- What is HIPAA?
- Who is affected by HIPAA?
- What is PHI?
- What kind of research and researchers are affected by the HIPAA regulations?
- Who will review research use of HIPAA-regulated information?
- What types of health information are there?
- What are the requirements for authorization when researchers wish to access patient information?
- What is needed to request a "Waiver of HIPAA Authorization?"
HIPAA is an acronym for the Health Insurance Portability and Accountability Act, passed by Congress in 1996. The purpose of the Act was to increase the ease with which people could transfer their health care information from one insurer or provider to the next. Congress, as part of HIPAA, required the development of privacy regulations to protect the confidentiality of individually identifiable health care information. The final (HIPAA) privacy rule was issued on August 14, 2002.
Protected Health Information (PHI) is any information that pertains to:
- the physical or mental health or condition of an individual. This includes any information obtained in the past, in the present, or that which might be obtained in the future
- the health care plan for an individual
- any payment for the provision of health care to an individual
PHI may be information that is recorded electronically, on paper, or orally. PHI may concern living people or dead people (referred to in the law as "decedents"). PHI does NOT include de-identified information or biological tissue with no accompanying information that may be linked to an identifier, such as an accession number or code number.
All researchers (faculty, staff, or students) who access or create Protected Health Information (PHI) preceding or during the conduct of their research must comply with the HIPAA regulations.
Any research that is conducted under the purview of Montclair State University and acquires, creates, or uses protected health information (PHI) is affected by HIPAA regulations. This includes all research regardless of topic if any PHI is involved. Any researcher who is involved with projects that acquire, create, or use PHI are subject to HIPAA regulations.
HIPAA rules require that either a privacy board or an institutional review board review HIPPAA materials. At Montclair State University, the IRB will review the use of HIPAA related materials.
There are three categories of health information, and each must be handled differently. They are:
- Individually identifiable health information
- De-identified health information
- Limited dataset information
Please consult the IRB Adminstrator regarding the steps needed to acquire permission to use any of these categories of health information.
Authorization as described in the HIPAA regulations is a process by which participants give permission to researchers to access their Personal Health Information (PHI). Blanket authorizations are not permitted. The authorization must include the following information:
- a description of the purpose and use of information to be used in the research
- who can use and disclose the information
- who can receive the information
- a right to revoke permission
- right to refuse to sign or to release PHI
- expiration date
- participants signature and date
Please contact the IRB Administrator if you have any other questions regarding the requirements for access to PHI.
A waiver of HIPAA authorization requires extraordinary consideration by the IRB. In order to request such a waiver, the researcher will have to provide a clear justification. The justification should include but is not limited to the following:
- Detailed information about the types of health information that is to be used. This should include:
- Specifically how the information will be used
- Who will be able to access the information
- How and when the information will be destroyed
- What risks are posed by use of the information and the steps taken to mitigate the risks associated in using the information
- Rationale for access to the information and the impact on the research if the information is not accessible.
Please contact the IRB Administrator if you have any other questions regarding a Waiver of HIPAA Authorization.