What are the implications for a research organization that is not a covered entity, or that is a hybrid entity where the researcher falls outside the covered entity portion, with regard to HIPAA liabilities or requirements under the Security and Privacy Rule obligations?
[RRCoP Question and Use Cases] [View & Download Full Frazier & Deeter Responses]
A researcher receives research data derived from a clinical context. These may be fully de-identified data, a limited data set (which still retains dates or limited geographic data elements), or identified data approved for export through a waiver of authorization by the covered entity's IRB. The research organization is not a covered entity, or is a hybrid entity with the researcher outside the covered entity portion. The researcher, or the institution's privacy/security officers, refer to these research data as "HIPAA data".
Researchers often use data that a lay person would consider HIPAA (without understanding the definitions of covered entity or covered functions).
Institution 1, a large research university, runs a secure enclave for health data. It is included under the university’s covered entity. However, it does not perform any covered functions and any health data needs an IRB waiver of authorization. What are the institution’s and researcher’s responsibilities under HIPAA?
Institution 2, a large research university, runs a secure enclave for health data. It is not included under the university’s covered entity. What are the institution’s and researcher’s responsibilities under HIPAA?
Epic (a SaaS electronic health record) has modules for research studies that are separate from the clinical modules. However, there is still only one patient profile that everything is linked back to. The same database rows are used for the clinic and research. Are those database rows under HIPAA, even when a researcher is viewing them through a research study module?
When evaluating HIPAA implications for a research organization that is not a covered entity, or for a hybrid entity where the researcher sits outside the designated health care component, the key issue is entity status and function, not whether the data is informally referred to as “HIPAA data.” HIPAA applies to covered entities and their business associates when performing covered functions. It does not attach to data in isolation. That said, the absence of direct HIPAA applicability does not mean there are no obligations. The research organization may still be bound by data use agreements, IRB approval conditions, federal research regulations (e.g., the Common Rule), contractual requirements, state privacy laws, and institutional policies.
In some cases, if the research organization performs services on behalf of the covered entity involving protected health information (PHI), it may qualify as a business associate, which would trigger HIPAA Security Rule requirements and certain Privacy Rule provisions through a Business Associate Agreement (BAA). Before assuming HIPAA liability, the organization should analyze (1) entity designation, (2) whether covered functions are being performed, (3) whether a business associate relationship exists, and (4) the legal mechanism that permitted the data disclosure.
For more information, Contact: Bob Woosley | Frazier & Deeter National Practice Leader | bob.woosley@frazierdeeter.com