|  | Healthcare Industry | Healthcare Management

HIPAA Regulations for Research Simplified

The privacy standards enacted in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) outline the circumstances as well as the types of information inside patient medical records that health care researchers can access to conduct medical studies.

  1. Patient Authorization

    • Researchers may request information inside a patient's medical file from a hospital if the individual has granted written permission for its release to the researcher by means of a signed authorization form. For example, a clinical trial participant may authorize her physician to provide a researcher specific information from her medical files. The research subject can write a letter revoking the authorization at any time, according to the privacy rule's regulations.

    Preparatory Research

    • Hospitals can allow researchers to review patient medical records to determine the feasibility of a proposed research project. A researcher can request access to patient records to determine the availability of enough records to pursue the investigation. However, although researchers can request access to patient medical information in the interests of identifying potential study participants, they cannot contact patients or remove any data from the hospital or clinic, as stipulated by the U.S. Department of Health & Human Services (HHS) in providing guidance on the privacy rule's requirements for researchers.

    IRB Approval

    • A hospital or health plan can allow a researcher access to patient medical information upon receipt of documentation that an Institutional Review Board (IRB), or a privacy board, has granted the researcher a waiver of the requirement to obtain individual authorization. The IRB, a committee formally designated by an institution to review research involving human subjects, can grant a waiver if it determines that the research project cannot proceed without the data, according to HHS.

    De-Identified Data

    • The HIPAA privacy rule allows researchers access to patient health information that has been de-identified through removal of 18 identifiers, including name, address, age, photograph and biometric identifiers.

    Limited Data Set

    • Hospitals also may enter into an agreement with a research group to allow sharing of limited data sets of patient health information. While a limited data set has more information than de-identified data, it excludes specific, direct individual identifiers and those of the patient's relatives, employers or household members. The researcher cannot use or disclose the information for purposes other than those stated in an agreement between the research group and the hospital, according to HHS. The research group must agree to use safeguards to protect the data from unauthorized disclosure and it cannot attempt to re-identify or contact the individual.

    Grandfathered Consent

    • Hospitals may share patient data if in possession of a legal document, informed consent or an IRB-approved waiver of informed consent obtained prior to the privacy rule compliance date that permits a researcher to use and disclose the patient's protected health information for specific research studies and any undetermined investigations included in the permission.

Healthcare Management - Related Articles