HIPAA and Research/Beyond HIPAA | Compliance and Privacy Services | UC Davis Health

HIPAA and Research/Beyond HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules address how protected health information (PHI) can be accessed and utilized for research purposes.  

Note: Microlearning videos on topics covered on this web page are available here: Research Privacy Education Center - UC Davis Clinical Research Guidebook - Confluence

Access to certain links may require logging into the UC Davis Health Intranet or Electronic Policy Management System. For more information, please contact us.

The HIPAA Privacy and Security Rules apply to covered entities. As a health care provider, UC Davis Health is a covered entity and must comply with HIPAA.

Under HIPAA, covered entity means:

  1. A health plan.
  2. A health care clearinghouse.
  3. A health care provider who transmits any health information in electronic form.

HIPAA includes a provision for a covered entity which also engages in activities that are not subject to HIPAA to declare itself a hybrid covered entity by defining the activities that occur within the covered entity and those that occur external to the covered entity.

The UC Board of Regents designated the University of California as a HIPAA hybrid covered entity, declaring that the conduct of research is not a HIPAA-covered function.

As a result, research health information that is not associated with a health care service in a UC Davis Health patient care area is not subject to the HIPAA Privacy and Security Rules. More specifically, health-related information generated during the conduct of research outside of patient care areas or in a dedicated research space is not subject to HIPAA.

UC Davis Health further distinguishes this concept in Policy 2382, Research Subjects Patient Registration, Healthcare Information Collection, Sharing and Maintenance.

Other state and federal laws similarly govern privacy, confidentiality, and security of personal health information obtained in research. For more details, please refer to the "Beyond HIPAA: Privacy and Security for Researchers" section below.

As established at UC, a researcher’s access to or use of protected health information (PHI) solely for a research purpose is a disclosure external to the covered entity. Workforce members must consider why they are accessing protected health information before the access occurs to ensure an appropriate business need. The examples below illustrate considerations for researchers.

Examples:

  1. A researcher, also a member of the care team, accesses PHI for purposes of providing health care in a patient care area as required for a clinical trial.
  2. A researcher accesses PHI to abstract data from a patient’s medical record to complete case report forms for a clinical trial or other research project.
    • The access is for the purpose of research, a disclosure external to the covered entity.
    • The access may occur only after the researcher obtains study-specific written permission.

UC Davis Health, as a covered entity, creates and maintains patient information which meets HIPAA’s definition of PHI. 

Health Information

HIPAA defines Health Information as information related to an individual's past, present, or future:

  • Physical health, mental health, or condition,
  • Provision of health care, including the individual’s relationship to UC Davis Health as a patient, or
  • Claims and payment information for the provision of health care.

HIPAA Definition of PHI

  1. Protected health information means individually identifiable health information held by UC Davis Health as a health care provider:
    • Transmitted by electronic media;
    • Maintained in electronic media; or
    • Transmitted or maintained in any other form or medium.
  2. Protected health information excludes individually identifiable health information found in:

Note: as a hybrid covered entity, UC research health information that is not associated with a health care service in a UC patient care area is not PHI and is not protected by HIPAA.

Individually Identifiable Information

HIPAA defines 18 Identifiers which, when combined with health information held by a covered entity, result in individually identifiable health information, or PHI.

Most Recognized

1. Names

2. Medical Record Numbers

3. Dates: All elements of dates related to an individual.

  • Includes: date of birth, date of death, health care admission and discharge dates (i.e. dates of service) and all ages over 89.
  • Excludes: ages or birth year for ages over 89 aggregated to a single category of age 90 or over.

4. Social Security Numbers

5. Telephone Numbers

6. Addresses: Geographic subdivisions smaller than a state.

  • Includes: street address, city, county, precinct, 5-digit zip code, and equivalent geocodes.
  • Excludes: Initial three digits of a zip code which encompasses a population greater than 20,000 people based on Bureau of Census data.
  • Excludes: Initial three digits of a zip code changed to 000 for population of 20,000 or less.

Numbers

7. Account Numbers

8. Health Plan Beneficiary Numbers

9. Certificate/License Numbers

10. Device Identifiers & Serial Numbers

11. Vehicle Identifiers & Serial Numbers, including license plate numbers

12. Fax Numbers

Technology

13. Web Universal Resource Locators (URLs)

14. Electronic Mail Addresses

15. Internet Protocol (IP) Addresses

Characteristic of People

16. Biometric Identifiers, including finger and voice prints

17. Full Face Photographic Images & any Comparable Images

Other

18. Any other Unique Identifying Number, Characteristic, or Code:

  • Includes: codes with elements derived from information about the individual, including those derived from any of the 18 HIPAA identifiers, such as the patient’s initials (alone or combined with a random number, for instance).
  • Includes: unique characteristics, to include unique health condition(s) or unique combinations of health data element(s). To address health data as a unique characteristic, UC Davis Policy 320-40, Data Administration Policy, establishes standards for data sets which include small cell sizes of fewer than 10 individuals.

HIPAA holds no restrictions on the use or disclosure of de-identified health information which neither identifies nor provides a reasonable basis to identify an individual. Therefore, fully de-identified health information may be disclosed to a researcher without patient authorization or a waiver of authorization issued by an IRB.

Note: Other laws and UC or UC Davis Health policies set standards for confidentiality and security of research data, including de-identified patient information. For more details, please refer to the "Beyond HIPAA: Privacy and Security for Researchers" section below.

HIPAA allows two methods of de-identification of health information:

Expert Determination:

  • Performed by an individual extensively trained and experienced in statistical or other scientific methods of data de-identification, and
  • Very small risk the recipient could identify an individual; or

Safe Harbor:

  • Removal of all 18 HIPAA Identifiers of the individual, the individual’s relatives, household members, and employers, and
  • The covered entity (i.e. the UC Davis Health workforce) has no actual knowledge that the remaining information could be used to identify the individual.

For more information: Methods for De-identification of PHI | HHS.gov and 45 CFR 164.514 – De-identification

Once de-identified, the health data is no longer PHI. However, any information in the data set that is re-identified meets the definition of PHI and is, again, protected by HIPAA. For more information, please refer to the UC Davis IRB webpage:

De-identification poses challenges. Expert Determination can be cost-prohibitive, and the Safe Harbor method may limit the usefulness of the data. Given these limitations, the use of PHI may be necessary to perform the research as designed.

HIPAA provides for use of a code to permit the covered entity to re-identify the de-identified data. A code is typically maintained when de-identified health data will be provisioned in batches. Disclosure of a re-identification code or other re-identification method is a disclosure of PHI.

Standards for a re-identification code

The re-identification code cannot be derived from or related to information about the individual and cannot be translated to identify the individual.

Examples of permitted codes:

  • Random codes assigned sequentially.
  • Sequential codes assigned randomly.

Examples of codes not permitted:

  • Subject’s initials alone or combined with a random code.
  • Digits of a patient’s medical record number.

Definitions for Provision of De-identified Health Data

De-identified: The covered entity assigns a re-identification code and maintains a re-identification key to support provision of subsequent batches of de-identified data.

Anonymized: The covered entity does not assign a re-identification code for the provisioned de-identified data; typically for a one-time data extraction.
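The Safe Harbor identifier rules above (dates reduced to year, ages over 89 collapsed to 90 or over, ZIP codes cut to three digits or 000) and the standards for a re-identification code are easiest to see applied to a record. The following Python is an added example written for this page, not UC Davis Health's or HHS's tooling. The set of small-population ZIP3 prefixes, the 8-character code format, the "three consecutive MRN digits" heuristic in `is_permitted_code`, and the sample subjects are all constructed assumptions.

```python
"""Safe Harbor generalisation and re-identification codes (constructed example)."""
import re
import secrets
from datetime import date
from typing import Optional

# Assumption: ZIP3 prefixes whose area holds 20,000 people or fewer according
# to Census data. The real set comes from Bureau of the Census tables; these
# three values are placeholders for the example.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}
# Assumption: codes are drawn from this alphabet (no 0/O and 1/I lookalikes).
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def generalize_age(age: int) -> str:
    """All ages over 89 collapse into the single category '90+'."""
    if age < 0:
        raise ValueError("age must be non-negative")
    return "90+" if age > 89 else str(age)


def generalize_zip(zip5: str) -> str:
    """Keep the initial three digits, or 000 when that area holds 20,000 or fewer."""
    if not re.fullmatch(r"\d{5}", zip5):
        raise ValueError("expected a 5-digit ZIP code")
    prefix = zip5[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix


def generalize_birth_date(dob: date, age: int) -> Optional[str]:
    """Safe Harbor keeps only the year of a date; for subjects over 89 even the
    birth year is dropped, since it would single them out within the 90+ bucket."""
    return None if age > 89 else str(dob.year)


def initials_of(name: str) -> str:
    """Initials are one of the derivations the page lists as not permitted."""
    return "".join(part[0] for part in name.split()).upper()


def is_permitted_code(code: str, initials: str, mrn: str) -> bool:
    """A code may not be derived from the subject's initials or MRN digits.
    Heuristic (assumption): any run of three consecutive MRN digits appearing
    in the code is treated as 'digits of the medical record number'."""
    if initials and initials.upper() in code.upper():
        return False
    digits = "".join(ch for ch in mrn if ch.isdigit())
    return not any(digits[i:i + 3] in code for i in range(len(digits) - 2))


def build_reidentification_key(subjects, rng=None) -> dict:
    """Random codes assigned sequentially: walk the subjects in order and give
    each a fresh random code. The MRN -> code map returned is the
    re-identification key; the covered entity keeps it and never ships it
    with the de-identified batch."""
    rng = rng or secrets.SystemRandom()
    key, used = {}, set()
    for subj in subjects:
        while True:
            code = "".join(rng.choice(CODE_ALPHABET) for _ in range(8))
            if code not in used and is_permitted_code(
                code, initials_of(subj["name"]), subj["mrn"]
            ):
                break
        used.add(code)
        key[subj["mrn"]] = code
    return key


def deidentify(subjects, key) -> list:
    """Emit one Safe Harbor record per subject: the code stands in for the MRN
    and name, and the date, age and ZIP fields are generalised."""
    return [
        {
            "code": key[s["mrn"]],
            "birth_year": generalize_birth_date(s["dob"], s["age"]),
            "age": generalize_age(s["age"]),
            "zip3": generalize_zip(s["zip"]),
            "diagnosis": s["diagnosis"],
        }
        for s in subjects
    ]


# Constructed sample subjects; not real patients or real MRNs.
SAMPLE_SUBJECTS = [
    {"mrn": "1234567", "name": "Jane Smith", "dob": date(1980, 5, 2),
     "age": 44, "zip": "95817", "diagnosis": "E11.9"},
    {"mrn": "7654321", "name": "Ann Lee", "dob": date(1931, 1, 9),
     "age": 93, "zip": "03601", "diagnosis": "I10"},
]

if __name__ == "__main__":
    key = build_reidentification_key(SAMPLE_SUBJECTS)
    for row in deidentify(SAMPLE_SUBJECTS, key):
        print(row)
```

The second sample subject shows the edge case the page calls out: at age 93 the record carries `"90+"` and no birth year, and the 036 ZIP prefix (a placeholder small-population area) becomes `000`. The key dictionary is the only path back to the MRN, which is why disclosing it is itself a disclosure of PHI.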

HIPAA provides that PHI may be used for research with prior study-specific written approval as follows: 

  • With a HIPAA authorization signed by the participant or their legal representative; 
  • With a waiver of authorization from an IRB; 
  • With a limited data set and a data use agreement; 
  • For preparatory to research purposes approved by Compliance; or 
  • For research on decedent data approved by Compliance. 

Note: a permission described above is not required for a researcher to obtain de-identified health information.

A HIPAA authorization form signed by the research participant, or their legally authorized representative, is required when the IRB-approved research plan requires access to and use of PHI and an IRB has not issued a waiver of authorization for the access.

The UC Davis Health HIPAA Authorization Form, available in English and translated languages, can be downloaded from the UC Davis IRB Forms webpage.

UC Davis IRB Forms

A microlearning video series designed to aid researchers in preparing, presenting, and obtaining signatures on the HIPAA authorization form is available at the link below.

Research Privacy Education Center - UC Davis Clinical Research Guidebook - Confluence 

HIPAA establishes criteria under which an IRB may waive the requirement for signed authorization. When the criteria are met, the IRB of record or the local Reliance IRB may issue a partial or full waiver of authorization (Waiver) for the research when requested by the researchers.

  • Partial Waiver: a partial Waiver allows researchers to access PHI without the patient’s signed authorization for a defined subset of study activities. Signed HIPAA authorization is required for access to PHI for components of the research outside the scope of the partial Waiver.
  • Full Waiver: a full Waiver allows the researchers to access PHI without the patient’s signed authorization for all study activities. Signed HIPAA authorization is not required for a study for which a full Waiver has been issued.

Researchers who access PHI under the permission of a Waiver must complete Accounting of Disclosure. See separate section below.

HIPAA allows a covered entity to disclose a limited data set (LDS) for purposes of research, public health, or health care operations if the covered entity enters into a data use agreement (DUA) with the limited data set recipient. The UC Davis Office of Research is delegated the authority to sign data use agreements on behalf of the covered entity.

Transfer Research Material or Data - Office of Research (ucdavis.edu)

The DUA must stipulate:

  • Who is permitted to receive and use the LDS; and
  • Contractual terms to ensure the LDS recipient will:
    • Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;
    • Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;
    • Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware;
    • Ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
    • Not identify the information or contact the individuals.

Identifiers allowed with a LDS:

  • Town or city, State, and zip code; and
  • Dates related to the individual.

Note: all remaining HIPAA identifiers must be excluded.

A HIPAA-covered entity such as UC Davis Health may allow researchers to review PHI without written authorization for preparatory to research purposes (e.g., to develop a protocol or study budget, to determine the feasibility of a research study). To gain access to PHI under this provision, the researcher must complete an application and certify that:

  • The review of PHI is solely to prepare a research protocol or for similar purposes preparatory to research;
  • The PHI to be reviewed is necessary for the research purpose;
  • No PHI will be removed or retained by the researcher; and
  • Potential research subjects will not be contacted as part of the preparatory to research process.

Information excluded from this provision:

  • HIV test results;
  • Psychotherapy notes; and
  • Care related to inpatient admission for an acute mental health condition.

Preparatory to Research Application form

Note: researchers who receive a Preparatory to Research approval from the Privacy Officer may access PHI as described in the approval notification.

The HIPAA Privacy Rule protects individually identifiable health information about a decedent for 50 years following the individual’s date of death. UC Davis Health may disclose PHI for research on the PHI of decedents, if the researcher provides that: 

  • Access to PHI is solely for research on the PHI of decedents; 
  • The PHI for which use or access is sought is necessary for the research purpose; and 
  • Only PHI of Decedents, not of living persons, will be accessed and used. 

The researcher should be prepared to provide documentation of the death of the individuals whose PHI will be used for the research.  

Information excluded from this provision: 

  • HIV test results; 
  • Psychotherapy notes; and 
  • Records related to inpatient admission for an acute mental health condition. 

A researcher seeking to access PHI for decedent research must first obtain approval from the Privacy Officer.

Research on PHI of Decedents Application form

The Privacy Rule requires covered entities such as UC Davis Health to record the access to or use of patient information without a patient’s authorization in certain situations. See Policy 2446, Tracking Disclosures of Protected Health Information. Specific to research, an accounting must be made by the researcher when patient information is accessed under:

  • A waiver of authorization issued by an IRB,
  • A Preparatory to Research approval issued by the Privacy Officer, or
  • A Decedent Research approval issued by the Privacy Officer.

There are two tools for completing Accounting for Disclosure:

  • Disclosure Tracking Database (accessible from the Health Information Management (HIM) intranet webpage under HIM Tools); or
  • Quick Disclosure Activity located in the patient’s electronic medical record.

Resources:

Accounting for Access with a Waiver or Exception: Accounting of Disclosure - UC Davis Clinical Research Guidebook - Confluence

Quick Disclosure and Screen Patient (ucdavis.edu)

The HIPAA Security Rule covers electronic protected health information (ePHI) that a covered entity such as UC Davis Health, or a business associate, creates, receives, maintains, or transmits. The Security Rule requires administrative, physical, and technical safeguards to protect ePHI.

See HIPAA Security Program for additional information:

UCDMC HIPAA Security Home Page (ucdavis.edu)

Additional resources:

Summary of the HIPAA Privacy Rule (hhs.gov) (PDF)

HIPAA Privacy Compliance | UCOP

HIPAA Security Compliance | UCOP

University of California Office of the President (UCOP), UC Davis Health policies, and State and Federal law require all members of the UC Davis Health workforce to secure Protected Health Information (PHI) and Personally Identifiable Information (PII). PHI or PII held without proper safeguards puts UC Davis Health at risk, and puts personnel, patients, and research subjects personally at risk. Proper safeguards are also necessary to protect the security and integrity of research data. This section addresses these concerns and provides references to resources that aid researchers in applying appropriate safeguards.

UC Statement of Privacy Values and Principles (ucop.edu) (PDF)

Privacy policies and references | UCOP

UC Davis Health Policy Standards for Data Security as Applicable to Research

Data security standards and the definitions of PHI and PII are described in Policy 1333, HIPAA and PI Data Integrity.

UC Research Data Policy

UC issued the Research Data Policy in 2022, clarifying UC ownership of Research Data generated or collected in the course of University Research.

Resources:

Frequently Asked Questions about UC's Research Data Policy | UCOP

Research Data Guidance - UC Davis Office of Research