What
Is HIPAA?
What Is The Privacy Rule?
Who Has To Comply With The Privacy Rule?
What Data Is Protected By The Privacy Rule?
How Can Investigators Access And Use Protected Data Under
HIPAA?
Links to HIPAA Resources
What Is
HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996.
A major component of HIPAA addresses the privacy of health information
by establishing a nation-wide federal standard concerning the privacy
of health information and how it can be used and disclosed.
What Is
The Privacy Rule?
The Privacy Rule is a regulation issued by the U.S. Department of Health
and Human Services (DHHS) to implement the privacy protections of HIPAA.
The Privacy Rule became effective on April 14, 2003.
Who Has
To Comply With The Privacy Rule?
The Privacy Rule directly applies to three categories of health care entities
called "Covered Entities": (1) health plans, (2) health care
clearinghouses, and (3) health care providers who transmit any health
information in electronic form in connection with a transaction covered
by HIPAA.
The Privacy Rule does not directly regulate researchers unless they treat patients or work within "Covered Entities." However, many researchers rely on Covered Entities to provide them with patient health information needed to conduct research and must comply with HIPAA to obtain such data.
What Data
Is Protected By The Privacy Rule?
The Privacy Rule limits the disclosure and use of patient information
called "Protected Health Information" (PHI) that is individually
identifiable. Under the Privacy Rule, "health information" generally
means information relating to an individual's past, present, or future
physical or mental health or condition, provision of health care to an
individual, and past, present, or future payment for the provision of
health care to an individual.
How Can
Investigators Access And Use Protected Data Under HIPAA?
Researchers who want access to Protected Health Information
maintained by a Covered Entity must comply with HIPAA requirements
relating to disclosure for research use. HIPAA allows PHI
to be released and used by researchers under the following
methods:
1. a written authorization; (Informed Consent with HIPAA Authorization);
2. de-identification of an individual's health information
as defined by HIPAA;
3. de-identification through a "Limited Data Set" (only certain data can be identifiable);
4. preparatory work for a research project;
5. use of PHI of deceased persons;or
6. an approved waiver of authorization by the UNT IRB.