Protected Health Information (PHI)
In 2001, new regulations governing the use or disclosure of Protected Health Information (PHI) were issued at Title 45 Code of Federal Regulations Part 142 (45 CFR 142) to satisfy elements of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The PHI regulations were made final in August 2002, with an effective date of April 14, 2003 (see HHS Fact Sheet). The HHS Office for Civil Rights will enforce the PHI regulations.
For detailed information, see the HHS Office for Civil Rights HIPAA page.
The UIUC IRB currently requires all researchers who will use or disclose PHI to comply with the regulations by either (a) obtaining a valid authorization for the use or disclosure of PHI from each research subject or (b) obtaining a waiver of the authorization requirements from the UIUC IRB. A valid authorization may be incorporated into a legally effective consent form to be signed by the research subject whose PHI will be used or disclosed in the research. Specific requirements are outlined below:
Covered Entities
The rules apply to entities covered by HIPAA (the Health Insurance Portability and Accountability Act of 1996). This generally means they cover health information created or maintained by most health providers, health plans, and health care clearinghouses that perform certain transactions electronically.
Information Protected
Protected Health Information (PHI) includes individually identifiable health information used or disclosed by a covered entity in any form. Individually identifiable health information is information, including demographics, that is created or received by a covered entity; relates to the health, condition, or health care of an individual or to the payment for health care to an individual; and that identifies or could be used to identify the individual.
PHI does not include individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA), including records on students at postsecondary institutions, which are kept by a physician or other professional and used in connection with the treatment of the student (45 CFR § 164.501). All other medical records and other individually identifiable health information used or disclosed by a covered entity in any form are PHI.
Minimum Necessary Rule
The general rule requires that only the minimum necessary information may be disclosed to accomplish the intended purpose.
Personal Representatives
A covered entity must treat a personal representative as the individual (whose PHI is being used or disclosed) for purposes of these rules.
Authorization for Uses and Disclosures
A covered entity may not use or disclose PHI for research purposes without an authorization that is valid under these rules. A valid authorization may be incorporated into the research consent form that is already required for IRB purposes, and it must have these specific elements:
- A specific and meaningful description of the information to be used or disclosed (e.g., "your records related to gastric bypass surgery");
- The specific identity of the person(s) authorized to make the requested use or disclosure (e.g., "Dr. Jane Smith");
- The specific identity of the person(s) to whom the information will be disclosed (e.g., "Professor John Doe");
- A description of the specific purpose for using or disclosing the information (e.g., "for the research study described here");
- A specific expiration date or event terminating the use or disclosure, or an explicit statement that the use will be for an indefinite time;
- A statement that, within limits, the individual has a right to revoke the authorization, along with a description of how this can be accomplished;
- Information making it clear that the covered entity may not condition the individual's treatment on their decision to provide the authorization;
- A statement that information used or disclosed may be subject to redisclosure by the recipient and thus no longer protected by the rule;
- Signature of the individual, or, if the authorization is signed by a personal representative, a description of their authority to act for the individual;
- The authorization must be written in language understandable to the individual and a copy of it must be provided to the individual.
Waiver of Authorization
A covered entity may use or disclose PHI for research without an individual patient's authorization, provided that an IRB approves a waiver or modification of authorization. That waiver must be documented with the following information, outlined at 45 CFR § 164.512(i):
(i) Identification and Date of Action. A statement identifying the IRB and the date on which the waiver of authorization was approved;
(ii) Waiver Criteria. A statement that the IRB has determined that the waiver, in whole or in part, of authorization satisfies the following criteria:
- The use or disclosure of protected health information involves no more than minimal risk to the individuals;
- The waiver will not adversely affect the privacy rights and the welfare of the individuals;
- The research could not practicably be conducted without the waiver;
- The research could not practicably be conducted without access to and use of the protected health information;
- The privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the anticipated benefits if any to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research;
- There is an adequate plan to protect the identifiers from improper use and disclosure;
- There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law; and
- There are adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart.
(iii) Protected Health Information Needed. A brief description of the protected health information for which the IRB has determined that use or access is necessary, pursuant to paragraph (i)(2)(ii)(D) of this section;
(iv) Review and Approval Procedures. A statement that the waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows: (A) An IRB must follow the requirements of the Common Rule.
(v) Required Signature. The documentation of the waiver of authorization must be signed by the chair or other member, as designated by the chair, of the IRB, as applicable.
State Laws
Federal law under HIPAA preempts state laws that are in conflict with Privacy Rule requirements or that provide less stringent privacy protections. State laws that provide more stringent privacy protections are not preempted and take precedence over the Federal rule.
The Georgetown Privacy Project has assembled a comprehensive summary of these state laws at: http://www.healthprivacy.org/resources/statereports/contents.html.