HIPAA's Data and Privacy Protection Requirements


Added on  2022-01-27

Introduction
This module discusses data protection requirements for human subjects research that creates,
obtains, uses, or discloses health data, principally the protections that derive from the Health
Insurance Portability and Accountability Act (HIPAA).
Although HIPAA is the most prominent source, other federal and state laws as well as
professional and accrediting associations also establish requirements associated with the
protection of individual health information. Individuals with access to any individually
identifiable health information for any purpose must understand these constraints. If you use
such health information for human subjects research, you need to know the specific limitations
that apply to that activity, deriving from HIPAA and other regulations like 45 CFR 46,
Subpart A (also known as the Common Rule).
HIPAA's data-focused protections, which took effect starting in 2003, work together with the
Common Rule and U.S. Food and Drug Administration (FDA) protections; they are not a
replacement. Institutional Review Board (IRB) reviews using Common Rule and FDA criteria
remain as before, including aspects related to data protection. IRBs may share responsibilities for
addressing some of HIPAA's additional requirements in their reviews when those apply; or some
responsibilities may be allocated to another kind of body that HIPAA permits (a Privacy Board)
or to an institutional official that HIPAA requires (a privacy officer). These federal rules and
regulations provide a minimum standard of practice, complemented by states’ and
accreditation bodies’ additional requirements.
Learning Objectives
By the end of this module, you should be able to:
Summarize HIPAA’s additional privacy protections for individually identifiable health data
that are used for human subjects research, including authorizations and accountings of
disclosures.
Describe situations where full HIPAA privacy protections are required, and those which
can qualify for waivers, alterations, or exemptions with more limited requirements.
Explain the responsibilities of researchers and organizations for meeting HIPAA’s privacy
requirements and for appropriate data security protections that are necessary to protect
privacy.
HIPAA's Regulatory Scope

HIPAA’s protections focus on health information, specifically “individually identifiable health
information,” which HIPAA defines as information in “any form or medium” that “[r]elates to
the past, present, or future physical or mental health or condition of an individual; the provision
of healthcare to an individual; or the past, present, or future payment for the provision of health
care to an individual” (Security and Privacy 2013).
HIPAA’s protections reach only a subset of individually identifiable health information --
formally called protected health information or simply “PHI” -- created in or by what HIPAA
calls covered entities.
Covered entities are health plans, health care clearinghouses, and health care providers (both
individual practitioners and provider organizations) that transmit health information electronically
in connection with HIPAA standard transactions (see Health and Human Services Covered Entity
Decision Charts). HIPAA’s protections for PHI extend to non-U.S. citizens’ data as well.

Some identifiable health information used for research originates outside of covered entities, and
so may not be covered by HIPAA. However, you must check with your organization’s privacy
authorities before assuming your situation falls outside HIPAA’s scope.
What kinds of users and uses are covered?
HIPAA regulations set requirements for use and disclosure of PHI by covered entities, and by
extension on all members of a covered entity’s workforce that have contact with PHI. HIPAA’s
data protection requirements also apply “in the same manner” to business associates (and by
extension to the workforce of such business associates) that perform functions using PHI on a
covered entity’s behalf.
Researchers may be part of the workforce of a covered entity, or may be covered entities
themselves if they are also health care providers. If so, they are directly subject to HIPAA’s
research rules. Researchers who meet neither of these conditions are still indirectly affected by
HIPAA rules if a covered entity is the source of their data and those data meet the definition of
PHI.
HIPAA’s rules on use and disclosure are generally “purpose-based” -- that is, the intended use
sets the rules more than the type of data itself. The research rules discussed here are different
from those for, say, treatment or treatment-related payments (relatively liberal), or for marketing
or fundraising (relatively strict). A few types of data, such as psychotherapy notes, do receive
special protection under HIPAA. State laws also often define many categories of data with special
protections, with which you should be familiar (or be in contact with an organizational official
who has that knowledge).
What constitutes "research"?
Like the Common Rule, HIPAA defines research as a “systematic investigation, including
research development, testing, and evaluation, designed to develop or contribute to
generalizable knowledge” (Protection of Human Subjects 2018; Security and Privacy 2013).
Note that some kinds of investigative activities that use patient data are excluded in this
definition. For example:

The regulations are complex. So, as with covered entity status, a determination by an
organization’s IRB, designated privacy official(s), or legal counsel is usually required to establish
that an activity is “not research” and therefore subject to different HIPAA rules.
Who enforces the HIPAA research protections?
A covered entity may choose to rely on an IRB to assess compliance with both the FDA and
Common Rule requirements and HIPAA research requirements. Alternatively, HIPAA provides
