Medical Records & HIPAA

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. The Act requires The Department of Health and Human Services to develop regulations to protect the privacy and security of identifiable health information. Two sets of regulations, referred to as the Privacy Rule and Security Rule, outline the requirements that must be followed when entities subject to the rules use and share health information. When research involves the use or disclosure of PHI by entities subject to the regulations, the rules will apply.

The rules apply to protected health information (PHI), which is defined as individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records.

  • In most instances, health information is considered individually identifiable when any of the following identifiers are included with the information:
    • Names
    • Telephone numbers
    • Fax numbers
    • Email addresses
    • Social Security numbers
    • Medical record numbers
    • Health plan beneficiary numbers
    • Vehicle identifiers and serial numbers, including license plate numbers
    • Account numbers
    • Certificate/license numbers
    • Device identifiers and serial numbers
    • Web Universal Resource Locators (URLs)
    • Internet Protocol (IP) addresses
    • Biometric identifiers, including finger and voice prints
    • Full-face photographs and any comparable images
    • Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification
    • All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
      • The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
      • The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people are changed to 000.
    • All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, and death date; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
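The ZIP code, date and age rules above are mechanical enough to encode. The following is an added example (not part of this page or of any institutional tool) that applies those three rules to a record and passes through only an explicit allowlist of non-identifying fields; the population table it uses is constructed for illustration and does not reproduce Census Bureau data, so a real pipeline must substitute the current figures.

```python
from datetime import date

# Constructed sample of 3-digit ZIP prefix populations (NOT Census data).
SAMPLE_ZIP3_POPULATION = {
    "941": 800_000,  # constructed: more than 20,000 people, prefix may be kept
    "036": 15_000,   # constructed: 20,000 or fewer people, prefix becomes 000
}

POPULATION_THRESHOLD = 20_000  # from the Safe Harbor ZIP rule
AGE_LIMIT = 89                 # ages over 89 collapse into "90 or older"

# Allowlist: only these fields are copied into the de-identified record.
# Everything else (names, MRNs, account numbers, ...) is dropped by default.
NON_IDENTIFYING_FIELDS = ("diagnosis_code",)


def safe_harbor_zip(zip_code, population_by_zip3):
    """Return the 3-digit prefix when its combined population exceeds 20,000,
    otherwise '000'. An unknown prefix is treated as small, the safe default."""
    zip3 = str(zip_code).strip()[:3]
    if population_by_zip3.get(zip3, 0) > POPULATION_THRESHOLD:
        return zip3
    return "000"


def age_on(as_of, birth_date):
    """Whole years completed between birth_date and as_of."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def safe_harbor_age(age):
    """Ages over 89 are aggregated into the single category '90 or older'."""
    return "90 or older" if age > AGE_LIMIT else age


def safe_harbor_birth_year(birth_date, age):
    """Keep only the year of birth, and suppress even that for anyone over 89,
    because a birth year by itself is indicative of such an age."""
    return None if age > AGE_LIMIT else birth_date.year


def deidentify(record, as_of, population_by_zip3=SAMPLE_ZIP3_POPULATION):
    """Build a Safe Harbor-style record: 3-digit ZIP, years only, capped age,
    plus allowlisted fields. Event dates keep their year; birth year is handled
    separately because it can reveal an age over 89."""
    age = age_on(as_of, record["birth_date"])
    out = {
        "zip3": safe_harbor_zip(record["zip_code"], population_by_zip3),
        "age": safe_harbor_age(age),
        "birth_year": safe_harbor_birth_year(record["birth_date"], age),
        "admission_year": record["admission_date"].year,
    }
    for field in NON_IDENTIFYING_FIELDS:
        if field in record:
            out[field] = record[field]
    return out


if __name__ == "__main__":
    # Constructed sample record; the name must not survive de-identification.
    sample = {
        "name": "Constructed Patient",
        "zip_code": "94110",
        "birth_date": date(1980, 6, 15),
        "admission_date": date(2024, 3, 2),
        "diagnosis_code": "J18.9",
    }
    print(deidentify(sample, as_of=date(2024, 3, 2)))
```

The allowlist is the important design choice: a blocklist of known identifiers silently leaks any new column added to the source extract, whereas an allowlist fails closed. The same reasoning drives the "unknown prefix becomes 000" default in the ZIP rule.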

One of the main purposes of HIPAA is to require health plans to accept electronic transactions from health care providers. The Privacy and Security Rules are the means to address the risk to individual privacy when those electronic transactions are processed. The Rules apply to all PHI held by covered entities, which are health plans (health insurance companies), health care providers, and health care clearinghouses (companies that facilitate electronic transactions). Einstein School of Medicine and Montefiore Medical Center are health care providers and are covered entities under HIPAA.

Researchers have legitimate needs to use, access, and disclose PHI to carry out a wide range of health research studies. In most instances, the Privacy Rule requires an authorization from the individual, or a waiver of authorization from an IRB or Privacy Board, before a covered entity can access, use, or disclose PHI for research purposes. In general, there are two types of human research that involve PHI:

  • Studies involving review of medical records as a source of research information.
  • Studies that create new medical information because a health care service is being performed as part of the research.

What Is Required for Research in order to access, use or disclose Protected Health Information (PHI)?

Researchers may access, use, and/or disclose PHI for research purposes from the Electronic Medical Record (EMR) once there is an approved waiver from an IRB or other applicable authority or a signed HIPAA Authorization from the patient. UC Davis Health acknowledges that all information placed into the Electronic Health Record system (EPIC) by Marshall Medical Center (MMC) is the proprietary information of MMC, and shall not be accessed, used, and/or disclosed by UC Davis Health unless MMC specifically authorizes such.

Waiver criteria:
  1. Use or disclosure involves no more than minimal risk to the privacy of individuals because of the presence of at least the following elements:
    1. An adequate plan to protect health information identifiers from improper use or disclosure.
    2. An adequate plan to destroy identifiers at the earliest opportunity absent a health or research justification or legal requirement to retain them.
    3. Adequate written assurances that the PHI will not be used or disclosed to a third party except as required by law, for authorized oversight of the research study, or for other research uses and disclosures permitted by the Privacy Rule.
  2. Research could not practicably be conducted without the waiver or alteration.
  3. Research could not practicably be conducted without access to and use of PHI.

Health Insurance Portability and Accountability Act (HIPAA) Authorization

  • The Privacy Rule establishes the right of an individual, such as a research subject, to authorize a covered entity to use and disclose his/her PHI for research purposes. This requirement is in addition to the informed consent to participate in research required under the HHS Protection of Human Subjects Regulations and other applicable Federal and State law.
  • The HIPAA Authorization for Research form (Version 2017) is available at the Office of Research website.

In most instances, researchers at our institution use the Einstein HIPAA Research Authorization to use and share PHI for research purposes. However, in some instances, the Privacy Rule allows an IRB to waive the requirement for a signed authorization from the individual for use of PHI in research. Montefiore Einstein researchers complete the applicable section of the electronic Initial Review Application when they need access to PHI without obtaining an authorization from the individual.

It is always preferred to obtain authorization to use an individual’s PHI. In order to waive the requirement for an authorization, the IRB must determine that the study meets the following criteria:

  • The use or disclosure of the identifiers involves no more than minimal risk (an adequate plan to protect identifiers from improper use and disclosure must be included in the research proposal).
  • There is an adequate plan to destroy the identifiers at the earliest opportunity.
  • The project could not practicably be conducted without a waiver.
  • The project could not practicably be conducted without use of PHI.
  • The IRB receives written assurances that PHI will not be re-used or disclosed for other purposes.