Revised on 7/31/2021
The federal HIPAA Privacy Rule went into effect April 14, 2003. The law generally prohibits health care entities such as health care providers, hospitals, nursing facilities, and clinics from using or disclosing protected health information without written authorization from the individual (HIPAA authorization). The Privacy Rule is in Title 45 of the Code of Federal Regulations, in Part 160 and in Subparts A and E of Part 164. More information about the Privacy Rule can be found at the Health Information Privacy site of the Office for Civil Rights (OCR).
Protected health information (PHI) is any identifiable health information relating to the individual’s past, present, or future physical or mental health condition, including payment for health care. When health information is individually identifiable and held by a “covered entity” it is likely to be PHI. A covered entity is a healthcare provider, healthcare clearinghouse, or health plan that transmits health information electronically. The HIPAA rule governs the use of individually identifiable health information when it is PHI.
HIPAA and Research
HIPAA regulations apply to research that involves the use and/or creation of protected health information (PHI). Investigators who obtain, use or create PHI must comply with HIPAA requirements during all phases of the research, from the initial identification of potential participants to the storage of data after the research ends. Investigators must limit their use and disclosure of PHI to the minimum necessary to achieve the stated goals of the research.
HIPAA regulations identify 18 elements that could be used to identify an individual:
- Patient names
- Dates (except year) directly related to an individual (such as date of birth, death, hospital admission, and discharge)
- Patient postal addresses including city, state, and zip code
- Patient telephone numbers
- Patient fax numbers
- Patient e-mail addresses
- Patient social security numbers
- Patient medical record numbers
- Patient health plan ID numbers
- Account numbers
- Certificate/license numbers belonging to a patient
- Patient vehicle identifiers
- Device identifiers and/or device serial numbers specific to a particular patient
- URLs
- IP address numbers
- Biometric identifiers, including finger and voice prints, belonging to a patient
- Full face photos and other comparable images of a patient
- Any other unique patient-identifying characteristic or code
HIPAA requirements apply when investigators obtain information containing any of these identifiers from a covered entity. Creation of PHI requires that investigators obtain an authorization from subjects.
- If a hospital lab, CLIA-certified lab, or any other facility that is HIPAA-covered is involved in the generation of the health information, HIPAA authorization from subjects is required.
Investigators can obtain and use PHI for research in the following situations:
- When participants sign a written HIPAA research authorization allowing access to their PHI
Research participants authorize use of their PHI by signing the “USC HIPAA Authorization to Use Health Information for Research” form. Participants sign the HIPAA authorization form at the same time they sign the informed consent. USC requires that the two forms be separate.
The HIPAA authorization form (in English and Spanish) and instructions for completing the form are available on the HRPP website. This form is prepared by the USC Office of Compliance, and the form cannot be modified except as described in the instructions. If a sponsor wishes to change or add language in the form, the investigator must submit the proposed changes to the USC Office of Compliance for review and approval before the form can be used.
State and federal laws limit the disclosure of certain PHI, even with a HIPAA authorization. Under California law, a covered entity cannot release HIV test results to a researcher unless the participant gives specific permission. Release of information about mental health treatment also requires specific permission. Federal law limits the disclosure of information about alcohol and drug treatment from medical records unless the participant gives specific permission. Participants can give specific permission for these disclosures by initialing the applicable section of the USC HIPAA authorization form.
- When the IRB grants a waiver or alteration of HIPAA authorization, allowing PHI to be used in research without written authorization from participants
Under HIPAA regulations, IRBs and Privacy Boards have the authority to grant a partial or full waiver of the requirement for written authorization by research participants. A partial waiver of HIPAA authorization allows investigators to use PHI to identify, screen, and recruit potential participants. A full waiver of HIPAA authorization allows investigators to use PHI for all study activities without getting authorization from participants. Investigators request full or partial HIPAA waivers when they complete the iStar application. Under the Privacy Rule (45 CFR 164.512(i)(1)(i)), the IRB can grant HIPAA waivers if the following criteria are met:
- The use or disclosure of protected health information involves no more than minimal risk to the individuals or their privacy, based on:
- An adequate plan to protect identifiers from improper use and disclosure,
- An adequate plan to destroy the identifiers at the earliest opportunity (unless there is a health or research justification for retaining identifiers or such retention is otherwise required by law), and
- Adequate assurances that the protected health information will not be reused or disclosed to any other person or entity except as required by law, for authorized oversight of the research project, or for other research permitted under this policy
- The research could not be practicably conducted without the alteration or waiver, and
- The research could not be conducted without access to and use of the protected health information
If the HIPAA waiver is granted, the IRB correspondence to the investigator will document and explain the waiver.
- When the investigator obtains only de-identified health information
HIPAA regulations allow a covered entity to use or disclose health information that has been de-identified. Health information that has been de-identified is not considered protected health information. De-identification involves removal of the 18 identifiers of the individual or the individual’s relatives, employers, or household members (listed above). When investigators obtain only de-identified health information for research, HIPAA requirements do not apply; no written authorization or waiver is needed to conduct the research.
- When the investigator obtains a limited data set containing only selected identifiers
The Privacy Rule allows investigators to obtain and use a “limited data set” for research without authorization from the participant or a waiver of authorization. In a limited data set, 2 of the 18 HIPAA identifiers remain but the other 16 identifiers are removed. Limited data sets can include the following identifiers of participants and their relatives, household members, or employers:
- Dates (date of birth, date of death, and dates of service, such as hospital admission and discharge)
- Age
- City, state, and ZIP code
Investigators must sign a Data Use Agreement to obtain and use a limited data set. The Data Use Agreement is an agreement between the covered entity holding the PHI and the investigator who receives the limited data set. The agreement explains how the data will be used and protected and identifies the obligations of the investigator using the limited data set. The USC Data Use Agreement is available at: http://policy.usc.edu/hipaa.
- When the investigator obtains information about deceased individuals
The Privacy Rule protects identifiable health information after an individual dies. An investigator who wishes to obtain PHI of deceased people for research purposes can obtain the PHI only if certain conditions are met. The investigator must certify that the PHI is being sought solely for research on the PHI of decedents, that the PHI is necessary for the research, and that documentation of the death of each individual will be provided if requested by the covered entity. If these conditions are met, the PHI can be used without a written authorization or waiver of authorization. Investigators must complete the form “Researcher Request for Decedents’ Protected Health Information” to obtain the PHI.
NOTE: HIPAA regulations have a “Preparatory to Research” provision that permits researchers to obtain and use PHI to prepare a research proposal. Under this provision, researchers are not allowed to remove PHI from the covered entity. Because Keck Hospital of USC and LA General Medical Center are different covered entities, the preparatory to research provision is not practical for a study conducted at both sites. Investigators should request a partial waiver of HIPAA authorization for recruitment and screening.
The USC IRB acts as the Privacy Board for Keck Medicine of USC and LA General Medical Center. In this capacity, the IRB will consider and make determinations about partial or full waivers of HIPAA authorization. The IRB reviews the HIPAA sections of the iStar application and advises investigators about HIPAA applicability and the need for written authorization. Only the IRB Chair, or another reviewer designated by the Chair, may approve a waiver of HIPAA authorization for a research study that meets specific criteria. However, the Privacy Officer in the USC Office of Compliance is responsible for the content of HIPAA authorization forms. The USC Office of Compliance is also responsible for HIPAA training and oversight of HIPAA compliance at USC.
For more detailed information regarding HIPAA policies, forms, procedures, and training, please go to the Office of Culture, Ethics, and Compliance website. HIPAA authorization forms for non-research activities such as fundraising, marketing, and public relations are also available at this website.