Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) restricts the dissemination of protected health information (PHI).


Description

HIPAA protects a subset of information called PHI, which is largely defined as any information created by a covered entity. These protections extend to all people, not just U.S. citizens.

The requirements set by the act apply to all research involving PHI, not only to work done by the covered entity's own workforce.

Explicit and written authorization is required for any use of PHI in research.

Exemptions

A privacy board or privacy officer can waive the authorization requirement for a covered entity. The requirement cannot be waived, however, if the information will leave the covered entity. The activity must also fall into one of the following categories:

Furthermore, research is exempt if it uses only de-identified data, or only a limited data set as defined by a data use agreement.


History

HIPAA is largely attributed to the work of Kassebaum and Kennedy, who introduced the Health Insurance Reform Act in 1995.

With alterations, it was passed as the Health Insurance Portability and Accountability Act in 1996 and signed into law by President Clinton.

HHS published the regulations for HIPAA in waves:

HIPAA was significantly amended by the HITECH Act in 2009.
