HIPAA Key Points
- The HIPAA Privacy Rule regulates how healthcare "covered entities" may use and disclose protected health information (PHI), including the use or disclosure of PHI for research.
- Before a covered entity uses or discloses PHI for research, the researcher must provide documentation (typically an IRB-approved protocol) that the covered entity can rely on to confirm the research meets the HIPAA requirements and limitations.
- Use or disclosure of PHI for research must adhere to the "minimum necessary" requirement, meaning the data are limited to "the information reasonably necessary to accomplish the purpose."
- PHI may be used or disclosed for research with the patient's written authorization, or without authorization if an IRB or a Privacy Board has granted a waiver because the data request meets specified criteria.
- The HIPAA Privacy Rule defines criteria for de-identifying PHI. Data that has been de-identified under those criteria is no longer PHI and is not subject to the Privacy Rule.
- PHI from which the direct identifiers have been removed, but which retains dates (such as dates of service) and limited geographic information (city, state, ZIP code, but not street address), is called a limited data set (LDS). A limited data set is still PHI; a covered entity may allow its use or disclosure for research only under a Data Use Agreement between the covered entity and the researcher.
- HIPAA Privacy Rule restrictions and limitations apply when a covered entity uses PHI to create either a de-identified data set or a limited data set for research.
- A researcher may use PHI on site for activities preparatory to research and must notify the Sentara Health Research Center in writing to do so.
Read more: Research and the HIPAA Privacy Rule