HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that was passed by Congress in 1996 and protects the privacy and security of individuals' health information (Protected Health Information, PHI).
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates safeguarding patients' privacy and making sure patient data is adequately secured, with the requirements put in by the HIPAA Privacy Rule of 2000 and the HIPAA Security Rule of 2003.
HIPAA requires covered entities (health plans, health care clearinghouses, and health care providers that conduct certain standard electronic transactions) and their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. The requirement applies to all forms of PHI, including electronic, paper, oral, etc.
The GW Privacy Office conducts periodic reviews of the university's activities involving the collection and use of individuals' identifiable health information, to determine whether any of our Departments or Clinics are subject to HIPAA requirements. We work closely with the GW community to reduce the risks to health information by assessing and classifying individuals' health information and applying appropriate security and privacy safeguards, in accordance with applicable privacy laws.
Pursuant to our periodic HIPAA applicability assessments, we determined that neither the university nor any of its Departments or Clinics are HIPAA Covered Entities, though some university Departments may act as HIPAA Business Associates, supporting the GW Medical Faculty Associates.
GW sponsors a Health and Welfare Benefit Plan, offered to eligible faculty and staff members. The Plan is subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act and the related regulations (collectively, “HIPAA”), and therefore to compliance with the university's HIPAA Policy. The policy informs employees how their protected health information (PHI) may be used and disclosed by the George Washington University Health and Welfare Benefit Plan and explains how participants can obtain access to their PHI.
- Protected Health Information (PHI)
Any personally identifiable demographic information, whether oral or recorded in any form or medium, that can be used to identify a patient.
HIPAA identifies the following PHI identifiers:
- Names
- All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
- Dates (other than years) directly related to an individual
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers including finger, retinal and voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code.
- Limited Data Set (LDS)
A limited data set is PHI that excludes 16 categories of the direct identifiers noted above but may include: city, state, ZIP code, elements of date and other numbers, characteristics or codes not listed as direct identifiers. These direct identifiers apply both to information about the individual and to information about the individual's relatives, employers or household members.
- Covered Entity (CE)
The HIPAA regulations define a covered entity as a healthcare provider, health plan, or healthcare clearinghouse involved in the transmission of protected health information (PHI). This transmission can take place for the purpose of payment, treatment, operations, billing, or insurance coverage. Covered entities can include organizations, institutions, or persons.
Health Care Providers include:
- Doctors
- Clinics
- Psychologists
- Dentists
- Chiropractors
- Nursing Homes
- Pharmacies
... only if they transmit any information in electronic form, in connection with a transaction for which HHS has adopted a standard.
Health Plans include:
- Health Insurance Companies
- HMOs
- Company Health Plans
- Government Programs that pay for healthcare (Medicaid, Medicare and military and veterans health care programs)
Healthcare Clearinghouses include:
Entities that process non-standard health information which they receive from another entity into a standard format (i.e., a standard electronic format or data content), or vice versa.
Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.
- HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
- HIPAA Security Rule
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
More information is available on the HHS.gov website.
As a researcher at GW, you may receive PHI (Protected Health Information) from a HIPAA covered entity, and therefore you must understand your obligations to ensure that PHI is released to you in a manner that complies with HIPAA and that you appropriately protect the data once received.
HIPAA allows the use and disclosure of PHI for research purposes, but such uses and disclosures must adhere to HIPAA regulations and be part of a research plan that is reviewed and approved by the Institutional Review Board (IRB).
- Research and the HIPAA Privacy Rule
The HIPAA Privacy Rule establishes the conditions under which protected health information (PHI) may be used or disclosed by covered entities for research purposes. Research is defined in the Privacy Rule as, “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” (45 CFR 46)
The Privacy Rule also defines the means by which individuals will be informed of uses and disclosures of their PHI for research purposes, and their rights to access information about them held by covered entities. Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research. Under the Privacy Rule, covered entities are permitted to use and disclose protected health information for research under the following circumstances and conditions:
- The research subject has granted specific written permission for the use of PHI for research through an authorization.
- The Institutional Review Board (IRB) has granted a waiver of the authorization requirement.
- The information is released in the form of a Limited Data Set. A covered entity may release a LDS without written patient authorization if two conditions are met:
  - The purpose of the disclosure is for research, public health or health care operations; and
  - The party disclosing the information signs a DUA (Data Use Agreement) with the data recipient that binds the LDS recipient to use or disclose the LDS only for limited, specified purposes. The DUA must establish who is permitted to use or receive the LDS and must also require recipients to use appropriate safeguards to protect the LDS from unauthorized disclosure and not attempt to identify or contact the individuals whose PHI is contained in the LDS. A Limited Data Set is still PHI.
- De-identified data: The PHI has been de-identified (by removing all 18 elements that could be used to identify the individual or the individual's relatives, employers, or household members) in accordance with the standards set by HIPAA (45 CFR 164.502(d), and 164.514(a)-(c) of the Privacy Rule), and, therefore, no longer meets the definition of PHI. See Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with HIPAA for further details.
Decedent PHI - According to federal policy, research involving deceased individuals is not considered human subjects research and therefore does not require IRB oversight unless the research study includes both living and deceased individuals. Per 45 CFR 46.102(f): A human subject is a living individual about whom an investigator conducting research obtains data through intervention or interaction with the individual or identifiable private information. The HIPAA Privacy Rule applies to the individually identifiable health information of a decedent for 50 years following the date of death of the individual. The Privacy Rule explicitly excludes from the definition of PHI individually identifiable health information regarding a person who has been deceased for more than 50 years.
- Research and the HIPAA Security Rule
The HIPAA Security Rule requires that research involving PHI use physical, technical and administrative safeguards to protect confidentiality. GW PIs must comply with the GW Data Classification and Protection Guide when conducting research with HIPAA protected information. Researchers must implement secure storage solutions, such as locked filing cabinets for paper records containing PHI. When using electronic systems, password-protected access, encryption, and audit trails are required to track who accesses and uses ePHI.
Security requirements for Limited Data Sets (LDS) focus on removing direct identifiers and establishing a Data Use Agreement (DUA) that prohibits re-identification and mandates appropriate safeguards from the recipient. Technical measures include encryption, access controls, audit logs, firewalls, and data loss prevention.
HIPAA doesn't set specific security requirements for de-identified data, as de-identified data is no longer considered protected health information (PHI) and therefore falls outside the HIPAA Privacy and Security Rules' direct requirements. However, for a de-identified data set to be compliant, it must not contain any of the 18 HIPAA identifiers, and the researcher(s) using it must have no actual knowledge that the remaining information could be used to identify an individual.
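A worked illustration of the distinction this page draws between a Limited Data Set and Safe Harbor de-identified data, added here as example code (not from GW or HHS): it strips the 16 direct identifiers for an LDS, and for Safe Harbor additionally generalizes ZIP codes under the 20,000-population rule, reduces dates to the year, and applies the regulation's age-over-89 aggregation, which this page does not spell out. The field names, the sample records and the small-ZIP table are assumptions.

```python
import re
from datetime import date

# The 16 direct identifiers an LDS must drop; Safe Harbor drops these too,
# plus city-level geography and all date elements except the year.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
}
# Assumed three-digit ZIP prefixes covering 20,000 or fewer people; the real
# set comes from current Census data and must be refreshed periodically.
SMALL_ZIP3_AREAS = {"036", "059", "102"}
DATE_FIELDS = {"dob", "visit_date", "discharge_date"}

def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits, or '000' for sparsely populated areas."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if zip3 in SMALL_ZIP3_AREAS else zip3

def deidentify(record: dict, mode: str, today=None) -> dict:
    """Return a copy of record reduced to an LDS ('lds') or a Safe Harbor
    de-identified set ('safe_harbor'). Date fields must be datetime.date."""
    if mode not in ("lds", "safe_harbor"):
        raise ValueError(f"unknown mode: {mode}")
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if mode == "lds":
        return out  # still PHI: city/state/ZIP and full dates remain, DUA required
    for geo in ("city", "county", "precinct"):  # only state-level geography may stay
        out.pop(geo, None)
    if "zip" in out:
        out["zip"] = generalize_zip(out["zip"])
    for k in DATE_FIELDS.intersection(out):
        out[k] = str(out[k].year)  # year is the only permitted date element
    if "dob" in record:  # ages over 89 collapse to a single '90+' category
        today = today or date.today()
        dob = record["dob"]
        age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
        if age > 89:
            out["dob"] = "90+"
    return out

# Constructed sample records (not real patients).
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-0001", "street_address": "1 Main St",
    "city": "Springfield", "state": "VT", "zip": "05901-1234",
    "dob": date(1930, 5, 4), "visit_date": date(2023, 8, 15), "diagnosis": "J45.20",
}
YOUNG = {**SAMPLE, "dob": date(2000, 6, 30), "zip": "20052"}
```

Running `deidentify(SAMPLE, "lds")` keeps city, state, full ZIP and dates, whereas `deidentify(SAMPLE, "safe_harbor")` leaves only state, a generalized ZIP, the visit year and a "90+" age marker beside the diagnosis.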
GW researchers must document robust and compliant Data Management Plans, outlining how PHI and/or an LDS will be managed and documented throughout a research project, including the appropriate security and privacy controls for complying with data use agreements. For assistance with documenting a Data Management Plan for your research project, contact the GW Data Services Librarians.
- Resources
Online training
Various HIPAA training modules are available in Talent@GW for medical students and residents, researchers, and any staff and faculty members interested in learning about this law. These modules include: HIPAA Training for Covered Entities and Business Associates, HIPAA Security Training, and HIPAA Training for Researchers. The full list of available online HIPAA training modules can be reviewed in Talent@GW.
Additional Training Materials are offered by the US Department of Health & Human Services.