
HIPAA at UK

[F1.0600] Health Insurance Portability and Accountability Act (HIPAA) (Instructions for ALL IRB Applications)

The Health Insurance Portability and Accountability Act (HIPAA) is a complex regulation that affects many researchers at the University of Kentucky (UK). HIPAA is designed to protect the use and disclosure of individually identifiable health information, also known as Protected Health Information (PHI).

You may need IRB approval to create, access, store, use, or disclose PHI if you are employed outside the Covered Entity (CE) and obtaining PHI from a UK CE department, or you are employed by a UK CE department and collecting PHI from subjects.

  • If HIPAA Authorization is required for your research, you must use the UK Informed Consent/HIPAA Combined Template as a guide to develop your consent/authorization document; the template can be found under "All Templates" in the APPLICATION LINKS menu on the left in your E-IRB application.

Note: If you are obtaining PHI from another institution, you must use that institution's HIPAA forms and comply with its HIPAA requirements.

*You must understand that you could face criminal and/or civil liabilities for non-compliance.

This webpage contains information to help you comply with these regulations. This information is subject to change as the regulations continue to be interpreted and policies are developed; please check back often.

Definitions

  • Protected Health Information (PHI): Any of the 18 HIPAA-recognized identifiers in combination with health information transmitted or maintained in any form (electronic, paper, or oral) that relates to the past, present, or future physical or mental health or conditions of an individual.
  • Covered Entity (CE): Any department (or, in some cases, institution) that provides services meeting the definition of a health care provider, health plan, or health care clearinghouse. An entity, or its covered departments or colleges, that is regulated by HIPAA is called a Covered Entity (CE).
  • De-identified Information: Health information that cannot be linked to an individual.
  • Patient Authorization: A document signed by the subject that gives the researcher permission to use/disclose PHI collected during the research study for defined purposes.
  • Waiver of Authorization: A request to forgo the authorization requirement based on the fact that the disclosure of PHI is a minimal risk to the subject and the research cannot practically be done without access to/use of PHI.
  • Limited Data Set: PHI reduced to a limited subset of identifiers, containing only the following elements: city, state, zip code, and date of birth, date of death, or date of service.
  • Preparatory Work for Research: Review of PHI for the purpose of designing a research study or identifying potential subjects.
  • Decedent Research: Research in which PHI is collected from subjects who were deceased before the study began.

18 HIPAA-recognized Identifiers

  1. Names;
  2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes;
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death;
  4. Telephone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images;
  18. Any other unique identifying number, characteristic, or code.

Does HIPAA apply to my research?

Answer these questions or use the roadmap below so you don't get lost in the regs!

  1. Does your research protocol involve creating, accessing, using, storing, or disclosing PHI?
    1. Yes, go to question two (2).
    2. No, STOP. Your research does not fall under HIPAA, but you must follow federal/state privacy laws and IRB requirements when dealing with patient/subject information.
  2. Is your department listed as a University of Kentucky Covered Entity?
    1. Yes, complete the following steps. You must comply with all of UK’s regulations for creating, accessing, storing, and disclosing PHI.
    2. No, if you are accessing PHI from UK Medical Records or any other source of PHI within the CE, complete the HIPAA Application Form. You must comply with the UK’s HIPAA requirements for accessing PHI. Once PHI is removed from the CE, you must follow federal/state privacy laws and IRB requirements. If you are accessing PHI from another source, contact the Research Privacy Specialist to determine if HIPAA applies to your study.

HIPAA Roadmap

Decision Tree illustrating when HIPAA applies to human research

*HIPAA recognized identifiers; for questions about this or limited data sets (LDS), contact ORI's Privacy Team.

**If you plan to send or receive any data outside of UK, please contact Ali Yankey in the Office of UK Innovate for assistance with a DUA/MTA.

***CE is an entity regulated by HIPAA

Which HIPAA form should be completed, if any? Where do you request/submit HIPAA documents?

  • De-identified Information: HIPAA lists 18 specific identifiers that must be removed to qualify as de-identified data. The following identifiers can be recorded: initial three digits of the zip code if population is greater than 20K, age if less than 90, gender, and ethnicity.
    • If you are de-identifying protected health information (PHI) for your study and your department is in a Covered Entity, complete the de-identification certification form and take it to Medical Records to obtain PHI. Make a copy of the de-identification form and submit it with your IRB application.
    • If you are de-identifying PHI for your study and your department is NOT in a Covered Entity, complete the de-identification certification form and submit a Business Associate Agreement (BAA) to Medical Records to obtain PHI. Make a copy of the de-identification form and submit it with your IRB application.
    • Contact: Erin McMahon, Associate General Counsel, (859) 323-1161 for assistance with BAAs.
  • Patient Authorization: An authorization should be signed by subjects when informed consent is obtained or when subjects are re-consented. If HIPAA Authorization is required for your research, you must use the Informed Consent/HIPAA Combined Template as a guide to develop your consent/authorization document and submit it with your IRB application.
    • For a copy of the template, see the IRB application, or contact the Research Privacy Specialist.
    • Take the IRB-approved authorization form signed by the subject to Medical Records to obtain PHI.
  • Waiver of Authorization: Please complete the waiver of authorization form and submit it with your IRB application.
    • The IRB will issue you a waiver of authorization approval letter. Take this letter to Medical Records to obtain PHI.
    • For clinical trials only:  If you plan to review PHI to identify subjects for recruitment purposes and your sponsor requires you to give them a screening log with PHI (and you have not obtained informed consent or authorization), submit a waiver of authorization form with your application. Note: The waiver of authorization will only be for recruitment purposes.
  • Limited Data Set: If your department is listed in the Covered Entity, a Data Use Agreement must be completed and submitted to Medical Records to obtain PHI.
    • If your department is NOT listed in the Covered Entity, a Data Use Agreement and a BAA must be completed and submitted to Medical Records to obtain PHI.
    • Contact: Erin McMahon, Associate General Counsel, (859) 323-1161 for assistance.
  • Preparatory Work for Research: Please go to Medical Records and complete their HIPAA Research Form to obtain PHI.
  • Decedent Research: Please go to Medical Records and complete their HIPAA Research Form to obtain PHI.

Is my research covered by HIPAA?

HIPAA applies to you if your college or department uses Protected Health Information in connection with certain covered transactions. Legal counsel, with guidance from Deans and other UK leaders, has determined which colleges and departments engage in covered transactions and thus are covered by HIPAA. 

Because of its size and the range of its activities, the University of Kentucky (UK) is designated as a hybrid entity, which means that some departments/colleges are regulated by HIPAA and others are not. An entity, or its covered departments or colleges, that is regulated by HIPAA is called a Covered Entity (CE).

The University of Kentucky is a “covered entity.”

What makes the University of Kentucky a “covered entity?” The University of Kentucky is made up of several groups that make it a “covered entity,” including the University of Kentucky Chandler Medical Center, medical benefit plans, human research, dental clinics, student health services, and athletics, among others.

  • If you are employed in a UK Covered Entity component and create, access, or share Protected Health Information, HIPAA applies to your research.
  • If, in your research, you collect Protected Health Information from a UK Covered Entity and your department/college is deemed outside of the Covered Entity, HIPAA applies to your access of the Protected Health Information.

Researchers not in the Covered Entity may need an authorization form:

  1. to access PHI for their study; or,
  2. if they are conducting part of their study in the Covered Entity.

To find out whether HIPAA covers your department/college, for assistance with determining whether you are employed in a UK Covered Entity, or for more information, contact the Research Privacy Specialist.

See below for an abbreviated list of UK covered entities.

Covered Entities

Note: There may be others not listed; please contact the Research Privacy Specialist for assistance.

  • Entire College of Dentistry
  • All Hospital Areas
  • All Ky Clinic Operations
  • College of Health Sciences
    • Business Office
    • Communication Disorders
    • Physician Assistant Studies
  • College of Medicine
    • Clinical Affairs
      • Anesthesiology (Pain Mgmt Center)
      • Diagnostic Radiology
      • Emergency Medicine
      • Family Practice
      • Internal Medicine
      • Neurology
      • OB/GYN
      • Ophthalmology
      • Pathology and Lab Medicine
      • Pediatrics (UK's Children's Hospital)
      • Physical Medicine and Rehabilitation
      • Psychiatry
      • Radiation Medicine
      • Surgery
      • Orthopedics/Sports Medicine Center
    • Department
      • Dean's Office
      • Chief of Staff
    • Multidisciplinary Centers
      • Business Operations
      • Clinic Operation
      • Center for Minimally Invasive Surgery
      • Diagnostic Clinic (Neurology)
      • Gamma Knife Center
      • Gill Heart Center
      • KY Center for Rural Health Family Practice Clinic
      • Kentucky Neurosciences Institute
      • (Lucille Parker) Markey Cancer Center Clinical Activities
      • Rural Health Center Hazard
      • Transplant Center
      • Public Health
      • Preventive Medicine
  • College of Pharmacy
    • Drug Information Services
  • UK Campus
    • College of Social Work: CATS Clinic
    • Human Resource Services: Benefits
    • Human Resource Services: Employee Relations
    • Human Resource Services: The Plan/UKHMO-UKDC
    • Internal Audit
    • Legal Counsel
    • Office of Controller: Accounts Payable
    • Office of Controller: Benefits Financial Counseling
    • Public Relations

HIPAA Authorization Regulations [D19.0000]

According to HIPAA requirements outlined in 45 CFR 164.508, researchers should obtain written authorization from subjects before using or collecting protected health information (PHI) whenever possible. Authorization should be obtained in writing from prospective subjects. 

Under HIPAA, the following core elements and statements must be included in the authorization document. 

  • A description that identifies the individually identifiable protected health information to be used/disclosed in a specific and meaningful fashion (e.g., list the types of data to be collected from the medical record);
  • The name of the person(s) or class of persons to whom the covered entity may make the requested use or disclosure (i.e., researchers must list all of the entities that might have access to the study’s PHI such as ORI/IRB, University of Kentucky/Hospital representatives, sponsors, Food and Drug Administration, data safety and monitoring board or any others given authority by law);
  • A description for each purpose of the requested use or disclosure (e.g., list reasons why the PHI is collected, such as to be able to conduct the research and to ensure that the research meets legal, institutional, or accreditation requirements; list the purpose of the research);
  • An expiration date or an expiration event that relates to the use or disclosure (i.e., length of time researchers plan to maintain the data).  The statement “end of research study”, “none”, or similar language is sufficient;
  • A description of how the individual may revoke the authorization and the exceptions to the revocation; or a copy of the Privacy Notice, which explains how to revoke the authorization and the exceptions to the revocation (i.e., HIPAA gives subjects the legal right to revoke authorization. The subjects must be told how they can withdraw.  Any request for revocation must be in writing. Also, the subjects should be told that if they do revoke, they can no longer participate in research and that researchers may use the PHI already obtained to maintain the integrity of the data.);
  • A statement that a subject’s treatment, payment, or enrollment in any health plan or their eligibility for benefits will not be affected if they refuse to sign the authorization;
  • A statement that the subject may not participate in a research study if they refuse to sign the authorization;
  • An explanation that information disclosed pursuant to the authorization may no longer be protected when re-disclosed by the recipient (i.e., if the researchers disclose the information collected to a third party, then the HIPAA protections may no longer be in place);
  • A signature of the individual and date. If a personal representative signs the authorization, a description of the representative’s authority must be provided.
  • Optional item: Under HIPAA, subjects have the right to access their PHI. In research, this right can be suspended while the research is in progress. However, subjects must be told in the authorization that this right has been suspended, and the conditions of the suspension must be listed. The subjects should also be informed that their right to access the PHI will be reinstated at the conclusion of the research study.
  • The authorization must be written in plain language;
  • The subject must be given a copy of the signed authorization.

If HIPAA Authorization is required for your research, you must use the Informed Consent/HIPAA Combined Template as a guide to develop your consent/authorization document. For a copy of the template, see the IRB application or contact the Research Privacy Specialist.

HIPAA Waiver of Authorization [D20.0000]

Guidance for Requesting and Completing the Waiver of Authorization

A waiver of authorization is a request to forgo the authorization requirements because the disclosure of protected health information (PHI) for research purposes is minimal risk to the subject and the research cannot practically be done without access to/use of the PHI. The investigator must develop a written plan to protect the subject’s protected health information.

Examples that would require a waiver of authorization:

  1. Researchers in the Covered Entity (CE) would require a waiver of authorization to remove PHI from the CE (i.e., sharing PHI with the sponsor) for the purpose of identifying subjects for a research study.  The waiver would only be granted if:
    1. The investigator is submitting a screening log with PHI to a sponsor to identify potential subjects for a study; and
    2. The investigator has not obtained informed consent/authorization from the subject; and/or
    3. The screening log, which contains PHI, is disclosed to monitors or other agencies during the study.
  2. Retrospective medical record reviews would require a waiver of authorization since it would be impractical to obtain authorization from the subjects.
  3. Researchers not in the Covered Entity (CE) would require a waiver of authorization to remove PHI from the CE. The waiver would only be granted if:
    1. The investigator is removing PHI from the Covered Entity; and
    2. The investigator has not obtained informed consent/authorization from the subject.

The following identifiers can be recorded and removed from the CE without requesting a waiver of authorization:

  • Initial three digits of the zip code if the population is greater than 20K
  • Age if it is less than 90,
  • Gender, and
  • Ethnicity.
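The de-identification rule stated above, in the "De-identified Information" item of the forms section, and in the list of 18 HIPAA-recognized identifiers can be checked mechanically before a data set leaves the Covered Entity. The following is an added example, not code from this page or from UK ORI: it applies the rule to one constructed patient record (the field names, the population figures per 3-digit zip prefix, and the sample values are all assumptions) by dropping the direct-identifier fields, keeping only the first three digits of the zip code where the area has more than 20,000 people, reducing full dates to the year, reporting age only when under 90 (the Safe Harbor rule in 45 CFR 164.514(b) aggregates 90 and over into a single "90+" category), and scrubbing identifier patterns that leak into free-text notes. A final check lists anything that still looks like PHI, which is the test a reviewer would want to run on the output.

```python
"""Safe Harbor style de-identification check (added example; constructed data)."""
import re
from datetime import date

# Fields treated as direct identifiers, mapped from the page's list of 18 (field names are assumed).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
})

# Constructed population per 3-digit zip prefix (assumption: real use needs census figures).
ZIP3_POPULATION = {"405": 350_000, "036": 12_000}

# Identifier patterns that commonly leak into free text: SSN, US phone, e-mail, IPv4.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def safe_harbor_zip(zip_code):
    """Keep the 3-digit prefix only when that area holds more than 20,000 people; otherwise '000'."""
    prefix = str(zip_code)[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def safe_harbor_age(birth_date, as_of):
    """Age in whole years; 90 and over is reported as the single category '90+'."""
    birthday_passed = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    age = as_of.year - birth_date.year - (0 if birthday_passed else 1)
    return age if age < 90 else "90+"


def scrub_text(text):
    """Replace residual identifiers in free text; returns (clean_text, kinds_found)."""
    found = []
    for kind, pattern in RESIDUAL_PATTERNS.items():
        text, count = pattern.subn(f"[{kind} removed]", text)
        if count:
            found.append(kind)
    return text, found


def deidentify(record, as_of):
    """Apply the Safe Harbor rule to one record (a dict) and return a new dict."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # dropped outright
        if field == "zip":
            out["zip3"] = safe_harbor_zip(value)       # 3-digit prefix or 000
        elif field == "birth_date":
            out["age"] = safe_harbor_age(value, as_of)  # date of birth becomes age
        elif field.endswith("_date") and isinstance(value, date):
            out[field[:-5] + "_year"] = value.year     # other dates: year only
        elif isinstance(value, str):
            out[field], _ = scrub_text(value)          # gender, ethnicity, codes, notes
        else:
            out[field] = value
    return out


def residual_identifiers(record):
    """Reviewer's check: list fields that still look like PHI after de-identification."""
    problems = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            problems.append(f"{field}: direct identifier present")
        elif isinstance(value, date):
            problems.append(f"{field}: full date present")
        elif field == "zip" or (field == "zip3" and len(str(value)) != 3):
            problems.append(f"{field}: zip not reduced to 3 digits")
        elif field == "age" and isinstance(value, int) and value >= 90:
            problems.append(f"{field}: age 90 or over not aggregated")
        elif isinstance(value, str):
            for kind, pattern in RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    problems.append(f"{field}: {kind} pattern in text")
    return problems


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0001234",
    "zip": "40506",
    "birth_date": date(1932, 5, 2),
    "admission_date": date(2023, 3, 14),
    "gender": "F",
    "ethnicity": "Not Hispanic or Latino",
    "diagnosis": "I10",
    "notes": "Pt reachable at 859-555-0100 or jane@example.com; follow up in clinic.",
}
AS_OF = date(2024, 1, 1)

if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE_RECORD))
    clean = deidentify(SAMPLE_RECORD, AS_OF)
    print("after: ", clean, residual_identifiers(clean))
```

Run as a script, the "before" check flags seven problems in the raw record (two direct identifiers, the full zip, two full dates, and the phone and e-mail in the notes); after `deidentify` the check returns an empty list. The free-text scrub is the weak point in practice: names, addresses, and local identifier formats do not match any of these patterns, which is why the page routes de-identified data through the certification form rather than relying on an automated pass alone.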

"Form K": Request for Waiver of HIPAA Authorization Form

Guidance

Contacts

HIPAA Patient Rights or Accounting of Disclosure

Sarah Hines, UK's Healthcare Privacy Officer, (859) 323-1184

HIPAA Agreements

(Such as Data Use Agreements or Business Associate Agreements)

Erin McMahon, Associate General Counsel, (859) 323-1161