Human Research Protection Program

HIPAA FAQs

Q1: What are the identifiers of protected health information under HIPAA?

Under HIPAA, health information that has one or more of the following 18 identifiers associated with the individual is considered protected health information (or PHI):

  1. Names
  2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if, according to the current publicly available data from the Bureau of the Census:
    1. the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
    2. the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  1. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death. Note: for people over 89, all elements of dates (including year) are considered identifiers – information may be aggregated into a single category of age 90 or older;
  2. Telephone numbers
  3. Fax numbers
  4. Electronic mail (email) addresses
  5. Social Security numbers
  6. Medical record numbers
  7. Health plan beneficiary numbers
  8. Account numbers
  9. Certificate/license numbers
  10. Vehicle identifiers and serial numbers, including license plate numbers
  11. Device identifiers and serial numbers
  12. Web Universal Resource Locators (URLs)
  13. Internet Protocol (IP) address numbers
  14. Biometric identifiers, including finger and voice prints
  15. Full face photographic images and any comparable images
  16. Any other unique identifying number, characteristic, or code

Q2: Is there individually identifiable health information that is not covered by HIPAA?

Yes. HIPAA excludes individually identifiable information in employment records that a covered entity maintains in its capacity as an employer.  Education and related records falling under the Family Educational Rights and Privacy Act (FERPA) are also not covered.  In these cases, the IRB follows the requirements of applicable laws regarding these types of records.  See FAQ related to student health records below.
Information that is disclosed or self-reported by research participants (such as in surveys, questionnaires, interviews) during the course of the research and will be kept only in the researcher’s records is not PHI.
HIPAA also excludes individually identifiable health information regarding a person who has been deceased for more than 50 years.

Q3: Does HIPAA apply to student health records at UGA’s Health Center?

No.  Even if the Health Center is a HIPAA Covered Unit, UGA students’ health and medical records at the Health Center are considered “education records” and as such, are covered by FERPA (Family Educational Rights and Privacy Act) not by HIPAA.   As defined by HIPAA, PHI does not include: health or medical records of students used only in connection with the treatment of the student (or treatment records).
“Treatment records” are records on a student which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not shared except for further treatment purposes.

Type of Student Health or Medical Records FERPA HIPAA
Records used only for treatment but not shared (or unshared treatment records) No No
Records used only for treatment but shared ( or shared treatment records) Yes No

For more information on FERPA and HIPAA, see https://www.hhs.gov/hipaa/for-professionals/faq/ferpa-and-hipaa.

Q4: Are the health records of an individual who is both a student and an employee of UGA receiving health care from the University Health Center subject to the privacy provisions of FERPA or those of HIPAA?

The individual’s health records would be considered “education records” protected under FERPA and, thus, excluded from coverage under the HIPAA Privacy Rule.  FERPA defines “education records” as records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution.  While FERPA excludes from this definition certain records relating to employees of the educational institution, to fall within this exclusion, such records must, among other things, relate exclusively to the individual in his or her capacity as an employee, such as records that were created in connection with health services that are available only to employees.  Thus, the health or medical records that are maintained by a university as part of its provision of health care to a student who is also an employee of a university are covered by FERPA and not the HIPAA Privacy Rule.

Q5: What are the HIPAA covered units at UGA?

UGA is a hybrid entity whose activities include both covered and non-covered functions under HIPAA.  The following units at UGA are designated as HIPAA covered units:

  1. The Center for Counseling of the College of Education
  2. The ASPIRE Clinic of the Franklin College of Arts & Sciences  Department
  3. The Medication Access Program of the College of Pharmacy
  4. The Psychology Clinic of the Franklin College of Arts and Sciences
  5. The School Psychology Clinic of the College of Education
  6. The University Health Center
  7. The University of Georgia Speech and Hearing Clinic
  8. The Wellness Clinic of the College of Pharmacy

Q6: What are the criteria to obtain a Waiver or Alteration of HIPAA Authorization Requirements?

The researcher can request a waiver or alteration (i.e., removes some, but not all required elements) of the HIPAA Authorization from the IRB if all of the following criteria have been met:

  1. The research could not practicably be conducted without access to and use of the PHI.
  2. The research could not practicably be conducted without the requested waiver or alteration.
  3. The PHI use or disclosure involves no more than minimal risk to the privacy of individuals based on at least the presence of:

3.1 an adequate plan presented to the IRB to protect PHI identifiers from improper use and disclosure;

3.2 an adequate plan to destroy those identifiers at the earliest opportunity, consistent with the research, absent a health or research justification for retaining the identifiers or if retention is otherwise required by law; and,

3.3 adequate written assurances that the PHI will not be reused or disclosed to any other person or entity except (i) as required by law, (ii) for authorized oversight of the research study, or (iii) for other research for which the use or disclosure of the PHI is permitted by the Privacy Rule.

Q7: What are the criteria for use or disclosure of PHI without Authorization for activities preparatory to research?

A researcher can request IRB approval for use or disclosure of PHI without Authorization for activities preparatory to research (e.g., preparing a research protocol, developing a research hypothesis, or identifying prospective research participants who would meet the eligibility criteria for enrollment into a research study) if all the following criteria have been met:

  1. The use or disclosure is requested solely to review PHI as necessary to develop a research protocol or for similar purposes preparatory to research.
  2. The PHI will not be removed from the covered entity in the course of review.
  3. The PHI for which use or access is requested is necessary for the research.

Q8: What is a limited data set (LDS)?

Authorization from the participant for research use of PHI isn’t required for a limited data set (LDS). A limited data set is described as health information that excludes certain direct identifiers (see below). These direct identifiers apply both to information about the individual and to information about the individual’s relatives, employers, or household members. The following identifiers must be removed from health information if the data are to qualify as a limited data set:

  1. Names;
  2. Postal address information, other than town or city, State, and zip code;
  3. Telephone numbers;
  4. Fax numbers;
  5. Electronic mail addresses;
  6. Social security numbers;
  7. Medical record numbers;
  8. Health plan beneficiary numbers;
  9. Account numbers;
  10. Certificate/license numbers;
  11. Vehicle identifiers and serial numbers, including license plate numbers;
  12. Device identifiers and serial numbers;
  13. Web Universal Resource Locators (URLs);
  14. Internet Protocol (IP) address numbers;
  15. Biometric identifiers, including finger and voice prints; and
  16. Full face photographic images and any comparable images.

Q9: What are the criteria to use or disclose a limited data set (LDS) without an Authorization?

An LDS may be used or disclosed without a patient’s authorization if all the following criteria are met:

  1. The purpose of the use or disclosure may only be for research, public health or health care operations, and,
  2. There must be a data use agreement. For information on Data Use Agreement, see FAQ below.

Q10: What are the requirements for a HIPAA Data Use Agreement?

A Data Use Agreement must:

  1. establish the permitted uses and disclosures of the limited data set;
  2. identify who may use or receive the information;
  3. prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as permitted by law;
  4. require the recipient to use appropriate safeguards to prevent a use or disclosure that is not permitted by the agreement;
  5. require the recipient to report to the covered entity any unauthorized use or disclosure of which it becomes aware;
  6. require the recipient to ensure that any agents (including a subcontractor) to whom it provides the information will agree to the same restrictions as provided in the agreement;
  7. prohibit the recipient from identifying the information or contacting the individuals; and
  8. be approved and signed by a UGA official who has the appropriate delegated signature authority.

Note: The IRB does not approve the data use agreement, but needs to maintain a copy with the study record. Contact the Office of Research Legal Counsel for more information.