HIPAA

These sources of data are covered by HIPAA

Below are examples of BU and external sources of research information that are, and others that are not, Covered Entities/Components. Note that each Covered Component is considered to be a separate entity from each other Covered Component.

BU HIPAA covered components:

• Jessie and Albert Danielsen Institute
• BU Rehabilitation Services, including the Physical Therapy Center and the Neuro-Rehab Center
• Sargent Choice Nutrition Center
• GSDM’s Dental Clinics at 100 E. Newton and 930 Commonwealth Avenue
• BU Dental Plan
• BU Flexible Benefit Plan
• BU Health Plan

Research by the workforce members of any of these components using patient data from that component likely is subject to HIPAA.

Non-BU sources of PHI for research

This Policy does not attempt to list all non-BU entities that are Covered Entities, but commonly encountered Covered Entities external to BU include:

• Any medical practice belonging to the Boston University Medical Group
• Boston Medical Center
• Health care claims clearing houses
• Most health benefit plans
• Most health care clinics
• Most hospitals
• Other health care providers participating in the BMC Health Network

Covered Entities will require either a patient Authorization or a waiver of Authorization to release their PHI to a BU researcher. However, once released to researchers outside the Covered Entity, the data will be subject to HIPAA only if it is disclosed to another Covered Entity. For example:

• If BMC discloses PHI to a researcher at the BU School of Medicine or School of Public Health, it is Restricted Use Data under BU policy, but is not PHI.
• If a physician’s office releases PHI to researchers at the Danielsen Institute, that research remains PHI because both the physician’s office and the Danielsen Institute are HIPAA Covered Entities.

These sources of data are not covered by HIPAA

BU components not covered by HIPAA

The following BU components have some health information, and may provide clinical services, but have not been designated as HIPAA Covered Components by BU; therefore, BU researchers using data from these sources will not have HIPAA obligations:

• BU Occupational Health Center
• BU Student Health Services (records are protected under FERPA)
• Center for Anxiety Related Disorders (CARD)
• Faculty Staff Assistance Office
• Health information contained in BU employment records
• Health information that may have been PHI, but has been de-identified in accordance with BU’s HIPAA Policy on De-Identification.
• Sargent Academic Speech, Language and Hearing Center
• Sargent Aphasia Resource Center
• Sargent Center for Psychiatric Rehabilitation
• The Framingham Heart Study
• Vocational Therapy Center

Records from these sources when used in research are subject to privacy restrictions found in professional standards and human subjects research standards, but are not subject to HIPAA standards.

Non-BU sources not covered by HIPAA

Other sources of health data external to BU that are not subject to HIPAA include:

• Community research on health issues that relies on health data obtained from consented study subjects, and not from any covered entity
• Research on vital statistics data obtained from a governmental agency;
• Research using data from any other source not covered by HIPAA.
• Research using de-identified PHI from any source. If the data is properly de-identified, it is not PHI and HIPAA will not apply to the research.

Records from these sources used in research are not subject to HIPAA standards but may be subject to other restrictions.

Special Circumstances

Health information of Decedents who have been deceased for at least 50 years

See separate HIPAA policy on research using Decedents’ information. 5.4, 5.5 HIPAA does not protect health information of persons who have been deceased over 50 years because health information of a person deceased for 50+ years is excluded from the definition of PHI.

Limited Data Sets

A Limited Data Set under HIPAA is a data set that does not contain any of the following elements:

• Names;
• Postal address information, other than town or city, state, and zip code;
• Telephone numbers;
• Fax numbers;
• Electronic mail addresses;
• Social security numbers;
• Medical record numbers;
• Health plan beneficiary numbers;
• Account numbers;
• Certificate/license numbers;
• Vehicle identifiers and serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web Universal Resource Locators (URLs);
• Internet Protocol (IP) address numbers;
• Biometric identifiers, including finger and voice prints; and
• Full face photographic images and any comparable images.

If a researcher obtains from a Covered entity/Component only a Limited Data Set, the Covered Entity/Component may release that data pursuant to a Data Use Agreement. Limited Data Sets are PHI, but instead of being subject to HIPAA, their disclosure to the researcher is subject to a Data Use Agreement with the Covered Entity/Component, rather than general HIPAA rules.

• If the research involves clinical care of patients by a BU Covered Component, HIPAA governs.
  • Contrast: If the researcher/provider uses only de-identified data derived from the clinical files, it is not PHI when used for research.
• If the research is performed by the Covered Entity/Component that created the clinical data, it is PHI. Examples:
  • The Danielsen Institute faculty use records of Danielsen patients to compare the efficacy of meditation versus cognitive behavioral therapy; the clinical data remains PHI during the research, unless it is de-identified.
  • The Danielsen Institute faculty use clinical data from the BU Center for Anxiety and Related Disorders (“CARD”), which is not a HIPAA Covered Component. That clinical data is not PHI at CARD and is not PHI when used in research by the Danielsen Institute.
  • A hospital has a research grant involving the use of the same hospital’s clinical data. That clinical data when used by the hospital’s researchers for research purposes remains PHI, until it is de-identified.
  • Sargent Choice Nutrition is collaborating on research with BU Physical Therapy (“BU PT”), both Covered Components. If Sargent Choice Nutrition discloses health information to BU PT, that health information remains PHI after being disclosed to Sargent because both entities are Covered Components.

• An individual’s past, present or future physical or mental health or condition,
• The past, present, or future payment for the provision of health care to anindividual, or,
• The provision of health care to an individual.

Health information that does not identify an individual or that cannot be used to identify an individual is not PHI, but great rigor is required to confirm that no identifier is present in the dataset. For example, a data set of vital signs by themselves do not constitute Protected Health Information. However, if the vital signs data set includes medical record numbers, then the data set has not been successfully deidentified, and must be protected as PHI.

There are some types of health information that are not protected as PHI, even if they clearly identify the individual:

• Information about an individual who has been deceased for more than 50 years: HIPAA does not protect this information.
• Information in BU’s Human Resources records about BU employees
• Information in education records or treatment records covered by FERPA
• Information in treatment records retained solely by units of BU that are not designated as Covered Components

Any researcher who works with Human Subjects must complete the BU specific HIPAA training module, which can be found on the CITI platform under the name “HIPAA in BU Research (CRC).” Researchers must repeat this training every 3 years.

Researchers on the BU medical campus can find their training requirements here.

Activities preparatory to research include reviewing medical records of a Covered Entity or Component to determine whether a sufficient number of patients likely to qualify for the recruitment can be found in those records; reviewing medical records to obtain information useful in designing the research proposal or study; and any other similar activities which are undertaken in anticipation of or preparation for a research study. HIPAA permits access to PHI for these purposes only with patient authorization or with a Waiver granted by the Covered Entity. The HIPAA Contact at each Covered Entity can provide a waiver, if certain conditions are met.

NOTE: The IRBs do not manage Waivers Preparatory to Research.

This may seem like an unnecessary hurdle to researchers, but it is not. HIPAA requires the waiver because HIPAA also requires Covered Entities/Components to track disclosures of all PHI for any purpose other than treatment, payment, health care operations and disclosures pursuant to patient authorization, and to include them in an accounting of disclosures, in the event a patient exercises his/her right to request an accounting.

Written Authorization by Patient following approval by IRB

The Privacy Rule permits a covered entity to include an individual’s PHI in a clinical research recruitment database provided the individual has given permission through a written Authorization. The Authorization must inform the individual of the purpose for which (e.g., for the pre-screening log for one or more clinical trials) and what PHI will be used and meet the other requirements of the Privacy Rule. Contact the CRC IRB if you wish to create a new clinical data repository with patient Authorization.

Creating a clinical data repository when patient Authorization is not feasible

For the IRB to grant a waiver or an alteration of Authorization to create a research database requires, among other things, a statement that an IRB has determined that the researcher has provided adequate written assurances that PHI in the database will not be further used or disclosed except as permitted by the Privacy Rule (e.g., for research uses and disclosures with an Authorization or waiver).

Whenever possible, a researcher creating a clinical data repository should limit the elements captured to a De-identified data or a Limited Data Set.

Study subjects’ right to access their research records during the course of a clinical trial

The Privacy Rule permits the covered entity to insert in the Authorization form a statement by which the subject agrees to the suspension of right to access his/her PHI during the clinical trial until completion of the research.

Recruitment Pursuant to Patient Written Authorization

While written patient Authorization always allows a researcher to contact potential study subjects, that is rarely feasible, as patients will not know about the study until contacted. This option may be available if, in setting up a Data Repository, written Authorization was given (and not revoked) for the purpose of patient recruitment.

Recruitment by Health Care Provider

A health care provider may discuss with his/her patient possible enrollment in clinical research, without first obtaining the patient’s written Authorization. This applies to research studies conducted by either the treating provider or any other provider in the treating provider’s component.

A provider may also discuss with patients of his or her Covered Entity/Component participation in a study that is being conducted by a different Covered Entity. In that case, the provider may discuss participation in a trial with the patient and give the patient the researcher’s contact information so the patient may contact the researcher directly. However, the physician may not disclose the patient’s PHI to the researcher from another Covered Entity/Component unless the patient provides a written Authorization, or unless other conditions that satisfy the Privacy Rule are met.

Partial Waiver of Authorization for Recruitment

Often, the researcher is granted a Partial Waiver of Authorization for recruitment purposes by the IRB. In order to obtain the Partial Waiver, the researcher must assure the IRB of the following:

1. The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
   • An adequate plan to protect the identifiers from improper use and disclosure.
   • An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law.
   • Adequate written assurances that the PHI will not be reused or disclosed except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by the Privacy Rule.
2. The research could not practicably be conducted without the waiver or alteration.
3. The research could not practicably be conducted without access to and use of the PHI.

Note this waiver will apply only to recruitment, i.e., using demographic data from the patient’s PHI in order to contact the patient about the research study. If the patient declines to enroll, the researcher must cease contact with the patient and follow the terms of the Waiver in returning/deleting the patient’s contact information.

• Obtain the individual’s Authorization for the research use or disclosure; this is unusual, but may occur if in setting up a data depository, the researcher knew in advance how the data was going to be used and obtained patient Authorization, on a form approved by the IRB, at the time the information was collected.
• Obtain an IRB Waiver or Alteration of the Authorization requirement.
• Use De-Identified Data
• Use a Limited Data Set, which will be subject to a Data Use Agreement rather than general HIPAA requirements.

Clinical research will not generally qualify for a waiver of the Authorization if a clinical research participant will be asked to sign an informed consent before entering the study. Waiver of Authorization is used primarily in research that involves retrospective data studies.

A “breach” under HIPAA is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the BU Privacy Officer demonstrates that there is a low probability that the protected health information has been compromised.

Security Incidents are possible breaches of electronic PHI. If you become aware of or suspect a possible Security Incident, please contact the BU Incident Response Tean immediately.