HIPAA Questions and Answers Relating to Research

February 2015

I.  The Basics

Question 1: As an employee of the JHM covered entity, how does the HIPAA Privacy Rule affect my research?

Answer: Under the HIPAA Privacy Rule you must meet certain requirements before using or disclosing individually identifiable health information for research. (These HIPAA requirements are in addition to IRB requirements under federal regulations for the protection of human subjects.)

The HIPAA Privacy Rule defines “individually identifiable” broadly, to include information such as name, address, or SSN, as well as “indirect identifiers” such as zip codes or date of birth, when attached to any health information.

A covered entity and its employees may not use or disclose individually identifiable health information (called “protected health information,” or “PHI”) for research, except in one of the following circumstances:

i) The patient has signed a written Authorization containing all the elements specified in the Privacy Rule;
ii) An IRB has waived or altered the requirement for HIPAA Authorization;
iii)The covered entity has “de-identified” the data prior to its use or disclosure for research; or
iv) The data are in the form of a “limited data set” containing no HIPAA “direct identifiers,” and” and the researcher has signed a HIPAA Data Use Agreement.

Question 2: What is the difference between HIPAA “Authorization” and informed consent?

Answer: Informed consent is required under federal research regulations for the protection of human subjects.  The HIPAA Privacy rule, a different regulation, separately requires that patients give written Authorization before a covered entity may use or disclose patients’ protected health information for research.  There are different requirements for the content of informed consent and HIPAA Authorization; however both may be combined in one form (see templates on the HIPAA forms page).  An IRB may waive both consent and Authorization if the research meets all of the waiver criteria established by each of the applicable regulations.

Question 3: I plan to use de-identified information in my research.  Do I still need to submit an eIRB application?

Answer: The answer depends upon whether the data already exist in de-identified form.  If your research involves only the analysis of pre-existing data that have been fully de-identified to the HIPAA standard, you do not need to submit an application in eIRB, because such research involves neither PHI nor an identifiable human subject.

If, however, you wish to extract de-identified data from medical records or other identifiable sources, for use in your research or to create a de-identified database for future research, you must submit an Exempt Research Application and an Application for Waiver of HIPAA Privacy Authorization in eIRB.  (See the JHM IRB guidance on Research Databases for additional information)

Question 4: Are outside parties involved in a research study "business associates" of Hopkins, and do we need a Business Associate Agreement with these parties?

Answer: No. Under the HIPAA Privacy Regulations, a business associate is a person or entity that receives protected health information ("PHI") from a covered entity and performs certain functions or activities on behalf of the covered entity. For example, The Johns Hopkins Hospital is a covered entity under HIPAA and its outside lawyers, consultants, and most contractors who receive PHI from JHH are business associates doing something on JHH's behalf. The HIPAA Privacy Regulations require Hopkins to enter into Business Associate Agreements with these entities. Although these entities are not covered entities themselves, they agree to treat the PHI they receive as if they were covered entities under HIPAA.

Although this analysis might seem to apply to some parties in a research context, it now is widely accepted that persons and entities who receive PHI from research organizations in the course of an approved research project are not the business associates of the research organization. For example, if a Johns Hopkins protocol has two sponsors and an entity performing the lab work for the study, these parties are not deemed to be acting on Johns Hopkins' behalf and are not its business associates. Rather, these entities all are parties necessarily involved in the common enterprise of the research project. In a clinical trial, these parties must be listed on the HIPAA Privacy Authorization as parties to whom PHI may be disclosed in the course of the study. If the IRB waives Authorization, all these parties must be listed in the IRB waiver application so that the IRB is aware that these parties will receive PHI and can assure that a proper plan is in place to protect the privacy of the PHI. In either case, Hopkins does not need to have a Business Associate Agreement with these parties.

Question 5: When might I need a HIPAA Data Use Agreement in connection with my research?

Answer: A Data Use Agreement is needed when a researcher wants to share PHI in the form of a Limited Data Set (defined as a data set that contains no identifiers other than certain "indirect identifiers") with someone not otherwise involved in the research protocol (i.e., someone who is not mentioned as receiving PHI in the Authorization or in the waiver of Authorization approved by the IRB). If the person or entity at the other site is part of the trial and is included in the Authorization or waiver of Authorization approval for the trial, you do not need a Data Use Agreement. Rather, a Data Use Agreement is used when, for example, you want to share a Limited Data Set of research data with a colleague at another institution not involved in the trial, or with a private registry not involved in the study. The JHM IRB must be notified if you plan to share a limited data set with a person not named in the original IRB application.  If you disclose a Limited Data Set to another JHM researcher, that person must sign the one page Data Use Agreement on the JHM IRB website.  If you will disclose a Limited Data Set to a non-JHM researcher, the recipient must sign the full JHM Data Use Agreement before research data containing PHI are shared.

Question 5(a): What about sharing data with a researcher at JHBSPH, or including JHBSPH faculty or students as members of my research team?

Answer: The HIPAA Privacy Rule permits a covered entity to exclude from covered status any of its components that do not perform “covered functions” (e.g., billing for clinical services).  The SOM and JHBSPH have agreed that because JHSPH faculty do not perform covered functions for the JHBSPH, JHBSPH will be excluded from the JHM covered entity.  This means, however, that when JHM PHI is shared with someone from the JHBSPH, this sharing is a “disclosure” of PHI and must be treated as any other disclosure of PHI to an outside entity.  The SOM PI must track all disclosures of PHI to the JHBSPH to permit the SOM to account for these disclosures if required to do so under the Privacy Rule.

There is an exception to this general rule for disclosures to JHBSPH faculty or students who are formal members of a research team led by a SOM PI and have completed all required SOM HIPAA training.  For the purpose of performing their responsibilities as research team members, such JHBSPH faculty/students are considered to be members of the SOM HIPAA “workforce” if they are acting under the direct control of the PI.  SOM workforce members must abide by all JHM HIPAA policies, but the PI does not need to track disclosures of PHI to them.

Also, if the JHBSPH faculty and/or students are listed in the research authorization form as parties with whom the SOM PI will share PHI, the SOM PI does not need to track these disclosures.

Question 6: I am a researcher who has obtained a Certificate of Confidentiality for my study. Do I need a HIPAA Privacy Authorization when I already have a Certificate of Confidentiality?

Answer: Yes. Certificates of Confidentiality (CoCs) may protect the identities of research participants from compulsory disclosure in certain legal proceedings. However, COCs do not prevent voluntary disclosures of research information, nor do they negate the fact that researchers collect PHI from participants and that many persons both inside and outside of Hopkins will or may see the PHI (e.g., auditors, IRBs, investigators from governmental agencies, sponsors, etc.) Accordingly, the HIPAA Privacy Authorization must inform participants that, although JHM will keep their identifiable information confidential, there are certain people in and outside of Hopkins who will or may need to see the information, and that, because some of those people are not covered by the Privacy Rule, we cannot guarantee that they will all maintain the confidentiality of the information.

Question 7: How is the HIPAA Privacy Rule related to the HIPAA Security Rule?

Answer: Each is a separate regulation under the HIPAA statute. The Privacy Rule applies to all health information obtained or created by a covered entity, regardless of medium. The Security Rule applies to protected health information created or stored in an electronic form.  The Security Rule establishes standards for how covered entities store, transmit, and safeguard “ePHI.”  A researcher who fails to protect the security of PHI, by failing to follow JHM information security policies (e.g., password protection, encryption) may be violating both the Privacy Rule and the Security Rule. For more information about Security Rule requirements, contact the JH Information Security services.

[back to top]

II.  Recruitment

Question 1: At what point in recruitment may we gather information about a potential participant (i.e., a potential participant calls our office after seeing a flier, may we screen that person/ ask them about their history, or do we need him or her to complete a written privacy Authorization prior to screening)?

Answer: If the IRB has approved your recruitment plan, including a partial waiver of Authorization to permit you to collect PHI for screening without written Authorization, you may take the person’s contact and screening information.  You will need to advise the person that in order to evaluate whether he or she is a candidate for the research, you will need to share the caller’s information, and the caller may need to share information, with a limited number of others who staff the study.  If the person is deemed to be a qualified candidate, then he/she will be asked to come in to sign an informed consent/privacy Authorization. 

 If the person is not deemed to be qualified, their information should be destroyed and not used for any other purpose, unless the IRB has waived authorization to permit the research team to retain information required by the sponsor or by FDA regulations.  

Question 2: When a potential participant calls after seeing a flier, may we take a history from the participant to determine eligibility prior to receiving a written privacy Authorization if we do not record (either in a database or written form) the PHI given to us by the participant?

Answer: The answer is the same as in #1, above.  Receipt of PHI occurs whether the information is written, electronic or verbal.  The IRB must approve the recruitment plan to permit phone screening for eligibility. The PI or research team must receive the follow-up written Authorization before they may use the PHI for research.

Question 3: When the potential participant calls our office, may the staff member who took the call have another staff member (same research team) send materials to/contact the potential participant?

Answer: Yes. Anyone on the research team or staff may use the contact information to send materials to prospective subjects and to obtain the Authorization.

Question 4: If the clinician is also a researcher and he/she meets a potential participant for their study, can that clinician/researcher have one of his/her staff members screen the patient/potential participant’s chart?

Answer: Yes.

Question 5: Is it possible to get a waiver from the JHM-IRB to screen patient charts without having each patient first sign a privacy Authorization form?  If yes, what forms need to be filed with the JHM-IRB?

Answer: Yes. The form is HIPAA IRB Form 4, Application for IRB Waiver of HIPAA Privacy Authorization.  The waiver must be granted by the IRB before charts are screened.

[back to top]

III.  “Grandfathering” under HIPAA

Question 1: I know that the HIPAA Privacy Rule grandfathers some studies in which participants enrolled prior to 4/14/03 (or for which the IRB granted a waiver of consent prior to that date).  Please define the term “enrolled” in reference to a participant being enrolled in a study prior to 4/14/2003.  Does this mean that the participant must have signed a consent form prior to that date? Or can it mean that the participant and family have been entered into the database by that date?

Answer: “Enroll” means to have the participant sign an informed consent within the meaning of the Common Rule. If a participant signed an informed consent prior to 4/14/03, the participant does not need to sign a HIPAA privacy Authorization for the same study.  However, after 4/14/03, a participant who is signing an informed consent (whether a new participant, or an old participant who is being re-consented) also must sign a privacy Authorization and/or an IRB approved new combined consent/HIPAA authorization document.

Question 2: Is the continuation of a study (i.e. new grant funding) using the same protocol number considered a “new” study under HIPAA guidelines?

Answer: No. HIPAA does not address what would make a study a new study.  If the study is a new study under JHM practices or the Common Rule, then both a new informed consent and privacy Authorization, or an IRB approved waiver of consent/privacy authorization, would be required. If the study is not a new study under these criteria, then no new informed consent/privacy Authorization would be required.

Question 3: If we have information in a database that was collected with the written consent of the participants in the database prior to 4/14/2003, do we need a HIPAA waiver to maintain the database?

Answer: No. Any form of written consent obtained prior to 4/14/2003 will “grandfather” the data accumulated in the research database prior to that date.  The consent does not need to meet the privacy Authorization criteria and no waiver by the IRB is needed.  If, however, a researcher wishes to add patients to the database who did not sign a consent form prior to 4/14/2003, those patients must sign both a consent form and a HIPAA Authorization (may be combined in a single form; see IRB website), unless the IRB grants a waiver of consent and HIPAA Authorization.

[back to top]

IV.  De-Identification and Re-Identification

Question 1: When does a unique identifying number become PHI?  Is it always considered PHI?

Answer: HIPAA permits the use of unique identifying numbers in a de-identified data set, provided that the recipient of the data (e.g., the researcher), has no access to the linking code and no means of re-identifying the data.  If a unique identifying number is kept to link otherwise de-identified data to the individuals in the study, the unique identifying number is and remains PHI with respect to anyone who can access the code key or re-identify the data subjects.  If the unique identifying number is destroyed, the health information would thereafter be de-identified for all purposes (assuming all other HIPAA identifiers and links to identifiers are removed).

Question 2: HIPAA has many identifiers that must be removed to “de-identify” health information.  Is any one of these identifiers, all by itself, PHI?

Answer: Not necessarily. PHI is information about the health of an individual, the health condition of an individual or the payment for health services rendered to an individual.  If we just had a DOB and that DOB was not linked to any other health information and could not be sourced to a provider (e.g., JHM), the DOB alone would not be PHI.  But if the DOB is coupled with other information, such as “was a patient at JHH,” or “was one of 15 enrollees in a particular study,” this combination would be PHI.  We have taken the position that if we gain any information linked to a person’s status as a patient or a participant in a study, that information is PHI.  (Note that if DOB is the only identifier coupled with health information or research data, the researcher could aggregate the DOBs into ranges, which would de-identify the information/data.)

[back to top]

V.  Accounting for Disclosures

Question 1:  As per the HIPAA regulations, we need to keep a log of all persons who have viewed PHI in our database in order to provide a list of disclosures, if and when a participant requests it.  Do we need to log a new entry each time a member of our research team views the data, or do we only need to enter a new entry in the log when someone outside of the team views the data?

Answer:  A “disclosure” is providing PHI outside the Hopkins’ workforce (NOTE: JH Bloomberg School of Public Health employees are not members of the Hopkins workforce unless they hold joint appointments and are conducting SOM research, or are faculty/students who are formal members of a research team led by an SOM PI (see Question 5a, above.  Workforce members must complete all required SOM HIPAA training.)  All Hopkins members of the research team may view the PHI without keeping a disclosure log.  If, however, a researcher from another institution (or JHSPH) will receive JH PHI, that person’s accessing or viewing of the PHI will generally be a disclosure.  This is not the case if the outside researcher meets criteria for a “workforce member” (contact the JH Privacy Office for more information).

HIPAA IRB Forms 8.1, 8.2, and 8.4 are required for disclosures of PHI outside of Hopkins’ workforce.  The applicable form must be completed and a disclosure log kept unless one of the following applies:  (1)  the recipient of the PHI is a member of the JHM workforce, as described above; (2) the subject(s) have signed a HIPAA Authorization (or combination consent/authorization) naming the outside researcher(s) as recipients of PHI;  or (3) the disclosure contains no identifiers other than the “indirect identifiers” permitted in a HIPAA Limited Data Set, and the recipient has signed the JHM Data Use Agreement with the outside researcher. 

[back to top]

VI. Subject Requests for Access to Research Data or Test Results

Question 1: Do the HIPAA requirements allow for participants to request a copy of any structured interviews they completed/responded to as part of the study?  What about the results of research laboratory tests?

Answer: Individuals have a right to a copy of their “designated record set”.  This is defined as

Designated record set means:

(1)   A group of records maintained by or for a covered entity that is:

(i) The medical records and billing records about individuals maintained by or for a covered health care provider;

(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals

(2)   For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

We are taking the position that a research record is not part of the “designated record set” and that only information that is entered into an individual’s medical record during the course of the research would be part of the “designated record set”.  Of course, if the research involves treatment of a patient and there is only one “record”, the research and medical record could be the same.

This does not mean that the research record does not contain protected health information or PHI.  In your question, if the interview included questions about health status or history, this would be PHI.  But we do not believe it meets the above definition of “designated record set”, which requires providing a copy upon request by an individual.  Also, the HIPAA Privacy Rule recognizes that under CLIA, research laboratories that do not have CLIA certification may not disclose the results of laboratory research tests to patients or their providers (see Organization Policy No. 101.2 "Research Laboratory Testing Results" .

You should know that this is not a settled area of the law.  Different experts have different opinions.  But until there is further clarification, this is our position on this issue.  Consult OHSR about specific requests for provision of copies of research records or information to non-Hopkins entities.

[back to top]

VII. Access to PHI Created or Maintained by Non-JHM Providers

Question 1: I am enrolling subjects in a clinical study.  If adverse events occur and my subjects are treated by a non-JHM provider, how may I obtain information about the subjects’ treatment?

Answer: A subject must sign an Authorization that allows the non-JHU provider to disclose PHI  to you for the purposes of research involving that subject.  It is helpful to obtain the subject’s express permission for such a disclosure in the Authorization form that the subject signs for your research study.  The non-JHM provider may rely upon such Authorization; alternatively, the provider may ask the patient to sign the provider’s own Authorization, or may disclose the records directly to the patient.

[back to top]

VIII. International Research

Question 1: How does the HIPAA Privacy Rule affect international research?

Answer: The extent to which HIPAA applies to international research is currently a matter of debate; however, once identifiable health information is received by a covered entity, that information becomes PHI (with a narrow exception for overseas foreign nationals receiving health care from US agencies). This means that when a researcher sends identified health information collected internationally across a JHM network or stores such information on a JHM computer or server, the information becomes PHI.

Because HIPAA concepts can be difficult to translate in international studies, researchers have several options.  The first is to ask the IRB to approve a simpler form of the required authorization language either within the body of the written consent itself or separately as the standalone form ["HIPAA Statement for International Research” form] and/or request approval to obtain Authorization in oral form.  Another option, where cultural barriers are significant, is to request permission to exclude HIPAA language from the consent form and process. This may be most appropriate where no data will be transferred to the U.S. and subject to HIPAA protection.

[back to top]