HIPAA and Human Subject Research
Version October 25, 2024

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996. HIPAA required the Secretary of Health and Human Services (HHS) to issue privacy regulations governing individually identifiable health information if Congress did not enact privacy legislation within three years of the passage of HIPAA. Because Congress did not enact privacy legislation, HHS developed a proposed rule and released it for public comment on November 3, 1999. The Department received over 52,000 public comments. The final regulation, the Privacy Rule [1], was published December 28, 2000.

  • A covered entity is an organization that must comply with HIPAA. The University of California is a Hybrid Covered Entity because, in addition to providing health care at its medical facilities, it also carries out other organizational activities such as education and research.
  • The HIPAA Privacy Rule governs protected health information (PHI), which is defined as information that can be linked to a particular person (i.e., is person-identifiable) and that arises in the course of providing a health care service.

What does the Privacy Rule [1] do?

The Privacy Rule protects the confidentiality and security of personally identifiable information that arises in the course of providing health care. The intention of HIPAA is to protect patients from inappropriate disclosures of PHI that can cause harm to a person’s insurability, employability, etc. HIPAA sets rules and limits on who can look at and receive patient health information. When PHI is communicated inside a covered entity, this is called a use of the information. When PHI is communicated to another person or organization that is not part of the covered entity, this is called a disclosure.

HIPAA allows both use and disclosure of PHI for research under the following conditions. The red rows below (listed under “Prospective UCI IRB review and approval required”) are human subject research activities and require prospective UCI IRB review. The green rows (listed under “No UCI IRB review required”) may not involve human subject research; the researcher may confirm these points as part of the Self-Determination of Non-Human Subject Research.

What does the IRB have to do with this?

The UCI IRB acts as a Privacy Board (required by HIPAA) to review the use/disclosure of PHI and to determine whether the subjects should sign a HIPAA research authorization (an addendum to the consent to participate in research) or whether a waiver of authorization (roughly analogous to a Waiver of Consent under the Common Rule) may be granted. When the IRB determines that subjects should sign a HIPAA research authorization in order to use or disclose PHI for research, subjects sign the UC HIPAA research authorization as part of the informed consent process for participation in the study. Note: The UC HIPAA research authorization is not the same as the Notice of Privacy Practices.

Prospective UCI IRB review and approval required

  • Review, access, or use of medical records as part of an activity preparatory to human subject research (e.g., screening medical records to determine potentially eligible participants for a UCI IRB-approved protocol)
    • At UCI, many departments establish a “recruitment registry” for this purpose
  • Review, access to, or use of, or adding to medical records as part of a human subject research activity (e.g., adding research data to the medical chart, or using a UCI Health service that requires creation of a medical chart)
  • Creation of new medical information due to a health care service being performed as part of the research
  • Decedent data:
    • California law requires IRB approval for any research using individually identifiable information from death data files held by the State Registrar, local registrars, and county recorders
    • When accessing the PHI of a decedent, the HIPAA Privacy Rule protects the individual for 50 years following the date of death
  • Use of SlicerDicer as a cohort discovery tool. This discovery tool resides in EPIC, which involves PHI
  • Observing clinical care encounters for the intended purpose of human subject research
  • Most clinical trials

No UCI IRB review required

  • Review, access to, or use of medical records as part of determining patient treatment
  • Receipt of a de-identified data set from the UCI Health Honest Broker (evidence of a self-determination of non-human subject research will be required to release the data)
  • Accessing TriNetX, PCORnet®, or the upcoming ENACT for cohort discovery or exploration
  • Decedent data:
    • HIPAA authorization is not required for research on the decedent’s information, provided that the covered entity obtains specific confirmations from the Investigator

[1] The Privacy Rule allows for “representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research” without prospective IRB review and approval; however, at UCI this is currently not allowed.

Stay informed! Sign up for our HRP / IRB Listserv: to subscribe to HRP News & Announcements, send a blank email to or-irb-hrp+subscribe@uci.edu