Quick Guide: HIPAA & Research

The Health Information Portability and Accountability Act (HIPAA) establishes national standards for protecting the privacy and security of health information and provides individuals with basic rights with respect to their health information.  HIPAA’s Privacy Rule regulates how covered entities may use and disclose individually identifiable health information called protected health information (PHI), regardless of its form (i.e., paper, electronic, or oral), including delineating the conditions under which PHI may be used or disclosed for research purposes.  

What is a “covered entity”?

A covered entity includes health plans and any health care provider that electronically transmits health information as part of billing.  Examples include hospitals, academic medical centers, and health care providers that electronically submit claims to health plans or to third-party administrators of health plans.

Is Stanford University a “covered entity”?

Stanford University is considered a hybrid entity: certain components, collectively known as Stanford University’s HIPAA Components (SUHC), fall within the definition of a covered entity under HIPAA, while many others fall outside that definition.  For example, nearly all parts of the School of Medicine (SoM), including Research IT, fall within the SUHC.  For more information about the SUHC, please visit the University Privacy Office website.

What constitutes “PHI”?

PHI is any health information that includes any one of the following 18 identifiers:

  • Name
  • Geographic information smaller than state
  • Dates more precise than year, and all ages greater than or equal to 90 years of age
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers including license plate
  • Device identifiers and serial numbers
  • URLs
  • IP address numbers
  • Biometric identifiers
  • Full face photographic images and comparable images
  • Health plan beneficiary numbers
  • Any other unique identifying number, characteristic, or code

If my research involves the use of PHI, what steps do I take next?

If you are a researcher seeking to access, obtain, or use PHI from a HIPAA covered entity for research purposes, then HIPAA generally requires that you obtain a signed authorization for that use from the patient/participant, or otherwise justify an exception from that requirement.  In either case, you will be required to have an IRB-approved protocol.

What are the exceptions to the HIPAA authorization requirement?

To avoid obtaining the patient/participant’s authorization, you may:

  1. Request from the IRB a partial waiver (for recruitment purposes) or a full waiver of the authorization requirement;
  2. Request access to PHI through the use of a limited data set;
  3. Request access to PHI for reviews preparatory to research; or
  4. Request access to PHI solely of decedents.

Further, you may request access to a de-identified data set.  “De-identified” means that the data has been stripped of the 18 identifiers listed above and there is no reasonable basis to believe that the remaining information could be used to identify the individual.  No authorization is required to access a de-identified data set; however, because PHI can be embedded in many places throughout the electronic medical record (EMR), it is often difficult to create a truly de-identified data set.

For more information on exceptions to the HIPAA authorization requirement, including the required criteria for each category, visit the IRB’s human subject research website.