Health Insurance Portability & Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (1996) (HIPAA) applies to both clinical care and research. It was created, in part, to establish minimum privacy standards to protect health information, while permitting health information to be shared for health care treatment.

The HIPAA Privacy Rule, which had a compliance date of April 14, 2003, established minimum standards for how covered entities must safeguard individually identifiable health information, known as protected health information (PHI). Covered entities include health plans (e.g., insurance companies, HMOs, Medicare, Medicaid), health care clearinghouses (e.g., billing services, community health management information systems), and, if they electronically transmit health information in connection with standard transactions (e.g., billing and payment for services or insurance coverage), health care providers (e.g., doctors, clinics, dentists, psychologists, pharmacies, nursing homes). CHA is a covered entity.

PHI is any health information that identifies an individual. More specifically, PHI is individually identifiable health information (whether the individual is identified directly or can reasonably be identified indirectly) that is created, received, maintained, or transmitted by a covered entity and that relates to an individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, or payment for that care.

The HIPAA Security Rule establishes standards to protect individuals' electronic PHI (ePHI) that is created, received, used, or maintained by a covered entity. It requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.

A covered entity may use and disclose PHI without an individual's authorization for treatment, payment, and health care operations, and for certain other purposes the Privacy Rule specifically permits or requires (e.g., public health reporting).

Access to PHI for research falls outside the scope of treatment, payment, and health care operations. As a result, PHI may be used and disclosed for research purposes only through one of the following methods:

  1. The data are de-identified
  2. A review preparatory to research is performed
  3. A limited data set is involved
  4. Data are from decedents
  5. A HIPAA waiver of authorization is granted by the IRB
  6. Signed HIPAA authorization is given by an individual
A quick reference chart summarizes the five methods above (items 1 through 5) that do not require a signed authorization for the use and disclosure of PHI in human research.
  • De-Identification

    A researcher at CHA can use or disclose health information without restriction if the data are de-identified. This is a common method to satisfy HIPAA in human research. HIPAA defines 18 identifiers.

    One method of de-identifying data is referred to as the “safe harbor method.” Under it, all 18 HIPAA identifiers of the individual, and of the individual's relatives, employers, and household members, must be removed from the data, and the covered entity must have no actual knowledge that the remaining information could be used to identify the individual:

    1. Names
    2. Geographic subdivisions smaller than a State
    3. All elements of dates (except year) directly related to an individual
    4. Telephone numbers
    5. Fax numbers
    6. E-mail addresses
    7. Social security numbers
    8. Medical record numbers
    9. Health plan beneficiary numbers
    10. Account numbers
    11. Certificate/license numbers
    12. Vehicle identifiers and serial numbers, including license plate numbers
    13. Device identifiers and serial numbers
    14. Web URLs
    15. Internet Protocol (IP) address numbers
    16. Biometric identifiers, including finger and voice prints
    17. Full-face photographic images and any comparable images
    18. Any other unique identifying number, characteristic, or code, except as permitted under HIPAA to re-identify data

    Greater explanation of the terms above, other common terms and definitions, and a summary of the Privacy Rule is available from the Office for Civil Rights.

    The other method to de-identify data is “expert determination.” Instead of removing all 18 identifiers, a qualified expert applies accepted statistical or scientific methods to determine, and documents, that the risk of re-identifying an individual from the data is very small. For more information on this method, please contact the

    Please refer to the CHA policy on the use and disclosure of PHI for research purposes (StaffNet access required).

  • Review Preparatory to Research

    HIPAA review preparatory to research permits review of PHI, such as medical records, in order to prepare or develop a research protocol or for similar purposes preparatory to research, such as recruitment.

    In a review preparatory to research, a researcher is prohibited from removing PHI from the covered entity.

    A review preparatory to research must be reviewed and approved by the IRB before it begins. The researcher must provide CHA's IRB with written information covering:

    1. The PHI to be accessed,
    2. Confirmation that the use or disclosure of the PHI is solely to prepare a research protocol or for similar purposes preparatory to research,
    3. Confirmation that the researcher will not remove any PHI from CHA, and
    4. Confirmation that the PHI for which access is sought is necessary for the research purpose.

    Please refer to the CHA policy on the use and disclosure of PHI for research purposes (StaffNet access required) or contact the IRB office at (617) 806-8702 for guidance.

  • Limited Data Set

    A limited data set is a data set that contains PHI, but its identifiers are limited to certain dates and elements of geography (e.g., city; state; ZIP code; elements of dates; and other numbers, characteristics, or codes not listed as direct identifiers). Such a data set consists of PHI from which the 16 direct identifiers listed below have been removed.

    It is important to note that in some instances, dates and geographic information associated with an individual could make the information potentially identifiable.

    Limited data sets may be used or disclosed for research purposes, public health, or health care operations. Because limited data sets may contain identifiable information, they are PHI.

    A limited data set may not include:

    1. Names.
    2. Postal address information, other than town or city, state, and ZIP Code.
    3. Telephone numbers.
    4. Fax numbers.
    5. Electronic mail addresses.
    6. Social security numbers.
    7. Medical record numbers.
    8. Health plan beneficiary numbers.
    9. Account numbers.
    10. Certificate/license numbers.
    11. Vehicle identifiers and serial numbers, including license plate numbers.
    12. Device identifiers and serial numbers.
    13. Web universal resource locators (URLs).
    14. Internet protocol (IP) address numbers.
    15. Biometric identifiers, including fingerprints and voiceprints.
    16. Full-face photographic images and any comparable images.

    If a limited data set is used for research, a Data Use Agreement (DUA) must be executed between the party providing the data and the party receiving the data. CHA has created a template Data Use Agreement for use. A DUA establishes how the recipient of the limited data set will use or disclose the PHI in the data set only for specified purposes.

    Please refer to the CHA policy on the use and disclosure of PHI for research purposes (StaffNet access required).
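    The two regimes above (safe harbor de-identification and a limited data set) differ only in which fields survive, so the difference is easiest to see in code. The following is an added example and is not CHA's tooling or anything from this page: it applies each regime to a constructed patient record and then scans the remaining free-text fields for identifier-shaped tokens (phone numbers, IP addresses, full dates, etc.) that field-level stripping cannot see. The field names, the sample record, the regular expressions, and the `release` helper are all assumptions for illustration. It implements only the identifier lists shown on this page; the federal rule carries further conditions (for example on ZIP-code prefixes and ages over 89) and the expert-determination method, none of which are modelled here.

```python
"""Added example: field-level de-identification under the two HIPAA regimes
described on this page (safe harbor vs. limited data set), plus a scan for
identifier-shaped tokens left behind in free text.  Constructed data and field
names; not CHA's tooling, and only the identifier lists on the page are modelled."""
import re
from datetime import date

# Direct identifiers: removed under safe harbor AND excluded from a limited data set
DIRECT = {"name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
          "account_number", "license_number", "vehicle_id", "device_serial",
          "url", "ip_address", "biometric", "face_photo"}
# Elements a limited data set may retain but safe harbor must reduce or drop
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}
GEO_BELOW_STATE = {"street", "city", "zip"}


def safe_harbor(record):
    """Drop direct identifiers and geography below state; reduce dates to year."""
    out = {}
    for field, value in record.items():
        if field in DIRECT or field in GEO_BELOW_STATE:
            continue
        if field in DATE_FIELDS:
            out[field] = value.year if isinstance(value, date) else None
            continue
        out[field] = value
    return out


def limited_data_set(record):
    """Keep dates and city/state/ZIP, but no direct identifiers and no street address."""
    return {f: v for f, v in record.items() if f not in DIRECT and f != "street"}


# Identifier-shaped tokens that field filtering cannot see inside free text
TOKEN_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[A-Za-z]{2,}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def residual_identifiers(record, regime):
    """Return (field, kind, token) for identifier-like tokens in string fields.
    Full dates are flagged only under safe harbor; a limited data set may keep them."""
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pat in TOKEN_PATTERNS.items():
            if kind == "full_date" and regime == "limited":
                continue
            hits.extend((field, kind, m.group()) for m in pat.finditer(value))
    return hits


# Constructed sample record; every value is fictitious
SAMPLE = {
    "name": "Jane Doe", "mrn": "000123456", "ssn": "123-45-6789",
    "street": "1 Main St", "city": "Cambridge", "state": "MA", "zip": "02139",
    "dob": date(1980, 3, 14), "admission_date": date(2023, 11, 2),
    "diagnosis": "J18.9", "lab_hba1c": 6.1,
    # A free-text note that smuggles identifiers past field-level scrubbing
    "note": "Pt reached at 617-555-0100; portal login 10.0.0.12; f/u 11/9/2023",
}


def release(record, regime):
    """Apply the regime, then refuse to release if identifiers remain in free text."""
    out = safe_harbor(record) if regime == "safe_harbor" else limited_data_set(record)
    leftovers = residual_identifiers(out, regime)
    if leftovers:
        raise ValueError(f"residual identifiers under {regime}: {leftovers}")
    return out


if __name__ == "__main__":
    print(limited_data_set(SAMPLE))
    try:
        release(SAMPLE, "safe_harbor")
    except ValueError as err:
        print(err)
```

    The point of the final check is that a record can pass the field-level rules of either regime and still carry a phone number, an IP address, or a full date inside a clinical note; a practitioner releasing data under a DUA or a safe-harbor claim should scan free text as well as drop columns. The regular expressions are deliberately simple and will both miss identifiers (names, addresses written in prose) and produce false positives, so they are a last-line check, not a substitute for review.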

  • Data from Decedents

    To use or disclose the PHI of deceased persons for research purposes, a covered entity is not required to obtain a signed Authorization from the personal representative or next of kin. However, the researcher seeking access to decedents' PHI must provide the following to the IRB:

    1. Written confirmation that the use and disclosure is sought solely for research on the PHI of decedents,
    2. Written confirmation that the PHI for which use or disclosure is sought is necessary for the research purposes, and
    3. If requested by the IRB, documentation of the death of the individuals whose PHI is sought by the researcher.

    Please refer to the CHA policy on the use and disclosure of PHI for research purposes (StaffNet access required) or contact the IRB office at (617) 806-8702 for guidance.

  • HIPAA waiver of authorization

    Similar to a DHHS waiver or alteration of consent granted by the IRB, a HIPAA waiver or alteration of signed authorization may be granted by the IRB. The process and criteria for obtaining a HIPAA waiver of authorization are similar to the process and criteria for waiving informed consent in research. In general, if a human research study qualifies for a waiver of consent, a HIPAA waiver would also be indicated.

    Please refer to the CHA policy on the use and disclosure of PHI for research purposes (StaffNet access required).

    A HIPAA waiver, or alteration of authorization, must satisfy the following criteria:

    1. The use or disclosure of the PHI involves no more than minimal risk to the privacy of individuals based on, at least, the presence of the following elements:
      1. An adequate plan to protect identifiers from improper use and disclosure.
      2. An adequate plan to destroy identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or retention is required by law.
      3. Adequate written assurances that the PHI will not be reused or disclosed to (shared with) any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule.
    2. The research could not practicably be conducted without the waiver or alteration.
    3. The research could not practicably be conducted without access to and use of the PHI.

    Additional information and resources related to HIPAA waivers or alterations of authorizations are available on the NIH website and the DHHS website.

    As a reminder, databases that contain PHI as resources for future research require CHA IRB approval, as well as a signed HIPAA authorization from each subject whose data is placed in the database, or a HIPAA waiver must be granted by the CHA IRB at the time of IRB approval.

    When a HIPAA waiver is granted, the researcher must apply the “minimum necessary” requirement. This means that only the minimum PHI the researcher needs to carry out the study objectives may be used, disclosed, or requested. Please refer to the CHA policy on this matter (StaffNet access required).

    If a HIPAA waiver is granted by the IRB, the researcher is responsible for fulfilling associated accounting requirements. Please refer to CHA policy (StaffNet access required) for additional information, refer to the HIPAA Disclosure Tracking/Accounting site on StaffNet, or contact the CHA HIPAA Privacy Officer (617-591-4820).

  • Signed HIPAA authorization

    A HIPAA Authorization is an individual study participant's signed permission to allow a CHA researcher to use or disclose the subject's PHI. The authorization is to include an explanation of the purposes of the use/disclosure and state who will receive the PHI.

    The HIPAA Privacy Rule specifies core elements and required statements that must be included in an Authorization. At CHA, HIPAA Authorization language is included in the CHA research informed consent form template. The template is available on the CHA IRB website.

    Some reminders about signed HIPAA Authorizations:

    • The Authorization must be written in plain language.
    • A copy of the signed Authorization must be provided to the individual signing it.

    Please refer to the CHA policy on the use and disclosure of PHI for research purposes (StaffNet access required).

Contact Us

Ida Rego
Office Contact
P: 617-806-8702
F: 617-806-8710
IRB office mailing address
Cambridge Health Alliance
Institutional Review Board Office
1493 Cambridge Street
Cambridge, MA 02139
J. Glover Taylor
Institutional Official
Chief Compliance Officer

Sarah E. Nelson, PhD
IRB Chair
Erica Dwyer, MD, PhD
IRB Vice-Chair
Michelle Ewahi
Manager, Human Subject Protection and Research Integration
Mercedes Hasan
IRB Analyst
