What is HIPAA and are researchers subject to it?
HIPAA is a federal law that, among other things, governs the privacy and security of personal health information handled by “covered entities.” The law sets out how covered entities must protect electronic health information. Covered entities fall into three groups: health plans (e.g., insurance companies), health care clearinghouses, and health care providers who transmit health information electronically in connection with certain transactions. It is this third group that is relevant to investigators conducting research with clinical populations. Generally, researchers are subject to HIPAA (i.e., must comply with the HIPAA Privacy and Security Rules) if they provide health care as part of their research and transmit, or have transmitted on their behalf, electronic health information of research participants.
From the HHS HIPAA FAQ – When is a researcher considered to be a Covered Health Care Provider under HIPAA?
“A researcher is a covered health care provider if he or she furnishes health care services to individuals, including the subjects of research, and transmits any health information in electronic form in connection with a transaction covered by the Transactions Rule. See 45 CFR 160.102, 160.103.
For example, a researcher who conducts a clinical trial that involves the delivery of routine health care, such as an MRI or liver function test, and transmits health information in electronic form to a third party payer for payment, would be a covered health care provider under the Privacy Rule. Researchers who provide health care to the subjects of research or other individuals would be covered health care providers even if they do not themselves electronically transmit information in connection with a HIPAA transaction, but have other entities, such as a hospital or billing service, conduct such electronic transactions on their behalf.”
Notably, working for a covered entity does not by itself make a researcher’s work subject to HIPAA. For example, researchers at a medical center who conduct research with non-patient populations are not technically subject to HIPAA when their research does not involve the provision of health care.
Some of you may be thinking that this information must be wrong because at your institution all research software must be HIPAA compliant, and you have been told that your work is subject to HIPAA even though it does not meet the HHS definition above. For example, your IRB may have asked you whether the software you plan to use to store participant data is HIPAA compliant, which implies that you are expected to comply with HIPAA.
Your institution may ask you to comply with HIPAA even when your research is not technically subject to it.
Most often, the discrepancy between what HIPAA actually requires and institutional policy is simply a matter of institutions preferring to standardize security compliance, using HIPAA as the benchmark whether or not the researcher is technically subject to it. So your IRB may be asking whether your software is HIPAA compliant not because your work is subject to HIPAA, but because their policy is that all research software used for sensitive participant information must be HIPAA compliant.
Yet it is also common that IRB reviewers and some IT security administrators do not know the nuance of who must comply with HIPAA and assume that all research conducted with sensitive information is subject to it. Even in these cases, as a researcher, there is likely little you can do when they ask you to comply with HIPAA, especially once such practice has become the expectation of IRBs or IT security teams. When the IRB tells me to jump, I usually just jump! Nonetheless, complying with HIPAA regulations even if you are not technically subject to them is best practice: you will have the assurance that you are following accepted protocols for protecting the security and privacy of your participants’ information.
In sum, do not assume that your research is subject to HIPAA just because you work at a covered entity. When in doubt, ask your compliance office about your specific use case and include information about the nature of your research and the participants.
What does it mean to be fully HIPAA compliant as a researcher?
If your research work is truly subject to HIPAA, you must be fully HIPAA compliant. Maintaining full compliance is extremely important because violations can result in severe penalties for your institution. As you will see below, being fully HIPAA compliant is complex and not as simple as using “HIPAA-compliant” software. Using HIPAA-compliant software does not, by itself, make you fully HIPAA compliant!
This may come as a surprise. When software is marketed as “HIPAA compliant,” that means the vendor meets specific administrative requirements defined by HIPAA and that the software has the security controls and features that allow the user (the researcher) to meet HIPAA requirements if it is used correctly. Yet a researcher may easily violate HIPAA regulations even when using “HIPAA compliant” software.
For example, your institution and the software provider must sign a contract called a “Business Associate Agreement” (BAA) as a requirement of compliance. You may think you are HIPAA compliant because you purchased software labeled as HIPAA compliant with your research grant, but you are not fully compliant unless your institution has signed a BAA with the vendor.
What are the researchers’ responsibilities?
As mentioned above, HIPAA-compliant software gives researchers the tools to comply with HIPAA regulations if it is used correctly. However, using the software in a compliant manner is the responsibility of the research team. Here are common mistakes that leave researchers non-compliant even when they use HIPAA-compliant software.
Giving unauthorized individuals access to participant data. This may take the form of giving unauthorized individuals access to the software and underlying data, sharing exported data with unauthorized individuals, or failing to use the software’s user permissions properly to limit which members of the research team can access the data. In most cases, the individuals who may legally access personally identifiable information are those explicitly approved by the IRB. Thus, disclosing such data to anyone else is a violation of the HIPAA Privacy Rule.
Storing backups of data in non-HIPAA-compliant software. This is likely one of the most common HIPAA violations found at medical centers. A researcher may think they are being safe by creating a backup of the participant database and saving it as a password-protected Excel or SPSS file on the lab server. The problem is that neither Excel nor SPSS is HIPAA compliant (a file password provides no per-user access control and no audit trail of who opened or changed the data), and the server itself may not be HIPAA compliant either.
Sharing usernames. HIPAA requires that every data action (view, edit, delete) performed on a piece of participant information be mapped to a specific individual user (who did what, when). When users share an account, it is impossible to know which of them is responsible for a given action. Researchers may be tempted to share accounts to save money when the software charges per user, but by doing so they fall out of compliance.
Turning off automatic logoff and other security features. HIPAA-compliant software includes a number of security settings, such as automatic logoff, automatic deactivation of dormant accounts, and automatic account lockout after repeated failed login attempts (wrong password). Some software gives the user administrator flexibility in managing these settings. Although there are very good reasons for this flexibility, it can leave the research team out of compliance if the administrator chooses the wrong values. For example, an administrator may decide to lengthen the automatic logoff timeout or raise the number of failed login attempts allowed before an account is locked. To avoid falling out of compliance, users with access to such settings should contact their institution’s IT compliance administrator for guidance on the recommended values.
Using non-compliant email. HIPAA does not prohibit the use of email, but the security and privacy requirements apply to email as well. Email can therefore be HIPAA compliant, but most email systems are not. Unless your institution has explicitly told you that a specific email system is HIPAA compliant and authorized you to communicate with your participants through it, you should assume that using email will place you out of compliance. Some of you may be confused by this because your IRB may have given you permission to email participants through the standard university system (e.g., Gmail) for things like scheduling visits. There may be many reasons for this, but most often it is because your work is technically not subject to HIPAA; you are being asked to follow most HIPAA guidelines and are being given an exception for email. Non-compliant email is not an option for covered entities, however. If you are sure that you are truly subject to HIPAA, you should only use fully HIPAA-compliant email providers.
Not following the notification rules in case of a breach. HIPAA has specific language about when, and to whom, notice must be given in the case of a data breach or unauthorized disclosure of protected information. Failure to comply can result in significant fines. If your research team experiences a breach, contact your compliance office immediately to ensure that the proper protocols are followed.
Not having a BAA signed with the software vendor. As mentioned above, HIPAA requires a specific type of contract between the covered entity and the software provider. Without this contract, use of the software is technically not fully HIPAA compliant. The BAA is almost never signed by the researcher; it is signed by an authorized official of the institution, because the contract spells out the responsibilities of the institution and the vendor, and researchers are usually not authorized to sign contracts on behalf of the institution.
What if you are not technically subject to HIPAA; should you still follow the HIPAA guidelines? Absolutely. HIPAA defines the minimum common-sense security practices necessary to protect the privacy and confidentiality of your research participants. Some aspects of the guidelines may be unnecessary if you are not subject to HIPAA, such as having a BAA with the software provider, but most of the other security guidelines are considered best practices and should be adopted by every research team managing sensitive participant information. Your participants deserve it!
Nestor L Lopez-Duran Ph.D. is an Associate Professor at the University of Michigan and the co-founder of Ripple Science Corporation.