
The HIPAA Minimum Necessary Standard Applies (CITI)

10 community-sourced questions and answers.

Community-sourced. Answers may be wrong or out of date. Always verify with your official training portal before submitting. Not affiliated with any branch, agency, or vendor.
QUESTION 1

Under HIPAA, "retrospective research" (a.k.a., data mining) on collections of PHI generally ...

ANSWER

Is research, and so requires either an authorization or meeting one of the criteria for a waiver of authorization.

QUESTION 2

HHS has reiterated in its guidance that use or disclosure of PHI for retrospective research studies may be done only with patient authorization -- or with a waiver, alteration, or exception determination from an IRB or Privacy Board. However, remember that you generally cannot proceed on your own without some approval from an IRB, Privacy Board, or other designated governing entity.

ANSWER

Data that does not cross state lines when disclosed by the covered entity.

QUESTION 3

A covered entity may use or disclose PHI without an authorization, or documentation of a waiver or an alteration of authorization, for all of the following EXCEPT:

ANSWER

An organizational IRB or Privacy Board, privacy official ("Privacy Officer"), or security official ("Security Officer"), depending on the issue.

QUESTION 4

If the data in question meet the definition of PHI and are being used for purposes that fall within HIPAA's definition of research, HIPAA generally requires explicit written authorization (consent) from the data subject for research uses. However, HIPAA provides several alternatives that can bypass such authorizations: The research involves only minimal risk. The research is used solely for activities preparatory to research. Only deceased persons' information is used. Only de-identified data is used. Only a "limited data set" is used, under an approved "data use agreement." It is "grandfathered" research where all legal permissions were in place before HIPAA took effect.

ANSWER

Supplement those of the Common Rule and FDA.

QUESTION 5

If you're unsure about the particulars of HIPAA research requirements at your organization or have questions, you can usually consult with:

ANSWER

For all human subjects research that uses PHI without an authorization from the data subject, except for limited data sets.

QUESTION 6

If you are unsure about the particulars, consult with your organization's IRB, Privacy Board, or privacy official. For data security issues, consult with your organization's security official. Consulting with an experienced colleague can always be helpful, but their advice is not authoritative. Do not assume that a representative of the funder will know all the rules, or that the generic advice of a professional association will be applicable to your organization's particular rules.

ANSWER

Uses "plain language" that the data subject can understand, similar to the requirement for an informed consent document.

QUESTION 7

HIPAA's protections for health information used for research purposes...

ANSWER

Development of generalizable knowledge.

QUESTION 8

Under HIPAA, a "disclosure accounting" is required:

ANSWER

To all human subjects research that uses PHI without an authorization from the data subject.

QUESTION 9

HIPAA's relatively new data-focused protections, which took effect starting in 2003, supplement Common Rule and FDA protections; they are not a replacement. Institutional Review Board (IRB) protocol reviews using Common Rule and FDA criteria remain as before, including aspects related to data protection. IRBs may have the responsibility for addressing HIPAA's additional requirements in their reviews when those apply; or some responsibilities may be given to another kind of body that HIPAA permits (a Privacy Board) or to an institutional official that HIPAA requires (a privacy officer). These federal standards complement states' and accreditation bodies' requirements.

ANSWER

Can qualify as an activity "preparatory to research," at least for the initial contact, but data should not leave the covered entity.

QUESTION 10

In addition to being limited to external disclosures, disclosure accounting is not required for disclosures made under authority of a consent/authorization, on the theory that the data subjects are aware of what they have expressly permitted for that research. Neither is an accounting required for disclosures to the data subject directly about him/herself. Nor is it required for limited data set disclosures subject to a data use agreement. Nor, finally, is any accounting required for de-identified information that no longer qualifies as PHI.

ANSWER

Must be more detailed for disclosures that involve fewer than 50 subject records.
