HIPAA Privacy Rule and Marketing: When Covered Entities Can't Use or Disclose PHI Without Authorization


Protected Health Information (PHI) is any individually identifiable health information transmitted or maintained in any form or medium by a covered entity. Covered entities are healthcare providers, health plans, and healthcare clearinghouses. The Privacy Rule, issued under the Health Insurance Portability and Accountability Act (HIPAA), requires covered entities to protect PHI, including using and disclosing it only for specific purposes. One of those purposes is research. This article discusses how covered entities can use and disclose PHI for research while complying with the Privacy Rule.

Under HIPAA, covered entities, whether individuals, organizations, or agencies, must comply with the Privacy and Security Rules to safeguard the confidentiality of health information and ensure certain patient rights. If a covered entity hires a business associate to assist with healthcare activities, it must establish a written contract that outlines the business associate's responsibilities and requires it to comply with the HIPAA Privacy Rule to protect patient information. Business associates are also directly accountable for adhering to particular provisions of the Privacy Rule and to their contractual obligations.

The Privacy Rule permits covered entities to use and disclose PHI for research purposes, provided that certain conditions are met.

Those conditions include the following:

Obtaining Authorization: A covered entity must obtain valid authorization from an individual before using or disclosing PHI for research purposes. The authorization must be written in plain language and include the specific elements required by the Privacy Rule.

Waiver of Authorization: A covered entity may use or disclose PHI for research purposes without obtaining authorization if an Institutional Review Board (IRB) or Privacy Board (if applicable) grants a waiver of authorization. The IRB or Privacy Board must determine that the research meets specific criteria, including that the use or disclosure poses no more than minimal risk to individuals and that the research could not practicably be conducted without the waiver and without access to the PHI.

Limited Data Set: A covered entity may use or disclose PHI for research without obtaining authorization if it creates a limited data set. A limited data set is PHI that has had specific identifiers removed. The covered entity must enter into a data use agreement with the recipient of the limited data set, which requires the recipient to use the data only for the research purposes specified in the contract.

De-identification: A covered entity may use or disclose PHI for research without obtaining authorization if it has de-identified the information. De-identification removes all 18 identifiers listed in the Privacy Rule, so the data is no longer individually identifiable.

The HIPAA Privacy Rule doesn't mandate an expiration date for a determination that a dataset, or the method used to generate it, counts as de-identified information. However, experts acknowledge that technology, social conditions, and data availability are constantly changing, and therefore some de-identification practitioners use time-limited certifications. They evaluate the expected changes in computational capabilities and in the accessibility of data sources and determine a suitable time frame during which the health information will remain reasonably protected from re-identification.

Information previously deemed de-identified may still be sufficiently de-identified even after the certification period ends. The expiration of the certification timeframe doesn't automatically mean that data already disclosed is no longer adequately protected under the de-identification standard. Covered entities should seek expert guidance to assess whether future data releases to the same recipient (e.g., monthly reporting) require additional or alternative de-identification processes to meet the low-risk requirement.

Documentation plays a crucial role in the de-identification process, particularly in identifying which values in health data correspond to PHI and which systems manage them. Incomplete or imprecise documentation, such as esoteric notation or partial field descriptions, can lead to unnecessary redaction of information or to a failure to redact when necessary, especially if only a select few employees of a covered entity understand the meaning of specific acronyms.

On the other hand, when adequate documentation is available, it makes it easier to accurately identify and redact the appropriate fields in the data. Therefore, covered entities must ensure that their documentation is complete, clear, and easily understandable by those overseeing the de-identification process.
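As an added illustration of the Safe Harbor de-identification and the documentation point discussed above (this is example code, not part of the original article): a field-level documentation map drives which columns are removed, generalized, or kept, and any undocumented column is refused. The identifier categories and the 90+ age and three-digit ZIP rules come from the Privacy Rule's Safe Harbor method at 45 CFR 164.514(b)(2); the field map, the sparse-ZIP set, and the sample record are constructed.

```python
from datetime import date

# Safe Harbor categories from 45 CFR 164.514(b)(2) handled here. The per-field
# map is a constructed stand-in for the data documentation the article calls
# for; column names are hypothetical.
FIELD_DOC = {
    "mrn": "remove",           # medical record number
    "patient_name": "remove",  # name
    "ssn": "remove",           # Social Security number
    "dob": "birth_date",       # year only; ages over 89 become "90+"
    "admit_date": "date",      # year only
    "zip": "zip",              # first three digits, or 000 if sparse
    "diagnosis": "keep",       # clinical value, not an identifier
}
# ZIP3 prefixes covering 20,000 people or fewer must become "000".
# Constructed placeholder set; the real list is derived from Census data.
SPARSE_ZIP3 = {"036", "059", "103"}
# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "mrn": "MRN-0001", "patient_name": "Jane Doe", "ssn": "123-45-6789",
    "dob": "1931-06-15", "admit_date": "2023-02-03",
    "zip": "10360", "diagnosis": "E11.9",
}

def generalize_zip(zip5: str) -> str:
    prefix = zip5[:3]
    return "000" if prefix in SPARSE_ZIP3 else prefix

def generalize_birth_date(iso_dob: str, as_of: date) -> str:
    dob = date.fromisoformat(iso_dob)
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(dob.year)

# How each documented category is transformed; "remove" drops the field outright.
RULES = {
    "date": lambda v, as_of: str(date.fromisoformat(v).year),
    "birth_date": generalize_birth_date,
    "zip": lambda v, as_of: generalize_zip(v),
    "keep": lambda v, as_of: v,
}

def deidentify(record: dict, field_doc: dict, as_of: date) -> dict:
    """Apply Safe Harbor rules field by field; refuse undocumented fields."""
    undocumented = set(record) - set(field_doc)
    if undocumented:
        # An unclassified column cannot be safely released.
        raise ValueError(f"undocumented fields: {sorted(undocumented)}")
    return {name: RULES[field_doc[name]](value, as_of)
            for name, value in record.items() if field_doc[name] != "remove"}
```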

In addition to meeting one of the above conditions, covered entities must comply with other requirements when using and disclosing PHI for research purposes. Those requirements include the following:

  • Implementing reasonable safeguards to protect the privacy of PHI.
  • Limiting the use and disclosure of PHI to the minimum necessary for the research purpose.
  • Obtaining a data use agreement with the recipient of the PHI, if applicable.
  • Providing individuals with an opportunity to opt out of future research studies.
  • Reporting any breaches of unsecured PHI to the affected individuals, the Secretary of Health and Human Services, and, in some cases, the media.

All covered entities must comply with specific conditions and requirements when using and disclosing PHI for research purposes. The Privacy Rule provides flexibility in how covered entities can use and disclose PHI for research but also imposes strict requirements to protect the privacy and security of individuals' PHI. Covered entities must carefully evaluate each research project and ensure they comply with all applicable requirements before using or disclosing PHI for research purposes.
