HIPAA Research FAQs
To assist our investigators in applying the HIPAA regulations, we have
developed the following Frequently Asked Questions. The questions and
answers are listed according to the following categories:
- Authorization and Waivers

De-identified Data and Limited Data Sets
- Q: Could you define "biometric identifiers?" This is one of the 18 HIPAA identifiers. If one
gives a presentation which included a copy of a patient's MRI scan with all dates, names,
account numbers etc. removed, would the scan itself be considered a "biometric identifier"
and therefore be subject to authorization?
- A: The examples given in the regulations are fingerprints and voice prints, i.e., those for which there is some database or comparison against which to check (this probably includes retinal scans and dental x-rays too). In other words, the data itself is the identifier. MRIs or CTs are not in the same category for two reasons:
  - While unique, these do change over time (unlike fingerprints), and
  - unless you had the original MRI for comparison, it would be next to impossible to identify a person.
  So, MRIs are in the category of health information, which can be de-identified by removing the 18 items on the list.
- Q: I am a resident (fellow) of UR and would like to review medical records at the hospital to which I am assigned. I am not employed by that hospital, so I am not part of the hospital's Covered Entity. How can I do this research under HIPAA?
- A: There are two ways to do the research under HIPAA. If you need identified data to do the
research, you would have to apply to the hospital IRB/Privacy Board for a HIPAA waiver.
This would require meeting the requirements for a waiver of authorization. If granted, your
research review/extraction would be considered a disclosure under HIPAA and the hospital
would need to track whose records you accessed (you would have to comply with the
hospital's policy on tracking). If, however, you only need de-identified data (data that does
not include any of the 18 HIPAA identifiers) to do the research, you would need someone
who is a hospital employee to de-identify the data for you (i.e., record the information you
need). Release of de-identified data does not require authorization, waiver or tracking. A
variation on this is the limited data set which allows dates and city/state to be included. If
you need these items of information, you would also have to sign a data use agreement with
the hospital before they could release the data. The difficulty, of course, in either of these
routes is finding someone at the other facility who can/will do the de-identification or
generate the limited data set. (Note: UR review requirements for human subjects research
would also need to be satisfied.)
- Q: My study only uses de-identified data (i.e., none of the 18 HIPAA identifiers are present).
Do I need to track disclosures?
- A: No. De-identified data is not subject to HIPAA regulations. Only disclosures (release of
information outside URMC/SH) made under a waiver or under representations (reviews
preparatory to research or decedent research) require tracking.
- Q: My study uses a limited data set (i.e., only dates and city/state/5 digit zip code are used,
and none of the other 18 HIPAA identifiers are present). Do I need to track disclosures?
- A: No. The HIPAA regulations specifically exempt limited data sets from the disclosure
tracking rule. Only disclosures (release of information outside URMC/SH) made under a
waiver or under representations (reviews preparatory to research or decedent research)
require tracking.
- Q: I have to send certain data to the FDA as part of my Investigational Device Exemption
(IDE) approval. Do I need to create a Limited Data Set and have a Data Use Agreement with
FDA? Do I need to track this disclosure?
- A: No. Subjects in IDE studies have signed consent before April 14 and after that date will
sign a consent with HIPAA authorization wording. In both cases, the FDA is listed as an
oversight agency with which information might/would be shared. Therefore, you may
continue to send this information to FDA because you have obtained permission to do so.
Disclosures (sharing information outside of the Covered Entity) made with permission
(consent and authorization) do NOT have to be tracked.
Minimum Necessary Rule
- Q: What does the HIPAA Minimum Necessary Rule mean for research?
- A: The HIPAA regulations are designed to protect patient information. Part of that
protection is to use the minimum amount of information that is necessary to accomplish
the activity. It is standard URMC/SH policy that only the minimum necessary
information be used in any activity. HIPAA will not change this. Investigators should be
specific in protocol/study designs to list the data they will be obtaining.
- Q: May a covered entity accept documentation of an external Institutional Review
Board's (IRB) waiver of authorization for purposes of reasonably relying on the request
as the minimum necessary? (Note: this Q/A is from the DHHS/OCR web site)
- A: Yes. The HIPAA Privacy Rule explicitly permits a covered entity to reasonably rely on a researcher's documentation of an Institutional Review Board (IRB) or Privacy Board
waiver of authorization pursuant to 45 CFR 164.512(i) that the information requested is
the minimum necessary for the research purpose. See 45 CFR 164.514(d)(3)(iii). This is
true regardless of whether the documentation is obtained from an external IRB or Privacy
Board or from one that is associated with the covered entity.
Reviews Preparatory to Research
- Q: I looked up "Standards for Privacy of Individually Identifiable Health Information (45 CFR Parts 160 and 164)." Under Permitted uses and disclosures (reviews preparatory to research), it states "No protected health information is to be removed from the covered entity by the
researcher in the course of the review." I take this to mean that I could not physically remove the
database from the building. Is that correct?
- A: The HIPAA privacy regulations say that the information cannot be removed. That means more than just removing the physical records. It means that the information no matter how
recorded cannot be removed. Thus, you cannot even write down the PHI and leave the facility
with the information.
- Q: At what point do activities "preparatory to research" cross over into "research"? For example, asking the patient questions to see if they are eligible, versus having patients sign a release of medical information so that you can look through their medical records to see if they are eligible?
- A: At the point that interactions occur with the potential subject, i.e., chart review to obtain names for screening would be OK under Preparatory to Research. Once contact is made, however, any further information gathered from interviews, tests or record reviews would be a screening procedure that is part of conducting the research.
- Q: I am getting access to PHI from another covered entity under the 'preparatory to research' rule. I have provided the other facility with a written representation as they require. Do I need to track disclosures?
- A: You do not, but the other facility does. Disclosures (release of information outside a covered entity) made under representations (reviews preparatory to research or decedent research), as well as disclosures made under waivers, require tracking. So most likely you will have to satisfy the requirements established by that covered entity for tracking.
- Q: I will be doing a research project that involves recruiting subjects from local health care providers. Some will be associated with the Strong Health/URMC covered entity and some will be outside the covered entity. How do I proceed?
- A: In your application for IRB review, you should describe the recruitment process and any screening activities that will be done. Depending upon what you are proposing, a couple of
different routes are available. 1) If you are not doing any screening and simply asking for
referrals or to have a letter sent by the provider, HIPAA will not affect your study recruitment
practices because you will have no access to PHI and no disclosures are being made. 2) If you
are performing some type of screening process, you would ask for a waiver of authorization to have access to the PHI for screening/recruitment as part of the IRB review and approval process (authorization would be required for the actual enrollment of subjects unless it was also waived).
Disclosures of PHI must be tracked if they are made under a waiver, so providers outside of the SH/URMC covered entity would have to track your access for accounting purposes. Your use of PHI inside the covered entity would not have to be tracked.
- Q: I went to a conference and it seemed that they were saying that the Waiver or review preparatory to research document is considered a disclosure. I thought that this would be considered "use" because it was a covered entity. Could you clarify?
- A: As you indicated, under HIPAA, when PHI is accessed, it falls into one of two categories - 'use' or 'disclosure.' In its simplest description, a use is when the PHI is accessed by someone within the covered entity (Strong Health/URMC); a 'disclosure' is when the PHI is accessed by
someone outside the covered entity - that is, not included in the defined parts/organizational
structure of the covered entity. Only disclosures that are made without permission are trackable /
accountable. Uses of PHI by the covered entity are not required to be tracked for accounting
purposes. So if you have a waiver or do a preparatory to research activity and everything you do falls
under use, no tracking is needed. If, however, you make any disclosure under that waiver or
preparatory activity, then that disclosure would have to be tracked.
We will update the FAQs as we receive questions from the research
community. If you have a question about HIPAA, please feel free to
contact the RSRB Office by e-mail at RSRB@urmc.rochester.edu or by
calling 275-2398.