Human
Investigation Committee
Yale University
School of Medicine
47 College Street,
Suite 204
New Haven, CT
06520-8010 USA
Phone:
(203) 785-4688
Fax:
(203) 785-2847
 |
 |
 |
 |
 |
 |
 |
|||||
Yale University
Researchers' Guide to HIPAA Privacy
Health Insurance Portability and Accountability Act of 1996
Handbook
Table of Contents
I. |
|
|
||||||||||||||||||||||||||||||||||||||||||
II. |
|
HIPAA's Impact On Research Protocols
|
||||||||||||||||||||||||||||||||||||||||||
III. |
|
Patient's Rights Provisions in Research Studies
|
||||||||||||||||||||||||||||||||||||||||||
IV. |
|
|||||||||||||||||||||||||||||||||||||||||||
V. |
|
|||||||||||||||||||||||||||||||||||||||||||
VI. |
|
INTRODUCTION
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. HIPAA requires many things, including the standardization of electronic patient health, administrative and financial data. It also establishes security and privacy standards for the use and disclosure of "protected health information" (PHI).
The HIPAA Privacy Rule:
- Establishes conditions under which PHI can be used within an institution and disclosed to others outside it;
- Grants individuals certain rights regarding their PHI;
- Requires that institutions maintain the privacy and security of PHI.
This guide addresses HIPAA's requirements related to uses and disclosures of PHI for research purposes. It does not cover HIPAA's requirements related to uses and disclosures of PHI for other purposes (such as treatment, payment, or health care operations). If you need guidance on these issues, please refer to http://hipaa.yale.edu.
What is PHI?
HIPAA’s regulatory provisions apply to the use and disclosure of protected health information (PHI). PHI is defined as individually identifiable health information that is created or received by a HIPAA “covered entity” (see definition below).
Health information includes any information, whether oral or recorded in any form, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for health care to an individual.
PHI is considered individually identifiable if it includes one or more of the following identifiers:
1. |
|
Names |
||||||||||||||||
2. |
|
All geographic subdivisions smaller than a State, including:
|
||||||||||||||||
3. |
|
Telephone numbers |
||||||||||||||||
4. |
|
Fax numbers |
||||||||||||||||
5. |
|
E-mail addresses |
||||||||||||||||
6. |
|
Social Security numbers |
||||||||||||||||
7. |
|
Medical record numbers |
||||||||||||||||
8. |
|
Health plan beneficiary numbers |
||||||||||||||||
9. |
|
Account numbers |
||||||||||||||||
10. |
|
All elements of dates (except year) for dates related to an individual, including:
|
||||||||||||||||
11. |
|
Certificate/license numbers |
||||||||||||||||
12. |
|
Vehicle identifiers and serial numbers, including license plate numbers |
||||||||||||||||
13. |
|
Device identifiers and serial numbers |
||||||||||||||||
14. |
|
Web Universal Resource Locators (URLs) |
||||||||||||||||
15. |
|
Internet Protocol (IP) address numbers |
||||||||||||||||
16. |
|
Biometric identifiers, including finger and voice prints |
||||||||||||||||
17. |
|
Full face photographic images and any comparable images |
||||||||||||||||
18. |
|
Any other unique identifying numbers, characteristics, or codes |
HIPAA applies to "covered entities," which are defined as health plans, health care clearinghouses, and health care providers that transmit health information related to insurance coverage electronically. At Yale, such transactions occur in the School of Medicine (YSM), School of Nursing (YSN), University Health Services (UHS), and the Department of Psychology Clinics. These units of the University are considered to be part of the Yale University covered entity. Other segments of the University, such as the Faculty of Arts and Sciences, are not subject to HIPAA. Although not all of YSM and YSN are involved in the requisite electronic transactions, they have been included as a whole within the covered entity. This decision was based on an analysis of the projected impact of HIPAA's administrative requirements related to transfer of information out of the covered entity and the concomitant barriers to communication inherent in further subdividing YSM and YSN under HIPAA.
What research activities are covered by HIPAA?
At Yale, research activities involve PHI and thus are subject to HIPAA if all of the following conditions are met:
- The data includes any of the identifiers listed above, AND
- The data includes health information, AND
- The data is created or received by YSM, YSN, YUHS, the Psychology Clinics or any other covered entity.
Yale has developed procedures to assist researchers in determining which research activities involve PHI. These procedures can be found at http://info.med.yale.edu/hic.
Return
to the Table of Contents
 |
 |
 |
 |
Last modified: Wednesday, 11-Feb-2009 15:41:35 EST. (JJ)