5. Exceptions to HIPAA’s Authorization Requirement
When health information is collected in the course of a study where health care, as discussed above, is provided, it is possible to use the health information for research purposes without individuals’ authorizations if the records are de-identified, are modified to constitute “limited data sets” (and used only pursuant to a Data Use Agreement), or are used and disclosed pursuant to an IRB waiver (only in exceptional cases).
Use or Disclosure of “De-Identified” Health Information
- De-identified health information is exempt from HIPAA and may be used or disclosed for research purposes without an Informed Consent and Health Information Use and Disclosure Authorization.
- Identifiers of the individual and of the individual’s employer, relatives and household members that must be removed include: names; geographic subdivisions smaller than a state; zip codes; dates directly related to an individual; telephone numbers; fax numbers; electronic mail addresses; social security numbers; medical record numbers; health plan beneficiary identifiers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web universal resource locators (URL); internet protocol (IP) address numbers; biometric identifiers, including finger and voice prints; full face photographic images; and any other number, characteristic or code that could be used to identify the individual.
- Re-identification Code. The de-identified information may be assigned a code that can be affixed to the research record and that will permit the information to be re-identified if necessary, provided that the key to such a code is not accessible to the researcher requesting to use or disclose the de-identified health information.
- Researchers using de-identified data must certify that they have de-identified the data as described.
Limited Data Set
- A researcher may use or disclose a Limited Data Set for any research purpose without an Informed Consent and Health Information Use and Disclosure Authorization.
- A “Limited Data Set” is defined as PHI that may include any of the following direct identifiers:
  - Town, city, State and zip code;
  - All elements of dates directly related to an individual, including birth date, admission date, discharge date, and date of death.
- A Limited Data Set must exclude all of the following direct identifiers of the individual or of the individual’s relatives, employers, or household members: names; postal address information other than town or city, State, and zip code; telephone numbers; fax numbers; electronic mail addresses; social security numbers; medical record numbers; health plan beneficiary identifiers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web universal resource locators (URL); internet protocol (IP) address numbers; biometric identifiers, including finger and voice prints; full face photographic images and any comparable images; and any other number, characteristic or code that could be used to identify the individual.
- A Limited Data Set may be used or disclosed only if there is a Data Use Agreement between Northeastern University and the recipient of the limited data set.