Under HIPAA, health information that has one or more of the following 18 identifiers associated with the individual is considered protected health information (or PHI):
- All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if, according to the current publicly available data from the Bureau of the Census:
- the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
- the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
- Telephone numbers
- Fax numbers
- Electronic mail (email) addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
Yes. HIPAA excludes individually identifiable information in employment records that a covered entity maintains in its capacity as an employer. Education and related records falling under the Family Educational Rights and Privacy Act (FERPA) are also not covered. In these cases, the IRB follows the requirements of applicable laws regarding these types of records. See FAQ related to educational records below.
Information that is disclosed or self-reported by research participants (such as in surveys, questionnaires, interviews) during the course of the research and will be kept only in the researcher’s records is not PHI.
HIPAA also excludes individually identifiable health information regarding a person who has been deceased for more than 50 years.
No. Even if the Health Center is a HIPAA Covered Unit, UGA students’ health and medical records at the Health Center are considered “education records” and as such, are covered by FERPA (Family Educational Rights and Privacy Act) not by HIPAA. As defined by HIPAA, PHI does not include: (1) education records covered by FERPA, and (2) health or medical records of students used only in connection with the treatment of the student (or treatment records).
The term “education records” is defined under FERPA to mean those records that are: (1) directly related to a student; and (2) are maintained by an educational agency or institution or by a party acting for such agency or institution. FERPA also excludes from the definition of “education records” a subset of records called “treatment records.”
“Treatment records” are records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice.
|Type of Student Health or Medical Records||FERPA||HIPAA|
|Records used only for treatment but not shared (or unshared treatment records)||No||No|
|Records used only for treatment but shared ( or shared treatment records)||Yes||No|
For more information on FERPA and HIPAA, see http://www.hhs.gov/hipaa/for-professionals/faq/ferpa-and-hipaa.
The individual’s health records would be considered “education records” protected under FERPA and, thus, excluded from coverage under the HIPAA Privacy Rule. FERPA defines “education records” as records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution. While FERPA excludes from this definition certain records relating to employees of the educational institution, to fall within this exclusion, such records must, among other things, relate exclusively to the individual in his or her capacity as an employee, such as records that were created in connection with health services that are available only to employees. Thus, the health or medical records that are maintained by a university as part of its provision of health care to a student who is also an employee of a university are covered by FERPA and not the HIPAA Privacy Rule.
UGA is a hybrid entity whose activities include both covered and non-covered functions under HIPAA. The following units at UGA are designated as HIPAA covered units:
- The Center for Counseling of the College of Education
- The Employee Benefits Division of the Human Resources Department
- The Medication Access Program of the College of Pharmacy
- The Psychology Clinic of the Franklin College of Arts and Sciences
- The School Psychology Clinic of the College of Education
- The University Health Center
- The University of Georgia Speech and Hearing Clinic
- The Wellness Clinic of the College of Pharmacy
The researcher can request a waiver or alteration (i.e., removes some, but not all required elements) of the HIPAA Authorization from the IRB if all of the following criteria have been met:
- The research could not practicably be conducted without access to and use of the PHI.
- The research could not practicably be conducted without the requested waiver or alteration.
- The PHI use or disclosure involves no more than minimal risk to the privacy of individuals based on at least the presence of:
3.1 an adequate plan presented to the IRB to protect PHI identifiers from improper use and disclosure;
3.2 an adequate plan to destroy those identifiers at the earliest opportunity, consistent with the research, absent a health or research justification for retaining the identifiers or if retention is otherwise required by law; and,
3.3 adequate written assurances that the PHI will not be reused or disclosed to any other person or entity except (i) as required by law, (ii) for authorized oversight of the research study, or (iii) for other research for which the use or disclosure of the PHI is permitted by the Privacy Rule.
A researcher can request IRB approval for use or disclosure of PHI without Authorization for activities preparatory to research (e.g., preparing a research protocol, developing a research hypothesis, or identifying prospective research participants who would meet the eligibility criteria for enrollment into a research study) if all the following criteria have been met:
- The use or disclosure is requested solely to review PHI as necessary to develop a research protocol or for similar purposes preparatory to research.
- The PHI will not be removed from the covered entity in the course of review.
- The PHI for which use or access is requested is necessary for the research.
A limited data set is described as health information that excludes certain direct identifiers (see below); it may include: city; state; ZIP Code; elements of date; and other numbers, characteristics, or codes not listed as direct identifiers. These direct identifiers apply both to information about the individual and to information about the individual’s relatives, employers, or household members. The following identifiers must be removed from health information if the data are to qualify as a limited data set:
- Postal address information, other than town or city, State, and zip code;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints; and
- Full face photographic images and any comparable images.
An LDS may be used or disclosed without a patient’s authorization if all the following criteria are met:
- The purpose of the use or disclosure may only be for research, public health or health care operations, and,
- There must be a data use agreement. For information on Data Use Agreement, see FAQ below.
A Data Use Agreement must:
- establish the permitted uses and disclosures of the limited data set;
- identify who may use or receive the information;
- prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as permitted by law;
- require the recipient to use appropriate safeguards to prevent a use or disclosure that is not permitted by the agreement;
- require the recipient to report to the covered entity any unauthorized use or disclosure of which it becomes aware;
- require the recipient to ensure that any agents (including a subcontractor) to whom it provides the information will agree to the same restrictions as provided in the agreement;
- prohibit the recipient from identifying the information or contacting the individuals; and
- be approved and signed by a UGA official who has the appropriate delegated signature authority.
Note: The IRB does not approve the data use agreement, but needs to maintain a copy with the study record.