The Health Insurance Portability and Accountability Act (HIPAA) is a federal law signed in 1996 with the primary purpose of improving the efficiency and effectiveness of the health care system. HIPAA included provisions that required the U.S. Department of Health and Human Services to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. Congress recognized that advances in electronic technology could erode the privacy of health information and, consequently, incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

HIPAA Privacy Rule

  • Established national standards for the protection of individually identifiable health information (collectively defined as “protected health information” or PHI) by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically.

HIPAA Security Rule

  • Established national standards for protecting the confidentiality, integrity, and availability of electronic protected health information.

HIPAA Enforcement Rule

  • Contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.

HIPAA Breach Notification Rule

  • Requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

Omnibus Rule

  • Implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under HIPAA.

In the research context, HIPAA establishes the conditions under which PHI may be created, obtained, used or disclosed by covered entities for research purposes and contains specific requirements for research with human subjects and their PHI.

For example: 

  • Studies that involve review of medical records as a source of research information.
  • Studies where data is added to medical records or data is used to make health-care decisions.
  • Studies that create new medical records since a health-care service is being performed as part of the research, for example the testing of a new drug to treat a medical condition.
  • Sponsored clinical trials that submit data to the US Food and Drug Administration (FDA).
  • Human biological specimen data which includes PHI.

All individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral, is PHI.

PHI includes:

  • Information that identifies an individual or might reasonably be used to identify an individual.
  • Information that relates to the past, present, or future physical or mental health or condition of an individual.
  • Information that relates to the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual.

Covered entities include health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically.

A covered entity must comply with HIPAA. Georgetown University is a hybrid covered entity because its activities include both HIPAA-covered and non-covered functions.

A PHI use is the sharing, employment, application, utilization, examination, or analysis of such information within the entity or health care component (for hybrid entities) that maintains such information. A PHI disclosure is the release, transfer, access to, or divulging of information in any other manner outside the entity holding the information.

HIPAA allows the use and disclosure of PHI for research purposes, but such uses and disclosures must follow the HIPAA guidance and be part of a research plan that is reviewed and approved by an Institutional Review Board (IRB).

The HIPAA Privacy Rule is mainly concerned with the information created in the course of providing health care services; however, HIPAA recognizes and endorses the fact that research may create, use, and disclose PHI. To determine if HIPAA rules apply to a research project, it is important to first determine if the activity is considered research. HIPAA uses the same definition as the federal Common Rule (45 CFR 46), which defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge”.

HIPAA allows the use or disclosure of PHI for research purposes if any of the following conditions applies:

  • The subject of the PHI has granted written permission through an Authorization for use of their PHI. 
  • The IRB has granted a waiver of HIPAA authorization for the use of PHI.
  • The PHI has been de-identified prior to being obtained and utilized in accordance with HIPAA standards.
  • The information is released as part of a limited data set with an established data use agreement between the researcher and the covered entity.
  • The PHI is used for activities considered “preparatory to research”.
  • The research involves the use of a decedent’s PHI.

A Limited Data Set is PHI that does not include the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

  • Names;
  • Postal address information, other than town or city, State, and zip code;
  • Telephone numbers, fax numbers, electronic mail addresses;
  • Social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers (including license plate numbers);
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs), Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints; and
  • Full face photographic images and any comparable images.

Covered entities and investigators can agree to use a Limited Data Set for research purposes by establishing a Data Use Agreement between both parties. In these cases, a limited data set may be used or disclosed for research purposes without obtaining either an Authorization or Waiver.

A data use agreement is the means by which covered entities obtain satisfactory assurances that the recipient of the limited data set will use or disclose the PHI in the data set only for specified purposes. Even if the person requesting a limited data set from a covered entity is an employee or otherwise a member of the covered entity’s workforce, a written data use agreement meeting the Privacy Rule’s requirements must be in place between the covered entity and the limited data set recipient.

The HIPAA Privacy Rule requires a data use agreement to contain the following provisions:

  • Specific permitted uses and disclosures of the limited data set by the recipient consistent with the purpose for which it was disclosed (a data use agreement cannot authorize the recipient to use or further disclose the information in a way that, if done by the covered entity, would violate the Privacy Rule).
  • Identification of who is permitted to use or receive the limited data set.
  • Stipulations that the recipient will:
    • Not use or disclose the information other than permitted by the agreement or otherwise required by law.
    • Use appropriate safeguards to prevent the use or disclosure of the information, except as provided for in the agreement, and require the recipient to report to the covered entity any uses or disclosures in violation of the agreement of which the recipient becomes aware.
    • Hold any agent of the recipient (including subcontractors) to the standards, restrictions, and conditions stated in the data use agreement with respect to the information.
    • Not identify the information or contact the individuals.

Please contact Tracy Bruehs at tlb23@georgetown.edu to obtain a data use agreement if needed for your study.

Additional considerations:

This process is distinct from the Georgetown Institutional Review Board (IRB) whose primary role is to safeguard the rights and welfare of all human subjects who participate in research studies conducted by Georgetown faculty, staff, and students. Research using Georgetown administrative data must be reviewed and approved/exempted by the IRB. Official IRB approval or exemption is required before any data are released.

The investigator is responsible for:

HIPAA training is required for all personnel working on research covered by HIPAA. For instructions on registering and completing the training, please see the CITI training page. 

As outlined in the Belmont principle of respect for persons, the individual’s consent to use their PHI for research should be obtained if feasible. Consent for use of PHI is defined by HIPAA as an Authorization. The following elements are required to be included in an Authorization to use PHI for research purposes:

  • A description of the information to be used or released,
  • The name of the individual or group of individuals who will use the information,
  • The name of individuals or organizations to whom PHI will be released,
  • Expiration date or event that ends the authorization to use PHI, or a statement that authorization does not expire,
  • A statement that research participants have the right to revoke authorization,
  • A statement notifying research participants that if information is disclosed to other organizations the information may no longer be protected,
  • A notification that research participants may inspect or copy their records. 

PLEASE NOTE: Along with the implementation of the new IRB system and associated documents, the HIPAA Authorization form has been incorporated into the ICF template. There is no longer a need for a separate HIPAA Authorization Form unless otherwise instructed due to special circumstances.

If feasible, it is preferable for researchers to obtain consent to use an individual’s PHI; however, HIPAA does allow research using PHI without obtaining consent by requesting a Waiver of HIPAA Authorization. To obtain this waiver, the research must be reviewed and approved by the Georgetown University Institutional Review Board (IRB). As a HIPAA requirement, IRBs must review the study to ensure it meets the following criteria:

  • The use or disclosure of PHI for the study involves no more than minimal risk.
  • Granting the waiver will not adversely affect the privacy rights and welfare of the individuals whose PHI will be used.
  • The study could not reasonably be conducted without the waiver.
  • The study could not reasonably be conducted without the use of PHI.
  • The privacy risks are reasonable relative to the anticipated benefits of research.
  • The research proposal includes a suitable plan to protect identifiers from improper use and disclosure.
  • The research proposal includes a suitable plan to destroy the identifiers at the earliest opportunity, or the proposal includes a justification for retaining identifiers.
  • The research proposal includes written assurances that PHI will not be re-used or disclosed for other purposes.
  • If appropriate, research participants will be provided with pertinent information after participation.

De-identified health information is a record in which the identifying information has been removed and the health information is no longer subject to HIPAA’s Privacy Rule. Since this information is not PHI, investigators may use or disclose the de-identified health information without restrictions.

However, if the information is being used as part of a research study, it must be de-identified before it is received by the investigators. Usually, the de-identification process is completed by the covered entity before releasing it for use. The covered entity must determine that the information has been appropriately de-identified, either by removal of all 18 identifiers that could be used to identify the individual or the individual’s relatives, employers, or household members, or through the use of statistical methods, which requires the assistance of a qualified expert.

Covered entities may allow researchers to review PHI in medical records or elsewhere during reviews preparatory to research. For example, these reviews would allow the researchers to determine if there is a sufficient number of records to conduct the research. For these activities preparatory to research, PHI may be used or disclosed to a researcher without an individual’s authorization, a waiver or an alteration of authorization, or a data use agreement. However, this access must be requested before the actual review or use as part of the IRB application.

In order to allow the researcher to conduct activities preparatory to research, the Georgetown University IRB must receive the following representations from the researcher:

  1. The use or disclosure of PHI is requested solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research; 
  2. PHI will not be removed from the covered entity in the course of the review; 
  3. The PHI for which use or access is requested is necessary for the research.

Requests to conduct reviews preparatory to research must be approved by the covered entity. For more information, please contact the IRB Office.

In all cases where PHI is being disclosed or used for research purposes, researchers should use the minimum information that is necessary to conduct the research (“minimum necessary standard”).

For research on decedents’ information, the covered entity may release PHI for decedents if it obtains the following:

  1. A representation that the use or disclosure is sought solely for research on the PHI of decedents;
  2. Documentation, at the request of the covered entity, of the death of such individuals; 
  3. A representation that the protected health information for which use or disclosure is sought is necessary for the research purposes.

Requests to conduct research with decedents’ information must be approved by the covered entity. For more information, please contact the IRB Office.

  1. Review and approve HIPAA Written Authorizations when they are combined with an informed consent document.
  2. Approve and document determinations regarding waiver or alteration of the requirements for written Authorization; for example, an alteration permitting verbal authorization when the short form is used for non-English-speaking participants.
  3. Receive HIPAA Attestation from investigators who propose to use PHI without an authorization, including:

In addition to its regulatory responsibilities, the IRB will ensure that a HIPAA-compliant stand-alone HIPAA Authorization Template is available for use by researchers, for example in external studies.

HIPAA requires that an IRB or a Privacy Board make determinations about the use of PHI in research. The Georgetown University IRBs and the MHRI-GU Oncology IRB act as Privacy Boards for those studies for which they provide IRB oversight at Georgetown University Hospital (GUH) and other MedStar institutions.

If you conduct research at covered entity sites outside MedStar Health, Inc., including GUH, please contact those covered entities directly and provide the GU IRB with copies of the HIPAA Authorizations and/or HIPAA Waivers approved by their Privacy Boards.