at that time.
Summary of Transition Provisions:
- Waiver of informed consent obtained prior to April 14, 2003: No action necessary. The waiver is deemed a "waiver" for Privacy Rule purposes for the duration of the research study
- Informed Consent obtained prior to April 14, 2003: Information obtained pursuant to an informed consent signed prior to April 14, 2003, even if the information is not obtained until after April 14, 2003, is "grandfathered" under the Privacy Rule. However, if the subject is "re-consented," that is, asked for a new informed consent on or after April 14, 2003, to the extent the use or disclosure of PHI is required, a valid, HIPAA-compliant authorization must be obtained.
- Informed Consent obtained on or after April 14, 2003: Must include a separate HIPAA authorization form or must obtain waiver of authorization from COUHES. Note that if subjects will be asked to give their informed consent to participate in the research, it is unlikely that COUHES will grant a waiver of authorization.
Who can provide more information?
COUHES will continue to provide guidance to its research community. Questions regarding this guidance and requests for further information should be directed to Judith Medeiros-Adams by emailing email@example.com or by calling 617-253-6787.