HIPAA Privacy Rule & Authorization
Version: September 16, 2025
Definitions
Breach: The term breach means the unauthorized acquisition, access, use, or disclosure of protected health information (PHI) which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
Disclosure: With regard to Protected Health Information (PHI), a disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information (45 CFR 160.103).
HIPAA Privacy Rule: The Privacy Rule was issued by the U.S. Department of Health and Human Services (DHHS) and was designed to implement the requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The Privacy Rule is a set of national standards for the protection of certain health information and describes the ways in which covered entities can use or disclose PHI, including for research purposes. The Privacy Rule applies directly to covered entities and is designed to protect individuals’ health information.
Protected Health Information (PHI): Individually identifiable health information. Information about the past, present, or future physical or mental health of an individual that identifies or could be used to identify the individual and is created or received by a Covered Entity.
Guidance
To protect patient privacy, “covered entities” (i.e., health plans, health care “clearinghouses,” and health care providers) must obtain specific, written authorization from a patient before using or disclosing PHI for purposes, such as research, that the Privacy Rule does not otherwise permit. Patients must also be notified of their right to request restrictions on the use and disclosure of such information. Covered entities must make reasonable efforts to limit the PHI used or disclosed to the minimum necessary to accomplish the intended purpose.
Options for Conducting HIPAA-Compliant Research
- Obtain HIPAA Authorization from individuals to use their protected health information (PHI)
- Obtain an Alteration of (HIPAA) Authorization
- Obtain an IRB Waiver of (HIPAA) Authorization
- Use a de-identified Data Set that contains no PHI with an effective Data Use Agreement in place, as applicable
- Use a Limited Data Set with an effective Data Use Agreement in place, as applicable
- Preparatory to Research, and Research on Decedents’ Information
Local Institutional Review Boards (IRB) have the authority to make determinations about whether the proposed procedures of research under their purview meet Privacy Rule requirements.
OPTION 1: Obtain HIPAA Authorization from Individuals to use their PHI
An authorization may be combined with an informed consent document or other permission to participate in research. The University of Utah accepts either an authorization combined with the informed consent document or a separate authorization form if all the elements and required statements of a valid authorization are met. Sample language can be found on the Consent Document Checklist under HIPAA Authorization.
OPTION 2: Obtain an Alteration of (HIPAA) Authorization
Research that would qualify for a waiver of documentation of consent (no signature on a consent document) under the Common Rule can be addressed under HIPAA as an alteration of authorization. One of the core elements of a valid authorization under HIPAA is the signature of the individual (45 CFR 164.508(c)(1)(vi)). If granted by the IRB, an Alteration of Authorization allows the researcher to omit one of the core elements of a valid authorization, in this case the signature of the participant. This allows the researcher to use a consent cover letter (or a consent document without a signature block) to obtain authorization instead of a full consent document, provided the research qualifies and the alteration is justified by satisfying all of the waiver/alteration criteria in 45 CFR 164.512(i)(2).
Investigators may request an Alteration of Authorization in ERICA. See Points to Consider for instructions on how to populate this form.
OPTION 3: Obtain an IRB Waiver of (HIPAA) Authorization
A Waiver of Authorization allows researchers to use or disclose PHI without obtaining individual authorization from research participants, under specific conditions. This is particularly useful when obtaining authorization is impracticable, such as in retrospective chart reviews or large-scale data studies.
If you choose to pursue a Waiver of Authorization, you must:
- List the identifying information you plan to collect or keep a link to;
- Explain why the PHI to be used/disclosed is the minimum necessary to accomplish the research objectives;
- Explain why the research could not practicably be conducted without the waiver;
- Describe your plan to protect the identifiers;
- Describe how and when the identifiers will be destroyed, or justify their retention; and
- Describe the measures you will take to ensure the PHI will not be reused or disclosed to unauthorized persons or entities.
Investigators may request a Waiver of Authorization in ERICA. See Points to Consider for instructions on how to populate this form. A Waiver of Authorization for Recruitment is also available in ERICA.
OPTION 4: Use a De-identified Data Set That Contains No PHI
A De-Identified Data Set excludes all 18 PHI Identifiers. De-identified health information, as described in the Privacy Rule, is not PHI and thus is not protected by the Privacy Rule. The Privacy Rule places no restrictions on the use or disclosure of de-identified health information. However, the University of Utah may require a Data Use Agreement for the disclosure of a de-identified data set to entities outside of the University of Utah covered entity. Investigators should contact the Technology Licensing Office (TLO) to ensure compliance unless the agreement is covered in a contract with the Office of Sponsored Projects (OSP).
There are two ways to de-identify information:
- “Statistical Analysis” De-Identification: a formal determination by a qualified statistician that the risk of re-identification is very small. The person certifying statistical de-identification must document the methods used and the results of the analysis that justify the determination; or
- “Safe Harbor” De-Identification: removal of the specified identifiers of the individual and of the individual’s relatives, household members, and employers. This method is adequate only if the covered entity has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual.
Either option may be selected in the ERICA application on the HIPAA and the Covered Entity page. See the Points to Consider section for instructions.
OPTION 5: Use a Limited Data Set with a Data Use Agreement
HIPAA’s Privacy Rule makes provisions for a “limited data set,” authorized only for public health, research, and health care operations purposes (45 CFR § 164.514(e)(3)(i)). Because limited data sets may contain identifiable information, they are still PHI.
A limited data set must have all direct identifiers removed, including:
- name and social security number;
- street address, e-mail address, telephone and fax numbers;
- certificate/license numbers;
- vehicle identifiers and serial numbers;
- URLs and IP addresses;
- full face photos and any other comparable images;
- medical record numbers, health plan beneficiary numbers, and other account numbers;
- device identifiers and serial numbers; and
- biometric identifiers, including finger and voice prints.
A limited data set may include the following (potentially identifying) information:
- admission, discharge, and service dates;
- dates of birth and, if applicable, death;
- age (including age 90 or over); and
- five-digit zip code or any other geographic subdivision, such as state, county, city, precinct and their equivalent geocodes (except street address).
What is the Difference Between a “De-Identified” and a “Limited” Data Set?
A De-Identified Data Set excludes the 18 PHI Identifiers.
A Limited Data Set excludes 16 of the 18 PHI Identifiers but is not fully de-identified. It may include dates (birth, death, admission, discharge, age) and limited geographic information (zip code, state, county, city, precinct, and their equivalent geocodes, but not street address). Because all direct identifiers are stripped, a Limited Data Set may be used or disclosed for research purposes under a Data Use Agreement.
The following chart describes the information that must be eliminated from a database, registry, or any other data set for the data set to be considered “De-identified” or a “Limited Data Set”. Accordingly, De-identified Data Sets are not subject to the Privacy Rule. Limited Data Sets may be used or disclosed for research, public health, and other limited purposes, but only by those who sign a Data Use Agreement (DUA). Note that for each data element listed below, the information must be eliminated with respect to the patient and to any of the patient’s relatives, employers, or household members.
Even if HIPAA does not regulate the use of a dataset and permits its use or disclosure for research, federal regulations and University policies governing human subjects research may still apply.
| Data Element | De-Identified Data Set[1] | Limited Data Set |
|---|---|---|
| Names | Remove | Remove |
| Address, city and other geographic information smaller than state. A 3-digit zip code may be included in a de-identified data set when the area it covers has more than 20,000 residents; use “000” if 20,000 or fewer people live there. | Remove | Remove postal address information other than city, town, state or zip code. |
| All elements of dates (except year); plus age and any date (including year) if age is over 89. Examples: date of birth, date of death, date of admission, date of discharge, date of service. | Remove | May be included. |
| Telephone, fax numbers; e-mail addresses, web URL addresses, IP addresses. | Remove | Remove |
| Social security number, medical record number, health plan beneficiary number, any account number, certificate or license number. | Remove | Remove |
| Vehicle identifiers and serial numbers, including license plate numbers. | Remove | Remove |
| Device identifiers and serial numbers. | Remove | Remove |
| Biometric identifiers (e.g., fingerprints; voice prints). DNA is not considered a biometric identifier for purposes of HIPAA. | Remove | Remove |
| Full-face photographs and any comparable images. | Remove | Remove |
| Any other unique identifying number, characteristic or code. | Remove[2] | May be included. |
A Data Use Agreement (DUA) is an agreement required by the Privacy Rule between the covered entity and the intended recipient of a limited data set. It establishes the ways in which the information in the limited data set may be used and how it will be protected. The DUA is the means by which covered entities obtain satisfactory assurances that the recipient of the limited data set will use or disclose the PHI in the data set only for specified purposes.
Even if the person requesting a limited data set from a covered entity is an employee or otherwise a member of the covered entity’s workforce, a written data use agreement meeting the Privacy Rule’s requirements must be in place between the covered entity and the limited data set recipient. Investigators using a limited data set within the University’s covered entity will complete the Limited Data Set Statement and Assurance in ERICA. See the Points to Consider section for instructions on how to populate the statement and assurance.
The DUA must state that the recipient will use or disclose the information in the limited data set only for specific limited purposes. Covered entities must condition the disclosure of the limited data set on execution of a DUA, which
- Establishes the permitted uses and disclosures of such information by the recipient, consistent with the purposes of research, public health, or health care operations;
- Limits who can use or receive the data; and
- Requires the recipient to agree not to re-identify the data or contact the individuals.
In addition, the DUA must contain adequate assurances that the recipient will use appropriate physical, technical and administrative safeguards to prevent use or disclosure of the limited data set other than as permitted by HIPAA and the data use agreement, or as required by law.
These assurances require the recipient to report to the covered entity any improper use or disclosure of which it becomes aware. If the covered entity itself becomes aware of a material violation of the data use agreement, it must take reasonable steps to remedy the problem or, if unsuccessful, discontinue disclosure of PHI to the recipient and report the problem to DHHS.
The “minimum necessary” standard governs covered entities’ disclosures, and recipients’ uses, of limited data sets. The covered entity may place reasonable reliance that a requested disclosure is indeed the minimum necessary for the stated purposes or make its own determination that a lesser amount of information would be sufficient.
Note: if a study initially obtained consent to share data at a specific level of identifiability (e.g., a participant agreed to only de-identified data being disclosed), and a researcher later intends to share with any identifiers, an amendment must be submitted to the IRB to update the data sharing plan. The IRB may require notification of participants and/or obtaining re-consent.
Ensuring the Data Use Agreement (DUA) is Valid
If a researcher is using a Limited Data Set created by a person or entity outside the University of Utah Covered Entity and has received a Data Use Agreement (DUA) from that person or entity, contact the Technology Licensing Office (TLO). TLO will forward the DUA to the IRB for signature.
If you are disclosing a de-identified data set or Limited Data Set to a person or entity outside the University of Utah Covered Entity, contact TLO to request a Data Use Agreement. TLO will forward the agreement to the IRB for signature.
For a DUA to be valid, it must be signed by the appropriate institutional officials. Use of a Limited Data Set without a valid Data Use Agreement in place is a violation of the Privacy Rule. The Privacy Rule does not require a DUA for a de-identified data set, but the University of Utah requires one for disclosure of a de-identified data set outside its covered entity. Once the Data Use Agreement is signed by all parties, you may begin using the Limited Data Set.
OPTION 6: Preparatory to Research, and Research on Decedents’ Information
Section 164.512 of the Privacy Rule also establishes specific PHI uses and disclosures that a covered entity is permitted to make for research without an Authorization, a waiver or an alteration of Authorization, or a data use agreement. These limited activities are the use or disclosure of PHI preparatory to research and the use or disclosure of PHI pertaining to decedents for research.
For activities involved in preparing for research, covered entities may use or disclose PHI to a researcher without an individual’s Authorization, a waiver or an alteration of Authorization, or a data use agreement. However, the IRB must obtain written representations from the researcher before the PHI is accessed.
Researchers should note that any preparatory research activities involving human subjects research as defined by the HHS Protection of Human Subjects Regulations, which are not otherwise exempt, must be reviewed and approved by an IRB and must satisfy the informed consent requirements of HHS regulations. The University of Utah IRB Research Preparation Form must be completed and sent to irb@hsc.utah.edu.
To use or disclose PHI of the deceased for research, covered entities are not required to obtain Authorizations from the personal representative or next of kin, a waiver or an alteration of the Authorization, or a data use agreement. However, the IRB must obtain assurances from the researcher who is seeking access to decedents’ PHI. The University of Utah IRB Research on Decedents’ Information Form must be completed and sent to irb@hsc.utah.edu.
Documents and References
HHS Guidance regarding Methods for De-Identification of PHI
Points to Consider
New Study Application: When the study involves protected health information (PHI) or de-identified information, the method of authorization should be selected in question 1 on HIPAA and the Covered Entity (page 7). The instructions below will guide you to the correct pages/forms in ERICA.
- Consent and Authorization: Select “Consent and Authorization”. Add the consent and authorization document to the Documents and Attachments page under “Consent Documents”.
- Alteration of Authorization: Select “Waiver or Alteration of Authorization”. The “Request for Waiver or Alteration of Authorization” page will populate as you proceed with the application. Click “Add”, and a new page will open. Under #2, select “Alteration of Authorization” and complete the entire page.
- Waiver of Authorization: Select “Waiver or Alteration of Authorization”. The “Request for Waiver or Alteration of Authorization” page will populate as you proceed with the application. Click “Add”, and a new page will open. Under #2, select “Waiver of Authorization” and complete the entire page.
- A Request for Waiver of Authorization for Recruitment Only may also be added on the “Request for Waiver or Alteration of Authorization” page. This should be requested if a researcher is reviewing PHI in order to identify eligible participants BEFORE approaching them to obtain consent and authorization.
- Limited Data Set: Select “Limited data set”. The “Limited Data Set Statement and Assurance” page will populate as you proceed with the application. The page includes a data use assurance that the investigator must agree to. If a limited data set is received from or disclosed to a party outside of the University of Utah covered entity, a Data Use Agreement must be completed through the Technology Licensing Office (TLO).
- De-Identified: Select either “Safe Harbor De-Identification” or “Statistical Analysis De-Identification”. The appropriate page will populate as you proceed with the application.
Appendices
The 18 PHI Identifiers
- Names
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, and zip code (or equivalent geocodes), except for the initial three digits of a zip code as described below
- The initial three digits of a zip code may be included if, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people must be changed to “000”
- Dates
- All elements of dates (except year) for dates directly related to an individual (including birth date, admission date, discharge date, date of death), and all ages over 89 (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Fax numbers
- E-mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers, serial numbers, and license plate numbers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Computer Internet Protocol (IP) addresses
- Biometric identifiers
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code, except as permitted for re-identification of the de-identified data
For a record (or research data set) to be considered de-identified, each of the above identifiers must be removed. This is applicable to identifiers of the individual, or of relatives, employers, or household members of the individual.
Footnotes
[1] Even if all of the information listed in this column is removed, if the researcher knows that any remaining information in the data set could be used to re-identify a patient (e.g., a diagnosis code where the disease is very rare), then the data set is not considered de-identified.
[2] If links must be maintained in the data set for potential later re-identification, they must be completely unrelated to any of the above elements. For example, a patient’s initials or a scrambled social security number are not permitted in a de-identified data set. A subject code that reflects the order in which subjects were enrolled into a trial would be permitted.
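As an added illustration of the comparison table and the appendix list above (example code written for this page; it is not part of the University of Utah guidance or of any HHS tool), the following Python functions derive a Safe Harbor de-identified record and a limited data set record from a single constructed patient record, and check a record for surviving Safe Harbor identifiers. The field names, the sample record, and the set of low-population three-digit zip prefixes are assumptions made for the example; in practice the prefix set must come from current Census data, and an enrollment-order subject code is kept only because footnote [2] permits it.

```python
from datetime import date

# Direct identifiers removed from BOTH a Safe Harbor de-identified data set and
# a limited data set. Field names are assumptions for this example. "initials"
# is included because footnote [2] rules it out as a re-identification code.
DIRECT_IDENTIFIERS = {
    "name", "initials", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "phone", "fax", "email", "url", "ip_address",
    "vehicle_id", "license_plate", "device_serial", "biometric", "photo",
    "street_address",
}

# Geographic subdivisions smaller than a state: kept in a limited data set,
# removed under Safe Harbor (zip is handled separately by safe_harbor_zip).
SUB_STATE_GEO = {"city", "town", "county", "precinct"}

# Dates directly related to the individual: kept in a limited data set,
# reduced to the year under Safe Harbor.
DATE_FIELDS = {"dob", "dod", "admit_date", "discharge_date", "service_date"}

# Three-digit zip prefixes covering 20,000 or fewer people must become "000".
# Constructed placeholder set (assumption); use current Census data in practice.
LOW_POPULATION_ZIP3 = {"036", "059", "102", "203"}


def safe_harbor_zip(zip_code, low_pop_zip3=LOW_POPULATION_ZIP3):
    """Reduce a zip code to its first three digits, or "000" for a low-population prefix."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in low_pop_zip3 else prefix


def safe_harbor(record, low_pop_zip3=LOW_POPULATION_ZIP3):
    """Return a Safe Harbor de-identified copy of `record` (a dict)."""
    age = record.get("age")
    over_89 = isinstance(age, int) and age > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEO:
            continue
        if key in DATE_FIELDS:
            # The year may stay, except a birth date that reveals an age over 89.
            if isinstance(value, date) and not (over_89 and key == "dob"):
                out[key] = value.year
        elif key == "zip":
            zip3 = safe_harbor_zip(value, low_pop_zip3)
            if zip3 is not None:
                out["zip3"] = zip3
        elif key == "age":
            out[key] = "90 or older" if over_89 else value
        else:
            # Diagnosis codes, study variables and an enrollment-order subject
            # code (footnote [2]) are not identifiers and pass through.
            out[key] = value
    return out


def limited_data_set(record):
    """Return a limited data set copy: direct identifiers removed, full dates
    and sub-state geography retained (a DUA is still required to use it)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        out[key] = value.isoformat() if isinstance(value, date) else value
    return out


def safe_harbor_violations(record):
    """List the fields that disqualify `record` from Safe Harbor status."""
    problems = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEO or key == "zip":
            problems.append(key)          # identifier or full zip code present
        elif key in DATE_FIELDS and isinstance(value, date):
            problems.append(key)          # date element finer than the year
        elif key == "age" and isinstance(value, int) and value > 89:
            problems.append(key)          # un-aggregated age over 89
    return problems


# Constructed, fictitious sample record (not real patient data).
SAMPLE = {
    "name": "Jane Doe", "initials": "JD", "mrn": "MRN-000123",
    "ssn": "000-00-0000", "email": "jane.doe@example.com", "phone": "555-0100",
    "street_address": "1 Example St", "city": "Salt Lake City", "state": "UT",
    "zip": "84112", "dob": date(1932, 4, 2), "admit_date": date(2024, 3, 10),
    "discharge_date": date(2024, 3, 14), "age": 91, "diagnosis_code": "E11.9",
    "subject_code": 17,
}

if __name__ == "__main__":
    print("violations:", safe_harbor_violations(SAMPLE))
    print("safe harbor:", safe_harbor(SAMPLE))
    print("limited data set:", limited_data_set(SAMPLE))
```

Running the script on the sample shows the practical difference between the two options: the limited data set keeps the city, the full zip code and every date (and therefore remains PHI requiring a DUA), while the Safe Harbor output keeps only the state, the three-digit zip prefix, the years of admission and discharge, the aggregated age category and the non-identifying study fields. Footnote [1] still applies to the result: if a remaining field such as a rare diagnosis code could identify the patient, the record is not de-identified regardless of what this check reports.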
Please contact the IRB Office at (801) 581-3655 or irb@hsc.utah.edu for additional guidance.