Overview – Privacy Board
A Privacy Board is a review body that may be established to act upon requests for a waiver or an alteration of the Authorization requirement under the Privacy Rule for uses and disclosures of PHI for a particular research study. A Privacy Board may waive or alter all or part of the Authorization requirements for a specified research project or protocol. A covered entity may use and disclose PHI, without an Authorization, or with an altered Authorization, if it receives the proper documentation of approval of such alteration or waiver from a Privacy Board.
For research, the Privacy Rule permits covered entities to use and disclose PHI for research conducted:
- with individual authorization, or
- without individual authorization under limited circumstances;
- De-identify PHI.
- Limited Data Set with Data Use Agreement.
- Privacy Board waiver of Authorization requirement.
- Activity preparatory to research.
- Research is on decedents’ information.
- Research qualifies for the Transition Provisions.
|Current Members||Type of Membership|
|Deborah O’Connor||Director of Campus Compliance / Privacy Officer
|Thomas Conley||Information Security Officer|
|Stephanie Hanenberg RN, MSN, FNP-C||Executive Director of Health Services|
School of Public Affairs
|Grant Clayton||Assistant Professor
Curriculum and Instruction
|Paula Moyer, PharmD||Retired (non-affiliated)|
|Catie Bertrand||Compliance Paralegal
Cordant Health Solutions (non-affiliated)
|Tuesday June 20, 2017|
|Tuesday July 25, 2017|
|Tuesday August 29, 2017|
|Tuesday September 26, 2017|
|Tuesday October 31, 2017|
|Tuesday November 28, 2017|
|Tuesday December 19, 2017|
|Tuesday January 30, 2018|
|Tuesday February 27, 2018|
|Tuesday March 20, 2018|
|Tuesday April 24, 2018|
- Revoke their Research Authorization
- Accounting of Disclosures
- Give permission to allow certain uses and disclosures such as for research purposes
- File a Complaint
Standard Operating Procedures (PDF):
Privacy Board Standard Operating Procedures
Activities Preparatory to Research- Request for Waiver of Authorization
Principal Investigator Certification
Request for Waiver of Elements of Authorization or an Altered Authorization
Required Representations for Research on Decedent’s Information
Overview of Privacy and Research
Privacy Board Process
UCCS Privacy Officer
UCCS Security Officer
Frequently Asked Questions Related to Privacy and Research:
***Disclaimer*** These FAQs do not apply to the Student Health Center, as it is not considered a covered entity.
The Health Insurance Portability and Accountability Act (HIPAA) came into effect on April 14, 2003, the Privacy Rule protects the privacy of certain individually identifiable health information by establishing conditions for its use and disclosure by health plans, health care clearinghouses, and certain health care providers. It is designed to improve the efficiency and effectiveness of the health care system and requires many things, including the standardization of electronic patient health, administrative and financial data. In response to the original HIPAA law, Health and Human Services (HHS) published an additional regulation referred to as the Privacy Rule that relates directly to organizations involved in health care operations that transmit health information electronically.
The HIPAA Privacy Rule:
• Establishes conditions under which PHI can be used within a Covered Entity and disclosed to others outside that entity;
• Grants individuals certain rights regarding their PHI;
• Requires that Covered Entities maintain the privacy and security of PHI.
HIPAA also establishes security and privacy standards for the use and disclosure of “protected health information” (PHI).
A covered entity is (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider (e.g., group practice, solo practitioner) that transmits any health information in electronic form in connection with health care transactions and (4) their business associates. The Privacy Rule allows covered entities to designate themselves as “hybrid entities” with selected parts subject to the requirements of the Privacy and Security Rules. University of Colorado is a covered entity that has chosen hybrid status. Therefore certain areas of the University have to comply directly with HIPAA. The UCCS HealthCircle Clinics are considered to be covered parts or covered healthcare components of the UCCS covered entity.
UCCS is a hybrid covered entity meaning that parts of it are covered by HIPAA and other parts are not. Much of the research conducted at the HealthCircle Clinics involves Protected Health Information (PHI). UCCS researchers using PHI as part of their research must comply with HIPAA. If the source of your research data is a covered entity, the data are considered PHI.
The HIPAA Privacy Rule affects research and researchers when either:
1. Research creates or generates PHI, or
2. Research requires access to and/or use of PHI.
The Privacy Rule applies to the following types of research activities when they involve PHI:
1. Research using or creating PHI about living individuals
2. Retrospective medical chart reviews
3. Existing biological samples
4. Activities preparatory to research
5. Research on decedents
7. Research using a limited data set
8. Collection of PHI of secondary subjects
No, the Privacy Rule permits only the minimum necessary information (minimum necessary standard) to be accessed under a waiver of authorization for research. You will have to list and justify what identifiable health information you need.
The HIPAA Privacy Rule states the Minimum Necessary Standard applies when using or disclosing protected health information (PHI), or when requesting PHI from others, a covered entity must take reasonable steps to limit uses and disclosures of PHI to “the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
The minimum necessary standard applies to all uses and disclosures for the purposes of payment, health care operations and research (it does not apply to treatment). Even if accessing PHI for research purposes pursuant to an authorization, the researcher must limit the amount of information requested in the authorization to the minimum necessary.
Under the HITECH Act it is further explains, if a covered entity does not comply with the minimum necessary standard it could be considered a Breach.
Health-related information is considered PHI if any of the following are true:
1. the researcher obtains the records directly from a health plan, health care clearing house, or health care provider;
2. the records were created by any of the entities (aka Covered Entities) in “1” and the researcher obtains the records from an intermediate source; OR
3. the researcher obtains it directly from the study subject in the course of providing treatment to the subject.
Reviews preparatory to research do not require subject authorization or a waiver of authorization. Covered entities may allow a researcher access to PHI without an individual’s authorization, a waiver of authorization, or a data use agreement and the activity does not require accounting of the disclosure. However, the covered entity must obtain from researcher representations that:
1. the use or disclosure is requested solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research,
2. the PHI will not be removed from the covered entity in the course of review, and
3. the PHI for which use or access is requested is necessary for the research.
A covered entity can use and disclose PHI for Treatment, Payment and Health care Operations (TPO).
•Treatment generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
•Payment encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. In addition to the general definition, the Privacy Rule provides examples of common payment activities which include, but are not limited to:
- -Determining eligibility or coverage under a plan and adjudicating claims;
-Billing and collection activities;
-Reviewing health care services for medical necessity, coverage, justification of charges, and the like;
-Utilization review activities; and
-Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).
•Health care operations are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities, which are limited to the activities listed in the definition of “health care operations” at 45 CFR 164.501, include:
- -Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination;
-Reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities;
-Underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims
-Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs;
-Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and
-Business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity. General Provisions at 45 CFR 164.506.
HIPAA does not consider Research part of health care operations and has created special rules for using PHI for research purposes.
The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. See 45 CFR 164.530(c). This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use. See 45 CFR 164.310(d)(2)(i) and (ii). Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.
Further, covered entities must ensure that their workforce members receive training on and follow the disposal policies and procedures of the covered entity, as necessary and appropriate for each workforce member. See 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i). Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers. See 45 CFR 160.103 (definition of “workforce”).
Thus, covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.
In general, examples of proper disposal methods may include, but are not limited to:
• For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
• Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
• For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
For more information on proper disposal of electronic PHI, see the HHS HIPAA Security Series 3: Security Standards – Physical Safeguards. In addition, for practical information on how to handle sanitization of PHI throughout the information life cycle, readers may consult NIST SP 800-88, Guidelines for Media Sanitization.
Other methods of disposal also may be appropriate, depending on the circumstances. Covered entities are encouraged to consider the steps that other prudent health care and health information professionals are taking to protect patient privacy in connection with record disposal. In addition, if a covered entity is winding up a business, the covered entity may wish to consider giving patients the opportunity to pick up their records prior to any disposition by the covered entity (and note that many states may impose requirements on covered entities to retain and make available for a limited time, as appropriate, medical records after dissolution of a business).
For questions please contact:
UCCS Privacy Officer
UCCS Security Officer
HIPAA does allow PHI to be used for research purposes under the following circumstances:
Covered Entities may only use and disclose PHI for research purposes, even if they are their own patients:
1. with an Individual’s Authorization;
2. without an individual’s authorization under limited circumstances such as a waiver of authorization approved by a Privacy Board; or
3. if an exception applies
- a. Patient (Participant) authorization (Similar to current informed consent requirement)
b. Includes additional elements and statements pertaining specifically to data privacy
c. Can be combined with informed consent process
d. UCCS Privacy Board will provide a template for use in designing a valid authorization
e. For current research, if participant consent was obtained prior to April 14, 2003, research on PHI may continue without authorization.
4. Waiver of authorization by the Privacy Board
- a. Waivers may be approved when research cannot feasibly be conducted on de-identified data or authorization cannot practically be obtained from research participants
b. Researcher must have a plan for protecting the identifiers from improper use and disclosure;
c. Researcher must have a plan to destroy the identifiers at the earliest opportunity;
d. Researcher must provide written assurances that the identifiable health information will not be re-used or disclosed to any other person or entity, except as required by law, for authorized oversight of the project or for other permitted research purposes
e. Must demonstrate that disclosure of PHI will involve no more than minimal risk to the privacy of the individuals
f. Must demonstrate adequate plans to protect the data from improper use and disclosure
5. Review preparatory to research
- a. For the purpose of study design and protocol development
b. Review must be essential for conduct of research
c. No PHI may be removed from the covered entity providing the data
6. De-identification is the removal of personally identifying information in order to protect an individual’s privacy. Data are considered de-identified if:
- a. Safe Harbor method;
b. Exclude all eighteen (18) HIPAA identifiers, or
c. Expert Determination method; data are statistically de-identified.
(See “What is de-identified data?”) De-identified data is not the same as “anonymous data” under the Common Rule.
7. Limited data set and data use agreement (See “What is a limited data set?”)
- a. Requires fewer identifiers be removed than de-identified data
b. Allows use of dates and ages, diagnoses, and other unique identifiers not mentioned above, except those that could easily be used to identify the individual
c. Must be used in conjunction with a Data Use Agreement (DUA), a document intended to assure the data provider that the data will only be used or disclosed for limited purposes as specified in the research protocol
d. There are no exceptions to the requirement of a DUA, but if the researcher is part of the covered entity a document such as confidentiality agreement will suffice. The document must still include the required elements.
e. Data use agreements may be obtained by contacting the Compliance Office at 719-255-3837
8. Research on decedents’ information is allowed by the Privacy Rule under certain circumstances. The Researcher must represent:
- a. Uses or disclosure are solely for research on decedents
b. PHI is necessary for research or the research could not practicably be done without PHI
c. Individuals are deceased (the researcher may have to provide documentation)
De-identified data are not subject to the requirements of the Privacy and Security Rules because the data are not individually identifiable and not considered PHI.
There are two ways to de-identify data:
- 1. Safe Harbor Method – in which all of the following 18 elements are removed from a data set:
- a. Names
b. Geographic info (including city and ZIP)
c. Elements of dates (except year), ages over 89 years
d. Telephone #s
e. Fax #s
f. E-mail address
g. Social Security #
h. Medical record, prescription #s
i. Health plan beneficiary #s
j. Account #s
k. Certificate/license #s
l. VIN and Serial #s, license plate #s
m. Device identifiers, serial #s
n. Web URLs
o. IP address #s
p. Biometric identifiers (finger prints)
q. Full face, comparable photo images
r. Unique identifying #s
If all of the 18 identifiers listed above are removed, the information is no longer
• individually identifiable,
• PHI, and
• Subject to HIPAA’s requirements.
2. Statistical Method – in which certification is provided by “a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable so that there is a ‘very small’ risk that the information could be used by the recipient to identify the individual who is the subject of the information, alone or in combination with other reasonably available information.” For more information see HHS Guidance for De-identification of Protected Health Information.
A data set may also be considered de-identified if an expert in statistical and scientific methods determines and documents that the methods used to de-identify or code the data present a very small risk that the information can be used alone or in combination with other reasonably available information to identify an individual.
“Anonymous” data are not necessarily considered de-identified under HIPAA. Anonymity under the federal Common Rule requires that individuals cannot be readily ascertained by the investigator and cannot be associated with the data. According to the Common Rule standard, anonymous data may retain dates of treatment. Under HIPAA’s more stringent requirements, however, such data would be considered identifiable data.
Some studies may need to retain a limited number of identifiers and, thus, not meet the strict HIPAA definition of “de-identified data.” However, these studies may present only minimal potential for identifying participants based on the data set. In such circumstances, HIPAA permits use of a “Limited Data Set” for research purposes. A Limited Data Set is PHI that excludes “direct identifiers” of the individual, relatives of the individual, employers, or household members.
- A limited data set must exclude all direct identifiers such as:
- 1. Names
2. Street Addresses or P.O. Box Numbers
3. Phone and Fax Numbers
4. Email Addresses
5. Social Security Numbers
6. Medical Record Numbers
7. Health Plan Numbers
8. Account Numbers
9. Certificate/Licenses Numbers
10. Vehicle Identifiers/License Plates
11. Device Identifiers
12. Web URLS
13. Internet Protocols (IP)
14. Full Face Photos
- A limited data set may include one or more of the following:
- 1. Towns
4. Zip Code and their equivalent geocodes. (Note that a zip code cannot be used if the area composing the zip code has less than 20,000 citizens.)
5. Dates including birth and death
6. Other unique identifying numbers, characteristics, or codes that are not expressly excluded as long as the unique identifier(s) cannot be used to identify a specific individual. (e.g. the four time NFL MVP would be a unique identifier that identifies only one individual, so could not be used)
7. Relevant medical information
A Limited Data Set may be used only for purposes of research, public health, or health care operations. Under the Privacy Rule, use or disclosure of limited data sets for research purposes requires a “Data Use Agreement.”
A Limited Data Set may be used only if the covered entity providing the data and the recipient of the data first enter into a Data Use Agreement. The investigator, the holder of the PHI, and their respective institutions, must sign Data Use Agreements, either for access to a Limited Data Set or for the release of a Limited Data Set. At UCCS, the Office of Legal Counsel and Compliance will assist with the completion of these agreements. These agreements must, among other things, establish the permitted uses and disclosures of the information included in the Limited Data Set and must provide that the recipient of the Limited Data Set will not identify the information or use it to contact individuals.
As with research conducted pursuant to an authorization, disclosure(s) of PHI that are part of a Limited Data Set need not be tracked for purposes of providing an accounting to an individual.
The Privacy Rule provides protections to living and deceased individuals. To use decedents’ PHI for research purposes, a researcher must provide all of the following:
1. Representation that the use or disclosure is solely for research involving the PHI of decedents (e.g., and not also the living relatives of decedents)
2. Representation that the PHI is necessary for the research
3. Documentation (at the request of the covered entity holding the PHI) of the death of the individuals whose PHI is sought.
Note: If the participant population contains both living and deceased individuals, the requirements for Authorization (or waiver or alteration) apply.
Under the HITECH Act, 50 years after an individual is deceased their personal health information is no longer covered under the HIPAA Privacy and Security Rules.
HIPAA considers recruitment, research. Consequently, the use of PHI to recruit an individual to participate in a research study must comply with HIPAA’s general requirement the use must be pursuant to an authorization or some exception, such as a waiver of HIPAA authorization.
Treating providers may not disclose PHI to a third party for purposes of recruitment in a research study without first obtaining authorization from the individual. A treating provider does, however, have the option to:
1. Discuss with his/her own patients the option of enrolling in a study.
2. Delegate recruitment to a member of the same Department/Division or Practice Plan
3. Obtain written authorization from the patient for referral into a research study.
4. Provide research information to the patient so that the patient can initiate contact with the researcher.
5. Provide information to a researcher when the researcher has obtained an approved Waiver of Research Authorization from an IRB for recruitment purposes.
HIPAA also applies to recruitment and research activities conducted via medical records and medical registry reviews. Investigators must obtain either a Research Authorization from the subject or a Waiver of HIPAA Authorization approved by the UCCS Privacy Board prior to commencing research recruitment activities from these sources. A Waiver of HIPAA Authorization for recruitment purposes only is referred to as a partial waiver. Researchers are required to obtain subjects’ Research Authorizations after recruiting and enrolling subjects via a partial waiver and prior to creating or using PHI during research procedures.
The collection or maintenance of PHI in databanks or repositories for future research purposes requires an IRB-approved protocol. In addition, research using data from these databanks and repositories must be conducted under an IRB-approved protocol. Since databanks and tissue repositories frequently survive beyond the lifespan of the initial IRB protocol in which the data/tissue is collected, researchers should normally submit the proposed data/tissue banking activities to the IRB in a separate protocol.
The HIPAA Privacy Rule affects activities such as research using identifiable or coded data or biological specimens such as human tissue, DNA, and blood where the researcher controls the coding. The HIPAA Privacy Rule requires an authorization from the subject about whom information is stored or a HIPAA Waiver of Authorization approved by the UCCS Privacy Board for the collection of PHI and prior to conducting subsequent studies using PHI. The IRB must review and approve all proposed uses of stored tissues, irrespective of whether or not the secondary use(s) of the banked tissues will include use of HIPAA identifiers.
Yes, genetic information is health information protected by the Privacy Rule. Like other health information, to be protected it must meet the definition of protected health information: it must be individually identifiable and maintained by a covered health care provider, health plan, or health care clearinghouse. See 45 C.F.R 160.103 and 164.501.
No. Your UCCS email account is not secure and encrypted therefore, when sending PHI, you must use FileLocker.
Here’s a link to UCCS’ FileLocker page: