Health Insurance Portability and Accountability Act (HIPAA) is a complex regulation that may affect researchers at UNC Asheville. HIPAA is designed to protect the use and disclosure of individually identifiable health information (also defined as Protected Health Information or PHI).
Under the HIPAA privacy regulations, a UNC Asheville investigator must obtain a written authorization (a HIPAA Research Authorization from his or her research subjects) in order to use and/or disclose any individually identifiable protected health information (”PHI”) of these subjects that is created or maintained by, or obtained from, a person or entity covered under HIPAA. Alternatively, a researcher can apply for an IRB waiver of authorization.
Waiver of Authorization
A waiver of authorization is documentation that an IRB has reviewed the proposed research and use of PHI and has approved a waiver of all or part of the authorization requirement for obtaining and using individually identifiable PHI in the research. The waiver of authorization is based solely on an assessment of the privacy risks in the proposed research use of individually identifiable PHI.
Covered Entities
Examples of entities covered under HIPAA are hospitals; physicians, and practices in psychology, psychotherapy, or social work; health insurers, HMOs, and health plans; and certain community clinics and social service and mental health agencies.
UNC Asheville is not an entity directly covered by HIPAA. Investigators are therefore not covered under the HIPAA privacy regulations unless, in order to conduct research, they are using or disclosing patient or client information that they (a) create or receive when acting as HIPAA–covered health care providers, (b) create or receive as members of the workforce of a HIPAA-covered entity, or (c) obtain from a HIPAA-covered entity. For example, UNC Asheville faculty or students who conduct or assist with research may also be employees or trainees in hospital or social service settings that are covered by HIPAA and may be using data obtained from those settings in research. Researchers may also be collaborating with co-investigators who are covered by HIPAA.
Forms Required
When a study requires use or disclosure of health information from or by a covered entity or its employees or trainees, the UNC Asheville researcher should complete the HIPAA Research Authorization form or IRB waiver application and submit it to the IRB for review. Researchers should take care to ensure that all necessary uses and disclosures of health information are described accurately and completely.
The HIPAA Research Authorization form is separate from, and does not replace, the informed consent form that researchers may be required to have participants in their human subjects research sign.
HIPAA Identifiers
PHI is defined as any of the 18 HIPAA recognized identifiers in combination with health information.
HIPAA recognized identifiers:
- Names;
- All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes;
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images;
- Any other unique identifying number, characteristic, or code.