May 2, 2003

Memorandum

To: Barry University Faculty, Staff & Student Researchers

From: Deborah Jones

Date: March 26, 2003

Re: Privacy Rule Application to Research

Dear Barry University Faculty & Student Researchers,

As of April 14, 2003, research at Barry University will fall under the regulations of the Health Information Portability and Accountability Act (HIPAA). As part of HIPAA, the IRB may be designated a “privacy board”, ensuring that the regulations regarding the maintenance of participant privacy are followed. HIPAA requires our researchers, both faculty and students, to follow new guidelines regarding protected health information (PHI) of research participants. PHI under HIPAA is individually identifiable health information. Identifiable refers not only to data that is explicitly linked to a particular individual. It also includes health information with data items that could allow individual identification. The definition of PHI excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act, and employment records held by a covered entity (health care provider) in its role as employer.

Any research, both new and ongoing, that includes the collection of information from participants containing “unique identifiers” must include a HIPAA authorization, a data use agreement from their participants, and may require an additional IRB certification before beginning data collection after April 15, 2003. Currently, the IRB is reviewing HIPAA procedures that may be implemented to respond to the HIPAA regulations.

Data that is not PHI does not require a HIPAA authorization from the participant. Any data shared with persons outside the project or person named on the Informed Consent must be fully de-identified, or must be HIPAA authorized for use by participants (authorizations must be retained for a minimum of 6 years). Information is considered fully de-identified if all identifiers listed below have been removed, and there is no reasonable basis to believe that the remaining information could be used to identify a person. The Informed Consent, stored separately and linked to the data with an identifying number not associated with the participant in any way, does not qualify the data as PHI.

Potential identifiers include obvious ones like name and social security number, and also:

  • all geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and [t]he initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  • all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  • voice and fax telephone numbers;
  • electronic mail addresses;
  • medical record numbers, health plan beneficiary numbers, or other health plan account numbers;
  • certificate/license numbers;
  • vehicle identifiers and serial numbers, including license plate numbers;
  • device identifiers and serial numbers;
  • Internet Protocol (IP) address numbers and Universal Resource Locators (URLs);
  • biometric identifiers, including finger and voice prints;
  • full face photographic images and any comparable images; and
  • any other unique identifying number, characteristic, or code.

Thus, according to sections 45 CFR 160.102, 164.104 & 164.500 of the HIPAA Privacy Regulation text

“A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter” which include “...financial and administrative activities related to health care” are bound by the Privacy Rule. According to this definition, most researchers are not “covered entities” and not bound by the Privacy Rule.

Also, according to section 164.508(a)(1) of the regulation text and the update to the final Rule of August 14th, 2002 (pgs 52319-52320), authorizations are required when obtaining protected health information (PHI) from a covered entity or when a covered entity is disclosing PHI. Researchers who are neither gathering PHI from any covered entity nor disclosing any PHI gathered should not require authorizations of their participants.

Finally, according to the update to the final Rule of August 14th, 2002 (pgs 53232-53233) and section 164.514(c) of the regulation text, “A covered entity may assign a code or other means of record identification to allow for information de-identified under this section to be re-identified by the covered entity...”. Analyzable datasets using coded Informed Consents meet the definition of a “de-identified dataset” and are therefore not considered PHI. If data is not PHI, then data-use agreements and disclosure accountings do not need to be made.

For those researchers who are not a covered entity, do not gather PHI from a covered entity, and do not disclose PHI, HIPAA authorization forms may be unnecessary and could expose the confidentiality of your participants. Those studies collecting unique identifiers or planning to do so are asked to contact the IRB as soon as possible for review and to read the requirements of the new regulations detailed in the links listed below.

This information is derived from a variety of sources, including Public Law 104-191, August 21, 1996, Health Insurance Portability and Accountability Act of 1996, the University of Miami School of Medicine Bioethics Program and Privacy Office, the Department of Health and Human Services, the Federal Regulation, 45 CFR Parts 160 and 164, and David Lydston, Privacy Officer, University of Miami School of Medicine.

For more information, you may contact the IRB Chair (305 899 4576), or refer to the following links:

All information presented is intended for educational purposes only. It is not intended as legal advice and does not replace the advice of legal counsel. Links to third-party sites and associated content are provided solely for the convenience of users. They are not intended as endorsements or guarantees of accuracy of the content of third-party web sites.
