United States Department of Veterans Affairs
United States Department of Veterans Affairs

VA Information Resource Center
virec logo

Research Implications of the Health Insurance Portability & Accountability Act (HIPAA)
    right arrow  Cost
    right arrow  Data Quality
    right arrow  HIPAA Privacy and Security
    right arrow  Inpatient Care
    right arrow  Laboratory
    right arrow  Long Term Care
    right arrow  Mortality
    right arrow  Outpatient Care
    right arrow  Pharmacy
    right arrow  Polytrauma Research and Data Resources

Overview

The Administrative Simplification provisions of the Health Insurance Portability & Accountability Act of 1996 (HIPAA) were established to improve the efficiency and effectiveness of the nation's health care system. The intent of the law is to assure health insurance portability, reduce healthcare fraud and abuse, guarantee security and privacy of health information, and enforce standards for health information.

The HIPAA Privacy Rule, which is now in effect, provides greater protection of patient records and greater patient rights over their medical information. The HIPAA Security rule had a compliance deadline of April 21, 2005. It mandates the safeguarding of electronic protected health information (PHI) through physical, technical, organizational and procedural safety measures.

See also the following information published by VIReC:

Watts PL, Hynes DM, & Kopp A. "Research Implications of the Privacy Standards Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)." VIReC Insights 2003; 4 (2). PDF file

Web Site Sources of Information

There are many Web sites concerning the HIPAA privacy and security regulations. Listed here are some links to information about privacy and security that are relevant to the VA researcher. VIReC's focus is Web sites that address the VHA interpretation of the rule.

VA Sites

http://www1.va.gov/vhapublications/ViewPublication.asp?pub_ID=1423 PDF file

Information on VHA Privacy Policies is found in the VHA Handbook 1605.1. This is the primary statement of policy on privacy and release of information for VHA. Its provisions take into account not only the HIPAA Privacy Rule but also several other laws and regulations under which VHA is required to conduct its business.

http://www.research.va.gov/programs/pride/training/default.cfm

This is the official guidance from the VHA's Office of Research and Development (ORD). While certain provisions of the Rule specifically concern research and may affect research activities, the Privacy Rule recognizes that the research community has legitimate needs to use, access, and disclose protected health information (PHI) to carry out a wide range of health research protocols and projects. The Privacy Rule protects the privacy of such information while providing ways in which researchers can access and use PHI when necessary to conduct research.

Other Government Sites

http://privacyruleandresearch.nih.gov/

This link is to general guidance on application of the Privacy Rule for research, published by the National Institutes of Health. This document should be considered "reference only" as VHA policy may be different. VA Researchers must comply with the VHA policies.

http://www.cms.hhs.gov/default.asp?hipaa/

The Centers for Medicare & Medicaid Services (CMS) is responsible for implementing various unrelated provisions of HIPAA, therefore HIPAA may mean different things to different people. Here's a directory of CMS's business activities with regard to HIPAA

http://privacyruleandresearch.nih.gov/research_repositories.asp

The Department of Health and Human Services (DHHS) has issued clarifications on how the federal health care privacy rule affects medical records used in databases for research. The guidance is posted on the NIH website. It is NIH Publication Number 04-5489, dated January 2004. It includes DHHS's answers to frequently asked questions. This document should be considered "reference only" as VHA policy may be different. VA Researchers must comply with the VHA policies.

http://www.hhs.gov/ocr/hipaa/finalreg.html

This page is hosted by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the office with primary responsibility for the Privacy Rule. Here you can view the complete regulation relating to HIPAA Privacy and Security standards.

http://www.hhs.gov/ocr/hipaa/guidelines/research.pdf PDF file

In addition, OCR has published guidance on HIPAA Privacy for researchers. However, any guidance from agencies external to the VHA should be viewed as reference only, as VHA policy may differ from other agencies' interpretations. VHA policy will govern the conduct of research in VHA.

virec logo