HIPAA or Not HIPAA? Is it PHI?
HIPAA is a federal privacy law that protects Protected Health Information (PHI). PHI is individually identifiable health information created or received by a Covered Entity/Component.
How research data is classified matters in the following ways:
- Safeguarding Data: The classification of the data under BU’s Data Classification Guide tells you what safeguards you need to make sure are in place at all times during your research. Restricted Use data is the most sensitive form of data, and it applies to both PHI and any identifiable health information—even if it is not HIPAA covered. You can find BU’s standards for protecting Restricted Use data here. PHI under HIPAA is subject to additional safeguards by IT such as audits and other security measures; there is nothing you need to do about that.
- Reporting a Potential Breach: If your research data is lost, or disclosed in an unauthorized manner, or used in an unauthorized manner, you must tell the IRB. If it is an electronic information security matter (such as a hacking, lost unencrypted laptop, or other information security incident, you must also immediately alert firstname.lastname@example.org. If it is PHI, you must also inform the HIPAA privacy and security officers at HIPAA@bu.edu.
- Consequences of HIPAA Breach: If the data is subject to HIPAA and is breached, the BU HIPAA Privacy Officer and Security Officer will need to notify the patients whose data was breached, and the federal department of Health and Human Services, and if over 500 persons are affected, the media.
- Access to PHI: If you wish to access PHI from a HIPAA covered entity, see the section below on Access.
Researcher Obligations Under HIPAA and BU Policy to Secure Human Subjects Data
Whether human subjects research data is PHI covered by HIPAA or not, if it is possible to identify any subject, then it will be considered Restricted Use Data under BU’s Data Classification Policy. Researchers must follow all IT policies related to Restricted Use Data in either event. See http://www.bu.edu/policies/information-security-home/data-protection-standards/minimum-security-standards.
Which sources of data are covered by HIPAA?
These sources of data are covered by HIPAA
Below are examples of BU and external sources of research information that are, and others that are not, Covered Entities/Components. Note that each Covered Component is considered to be a separate entity from each other Covered Component.
BU HIPAA covered components:
- Jessie and Albert Danielsen Institute
- BU Rehabilitation Services, including the Physical Therapy Center and the Neuro-Rehab Center
- Sargent Choice Nutrition Center
- GSDM’s Dental Clinics at 100 E. Newton and 930 Commonwealth Avenue
- BU Dental Plan
- BU Flexible Benefit Plan
- BU Health Plan
Research by the workforce members of any of these components using patient data from that component likely is subject to HIPAA.
Non-BU sources of PHI for research
This Policy does not attempt to list all non-BU entities that are Covered Entities, but commonly encountered Covered Entities external to BU include:
- Any medical practice belonging to the Boston University Medical Group
- Boston Medical Center
- Health care claims clearing houses
- Most health benefit plans
- Most health care clinics
- Most hospitals
- Other health care providers participating in the BMC Health Network
Covered Entities will require either a patient Authorization or a waiver of Authorization to release their PHI to a BU researcher. However, once released to researchers outside the Covered Entity, the data will be subject to HIPAA only if it is disclosed to another Covered Entity. For example:
- If BMC discloses PHI to a researcher at the BU School of Medicine or School of Public Health, it is Restricted Use Data under BU policy, but is not PHI.
- If a physician’s office releases PHI to researchers at the Danielsen Institute, that research remains PHI because both the physician’s office and the Danielsen Institute are HIPAA Covered Entities.
These sources of data are not covered by HIPAA
BU components not covered by HIPAA
The following BU components have some health information, and may provide clinical services, but have not been designated as HIPAA Covered Components by BU; therefore, BU researchers using data from these sources will not have HIPAA obligations:
- BU Occupational Health Center
- BU Student Health Services (records are protected under FERPA)
- Center for Anxiety Related Disorders (CARD)
- Faculty Staff Assistance Office
- Health information contained in BU employment records
- Health information that may have been PHI, but has been de-identified in accordance with BU’s HIPAA Policy on De-Identification.
- Sargent Academic Speech, Language and Hearing Center
- Sargent Aphasia Resource Center
- Sargent Center for Psychiatric Rehabilitation
- The Framingham Heart Study
- Vocational Therapy Center
Records from these sources when used in research are subject to privacy restrictions found in professional standards and human subjects research standards, but are not subject to HIPAA standards.
Non-BU sources not covered by HIPAA
Other sources of health data external to BU that are not subject to HIPAA include:
- Community research on health issues that relies on health data obtained from consented study subjects, and not from any covered entity
- Research on vital statistics data obtained from a governmental agency;
- Research using data from any other source not covered by HIPAA.
- Research using de-identified PHI from any source. If the data is properly de-identified, it is not PHI and HIPAA will not apply to the research.
Records from these sources used in research are not subject to HIPAA standards but may be subject to other restrictions.
Health information of Decedents who have been deceased for at least 50 years
See separate HIPAA policy on research using Decedents’ information. 5.4, 5.5 HIPAA does not protect health information of persons who have been deceased over 50 years because health information of a person deceased for 50+ years is excluded from the definition of PHI.
Limited Data Sets
A Limited Data Set under HIPAA is a data set that does not contain any of the following elements:
- Postal address information, other than town or city, state, and zip code;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints; and
- Full face photographic images and any comparable images.
If a researcher obtains from a Covered entity/Component only a Limited Data Set, the Covered Entity/Component may release that data pursuant to a Data Use Agreement. Limited Data Sets are PHI, but instead of being subject to HIPAA, their disclosure to the researcher is subject to a Data Use Agreement with the Covered Entity/Component, rather than general HIPAA rules.
Examples of PHI subject to HIPAA
- If the research involves clinical care of patients by a BU Covered Component, HIPAA governs.
- Contrast: If the researcher/provider uses only de-identified data derived from the clinical files, it is not PHI when used for research.
- If the research is performed by the Covered Entity/Component that created the clinical data, it is PHI. Examples:
- The Danielsen Institute faculty use records of Danielsen patients to compare the efficacy of meditation versus cognitive behavioral therapy; the clinical data remains PHI during the research, unless it is de-identified.
- The Danielsen Institute faculty use clinical data from the BU Center for Anxiety and Related Disorders (“CARD”), which is not a HIPAA Covered Component. That clinical data is not PHI at CARD and is not PHI when used in research by the Danielsen Institute.
- A hospital has a research grant involving the use of the same hospital’s clinical data. That clinical data when used by the hospital’s researchers for research purposes remains PHI, until it is de-identified.
- Sargent Choice Nutrition is collaborating on research with BU Physical Therapy (“BU PT”), both Covered Components. If Sargent Choice Nutrition discloses health information to BU PT, that health information remains PHI after being disclosed to Sargent because both entities are Covered Components.
Protected Health Information (PHI)
What is PHI?
- An individual’s past, present or future physical or mental health or condition,
- The past, present, or future payment for the provision of health care to anindividual, or,
- The provision of health care to an individual.
What is not PHI?
Health information that does not identify an individual or that cannot be used to identify an individual is not PHI, but great rigor is required to confirm that no identifier is present in the dataset. For example, a data set of vital signs by themselves do not constitute Protected Health Information. However, if the vital signs data set includes medical record numbers, then the data set has not been successfully deidentified, and must be protected as PHI.
There are some types of health information that are not protected as PHI, even if they clearly identify the individual:
- Information about an individual who has been deceased for more than 50 years: HIPAA does not protect this information.
- Information in BU’s Human Resources records about BU employees
- Information in education records or treatment records covered by FERPA
- Information in treatment records retained solely by units of BU that are not designated as Covered Components
Training for working with PHI
Any researcher who works with Human Subjects must complete the BU specific HIPAA training module, which can be found on the CITI platform under the name “HIPAA in BU Research (Charles River Campus).” Researchers must repeat this training every 3 years.
Researchers on the BU medical campus can find their training requirements here.
Access to PHI in Research
The use and/or disclosure of PHI in research must have the appropriate authorizations. Generally, a Covered Entity/Component may disclose PHI to a researcher when the researcher obtains either:
- An individual written patient Authorization, or
- Waiver or Alteration of Patient Authorization, which may be in one of three forms: Waiver Preparatory to Research; Partial Waiver; Full Waiver.
- Activities preparatory to research
- Conducting clinical research
- Conducting retrospective studies
- Creating Data Repositories
- Recruiting research subjects
- Using information from a Data Repository
Pathways to access at each stage of research
When the researcher has ruled out using de-identified data, a limited data set, or decedents’ data, the researcher must obtain Authorizations or Waivers, as described below:
Most Common: Authorization
Activities Preparatory to Research
Activities preparatory to research include reviewing medical records of a Covered Entity or Component to determine whether a sufficient number of patients likely to qualify for the recruitment can be found in those records; reviewing medical records to obtain information useful in designing the research proposal or study; and any other similar activities which are undertaken in anticipation of or preparation for a research study. HIPAA permits access to PHI for these purposes only with patient authorization or with a Waiver granted by the Covered Entity. The HIPAA Contact at each Covered Entity can provide a waiver, if certain conditions are met.
NOTE: The IRBs do not manage Waivers Preparatory to Research.
This may seem like an unnecessary hurdle to researchers, but it is not. HIPAA requires the waiver because HIPAA also requires Covered Entities/Components to track disclosures of all PHI for any purpose other than treatment, payment, health care operations and disclosures pursuant to patient authorization, and to include them in an accounting of disclosures, in the event a patient exercises his/her right to request an accounting.
HIPAA rules when creating a clinical data repository with patient Authorization
Written Authorization by Patient following approval by IRB
The Privacy Rule permits a covered entity to include an individual’s PHI in a clinical research recruitment database provided the individual has given permission through a written Authorization. The Authorization must inform the individual of the purpose for which (e.g., for the pre-screening log for one or more clinical trials) and what PHI will be used and meet the other requirements of the Privacy Rule. Contact the CRC IRB if you wish to create a new clinical data repository with patient Authorization.
Creating a clinical data repository when patient Authorization is not feasible
For the IRB to grant a waiver or an alteration of Authorization to create a research database requires, among other things, a statement that an IRB has determined that the researcher has provided adequate written assurances that PHI in the database will not be further used or disclosed except as permitted by the Privacy Rule (e.g., for research uses and disclosures with an Authorization or waiver).
Whenever possible, a researcher creating a clinical data repository should limit the elements captured to a De-identified data or a Limited Data Set.
Individuals’ Right to Access and/or an Accounting of Disclosures Pursuant to a Waiver
Study subjects’ right to access their research records during the course of a clinical trial
The Privacy Rule permits the covered entity to insert in the Authorization form a statement by which the subject agrees to the suspension of right to access his/her PHI during the clinical trial until completion of the research.
Recruiting Research Subjects
Recruitment Pursuant to Patient Written Authorization
While written patient Authorization always allows a researcher to contact potential study subjects, that is rarely feasible, as patients will not know about the study until contacted. This option may be available if, in setting up a Data Repository, written Authorization was given (and not revoked) for the purpose of patient recruitment.
Recruitment by Health Care Provider
A health care provider may discuss with his/her patient possible enrollment in clinical research, without first obtaining the patient’s written Authorization. This applies to research studies conducted by either the treating provider or any other provider in the treating provider’s component.
A provider may also discuss with patients of his or her Covered Entity/Component participation in a study that is being conducted by a different Covered Entity. In that case, the provider may discuss participation in a trial with the patient and give the patient the researcher’s contact information so the patient may contact the researcher directly. However, the physician may not disclose the patient’s PHI to the researcher from another Covered Entity/Component unless the patient provides a written Authorization, or unless other conditions that satisfy the Privacy Rule are met.
Partial Waiver of Authorization for Recruitment
Often, the researcher is granted a Partial Waiver of Authorization for recruitment purposes by the IRB. In order to obtain the Partial Waiver, the researcher must assure the IRB of the following:
- The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
- An adequate plan to protect the identifiers from improper use and disclosure.
- An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law.
- Adequate written assurances that the PHI will not be reused or disclosed except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by the Privacy Rule.
- The research could not practicably be conducted without the waiver or alteration.
- The research could not practicably be conducted without access to and use of the PHI.
Note this waiver will apply only to recruitment, i.e., using demographic data from the patient’s PHI in order to contact the patient about the research study. If the patient declines to enroll, the researcher must cease contact with the patient and follow the terms of the Waiver in returning/deleting the patient’s contact information.
Use of PHI for Research When Patients do not Personally Participate
- Obtain the individual’s Authorization for the research use or disclosure; this is unusual, but may occur if in setting up a data depository, the researcher knew in advance how the data was going to be used and obtained patient Authorization, on a form approved by the IRB, at the time the information was collected.
- Obtain an IRB Waiver or Alteration of the Authorization requirement.
- Use De-Identified Data
- Use a Limited Data Set, which will be subject to a Data Use Agreement rather than general HIPAA requirements.
Using PHI in a Data Repository
Clinical research will not generally qualify for a waiver of the Authorization if a clinical research participant will be asked to sign an informed consent before entering the study. Waiver of Authorization is used primarily in research that involves retrospective data studies.
Other policies you must follow to protect PHI are found here:
Reporting Potential Breaches
Everyone involved in Research, and everyone at BU with access to PHI, is obligated to report any potential breach to the HIPAA Privacy Officer.
How to Report
Please report to the HIPAA Privacy Officer directly via phone at 617-348-3124 or email at email@example.com.
If the incident involves PHI in electronic form, please also report to firstname.lastname@example.org.
BU will not retaliate against any employee who reports a possible violations of law or of BU HIPAA policies in good faith.
What is considered a breach?
A “breach” under HIPAA is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the BU Privacy Officer demonstrates that there is a low probability that the protected health information has been compromised.
Security Incidents are possible breaches of electronic PHI. If you become aware of or suspect a possible Security Incident, please contact the BU Incident Response Tean immediately.
After a potential breach is reported
Additional Resources & Contacts
BU Medical Campus HIPAA-covered component or Boston Medical Center
For access to records, contact the BU Medical Campus IRB for guidance and the records administrator for assistance.
Charles River Campus HIPAA-covered component
For access to records, contact the HIPAA-covered component’s records administrator (who may consult with the BU Privacy Officer or the BU Office of the General Counsel).
Covered Entities external to BU
For access to records, contact the covered entity’s records administrator or Privacy Officer.
HIPAA Policies & Resources
Additional HIPAA policies the researcher should be aware of and follow:
- HIPAA Privacy Policies
- HIPAA Security Policies
- Data Protection Standards
- BU Data Protection – Release of Electronic Protected Health Information
- If you are using PHI from an entity external to BU, be sure to become familiar with that entity’s policies.