HIPAA Privacy & Research
The HIPAA Privacy Rule requirements for those engaged in research are different than the general Privacy Rule requirements for clinicians and employees of a covered entity. Under the Privacy Rule, a researcher using or disclosing identifiable health information must (in addition to IRB and informed consent requirements) fulfill one of six allowable “HIPAA research pathways.”
Research - is defined as a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
Protected Health Information (PHI) - Any individually identifiable health information, whether oral, written, electronic, transmitted, or maintained in a form or medium that:
Is stored at, created or received by a health care provider such as the Medical College of Wisconsin, a health plan, or a health care clearinghouse (Covered entities are organizations and not buildings - so identifiable health information accessed, collected, or created by MCW researchers in the community is also considered PHI); and
Relates to an individual's past, present, or future physical or mental health condition, health care treatment, or the past, present, or future payment for health care services to the individual;
That either identifies an individual (for example, name, social security number, or medical record number) or can reasonably be used to find out the person's identity (address, telephone number, birth date, e-mail address, and names of relatives or employers).
For purposes of the Privacy Rule, genetic information is considered to be health information.
Research Privacy Board - The HIPAA Privacy Rule allows and encourages the local Institutional Review Board (IRB) to function as the Privacy Board for research activities. The Medical College of Wisconsin/Froedtert Hospital IRB fulfills this function for the Medical College of Wisconsin (MCW) and Froedtert Hospital (FH). In most ways, the IRB and HIPAA regulations are aligned so that the IRB can ascertain that the researcher is using the appropriate Privacy Rule pathway when the IRB reviews the study.
Other terms relevant to the HIPAA Privacy Rule are defined in MCW Corporate Policy HIPAA Privacy Definitions (AD.HP.010). Additionally, please refer to the MCW Corporate Policy Use and Disclosure of PHI in Research (AD.HP.060). These and all MCW Corporate Policies are available on MCW’s intranet site. If you have access to InfoScope, search for keyword “HIPAA” to view complete details.