A Word About HIPAA
Excerpted from: Fisher, C.B. (2003). Decoding the Ethics Code: A Practical Guide for Psychologists. Thousand Oaks, CA: Sage Publications. www.sagepub.com
In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in response to the rising costs of transmitting health records that lacked standardized formatting across providers, institutions, localities, and states. Recognizing that uniform standards for creating, transmitting, and storing health care records would require additional patient protections, Congress also included in HIPAA standards that give patients greater access to, and control over, their records.
A brief overview of the regulations and the relevant terminology is provided below. Readers can obtain more detailed information about HIPAA from:
» the U.S. Department of Health and Human Services (http://www.hhs.gov/ocr/hipaa/finalreg.html and http://aspe.hhs.gov/admnsimp/)
» the American Psychological Association Insurance Trust (www.apait.org/hipaa)
» or the American Psychological Association Practice Directorate (www.apa.org/practice)
HIPAA standards. HIPAA has three components: (1) Privacy standards for the use and disclosure of individually identifiable health information (Privacy Rule, compliance date April 14, 2003); (2) Transaction standards for the electronic exchange of health information (Transaction Rule, compliance date October 16, 2003); and (3) Security standards to protect the creation, maintenance, and transmission of electronic individually identifiable health information (Security Rule, effective April 21, 2003; compliance date April 21, 2005). These rules seek to protect individually identifiable health information through regulations that:
» Standardize the format of electronically transmitted records related to individually identifiable health information
» Secure the electronic transaction and storage of individually identifiable health information
» Limit the use and release of individually identifiable health information
» Increase patient control over the use and disclosure of private health information
» Increase patients' access to their health records
» Establish legal accountability and penalties for unauthorized use and disclosure of health information and for violations of the transaction and security standards
» Identify public health and welfare needs that permit use and disclosure of individually identifiable health information without patient authorization
To what does HIPAA apply? HIPAA regulations apply to protected health information (PHI), defined as oral, written, typed, or electronic individually identifiable information related to (1) a person's past, present, or future physical or mental health; (2) the provision of health care to the person; or (3) past, present, or future payment for health care. For health information to fall under the definition of PHI, it must be created or received by an employer or by one of the following covered entities: a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with financial or administrative activities related to health care. Educational records covered by the Family Educational Rights and Privacy Act (FERPA), employment records held by a covered entity in its role as an employer, and de-identified records (in which all individually identifiable information has been removed) are not considered PHI.
What do covered entities need to do to comply with HIPAA? Under HIPAA, covered entities must (1) provide patients with information about their privacy rights and how their health information can be used, in a document called a notice of privacy practices; (2) permit patients access to their records and, on request, provide an accounting of disclosures of PHI made to others over the past 6 years; (3) obtain patient authorization for uses and disclosures to others in the manner and for the purposes specified in the regulations; (4) implement clear privacy procedures for the electronic transmission and storage of PHI; (5) designate a privacy officer; (6) implement security procedures that prevent unauthorized access to health records; (7) train employees and ensure that they comply with the privacy, transaction, and security procedures; (8) reasonably ensure that business associates, individual contractors, consultants, collection agencies, third-party payors, and researchers with whom PHI is shared comply with the privacy and transaction rules; and (9) attempt to correct violations by these other entities if they occur, or end the relationship.
Are researchers, industrial-organizational, or consulting psychologists affected by HIPAA? Most researchers or members of their team who, as health care providers, create, use, or disclose PHI as part of a randomized clinical trial or other form of health-relevant intervention research will be treated as covered entities (or as part of a covered entity's workforce). Researchers who are not involved in intervention research, but who plan to use PHI created by a covered entity in their research or consulting services, must provide the covered entity with written assurance that they will comply with HIPAA standards.