HIPAA FAQs
What is HIPAA?
HIPAA is an acronym for the Health Insurance Portability and
Accountability Act, passed by Congress in 1996. The purpose of
the Act was to increase the ease with which people could transfer
their health care information from one insurer or provider to the
next. Congress, as part of HIPAA, required the development of privacy
regulations to protect the confidentiality of individually identifiable
health care information. The final HIPAA Privacy Rule was issued on
August 14, 2002. As of April 14, 2003, the University of Washington is in
compliance with the Privacy Rule.
Who is affected by HIPAA?
All researchers (faculty, staff, or students) at the UW who access or create
Protected Health Information (PHI) preceding or during the conduct of their
research must comply with the HIPAA regulations.
What is PHI?
Protected Health Information is any information pertaining to:
- the past, present, or future physical or mental health or condition of
an individual;
- the provision of health care to an individual; or
- the past, present, or future payment for the provision of health care
to an individual.
PHI may be information that is recorded electronically, on paper, or orally.
PHI may concern living people or dead people (referred to in the law as "decedents").
PHI does NOT include de-identified information, or biological tissue that carries
no accompanying information (such as an accession number or code number) that
could be linked to an identifier.
What kind of research and researchers are affected by the HIPAA
regulations?
Any kind of research conducted under the auspices of the UW and UW Medicine
that creates or uses protected health information is subject to the HIPAA regulations.
This includes research activities such as clinical trials, chart reviews, epidemiological
studies, behavioral and social science studies, and basic science research. It
includes research that involves the provision of treatment as well as research
that provides neither treatment nor diagnosis.
All researchers, whether or not they are directly connected with UW Medicine,
who wish to conduct research involving protected health information must complete
HIPAA training before they will be allowed to have access to individually identifiable
health information in any form.
Who will review research use of HIPAA-regulated information?
HIPAA rules require a Privacy Board or Institutional Review Board (IRB) to
review the research use of HIPAA-regulated health information. All studies
involving creation or use of Protected Health Information (PHI) must be reviewed
and approved in advance by an IRB Committee with the UW's Human Subjects Division
(HSD).
What types of health information are there?
There are three categories of health information. The authorization requirements
for use are different for each.
- Individually Identifiable Health Information (IIHI) includes any subset
of health information, including demographic information collected from
an individual, that:
- Is created or received by a health care provider, health plan, employer,
or health care clearinghouse (an organization that codes health data);
- Relates to the past, present or future physical or mental health or condition,
the past, present or future provision of care to an individual, or the past,
present or future payment for the provision of health care to an individual;
and,
- Identifies the individual (or there is a reasonable basis to believe that
the information can be used to identify the individual).
An authorization signed by the research subject is almost always required
for the disclosure of individually identifiable health information. However,
if the use meets the requirements for a waiver of authorization, the IRB Committees
may approve such a waiver.
- De-Identified Information: Health information is
considered de-identified when it does not identify an individual and
the covered entity has no reasonable basis to believe that the information
can be used to identify an individual. Information is considered de-identified
if the following 18 identifiers are removed from the health information and the
remaining health information could not be used, alone or in combination,
to identify the subject of the information. The identifiers are:
- names,
- geographic subdivisions smaller than a state, including street address,
city, county, precinct, zip code and equivalent geocodes, except for the
initial three digits of a zip code if the geographic unit formed by combining
all ZIP Codes with the same three initial digits contains more than 20,000
people
- all elements of dates (except year) for dates directly related to an individual,
including birth date, admission date, discharge date, date of death, and
all ages over 89,
- telephone numbers,
- fax numbers,
- electronic mail addresses,
- Social Security numbers,
- medical record numbers,
- health plan beneficiary numbers,
- account numbers,
- certificate/license numbers,
- vehicle identifiers and serial numbers, including license plate numbers,
- device identifiers and serial numbers,
- Web Universal Resource Locators (URLs),
- biometric identifiers, including finger or voice prints,
- full face photographic images and any comparable images,
- Internet Protocol (IP) address numbers,
- any other unique identifying number, characteristic, or code.
The IRB Committees may allow waivers of authorization for access to de-identified
health information.
- Limited Data Set is information disclosed by a covered entity to a researcher
who has no relationship with the individual whose information is being disclosed.
The covered entity is permitted to disclose PHI, with direct identifiers
removed, subject to obtaining a data use agreement from the researcher receiving
the limited data set. A data use agreement specifies permitted uses and disclosures,
specifies who may use or receive the data set, restricts further use and
disclosure, and restricts re-identification of the data or contact with the
individuals.
The PHI in a limited data set may not be used to contact subjects. The Human
Subjects Review Committees may allow waivers of authorization for use of limited
data sets in research. If the data are to be removed from the hospital, the
researchers must sign a data use agreement with the hospital.
Direct identifiers that must be removed from the information
for a limited data set are:
- name,
- address information (other than city, state, and zip code),
- telephone and fax numbers,
- e-mail address,
- Social Security number,
- certificate/license number,
- vehicle identifiers and serial numbers,
- URLs and IP addresses,
- full face photos and other comparable images,
- medical record numbers, health plan beneficiary numbers, and other account
numbers,
- device identifiers and serial numbers,
- biometric identifiers including finger and voice prints.
Identifiers that are allowed in the limited data set are:
- admission, discharge and service dates,
- birth date,
- date of death,
- age (including age 90 or over),
- geographical subdivisions such as state, county, city, precinct and five
digit zip code.
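The two removal regimes above (the 18-identifier de-identification and the limited data set) differ only in what survives, and the difference is easy to get wrong in a data-export script. The following is an added example, not part of the FAQ or any UW tool, that applies both sets of rules to a record: the 3-digit ZIP exception with its 20,000-person threshold, the "year only" date rule, and the "age over 89" rule. Column names, the record, and the 3-digit ZIP population table are constructed for the example; it also withholds the birth year of anyone over 89, which the FAQ's summary does not spell out but which the Safe Harbor rule requires because the year alone would reveal the age.

```python
from datetime import date

# Constructed population table for 3-digit ZIP areas (not census data; a real
# check must use current U.S. Census figures).
ZIP3_POPULATION = {"981": 1_500_000, "036": 12_000}

# Hypothetical column names for the direct identifiers the FAQ lists; these are
# removed both under Safe Harbor and when building a limited data set.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

def zip3_safe_harbor(zip_code, populations=ZIP3_POPULATION):
    """Keep the first three digits only if that area holds more than 20,000
    people; otherwise return '000' so no geographic unit is revealed."""
    prefix = zip_code[:3]
    return prefix if populations.get(prefix, 0) > 20_000 else "000"

def deidentify(record, mode="safe_harbor"):
    """mode="safe_harbor": the 18-identifier removal the FAQ describes.
    mode="limited_data_set": direct identifiers removed; dates, age and the
    5-digit ZIP are kept, which is why a data use agreement is still needed."""
    over_89 = record.get("age", 0) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if mode == "limited_data_set":
            out[key] = value
        elif key == "zip":
            out[key] = zip3_safe_harbor(value)
        elif key in DATE_FIELDS:
            # Only the year survives. For a person over 89 the birth year
            # alone reveals the age, so it is withheld as well.
            if not (key == "birth_date" and over_89):
                out[key] = value.year
        elif key == "age":
            out[key] = "90+" if over_89 else value  # single "90 or older" bucket
        else:
            out[key] = value
    return out

SAMPLE = {  # constructed record, not real patient data
    "name": "Jane Example", "mrn": "000123", "zip": "03601", "age": 92,
    "birth_date": date(1910, 6, 1), "admission_date": date(2002, 9, 3),
    "diagnosis": "hypertension",
}
```

Run `deidentify(SAMPLE)` and `deidentify(SAMPLE, "limited_data_set")` side by side to see which fields each regime retains; the limited data set keeps the full admission date, birth date and ZIP that Safe Harbor strips.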
What are the requirements for authorization when researchers wish to access patient information?
The HIPAA regulations use the term "authorization" to describe
the process through which a patient allows researchers to access protected
health information (PHI). The authorization must include:
- a description of the information to be used for research purposes;
- who may use or disclose the information;
- who may receive the information;
- purpose of the use or disclosure;
- expiration date or event (if the information will be kept indefinitely,
the authorization states that there is no expiration date);
- individual's signature and date;
- right to revoke authorization;
- right to refuse to sign authorization (if this happens, the individual
may be excluded from the research and any treatment associated with the research);
- if relevant, that the research subject's access rights are to be suspended while
the clinical trial is in progress, and that the right to access PHI
will be reinstated at the conclusion of the clinical trial.
Blanket authorizations for research to be conducted in the future are not
permitted. Each new use requires a specific authorization.
What is needed to request a "Waiver of HIPAA Authorization"?
The UW IRB Committees use specific criteria in reviewing requests for a waiver
of HIPAA authorization for research. In completing the Human Subjects Review
Application (UW 13-11), researchers should explain how:
- The use or disclosure of protected health information involves no more than
minimal risk to the privacy, safety, and welfare of the individual;
- The research could not practicably be conducted without the waiver or alteration;
- The research could not practicably be conducted without access to the
protected health information;
- There is an adequate plan to protect the identifiers from improper use or disclosure;
- There is an adequate plan to destroy the identifiers at the earliest opportunity
consistent with conduct of the research, unless there is a health or research
justification for retaining the identifiers or such retention is otherwise
required by law; and
- There are adequate written assurances that the protected health information
will not be re-used or disclosed to a third party except as required by law,
for authorized oversight of the research, or as permitted by an authorization
signed by the research subject.
In requesting this waiver, researchers should also provide the
following information:
- Detailed information about the types of protected health information
that will be used, including how it will be used, who will have
access to it, and when it will be destroyed;
- What risks are posed by the use of the data, and how they have been minimized;
- The justification for access to the data and why they are necessary
to conduct the research.