PURDUE UNIVERSITY RESEARCH GUIDELINES FOR COMPLIANCE WITH HIPAA PRIVACY RULE
- Background Information
Purdue University has adopted University Policy IV.2.1, Compliance with HIPAA Privacy Regulations.
Purdue is a "hybrid entity" with "covered components" which must comply with the new federal privacy
regulations. The current designated covered components for Purdue University include the following:
Healthcare Provider Covered Components
- Purdue Student Health Center
- Purdue Pharmacy
- Family Health Clinic of Carroll County (FHCC)
- Audiology and Speech Sciences Department
- Counseling and Psychological Services (CAPS)
Health Plan Covered Components
- Medical Benefits Plan(s)
- Vision Plan
- Pharmacy Plan(s)
- Health Care Flexible Spending Account Plan
Business Support Covered Components
- Accounts Receivable
- Accounting
- Central Files
- Internal Audit
- Information Technology at Purdue
- Public Records Office
- Printing Services
The HIPAA Privacy Regulations will impact research projects involving protected health information,
if the information is obtained from one of Purdue's "covered components" or from another covered
entity outside Purdue University, such as a hospital or pharmacy. These guidelines are designed
to assist researchers who are affected by the HIPAA Privacy Regulations.
- Definitions
Covered Entities under the HIPAA Privacy Regulations include the following entities:
1) health plans; 2) healthcare clearinghouses; and 3) healthcare providers who conduct certain
electronic transactions, including billing and claims. Therefore, "covered entities" will include
hospitals, skilled nursing facilities, pharmacies, most physician practices and most other healthcare
providers. Entities such as Purdue may also be covered entities, even if the entity's primary
purpose is not the provision of healthcare services, if the entity has a unit that is a health plan,
healthcare clearinghouse or healthcare provider. Such entities are referred to as "hybrid entities"
under the regulation.
HIPAA is the Health Insurance Portability and Accountability Act of 1996, which
mandates significant change in the laws and regulations governing the provision of health benefits,
the delivery and payment of healthcare services, and the security and confidentiality of individually
identifiable, protected health information in written, electronic or oral formats.
Hybrid Entity is a covered entity whose business activities include both covered and
non-covered functions, and that designates those healthcare components that must comply with the
HIPAA Privacy Regulations.
Personal Representative is the person who is legally entitled to act on behalf of the
individual and may include the following: a parent of an unemancipated minor, a court appointed
guardian, or the individual named to act on behalf of another through a power of attorney or health
care representative.
Protected Health Information (PHI) means health information, in any form, collected or
created as a consequence of the provision of healthcare if the information includes any information
(including demographic information) that identifies or could be used to identify an individual.
PHI includes information that is used for research purposes if that information identifies or
could be used to identify a human research subject, including name, address, social security number,
account numbers, treatment records, pharmacy records, lab reports, etc.
- RESEARCH AND IRB IMPLICATIONS
- Basic Rule - Authorization Required
The basic rule is that "research" is not part of "treatment," "payment" or "health care
operations," and therefore the researcher must obtain a written authorization that
complies with the requirements of the HIPAA Privacy Regulations.
- Requirements Of A Valid Authorization
- Core elements: A valid authorization must be written in "plain language"
and must contain certain "core elements," including:
- The name of the individual whose information will be used or
disclosed.
- A meaningful and specific description of the information to be
disclosed. A general statement of "all health information necessary
for the study" is considered insufficient. The statement must describe
with specificity the information to be used or disclosed, such as
"laboratory results, x-rays," etc.
- The name or specific identification of the person or class of
persons who are to receive the information. This is to permit the
individual to reasonably identify who can receive the information. The
identification should be specific and include specific names or a
specific class of persons, such as "Dr. Smith" or the name of the
research group, etc.
- A description of the purpose of the disclosure. This requirement
can be met by providing a brief description of the research study and the
goal of the research.
- An expiration date or expiration event. The Privacy Rule permits
a research authorization to state "end of the study" or "none".
- The date and signature of the individual or the individual's "personal
representative," (such as the parent of a minor, or the individual's
attorney-in-fact or guardian).
- Additional Requirements. In addition to the "core elements," the
authorization must contain statements concerning:
- The individual's right to revoke the authorization in writing, the
exceptions to the right to revoke the authorization and a description of
how the individual may revoke the authorization. In the research
context, there are limitations on the effect of a revocation by a
participant. Covered entities may continue to use and disclose health
information obtained before (but not after) the authorization was revoked,
to the extent it is necessary to maintain the integrity of the research,
or if the disclosure is necessary to account to the FDA for a
participant's withdrawal from the project, or to investigate scientific
misconduct and report adverse events. Health information obtained after
the authorization was revoked may not be used or disclosed by the covered
entity for the research study.
- The ability (or inability) of the covered entity to make the treatment,
payment, enrollment or eligibility for benefits conditional on the
authorization. Generally a covered entity cannot make treatment
conditional on the signing of an authorization. However, there is an
exception for research involving clinical treatment of the patient. The
covered entity may condition treatment that is part of a research study on
the receipt of a signed authorization. In this context, the authorization
may be combined with the informed consent.
- The potential for the information to be redisclosed by the recipient to
others and to lose federal privacy protections concerning use and disclosure of
the information.
- The participant must be given a copy of his/her authorization.
Authorization for Release or Use of Protected Health Information for Research Purposes
- EXCEPTIONS TO AUTHORIZATION REQUIREMENT
There are several exceptions to the authorization requirement in the research context. These include
Institutional Review Board ("IRB") waivers, IRB modifications of authorization requirements, reviews
preparatory to research, research involving a decedent's information, and "limited data set" disclosures.
- Institutional Review Board Waivers and Modifications of Authorizations
Application for Waiver or Modification of Authorization. The Privacy Rule permits
a researcher to seek a waiver of the authorization requirements or a modification of the
authorization requirements from an existing IRB. Although the waiver need not be given from the
IRB associated with the covered entity, the Purdue University IRB will oversee waivers concerning
research conducted by Purdue University researchers. The IRB may review the request under
either normal (full board) or expedited review procedures (as defined in the Common Rule). In
order to obtain a waiver, a researcher must satisfy the Purdue University IRB regarding the
following three (3) criteria:
- The use or disclosure of protected health information involves no more than a minimal
risk to the privacy of individuals based upon the presence of the following elements:
- an adequate plan exists to protect the "identifiers" from disclosure or
improper use;
- an adequate plan exists to destroy the identifiers at the earliest opportunity
practical under the research, unless there is a health or research justification
for retaining the identifiers or the retention is otherwise required by law; and
- adequate written assurances that the protected health information will not be
reused or disclosed to any other person or entity, except required by law, authorized
oversight of the research project, or for other research conducted consistent with
the requirements of the Privacy Rule.
- The research could not practicably be conducted without the waiver or alteration to the
authorization; and
- The research could not practicably be conducted without access to and use of the
protected health information.
Application for Waiver of Authorization or Modification of Authorization under HIPAA Privacy Rule
Approval of Waiver or Modification of Authorization by the IRB. If satisfied that the foregoing
criteria are met, the Purdue University IRB must provide and maintain documentation of the waiver, and
a covered entity may not disclose the protected health information without receiving documentation of
all the following:
- Identification of the IRB (or Privacy Board) and the date on which the modification or waiver
of authorization was approved;
- A statement that the IRB has determined that the modification or waiver of authorization, in
whole or in part, satisfies the 3 criteria stated above;
- A brief description of the protected health information for which use or access has been
determined to be necessary by the IRB;
- A statement that the modification or waiver of authorization has been reviewed and approved
under either normal or expedited review procedures; and
- The signature of the chair or other member, as designated by the chair of the IRB, as
applicable.
- Review preparatory to research.
A covered entity may rely on a researcher's oral or written representation that the use or disclosure of the
protected health information is solely to prepare a research protocol or for similar purposes preparatory to
research, that the researcher will not remove the protected health information from the premises (including
by electronic transmission), and that the use or disclosure is necessary for research purposes. This
exception permits an employee of a covered entity or covered component to use the information to recruit
prospective participants for a study by using the covered entity's protected information. However, an
outside researcher could not use the information to contact recruits without the patient's authorization.
This type of hardship on an outside researcher may support a partial IRB waiver to permit the researcher to
use the information only to contact and recruit potential participants. Once contacted, a patient
could choose to participate and could then sign an authorization to participate in the study. A copy of the
certification form shall be provided to the Purdue University IRB.
Certification of Compliance with HIPAA Privacy Rule Regarding Activities Preparatory to Research
Application for Waiver of Authorization or Modification of Authorization under HIPAA Privacy Rule
- Research on Decedents.
A covered entity may rely on a researcher's oral or written representation that the use or disclosure of the
protected health information is solely for research on the protected health information of a decedent, that the
protected health information sought is necessary for the research, and, at the request of the covered
entity, that documentation of the death of the affected individuals be provided. A copy of this form shall be
provided to the Purdue University IRB.
Certification of Compliance with HIPAA Privacy Rule for Research Involving Decedent's Information Only
- De-Identified Information
De-identified information is not "protected health information" as defined in the HIPAA Privacy Regulation.
Information is considered de-identified under the Privacy Rule's "safe harbor" method if all of the
following identifiers of the individual (and of the individual's relatives, employers or household
members) are removed, and the covered entity has no actual knowledge that the remaining information could
be used to identify the individual:
- Names
- Geographic subdivisions smaller than a state, including street address, city, county, precinct and zip
code (the Rule permits the first three digits of a zip code to be retained if the area those digits
cover contains more than 20,000 people)
- All elements of dates (except the year) directly related to the individual, including birth date,
admission and discharge dates, encounter date and date of death, and all ages over 89 (ages over 89
may be aggregated into a single category of "90 or older")
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social Security number
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic or code
Alternatively, information is de-identified if a qualified statistical expert determines and documents
that the risk of re-identifying the individual from the remaining data is very small (the "expert
determination" method).
- Limited Data Sets with a Data Use Agreement.
The requirements for de-identifying information are so extensive that the resulting data is often of limited
value to researchers. The Privacy Rule therefore permits the use and disclosure of a "limited data set" in
conjunction with a "data use agreement." A limited data set may retain dates and town/city, state and zip
code, but the "direct identifiers" of the individual (and of the individual's relatives, employers or
household members) must be removed. These include all of the following:
- Names
- Postal address information (other than town or city, state and zip code)
- Telephone numbers
- Fax numbers
- E-mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers & serial numbers, including license plate numbers
- Device identifiers & serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
The limited data set can be disclosed for purposes of research, public health and health care operations,
but the researcher must first sign the "Data Use Agreement" with the covered entity which limits how the
researcher may use the limited data set, ensures the security of the data and states that the researcher
will not identify the information or use it to contact any individual. A copy of the Data Use Agreement
shall be provided to the Purdue University IRB.
Data Use Agreement
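As an added example (not part of the Purdue guidelines or any Purdue form), the following Python applies the two lists above to a single patient record: the safe harbor method strips the direct identifiers, geography below state level, date precision and ages over 89, while the limited data set strips only the direct identifiers and keeps dates and town/state/zip. It also scans free-text fields, because field-level removal misses identifiers that clinicians type into notes. The field names, the sample record and the regular expressions are assumptions made for this example; the sets of removed fields follow the two lists on the page.

```python
"""Added example: safe harbor vs. limited data set transforms for one record.

Field names, the SAMPLE record and the regex patterns are assumptions for
this example. The removed-field sets follow the two lists in the guidelines
(45 CFR 164.514(b)(2) and 164.514(e)(2))."""
import re
from datetime import date

# Direct identifiers removed by BOTH methods (the limited-data-set list).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo",
}
# Safe harbor additionally removes geography below the state level
# (the 3-digit zip prefix exception is not applied here) and date precision.
SAFE_HARBOR_GEO = {"city", "county", "zip"}
DATE_FIELDS = {"birth_date", "encounter_date", "death_date"}

# Identifier shapes that leak through free text (assumed patterns).
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mrn": re.compile(r"\bMRN[:\s]*\d+\b", re.I),
}

# Constructed sample record (fictitious values).
SAMPLE = {
    "name": "Jane Doe", "street_address": "123 Elm St", "city": "Lafayette",
    "county": "Tippecanoe", "state": "IN", "zip": "47901",
    "phone": "765-555-0100", "email": "jane@example.com", "ssn": "123-45-6789",
    "medical_record_number": "MRN00042", "birth_date": date(1930, 6, 15),
    "encounter_date": date(2003, 4, 20), "age": 92, "diagnosis": "J45.909",
    "lab_results": {"a1c": 6.1},
    "notes": "Pt called from 765-555-0100; MRN 00042; email jane@example.com",
}


def _year_only(value):
    """Reduce a date (or ISO-style string) to its year; unknown shapes -> None."""
    if isinstance(value, date):
        return value.year
    if isinstance(value, str) and len(value) >= 4 and value[:4].isdigit():
        return int(value[:4])
    return None


def transform(record, method):
    """Return a new dict: 'safe_harbor' or 'limited_data_set' view of record."""
    if method not in ("safe_harbor", "limited_data_set"):
        raise ValueError(f"unknown method: {method}")
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if method == "safe_harbor":
        for key in SAFE_HARBOR_GEO:
            out.pop(key, None)
        for key in DATE_FIELDS:
            if key in out:
                out[key] = _year_only(out[key])      # keep only the year
        if isinstance(out.get("age"), int) and out["age"] > 89:
            out["age"] = "90+"                       # aggregate ages over 89
    return out


def residual_identifiers(record, text_fields=("notes",)):
    """List (field, kind, match) for identifier patterns left in free text."""
    hits = []
    for field in text_fields:
        text = record.get(field) or ""
        for kind, pattern in RESIDUAL_PATTERNS.items():
            for m in pattern.finditer(text):
                hits.append((field, kind, m.group(0)))
    return hits


def redact_text(text):
    """Replace every residual identifier match with a labelled placeholder."""
    for kind, pattern in RESIDUAL_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()} REDACTED]", text)
    return text


if __name__ == "__main__":
    for method in ("safe_harbor", "limited_data_set"):
        print(method, transform(SAMPLE, method))
    print("residual:", residual_identifiers(SAMPLE))
    print("redacted:", redact_text(SAMPLE["notes"]))
```

Either output still needs to be governed by the appropriate instrument: a safe harbor view is no longer PHI, whereas a limited data set remains PHI and may only be released under a signed Data Use Agreement. Run the free-text scan on both views before release, since a note that still contains a phone number defeats the field-level removal.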
- MINIMUM NECESSARY RULE
If the authorization requirement is waived by the IRB, requests for protected health information, and the use and
disclosure of protected health information must be limited to the "minimum necessary to accomplish the intended
purpose." Therefore, the researcher must consider and request access to only the minimum necessary to achieve
the goals of the research project. Also, access to and use of the information should be limited to only those
researchers or others who need access to protected health information to carry out their duties, and all
protected health information must be maintained in a secure environment to ensure limited access to protected
health information and to avoid incidental disclosures of protected health information.
- ACCOUNTING FOR RESEARCH DISCLOSURES
The Privacy Rule requires covered entities to account for certain disclosures made after April 14, 2003, for a
period of six (6) years, if requested to do so by an affected individual. However, the following disclosures do
not need to be accounted for: disclosures for treatment, payment and health care operations; disclosures
to persons involved in the individual's care (i.e., family members or friends involved in treatment or payment
choices); disclosures to the individual or disclosures authorized by the individual pursuant to a valid
authorization; and disclosures in a limited data set.
A covered entity must account for disclosures made pursuant to an IRB waiver. Patients/research subjects may
request the covered entity to account for all research disclosures of the patient's protected health
information that may have been disclosed for research pursuant to an IRB waiver or alteration of authorization.
The response must include the name of the researcher, his/her contact information, the name of the study, a
description of the purpose of the study and the type of protected health information sought, and the time
frame of disclosures in response to the request. The covered entity must also assist the individual in
contacting those researchers to whom disclosure was likely made, if requested to do so.
- PRIOR AUTHORIZATIONS
The Privacy Rule permits a covered entity to continue to use and disclose information based on an authorization
from the patient received prior to the compliance date of April 14, 2003, even if the authorization does not
meet the requirements of the Privacy Rule. A covered entity may also continue to use or disclose protected
health information created or received for a specific research study authorized before the compliance date, if,
prior to the compliance date, the covered entity obtained informed consent of the individual to participate in
the research study or a waiver of informed consent by an IRB for the study in accordance with the Common Rule
or the FDA's human subject protection regulations. If a prior study involves accrual of new subjects after
April 14, 2003, the researcher will need to obtain a written authorization from each new subject or, where
obtaining authorization is not practicable or the IRB has waived informed consent, will need to submit a new
application to the IRB for a waiver of authorization.