health insurance portability and accountability act hipaa and human research n.
Skip this Video
Loading SlideShow in 5 Seconds..
Health Insurance Portability and Accountability Act (HIPAA) and Human Research PowerPoint Presentation
Download Presentation
Health Insurance Portability and Accountability Act (HIPAA) and Human Research

Loading in 2 Seconds...

play fullscreen
1 / 16

Health Insurance Portability and Accountability Act (HIPAA) and Human Research - PowerPoint PPT Presentation

  • Uploaded on

Health Insurance Portability and Accountability Act (HIPAA) and Human Research. Vanderbilt University Medical Center Education Module. Vanderbilt as a Hybrid Entity.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Health Insurance Portability and Accountability Act (HIPAA) and Human Research

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
health insurance portability and accountability act hipaa and human research

Health Insurance Portability and Accountability Act (HIPAA) and Human Research

Vanderbilt University Medical Center

Education Module

vanderbilt as a hybrid entity
Vanderbilt as a Hybrid Entity

HIPAA is a federal law that protects the privacy and security of an individual’s health information held by a “Covered Entity.” HIPAA supplements the Common Rule and the FDA’s protections for human subjects. For purposes of HIPAA, “Covered Entity” includes health care providers, health care plans, and health care clearinghouses that conduct specified transactions electronically.

Vanderbilt University is engaged in both Covered Entity functions and other activities that are not Covered Entity functions and is therefore considered a Hybrid Entity.

HIPAA regulations only apply to the Covered Entity functions.

hybrid entity covered entity designation
Hybrid Entity Covered Entity Designation

As of March 30, 2005 the Vanderbilt Covered Entity (VCE) includes:

  • Vanderbilt University Medical Center hospitals, clinics, and practices
  • Vanderbilt Medical Group (VMG)
  • Vanderbilt School of Medicine (SOM)
  • Vanderbilt School of Nursing (SON)
  • Vanderbilt Health Plan
  • VUMC Administration

for covered functions that involve the use and disclosure of PHI.

Whether a Vanderbilt function or individual’s activity on behalf of VU is included in the VCE is hereafter determined based not upon any particular dept/unit, but instead upon the data being used and/or disclosed.

data categories
Data Categories
  • Individually Identifiable Health Information (IIHI) –

information collected from an individual that is created or received by a health care provider, employer, plan, or clearinghouse and relates to the past, present, or future physical or mental condition of the individual; the provision of health care to an individual; or the past, present, or future payment for the provision of care; and identifies the individual or can reasonably be used to identify the individual.

  • Protected Health Information (PHI) – IIHI transmitted or maintained in any form by a covered function within the Vanderbilt covered entity. This specifically excludes education and employment records, as well as research health information.
data categories1
Data Categories
  • Research Health Information (RHI) – a term used by Vanderbilt to identify Individually Identifiable Health Information (IIHI) used for research purposes that is not PHI, and thus is NOT subject to the HIPAA privacy and security regulations. RHI is created in connection with research activity and is not created in connection with patient care activity. If a researcher is also a health care provider and IIHI is created in connection with the researcher’s health care provider activities, then the IIHI is PHI and is subject to HIPAA.

IIHI that is created as PHI and is needed for research purposes may be disclosed to a researcher subject to the IRB approval process, which includes proper patient authorization or IRB waiver of authorization. After the PHI is properly disclosed to the research setting, the IIHI transferred to the research setting becomes RHI, which is no longer subject to the requirements of HIPAA.

phi rhi prepared by daniel masys m d
PHI <-> RHI(prepared by Daniel Masys, M.D.)

Internal disclosure





converts PHI to RHI

whose use is governed

by terms of authorization

or IRB waiver

Subject to

HIPAA requirements

(and potentially, penalties)



Researchcreatesnew information added to medical records

data categories2
Data Categories
  • De-identified Data – IIHI that has been stripped of the 18 identifiers of the individual or relatives, employers, or household members of the individual as defined in the HIPAA regulations. Fully de-identified data is no longer considered PHI and therefore is not subject to HIPAA requirements.
  • Limited Data Set (LDS) -PHI that excludes direct identifiers of the individual or relatives, employers, or household members of the individual with certain exceptions including city, state, zip code, elements of dates, and other numbers, characteristics or codes not listed as direct identifiers.
hipaa defined identifiers that must be removed from phi to be a limited data set
HIPAA Defined Identifiers That Must be Removed from PHI to be a Limited Data Set
  • Names;
  • Postal address information, other than town or city, State, and zip code;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers & serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints; and
  • Full face photographic images and any comparable images.
Identifiers That Must Be Removed In Addition to Those Required for a LDS if the Data is to be Fully De-Identified
  • All geographic subdivisions smaller than a State, including street address, county, precinct, and their equivalent geocodes, except for the initial three digits of a zip code under certain circumstances;
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all individual ages over 89;
  • Any other unique identifying number, characteristic, or code, except as permitted under the implementation specifications for re-identification.
uses and disclosures for research
Uses and Disclosures for Research

HIPAA and VUMC policy generally limit the use and disclosure of PHI to treatment, payment, and administrative operation (TPO) functions, unless proper authorization is secured from the patient. Research falls outside of TPO and will always require specific authorization or other protections.

PHI can be used or disclosed for research purposes if one of the following conditions is met:

With a specific authorization signed by the patient

With an IRB waiver of this authorization

Under the “Preparatory to Research” criteria in IRB Policy X.A

As a limited data set in conjunction with a Data Use Agreement

As fully de-identified data

For research on decedents

Disclosures related to FDA-regulated products.


Requirements for Use or Disclosure of Data for Human Research


Limited Data Set

De- identified Data



Exempt research, no PHI

IRB Exemption

IRB waiver

Patient Authorization

Waiver from IRB


Data Use Agreement

Accounting of disclosure is NOT required

Accounting of disclosure is NOT required

Accounting of disclosure NOT required

Disclosure Accounting


requirements for use or disclosure of data for research

Requirements for Use or Disclosure of Data for Research

The table below shows, generally, how the HIPAA rules apply to the IRB oversight of human research.

use of phi for research requires patient authorization or waiver of authorization from the irb
Use of PHI for Research Requires Patient Authorization or Waiver of Authorization from the IRB
  • PHI may be disclosed to a researcher who is also a health care provider pursuant to patient authorization or IRB Waiver
  • Use of PHI with proper patient authorization does NOT require disclosure tracking.
  • Use of PHI through an IRB Waiver of Authorization DOES require disclosure tracking (even for use by a Vanderbilt researcher)
  • Disclosure Tracking may be done for each record through the online system accessed through StarPanel; or a direct link on the HIPAA website; or in batch using a Disclosure Template available from the Privacy Office
use of a limited data set
Use of a Limited Data Set
  • HIPAA allows the VCE to disclose partially de-identified data – called a limited data set – for research purposes without obtaining patient authorization or an IRB waiver of authorization.
  • Use of a Limited Data Set does NOT trigger the requirement for disclosure tracking.
  • Use of a Limited Data Set always requires a Data Use Agreement.
  • The IRB application forms contain the required elements of a Data Use Agreement for use and disclosure of data within Vanderbilt University in the Section labeled Intra-Vanderbilt Data Use Agreement.
  • A stand alone external Data Use Agreement must be prepared whenever the LDS will be shared for use or disclosure by a person or entity not employed by Vanderbilt University. This language can be obtained from the Office of Grants and Contract Management or the Privacy Office.
research activities without irb review
Research Activities Without IRB Review

HIPAA permits researchers to conduct certain research activities that are not subject to IRB review.

  • Use of PHI consistent with the “Preparatory to Research” criteria defined in IRB Policy X.A
  • Use of PHI for research on decedents.

HIPAA requires researchers requesting data for such research activities to provide written representations that:

  • the information is being used only for such purposes;
  • is necessary; and
  • will not be removed from VUMC; or
  • only involves deceased individuals, as applicable.

Managers of areas that release data for these research purposes will manage the collection of these representations when a request for data is made.

contact information
Contact Information
  • Questions related to HIPAA requirements for research may be directed to the Privacy Office at 936-3594 or email
  • Questions related to IRB requirements may be directed to the IRB Office at 322-2918.