HIPAA Key Points
- The HIPAA Privacy Rule regulates how healthcare "covered entities" manage protected health information (PHI), including the use or disclosure of PHI for research.
- For use or disclosure of PHI, a researcher must provide documentation (typically an IRB-approved protocol) stating how the covered entity will rely on the researcher to comply with the HIPAA requirements and limitations.
- Use or disclosure of PHI for research must adhere to the "minimum necessary" requirement, meaning that the data are limited to "the information reasonably necessary to accomplish the purpose."
- PHI may be used or disclosed for research with a patient's direct authorization, or if an IRB or a Privacy Board has waived the need for authorization because the data request meets specified criteria.
- The HIPAA Privacy Rule defines criteria for de-identifying PHI. Previously de-identified data are not PHI and are not subject to HIPAA regulations.
- PHI that is de-identified except for service dates and geographical information is called a limited data set (LDS). A covered entity may allow use or disclosure of an LDS through a Data Use Agreement between the covered entity and a researcher.
- HIPAA Privacy Rule restrictions and limitations apply when a covered entity uses PHI to create either a de-identified data set or a limited data set for research.
- A researcher may use PHI on site for activities preparatory to research and must notify the Sentara Health Research Center in writing to do so.