4. HIPAA and Health Information Privacy Laws | Human Subject Research Protection

HIPAA and Health Information Privacy Laws

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its privacy regulations create privacy obligations that may impact academic researchers conducting studies involving human subjects. The provisions apply to individually identifiable health information, or “protected health information,” in certain circumstances (discussed below). The HIPAA provisions add an additional layer of regulation to the Federal Policy for the Protection of Human Subjects (also known as the “Common Rule”) and to FDA regulations – HIPAA does not replace them.

State Law

HIPAA does not preempt state laws that set forth health information privacy standards that are more stringent than those established by HIPAA.

Identifying HIPAA-Covered Studies

A researcher may be a HIPAA-covered health care provider if he or she furnishes health care services to individuals, including the subjects of research, AND transmits any protected health information in electronic form in connection with a “standard transaction” (defined below). “Health care” is broadly defined under HIPAA and includes, but is not limited to, the following activities: preventative, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care and counseling; physical therapy; occupational therapy; assessment or procedures with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body. If a researcher’s study may involve the provision of health care, the researcher must describe the activities that may constitute health care within the Application for Approval for Use of Human Participants in Research.

HIPAA’s standard electronic transmissions include those involving health care claims or equivalent encounter information, health care payment and remittance advice, coordination of benefits, health care claim status, enrollment and disenrollment in a health plan, eligibility for a health plan, health plan premium payments, referral certification and authorization, first report of injury, and health claims attachments.

Individuals’ Access to Protected Health Information (PHI)

HIPAA allows individuals to access and amend the protected health information collected about them and requires accounting for disclosures of PHI upon an individual’s request. Such accountings can be done in a less detailed format where the individual is one of 50 or more study participants.