= Health Insurance Portability and Accountability Act =

The '''Health Insurance Portability and Accountability Act''' ('''HIPAA''') protects against the dissemination of [[UnitedStates/InformationLaw/ProtectedHealthInformation|PHI]].

----

== Description ==

HIPAA protects a subset of information called [[UnitedStates/InformationLaw/ProtectedHealthInformation|PHI]], which is largely defined as any information created by a '''covered entity'''. These protections extend to all people, not just U.S. citizens. The requirements set by the act apply to all research, not just the covered entity's workforce.

A covered entity is required to appoint a '''security official''' who is responsible for maintaining security for systems of record.

Explicit and written '''authorization''' is required for any use of PHI in research. The authorization form must be in "plain language" and describe the information that would be disclosed, as well as the purpose of disclosure. Authorization can also be revoked at any time.

=== Exemptions ===

A '''privacy board''' or '''privacy officer''' can waive authorization requirements for a covered entity. Put differently, the requirements cannot be waived if information will leave the covered entity. The activities must fall into one of these categories:

 * research that poses none-to-minimal risk
  * this is largely an assessment of plans for de-identification and data governance
 * activities that are preparatory for research, such as identifying potential subjects
 * research of deceased individuals' information
 * research that was granted permission before the act was effective

Furthermore, if only de-identified data is used, or if only a '''limited data set''' as defined by a '''data use agreement''' is used, the research is exempt. Note that de-identified data is no longer considered PHI. De-identification is subject to "Expert Determination".
=== Accounting of Disclosures ===

Individuals can request that an '''accounting of disclosures''' be produced for their PHI. This needs to cover all disclosures from the last six years. This does not need to cover:

 * access by the entity's workforce
 * disclosures made with authorization
 * disclosures to an individual about themselves
 * inclusion within limited data sets

Also recall that de-identified data is not PHI.

----

== History ==

HIPAA is largely attributed to the work of [[UnitedStates/NancyKassebaum|Kassebaum]] and [[UnitedStates/TedKennedy|Kennedy]], who introduced the '''Health Insurance Reform Act''' in 1995. With alterations, it was passed as the '''Health Insurance Portability and Accountability Act''' in 1996 and signed by [[UnitedStates/BillClinton|Clinton]].

[[UnitedStates/DepartmentOfHealthAndHumanServices|HHS]] published the regulations for HIPAA in waves:

 * the [[UnitedStates/CodeOfFederalRegulations|final rule]] for privacy was published in December 2000 and effective April 14, 2003
 * the final rule for security was published in February 2003 and effective April 20, 2005; this is the relevant effective date for most research activities
 * the final rule for enforcement was published in February 2006 and effective later that year on March 16

HIPAA was significantly amended by the [[UnitedStates/InformationLaw/HealthInformationTechnologyForEconomicAndClinicalHealthAct|HITECH Act]] in 2009.

----

CategoryRicottone