HIPAA Information

HIPAA Privacy Rule

HIPAA (the Health Insurance Portability and Accountability Act of 1996) went into effect on April 14, 2003. The purpose of the Privacy Rule is to establish minimum Federal standards for safeguarding the privacy of individually identifiable health information. It does not replace or modify the Common Rule or FDA regulations. The intent of the Privacy Rule in the context of clinical research is to enhance human subjects protections.

The Privacy Rule protects one type of health information, which it calls protected health information (PHI).  PHI is health information plus an identifier held by a covered entity.  A covered entity can be a person or an institution.  The Privacy Rule defines 18 identifiers:  Names, all geographic subdivisions smaller than a State (street address, city, county, precinct, zip code), all elements of date (birth date, admission date, discharge date, date of death), telephone numbers, fax numbers, email addresses, Social Security numbers, medical records and prescription numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, VIN and serial numbers, license plate numbers, device identifiers and serial numbers, Web URLs, IP address numbers, biometric identifiers (fingerprints), full face and comparable photo images, and unique identifying numbers, unless otherwise permitted for re-clarification.

Under the Privacy Rule, a researcher needs written authorization from the study participants to use their PHI.  St John Hospital and Medical Center has a standard form entitled “Authorization to Use and Disclose Protected Health Information (PHI)”, which is contained in the IRB Model Consent and Authorization Template .

Some research may not require study participants to give their authorization if the PHI has been de-identified.  This means that all 18 identifiers have been removed from the PHI.  In addition, authorization is not needed for research screening or recruitment if no PHI will be removed from the institution and the researcher is a part of the institution.  For further information regarding the Privacy Rule, please contact the St John Hospital and Medical Center IRB staff.