University of Chicago, Social Behavioral Sciences (SBS) IRB December 2024: Guidance on Health Insurance Portability and Accountability Act (HIPAA)
Updated with the assistance of UChicago Medicine’s Privacy Office
I. Overview
The Privacy Rule, at 45 CFR parts 160 and 164, defines Individually Identifiable Health Information and the category of health information it protects, known as protected health information (PHI). It requires an individual to provide written permission, known as an Authorization that satisfies the Privacy Rule, before a Covered Entity can use or disclose the individual’s PHI for research purposes.
Under certain circumstances, the Privacy Rule permits a Covered Entity to use or disclose PHI for research without an individual’s Authorization. One way a Covered Entity can use or disclose PHI for research without an Authorization is by obtaining proper documentation of a waiver of the Authorization requirement by an IRB or Privacy Board.
An update to the HIPAA Privacy Rule effective June 25, 2024 establishes certain prohibitions on how Reproductive Health Care and Information may be used or disclosed for certain non-health care purposes, and adds written attestation requirements. These non-health care purposes are health oversight activities, judicial or administrative proceedings, law enforcement, and disclosures regarding decedents made to coroners and medical examiners.
Authorizations and waivers of Authorizations will only permit the use or disclosure for the specific research study for which they were obtained.
The Privacy Rule applies to Covered Entities and Business Associates, but it may still affect researchers who are not part of a Covered Entity because their access to PHI may come from a data provider or data owner who is a Covered Entity or Business Associate. A Business Associate provides certain contractual services, and those services do not themselves involve research; however, a Covered Entity may engage Business Associates to assist in de-identifying PHI, to prepare de-identified data or a Limited Data Set, or to provide other data analytics services.
Serving as a Privacy Board under Section 164.512 of the Privacy Rule, the Crown Family School/CHC IRB reviews all projects in Crown Family School and Chapin Hall (unless another Privacy Board or IRB reviews a project) that may contain PHI or other health data received from a Covered Entity or Business Associate.
II. Researchers’ Access to Protected Health Information
1. Research Use/Disclosure with Individual Authorization
The Privacy Rule permits Covered Entities to use and disclose PHI for research purposes when a research participant provides a valid, written authorization, as described in the regulation, for the use or disclosure of information about themselves. In most cases it is preferred to use the authorization form of the Covered Entity. The following special provisions apply specifically to research authorizations:
Unlike other authorizations, an authorization for a research purpose may state that the authorization does not expire, that there is no expiration date or event, or that the authorization continues until the “end of the research study”; and
An authorization for the use or disclosure of PHI for research may be combined with a consent to participate in the research, or with other legal permission related to the research study.
2. Research Use/Disclosure without Authorization
PHI can be used or disclosed for research if a Covered Entity receives documentation that an IRB or Privacy Board has waived the requirement for Authorization or allowed an alteration. The IRB or Privacy Board must follow the requirements of the Common Rule, including normal review procedures. The Privacy Board must review the proposed research at convened meetings at which a majority of the privacy board members are present, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure. A Privacy Board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the PHI for which use or disclosure is being sought. If the privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the Privacy Board, or by one (1) or more members of the privacy board designated by the chair.
Researchers may request a waiver or alteration of Authorization in a study protocol, and the IRB or Privacy Board must provide in return:
- Identification of the IRB or Privacy Board and the date on which the alteration or waiver of authorization was approved;
- A statement that the IRB or Privacy Board has determined that the alteration or waiver of authorization, in whole or in part, satisfies the three criteria in the Privacy Rule;
- A brief description of the protected health information for which use or access has been determined to be necessary by the IRB or Privacy Board;
- A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures; and
- The signature of the chair or other member, as designated by the chair, of the IRB or the Privacy Board, as applicable.
These three criteria must be satisfied for an IRB or Privacy Board to approve the waiver of authorization under the Privacy Rule:
- The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on the presence of the following elements:
  - An adequate plan to protect the identifiers from improper use and disclosure;
  - An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
  - An adequate written assurance that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by this subpart;
- The research could not practicably be conducted without the waiver or alteration; and
- The research could not practicably be conducted without access to and use of the PHI.
3. PHI or Health Information that Does Not Identify Individuals
De-identifying PHI. Covered Entities may use or disclose health information that is de-identified without restriction under the Privacy Rule. Covered Entities or Business Associates seeking to release this health information must determine that the information has been de-identified, either by statistical verification of de-identification or by removing certain pieces of information from each PHI record.
Non-identifiable data must meet one of the following two criteria:
- Only fully de-identified data are used, as determined by the Safe Harbor method (removal of 18 types of identifiers) or by an expert statistician who applies statistical or scientific principles under §164.514; or
- A Limited Data Set is obtained under an approved Data Use Agreement, which must be signed by an Institutional Official. The Data Use Agreement (DUA) must:
  - Establish the permitted uses and disclosures of the Limited Data Set by the recipient, consistent with the purposes of the research, which may not include any use or disclosure that would violate the HIPAA Rule if done by the Covered Entity;
  - Limit who is permitted to use or receive it; and
  - Require the recipient to agree to the following:
    - Not to use or disclose the information other than as permitted by the Data Use Agreement or as otherwise required by law;
    - To use safeguards to prevent the use or disclosure of the information other than as provided for in the Data Use Agreement;
    - To report to the Covered Entity any use or disclosure of the information not provided for by the Data Use Agreement of which the recipient becomes aware;
    - To ensure that any named subcontractor to whom the recipient provides the Limited Data Set agrees to the same restrictions and conditions that apply to the recipient;
    - Not to identify the information or contact the individuals; and
    - To promptly report breaches or other incidents to the Covered Entity or Business Associate.
4. PHI Use Solely Preparatory to Research
For activities involved in preparing for research, Covered Entities may use or disclose PHI to a researcher without an individual’s Authorization, a waiver or alteration of Authorization, or a data use agreement.
The Covered Entity must obtain from researchers the following statements:
- A written or oral request, presented to the Covered Entity’s designated official, noting that the access to PHI is solely for research protocol preparation (e.g., for identifying potential subjects or protocol development);
- Acknowledgement that the researchers are not permitted to remove any PHI from the Covered Entity; and
- A representation that the PHI for which use or access is requested is necessary for the research.
5. Research on Decedents’ PHI
To use or disclose for research the PHI of individuals who have been deceased for fewer than 50 years, Covered Entities are not required to obtain an Authorization from a personal representative or family member, a waiver or alteration of Authorization, or a data use agreement. However, the Covered Entity must receive the following from the researcher who is seeking access to decedents’ PHI:
- Oral or written representations that the use and disclosure is sought solely for research on the PHI of decedents;
- Oral or written representations that the PHI for which use or disclosure is sought is necessary for the research purposes; and
- Documentation, at the request of the Covered Entity, of the death of the individuals whose PHI is sought by the researchers.
III. Key Definitions
Covered Entity: A Covered Entity is a health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard.
Business Associate: A Business Associate provides services limited to legal, actuarial, accounting, consulting, data aggregation, and management, as required under a Covered Entity and Business Associate contract.
Health Information: Health Information is any information, whether oral or recorded in any form or medium, that (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for the provision of health care to an individual.
Individually Identifiable Health Information (IIHI): IIHI is a subset of health information, including demographic information collected from an individual, that (1) is created or received by a Covered Entity and (2) is information with respect to which there is a reasonable basis to believe it can be used to identify the individual.
Protected Health Information (PHI): PHI is individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.
De-Identified Health Information: De-identified Health Information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify protected health information: (1) a formal determination by a qualified statistician; or (2) the removal of 18 specified identifiers (Safe Harbor method).
Limited Data Set: A Limited Data Set is a dataset of PHI from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed (16 out of the 18 types of identifiers defined by HIPAA). A Limited Data Set may be used and disclosed for research, health care operations, or public health purposes, provided the recipient of the Limited Data Set enters into a data use agreement signed by an Institutional Official.
State Laws for Private Health Records (Illinois): State laws relating to private identifiable health information also govern research when applicable (e.g., Personal Information Protection Act, Mental Health and Developmental Disabilities Confidentiality Act, HIV Confidentiality Act, and Alcoholism and Other Drug Abuse and Dependency Act).
Non-Research Permitted Uses and Disclosures without Authorization: (1) PHI released to the individual patient, or where the individual (or legally authorized representative) is given an opportunity to agree or object to the use or disclosure; (2) PHI used for treatment, payment, and health care operations (including Business Associate contracts); (3) PHI disclosed for public health situations and needs; (4) PHI disclosed when compelled by law; and (5) Business Associate contractual services.
Reproductive Health Care and Information: Reproductive Health Care and Information means health care that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. The definition is not to be construed to set forth a standard of care for or regulate what constitutes clinically appropriate reproductive health care.