The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an extensive piece of legislation that requires the standardization of electronic patient health, administrative, and financial data. Important to researchers, HIPAA created the Privacy Rule—a set of minimum standards for the use and disclosure of "protected health information" (PHI). The Privacy Rule protects individuals by safeguarding the privacy of any identifiable health information, yet many provisions ensure that the rule does not impede research. Understanding the HIPAA Privacy Rule is important in protecting the dignity of an individual's health information as well as in reducing unnecessary delays in designing and conducting research.

To fully understand the Privacy Rule, it is important to understand some key definitions. PHI is defined as individually identifiable health information that is created or received by a HIPAA-covered or hybrid entity. Health information includes any information, whether oral or recorded in any form, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment of health care to an individual. PHI includes names, all geographic references smaller than a state, telephone numbers, Social Security numbers, medical record or health plan numbers, etc. (for a complete list, see the identifiers at the bottom of this page). A covered entity is a health plan, a health care clearinghouse, or a health care provider which transmits health information in paper or electronic form in connection with a transaction for which HHS has adopted a standard.

Therefore, most universities are considered covered entities, as are units where such transactions occur, such as nursing departments, health services, etc. Because the School of Health Professions and Studies conducts research and other functions that might involve PHI, we need to be HIPAA compliant. Research at the University of Michigan-Flint is considered to involve PHI and thus be subject to HIPAA if all of the following conditions are met:

  • data include any of the identifiers listed at the bottom of this page
  • data include health information
  • data are created or received by the Department of Nursing, Department of Physical Therapy, Department of Public Health and Health Sciences, Urban Health and Wellness Center, or any other unit within the covered entity.

It is important to note that compliance with the HIPAA Privacy Rule does not displace Institutional Review Board (IRB) approvals. In thinking about the relationship between HIPAA compliance and the IRB process, please note that HIPAA requires an authorization from any research subject (with few exceptions) to use or disclose PHI for purposes related to the research. The "minimum necessary" standard within the HIPAA Privacy Rule requires that treatment or research is conducted using the minimum necessary PHI to limit the intrusion on an individual's health privacy rights. Therefore, research on decedents, research using or creating PHI about living individuals, recruitment of research subjects, and research using a limited data set all fall under the Privacy Rule. For research purposes, there should be few HIPAA problems when using data that are not individually identifiable.

Research conducted at the School of Health Professions and Studies relies heavily on access to many sources of health information, from medical records and epidemiological databases to disease registries, hospital discharge records, and vital and health statistics compiled by the government. The Privacy Rule applies to clinical research, databases, and health services research. Completing the online HIPAA training and certification is essential to ensure the ongoing success of our researchers and faculty members. The inappropriate use or disclosure of PHI results in harsh consequences, and therefore the candid reporting of such events and a proper understanding of the comprehensive rights established by the legislation are fundamental duties of researchers.

Beyond the expectation of requiring HIPAA compliance for IRB approval, it is important to remember that the Privacy Rule in its very definition ensures the privacy of subjects' research-related information. Although the Privacy Rule may appear cumbersome, as it adds an additional layer of regulation and enforcement, it also adds another layer of privacy protection for those who volunteer for research projects. In the end, such privacy safeguards will improve the participation and quality of research conducted at the University of Michigan-Flint.