HIPAA is a federal privacy law that protects Protected Health Information (PHI). PHI is individually identifiable health information created or received by a Covered Entity\/Component.<\/p>\n
How research data is classified matters in the following ways:<\/p>\n
Whether human subjects research data is PHI covered by HIPAA or not, if it is possible to identify any subject, then it will be considered Restricted Use Data under BU\u2019s Data Classification Policy<\/a>. Researchers must follow all IT policies related to Restricted Use Data in either event. See https:\/\/www.bu.edu\/policies\/minimum-security-standards\/<\/a><\/p>\n Below are examples of BU and external sources of research information that are, and others that are not, Covered Entities\/Components. Note that each Covered Component is considered to be a separate entity from each other Covered Component. Research by the workforce members of any of these components using patient data from that component likely is subject to HIPAA.<\/p>\n This Policy does not attempt to list all non-BU entities that are Covered Entities, but commonly encountered Covered Entities external to BU include:<\/p>\n Covered Entities will require either a patient Authorization or a waiver of Authorization to release their PHI to a BU researcher. However, once released to researchers outside the Covered Entity, the data will be subject to HIPAA only if it is disclosed to another Covered Entity. For example:<\/p>\n The following BU components have some health information, and may provide clinical services, but have not been designated as HIPAA Covered Components by BU; therefore, BU researchers using data from these sources will not have HIPAA obligations:<\/p>\n Records from these sources when used in research are subject to privacy restrictions found in professional standards and human subjects research standards, but are not subject to HIPAA standards.<\/p>\n Other sources of health data external to BU that are not subject to HIPAA include:<\/p>\n Records from these sources used in research are not subject to HIPAA standards but may be subject to other restrictions.<\/p>\n See separate HIPAA policy on research using Decedents’ information. 5.4, 5.5<\/a> HIPAA does not protect health information of persons who have been deceased over 50 years because health information of a person deceased for 50+ years is excluded from the definition of PHI.<\/p>\n A Limited Data Set under HIPAA is a data set that does not contain any of the following elements:<\/p>\n If a researcher obtains from a Covered entity\/Component only a Limited Data Set, the Covered Entity\/Component may release that data pursuant to a Data Use Agreement. Limited Data Sets are PHI, but instead of being subject to HIPAA, their disclosure to the researcher is subject to a Data Use Agreement with the Covered Entity\/Component, rather than general HIPAA rules.<\/div>\n<\/div>\n\n <\/div>\n<\/div>\n\n <\/a><\/p>\n <\/div>\n<\/div>\n\n There are some types of health information that are not protected as PHI, even if they clearly identify the individual:<\/p>\n <\/div>\n<\/div>\n\n Any researcher who works with Human Subjects must complete the BU specific HIPAA training module, which can be found on the CITI platform under the name “HIPAA in BU Research (CRC).” Researchers must repeat this training every 3 years.<\/p>\n Researchers on the BU medical campus can find their training requirements here<\/a>.<\/p>\n <\/div>\n<\/div>\n\n The use and\/or disclosure of PHI in research must have the appropriate authorizations. Generally, a Covered Entity\/Component may disclose PHI to a researcher when the researcher obtains either:<\/p>\n When the researcher has ruled out using de-identified data, a limited data set, or decedents\u2019 data, the researcher must obtain Authorizations or Waivers, as described below:<\/p>\n Activities preparatory to research include reviewing medical records of a Covered Entity or Component to determine whether a sufficient number of patients likely to qualify for the recruitment can be found in those records; reviewing medical records to obtain information useful in designing the research proposal or study; and any other similar activities which are undertaken in anticipation of or preparation for a research study. HIPAA permits access to PHI for these purposes only with patient authorization or with a Waiver granted by the Covered Entity. The HIPAA Contact at each Covered Entity can provide a waiver, if certain conditions are met.<\/p>\n NOTE: The IRBs do not manage Waivers Preparatory to Research.<\/p>\n This may seem like an unnecessary hurdle to researchers, but it is not. HIPAA requires the waiver because HIPAA also requires Covered Entities\/Components to track disclosures of all PHI for any purpose other than treatment, payment, health care operations and disclosures pursuant to patient authorization, and to include them in an accounting of disclosures, in the event a patient exercises his\/her right to request an accounting. The Privacy Rule permits a covered entity to include an individual’s PHI in a clinical research recruitment database provided the individual has given permission through a written Authorization. The Authorization must inform the individual of the purpose for which (e.g., for the pre-screening log for one or more clinical trials) and what PHI will be used and meet the other requirements of the Privacy Rule. Contact the CRC IRB if you wish to create a new clinical data repository with patient Authorization.<\/p>\n For the IRB to grant a waiver or an alteration of Authorization to create a research database requires, among other things, a statement that an IRB has determined that the researcher has provided adequate written assurances that PHI in the database will not be further used or disclosed except as permitted by the Privacy Rule (e.g., for research uses and disclosures with an Authorization or waiver).<\/p>\n Whenever possible, a researcher creating a clinical data repository should limit the elements captured to a De-identified data or a Limited Data Set. The Privacy Rule permits the covered entity to insert in the Authorization form a statement by which the subject agrees to the suspension of right to access his\/her PHI during the clinical trial until completion of the research. While written patient Authorization always allows a researcher to contact potential study subjects, that is rarely feasible, as patients will not know about the study until contacted. This option may be available if, in setting up a Data Repository, written Authorization was given (and not revoked) for the purpose of patient recruitment.<\/p>\n A health care provider may discuss with his\/her patient possible enrollment in clinical research, without first obtaining the patient’s written Authorization. This applies to research studies conducted by either the treating provider or any other provider in the treating provider\u2019s component.<\/p>\n A provider may also discuss with patients of his or her Covered Entity\/Component participation in a study that is being conducted by a different Covered Entity. In that case, the provider may discuss participation in a trial with the patient and give the patient the researcher’s contact information so the patient may contact the researcher directly. However, the physician may not disclose the patient\u2019s PHI to the researcher from another Covered Entity\/Component unless the patient provides a written Authorization, or unless other conditions that satisfy the Privacy Rule are met.<\/p>\n Often, the researcher is granted a Partial Waiver of Authorization for recruitment purposes by the IRB. In order to obtain the Partial Waiver, the researcher must assure the IRB of the following:<\/p>\n Note this waiver will apply only to recruitment, i.e., using demographic data from the patient\u2019s PHI in order to contact the patient about the research study. If the patient declines to enroll, the researcher must cease contact with the patient and follow the terms of the Waiver in returning\/deleting the patient\u2019s contact information. <\/div>\n<\/div>\n\n Clinical research will not generally qualify for a waiver of the Authorization if a clinical research participant will be asked to sign an informed consent before entering the study. Waiver of Authorization is used primarily in research that involves retrospective data studies.<\/p>\n <\/div>\n<\/div>\n\n <\/p>\n If you have any question on how the rules apply to your research, please contact the HIPAA Privacy Officer<\/a> or HIPAA Security Officer<\/a>.<\/p>\n Other policies you must follow to protect PHI are found here:<\/p>\n Everyone involved in Research, and everyone at BU with access to PHI, is obligated to report any potential breach to the HIPAA Privacy Officer.<\/p>\n Report Potential Breach<\/a><\/p>\n Please report to the HIPAA Privacy Officer directly via phone at 617-348-3124 or email at hipaa@bu.edu<\/a>.<\/p>\n If the incident involves PHI in electronic form, please also report to irt@bu.edu<\/a>.<\/p>\n BU will not retaliate against any employee who reports a possible violations of law or of BU HIPAA policies in good faith.<\/p>\n A “breach” under HIPAA is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the BU Privacy Officer demonstrates that there is a low probability that the protected health information has been compromised.<\/p>\n Security Incidents are possible breaches of electronic PHI. If you become aware of or suspect a possible Security Incident, please contact the BU Incident Response Tean<\/a> immediately.<\/p>\n <\/div>\n<\/div>\n\n <\/p>\n For access to records, contact the BU Medical Campus IRB<\/a> for guidance and the records administrator for assistance.<\/p>\nWhich sources of data are covered by HIPAA?<\/h3>
These sources of data are covered by HIPAA<\/h4>\n
\n<\/a><\/p>\nBU HIPAA covered components:<\/h5>\n
\n
Non-BU sources of PHI for research<\/h5>\n
\n
\n
These sources of data are not covered by HIPAA<\/h4>\n
BU components not covered by HIPAA<\/h5>\n
\n
Non-BU sources not covered by HIPAA<\/h5>\n
\n
Special Circumstances<\/h4>\n
Health information of Decedents who have been deceased for at least 50 years<\/h5>\n
Limited Data Sets<\/h5>\n
\n
Examples of PHI subject to HIPAA<\/h3>
\nGenerally speaking, research data will be PHI subject to HIPAA protections in the following circumstances:<\/p>\n\n
\n
\n
Protected Health Information (PHI)<\/h2>\n
What is PHI?<\/h3>
\n
What is not PHI?<\/h3>
\n
Training for working with PHI<\/h3>
Access to PHI in Research<\/h2>\n
\n
\n
Pathways to access at each stage of research<\/h3>\n
Most Common: Authorization<\/h4>
\nHaving a patient sign a HIPAA Authorization when consenting to participate in research is the most common pathway for access in clinical research. The Authorization may be combined with the study subject Consent, in which case the combined document must be approved by the IRB. If you do not combine the HIPAA Authorization with the Consent, you must have the IRB approve the Consent, and use the approved HIPAA Authorization form. If you wish to alter the approved HIPAA Authorization in any way, please contact the BU Privacy Officer. You can find the approved Authorization here.
\n<\/div>\n<\/div>\n\nActivities Preparatory to Research<\/h4>
\n<\/div>\n<\/div>\n\nHIPAA rules when creating a clinical data repository with patient Authorization<\/h4>
Written Authorization by Patient following approval by IRB<\/h6>\n
Creating a clinical data repository when patient Authorization is not feasible<\/h6>\n
\n<\/div>\n<\/div>\n\nIndividuals\u2019 Right to Access and\/or an Accounting of Disclosures Pursuant to a Waiver<\/h4>
Study subjects\u2019 right to access their research records during the course of a clinical trial<\/h6>\n
\n<\/div>\n<\/div>\n\nRecruiting Research Subjects<\/h4>
Recruitment Pursuant to Patient Written Authorization<\/h6>\n
Recruitment by Health Care Provider<\/h6>\n
Partial Waiver of Authorization for Recruitment<\/h6>\n
\n
\n
\n<\/div>\n<\/div>\n\nUse of PHI for Research When Patients do not Personally Participate<\/h4>
\nFor use or disclosure of PHI for research purposes from a repository or database maintained by the covered entity, and for retrospective studies based solely on medical records, the researcher has the following options to comply with HIPAA:<\/p>\n\n
Using PHI in a Data Repository<\/h4>
\nUse of the PHI is a separate activity from creating a database; thus, the researcher must either obtain Written Authorization; Waiver by IRB; use de-identified data; or use a Limited Data Set pursuant to a Data Use Agreement.<\/p>\nQuestions<\/h2>\n
Reporting Potential Breaches<\/h2>\n
How to Report<\/h3>\n
What is considered a breach?<\/h3>
After a potential breach is reported<\/h3>
\nThe HIPAA Privacy Officer or HIPAA Security Officer will determine if an incident is a “breach” under HIPAA; that is not a judgment a researcher is authorized to make. If the circumstance is determined to be a breach, BU will be required to provide notification of the breach to affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, the media. This process is managed by the HIPAA Privacy Officer and HIPAA Security Officer.
\n<\/div>\n<\/div>\n\nAdditional Resources & Contacts<\/h2>\n
BU Medical Campus HIPAA-covered component or Boston Medical Center<\/h4>\n
Charles River Campus HIPAA-covered component<\/h4>\n