OHSU

HIPAA & Research

How does HIPAA Impact Research?

Principal investigators who wish to collect data that involve personal identifiers must go through the covered entity’s “HIPAA-jumps” to obtain the data. For example, he or she must seek to obtain an Authorization, a Waiver of Authorization, Data De-identification or a Limited Data Set.

For more information about HIPAA and Research, see the HIPAA Research Guidelines.

Authorization

If the principal investigator will be using or collecting health information and personal identifiers from his or her research subjects, then he or she will be obtaining informed consent from them as well. The HIPAA authorization is required in addition to that informed consent.

Waiver of Authorization

Principal Investigators may apply for a full waiver of authorization when a signed authorization cannot be reasonably obtained, such as for emergency medical records research. 

Data De-identification

The HIPAA Privacy Rule allows principal investigators to conduct research with health information that has been stripped of elements that could identify the research subject. However, under HIPAA, the list of “identifiers” is extensive. The following data elements must be stripped for HIPAA de-identification:

  • Names
  • Geographic subdivisions smaller than a state (i.e., no city, no zip code), except for the initial three digits of the zip code if, according to the current publicly available data from the Bureau of the Census, the geographic unit contains more than 20,000 people
  • Any date (except year; i.e., no month or day of month)
  • For subjects older than 89 years of age, specific age may not be mentioned
  • Telephone number
  • Fax number
  • E-mail address
  • Social security number
  • Medical record number
  • Health plan beneficiary number
  • Any other account numbers
  • Certificate or license numbers
  • Vehicle identification number
  • Medical device identification or serial number
  • Personal website URL
  • Internet protocol (IP) address
  • Fingerprint, voiceprint, or other biometric identifiers
  • Full-face photographic images
  • Any other unique identifying number, characteristic, or code
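
The stripping rules in the list above, as an added Python example (not OHSU's code). The field names, the allow-list and the ZIP population figures are constructed assumptions, and dropping the birth year for subjects over 89 is an added assumption so that the year does not restate the specific age.

```python
from datetime import date

# Hypothetical allow-list: only fields known to carry no identifier pass
# through unchanged. Names, phone/fax, e-mail, SSN, MRN, account numbers,
# IP addresses and "any other unique identifying number" are dropped simply
# because they are not listed here (fail closed on unknown fields).
KEEP_FIELDS = {"diagnosis", "sex", "lab_result"}

# Constructed sample figures: population of each 3-digit ZIP unit. Real
# values must come from current publicly available Census Bureau data.
ZIP3_POPULATION = {"972": 650_000, "036": 12_000}


def deidentify(record, zip3_population=ZIP3_POPULATION):
    """Return a copy of `record` with the listed identifiers stripped."""
    out = {}
    age = record.get("age")
    over_89 = isinstance(age, int) and age > 89
    for key, value in record.items():
        if key == "zip":
            # Keep only the first three digits, and only when that
            # geographic unit contains more than 20,000 people.
            zip3 = str(value)[:3]
            if zip3_population.get(zip3, 0) > 20_000:
                out["zip3"] = zip3
        elif key == "age":
            # No specific age for subjects older than 89.
            out["age"] = "over 89" if over_89 else value
        elif isinstance(value, date):
            # Assumption: a birth year would reveal the age of an over-89 subject.
            if over_89 and key == "birth_date":
                continue
            out[key + "_year"] = value.year  # no month or day of month
        elif key in KEEP_FIELDS:
            out[key] = value
    return out


# Constructed sample records.
SAMPLE_A = {"name": "Jane Roe", "mrn": "A-0001", "zip": "97239",
            "birth_date": date(1930, 4, 2), "admit_date": date(2021, 11, 5),
            "age": 91, "diagnosis": "I10", "ip_address": "192.0.2.10"}
SAMPLE_B = {"name": "John Doe", "zip": "03601", "age": 45,
            "birth_date": date(1979, 1, 1), "free_text_note": "call 555-0100"}
```

Unknown fields such as `free_text_note` are dropped rather than passed through, since free text can carry any of the listed identifiers.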

What is Protected Health Information (PHI)?

  • Medical Records: Medical History, Diagnosis, Treatment
  • Payment Information: Bills, Receipts, EOBs
  • Ancillary Services: X-Rays, Labs
  • Demographic Information (when stored and maintained with health information): Date of Birth, Social Security Number