The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
For additional information on FERPA, see the IRB Guidance Document G-17: Guidance on FERPA in Human Subjects Research Studies, or check out the U.S. Department of Education.
The Health Insurance Portability and Accountability Act of 1996 includes mandated standards for the secure electronic storage and transmission of health care information. To comply with these standards, the Department of Health and Human Services issued two new regulations, administered and enforced by the Office for Civil Rights: the Privacy Rule and Security Rule.
The U.S. federal regulation commonly referred to as "HIPAA" or the "Privacy Rule" establishes a foundation of protection for the privacy of individual health information. This rule does not replace any other Federal, State or local law that grants even greater privacy protections, and health care entities are free to be more protective.
The Privacy Rule:
- Gives patients more control over who has access to their health information including immediate family members
- Sets boundaries on the use and release of health records
- Establishes safeguards that must be achieved to protect the privacy of protected health information
- Holds privacy violators accountable with civil and criminal penalties
- Strikes a balance when public responsibility supports disclosure of some information, for example, to protect public health
Further development of the HIPAA regulations include the "Security Rule" that addresses administrative, physical and technical safeguard requirements for electronic health information.
HIPAA Brief History
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, U.S. Public Law 104-191, includes requirements to develop and adopt national standards for privacy protection of individually identifiable personal health information in storage and as transmitted by electronic means to specified covered entities.
The privacy protection standards that were developed by the U.S. Department of Health and Human Services (DHHS) and the Office of Civil Rights (OCR), were published in December of 2000 and modified into a final rule in August of 2002 after extensive public comment. The final rule, "Standards for Privacy of Individually Identifiable Health Information," required compliance by April 14, 2003 for so-called "covered entities" which include licensed health care providers, health plans, and health care clearinghouses. GVSU is not a covered entity, it is a hybrid entity. This means only some component offices and programs are subject to HIPAA protection assurances. These include the counseling center, student health center, and nurse managed care centers.
Researchers who collect as part of their research what would otherwise be classified as protected health information (PHI) are not subject to the HIPAA protection requirements.
Researchers who conduct research on patients existing medical records such as chart review studies, are covered under the HIPAA privacy Rule provisions.
This regulation is codified in 45 CFR 164 Security and Privacy, Subpart E Privacy of Individually Identifiable Health Information, 164.500 - 164.534.
These regulations were modified and expanded in February of 2003. A new section was added to 45 CFR 165: Subpart C, Security Standards for the Protection of Electronic Protected Health Information, 164.302-164.318. This Subpart is commonly referred to as the "Security Rule" or "Security Standard" and required compliance by April 20, 2005.
Implications For Research
HIPAA provisions sets the standards for how protected health information (PHI) flows from covered entities such as health care providers, health plans, and health care clearinghouses for purposes of patient care, record keeping and payment of insurance claims for services provided. Researchers requiring use and access of such PHI information for research purposes must receive either individual authorizations from each affected study participant, or a waiver of same from a privacy board or IRB responsible for safeguarding the PHI records.
Researchers will be required to obtain documented permission to use and access PHI from these covered entities in the following ways:
- Secure signed and dated valid authorization forms signed by the individual participants, OR
- Obtaining approval of an Institutional Review Board or Privacy Board for an alteration or waiver of required authorization OR
- Contract with a covered entity for a limited data set with selected and specified data for a specified purpose and final disposition of the data when the research is completed. These agreements are typically available if one of more of the following conditions pertain to the proposed research study:
- There is a documented approved Data Use Agreement for the PHI OR
- Provide evidence that the research use is allowed without authorization because
- All study subjects are deceased
- The data required does not identify the subjects (it is "de-identified")
- They researchers are employed by the covered entity and (I) are preparing to do or to support research by conducting "feasibility inquiries or other investigatory preparations prior to the conduct of research.
What it Means for Researchers and IRB Members:
- The IRB reviews HIPAA related research protocols at the same time as the regular IRB review
- De-identification of health information before it is given to researchers is recommended by as the best way to ensure privacy
- Researchers must submit any needed HIPAA authorization forms with their application (or renewal / revision) form to the IRB
Why Should Researchers Be Aware of the HIPAA Privacy Rule?
The Privacy Rule regulates the way certain health care groups, organizations, or businesses, called covered entities under the Rule, handle the individually identifiable health information known as protected health information (PHI). Researchers should be aware of the Privacy Rule because it establishes the conditions under which covered entities can use or disclose PHI for many purposes, including for research. Although not all researchers will have to comply with the Privacy Rule, the manner in which the Rule protects PHI could affect certain aspects of research.
It is important to understand that many research organizations that handle individually identifiable health information will not have to comply with the Privacy Rule because they will not be covered entities. The Privacy Rule will not directly regulate researchers who are engaged in research within organizations that are not covered entities even though they may gather, generate, access, and share personal health information. For instance, entities that sponsor health research or create and/or maintain health information databases may not themselves be covered entities, and thus may not directly be subject to the Privacy Rule. However, researchers may rely on covered entities for research support or as sources of individually identifiable health information to be included in research repositories or research databases. The Privacy Rule may affect such independent researchers, as it will affect their relationships with covered entities.
The General Data Protection Regulation (GDPR) is a European law, effective May 25, 2018, that establishes protections for the privacy and security of personal data about individuals in European Economic Area (EEA) countries. All researchers collecting personal data in, and/or transferring personal data from, European countries must operate in compliance with this new regulation.