HIPAA Guidance – Use of Protected Health Information in Human Subjects Research at UNT

Frequently Asked Questions

What Is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. A major component of HIPAA addresses the privacy of health information by establishing a nationwide federal standard for how that information can be used and disclosed.

What Is The Privacy Rule?
The Privacy Rule is a regulation issued by the U.S. Department of Health and Human Services (DHHS) to implement the privacy protections of HIPAA. The Privacy Rule became effective on April 14, 2003.

Who Has To Comply With The Privacy Rule?
The Privacy Rule directly applies to three categories of health care entities called "Covered Entities": (1) health plans, (2) health care clearinghouses, and (3) health care providers who transmit any health information in electronic form in connection with a transaction covered by HIPAA.

The Privacy Rule does not directly regulate researchers unless they treat patients or work within "Covered Entities." However, many researchers rely on Covered Entities to provide them with patient health information needed to conduct research and must comply with HIPAA to obtain such data.

What Data Is Protected By The Privacy Rule?
The Privacy Rule limits the disclosure and use of patient information called "Protected Health Information" (PHI) that is individually identifiable. Under the Privacy Rule, "health information" generally means information relating to an individual's past, present, or future physical or mental health or condition, provision of health care to an individual, and past, present, or future payment for the provision of health care to an individual.

How Can Investigators Access And Use Protected Data Under HIPAA?
Researchers who want access to Protected Health Information maintained by a Covered Entity must comply with HIPAA requirements relating to disclosure for research use. HIPAA allows PHI to be released and used by researchers under the following methods:
1. a written authorization (Template G: Faculty/Staff Investigator with HIPAA Authorization; Template H: Student Investigator with HIPAA Authorization);
2. de-identification of an individual's health information as defined by HIPAA;
3. de-identification through a "Limited Data Set" (only certain data can be identifiable);
4. preparatory work for a research project;
5. use of PHI of deceased persons; or
6. an approved waiver of authorization by the UNT IRB.

Links to HIPAA Resources
Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule
Office for Civil Rights HIPAA Web site
HIPAA & Institutional Review Boards
NIH Sample HIPAA Authorization