Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) restricts how protected health information (PHI) may be used and disclosed.
Description
HIPAA protects a subset of information called PHI: individually identifiable health information that is created or received by a covered entity (a health plan, health care clearinghouse, or health care provider that transmits health information electronically). These protections extend to all individuals whose information a covered entity holds, not just U.S. citizens.
The requirements apply to every use or disclosure of PHI by a covered entity, including disclosures for research, not only to handling by the covered entity's own workforce.
A covered entity is required to designate a security official who is responsible for developing and implementing the policies and procedures that protect electronic PHI (ePHI) in the entity's systems.
Explicit, written authorization is required for any use or disclosure of PHI in research. The authorization form must be written in "plain language" and describe the information that would be disclosed, who may disclose and receive it, and the purpose of the disclosure. An individual can revoke an authorization in writing at any time, although revocation does not undo disclosures the entity already made in reliance on it.
Exemptions
An Institutional Review Board (IRB) or a privacy board can waive or alter the authorization requirement for a covered entity, including for disclosures to researchers outside the entity. Authorization is also not required where the activity falls into one of these categories:
- research that poses no more than minimal risk to the privacy of the individuals
- This is largely an assessment of the plan for protecting and destroying identifiers and of the data governance around the study
- activities that are preparatory to research, such as identifying potential subjects, where the PHI does not leave the covered entity
- research on the information of deceased individuals
- research for which consent or IRB approval was obtained before the act's compliance date
Furthermore, if only de-identified data is used, or if only a limited data set is used under a data use agreement, the research does not require authorization. Note that de-identified data is no longer considered PHI.
De-identification is achieved either by the "Safe Harbor" method (removal of a prescribed list of identifiers, such as names, dates other than year, and small geographic units) or by "Expert Determination", in which a qualified expert documents that the risk of re-identification is very small.
Accounting of Disclosures
Individuals can request an accounting of the disclosures of their PHI. This needs to cover all disclosures made in the six years before the request.
The accounting does not need to cover:
- uses by the entity's own workforce, or disclosures for treatment, payment, and health care operations
- disclosures made under the individual's authorization
- disclosures to the individual about themself
- disclosures of a limited data set under a data use agreement
Also recall that de-identified data is not PHI, so its release is not a disclosure that must be accounted for.
History
HIPAA is largely attributed to the work of Senators Kassebaum and Kennedy, who introduced the Health Insurance Reform Act in 1995.
With alterations, it was passed as the Health Insurance Portability and Accountability Act in 1996 and signed into law by President Clinton.
HHS published the regulations for HIPAA in waves:
- the final rule for privacy was published in December 2000 and had a compliance date of April 14, 2003; this is the relevant date for most research activities, since the research authorization and de-identification requirements are part of the Privacy Rule
- the final rule for security was published in February 2003 and had a compliance date of April 20, 2005
- the final rule for enforcement was published in February 2006 and became effective later that year on March 16
HIPAA was significantly amended by the HITECH Act in 2009.