Applying the new HIPAA Exemption: Are you in or out?

For investigators, IRB members, and IRB staff alike, the revised Common Rule’s new exempt category at 45 CFR 46.104(d)(4)(iii) was a dream come true. The so-called HIPAA Exemption eliminates IRB review for research use of retrospectively or prospectively collected “identifiable health information when that use is regulated by the HIPAA Privacy Rule as health care operations, research, or for public health activities […].”

Applying the HIPAA Exemption is not quite as simple as it might seem, as I learned at the 2018 Advancing Ethical Research Conference (AER18) session, appropriately titled “Just When You Thought You Understood the Health Insurance Portability and Accountability Act of 1996.” Before we funnel all secondary use studies of protected health information (PHI) into the exempt world, we need to ask an important question:

Is the research conducted within a covered entity subject to the HIPAA Privacy and Security Rules?

Following SACHRP’s recommendations on the HIPAA Exemption, the presenters stressed that the exemption does not apply when PHI is disclosed to a non-covered entity; if a study proposes such a disclosure, the research is subject to the Common Rule and requires IRB review.

Rationale for the Exemption

A common misconception is that the new exemptions “downgrade” the risk level of studies that previously required IRB review. That may be true for benign behavioral interventions, but any news clip about HIPAA breaches should remind us that use of PHI in research carries risks to subjects’ privacy and confidentiality, as well as to the institution itself.

Rather, the HIPAA Exemption recognizes and eliminates duplicative regulatory review: because the HIPAA Privacy Rule is already stringent and provides “adequate protections” for certain research activities, the safeguards gained by complying with two sets of regulations do not justify the corresponding administrative burden.

Hearing this rationale prompted an "aha moment"—followed quickly by an appreciation for the importance of identifying which aspects of a study fall within a covered entity, especially for collaborative, multi-site research and research conducted within a hybrid entity.

Let’s Collaborate!

The most important ramification of the HIPAA Exemption for collaborative research is that all institutions using and/or disclosing PHI must be covered entities subject to HIPAA in order for the exemption to apply.

If doctors at Academic Medical Center A and Big Hospital B want to share PHI to evaluate trends in a certain disease, the study would likely qualify for the HIPAA Exemption because both institutions are covered entities and subject to HIPAA regulations. But if nursing students at Community College C (which is not a covered entity) will be assisting with analysis, the entire study must undergo IRB review.

Even if all collaborating institutions are covered entities, projects conducted under the HIPAA Exemption must still identify the institution(s) that will conduct privacy board review, consider reporting responsibilities in the event of a breach of PHI, and so on.

Closer to Home: Hybrid Entities

Similarly, research conducted within a hybrid entity qualifies for the HIPAA Exemption only when it is conducted completely within the covered component(s). Once PHI has been disclosed to a non-covered component, it is no longer regulated by HIPAA.

Let’s return to Academic Medical Center A, where clinician-researchers and biomedical engineering professors propose a secondary use study involving PHI. Although the College of Engineering is part of the same university system as the medical center, it is not part of the HIPAA-covered component; therefore, this study would not qualify for exemption.

More complex scenarios involve individuals who hold dual appointments in both covered and non-covered components, or individuals who hold appointments in a business associate of the hybrid entity. At Ohio State University, our College of Medicine is identified as a business associate of our medical center, which means that some functions of the college are regulated by HIPAA and some are not; research is not one of the covered functions. Both the session presenters and SACHRP suggest that the HIPAA Exemption would apply to research involving a business associate only if the study evaluates PHI shared as part of the business associate's permitted purposes.

What This Means for the Human Subjects Community

Considerations for Researchers

  1. Select collaborators carefully. Researchers who want to take advantage of the HIPAA Exemption should ensure that all members of the study team are part of a covered entity. (Need help? Check out this Covered Entity Guidance Tool.)
  2. Brush up on HIPAA regulations—and ensure your study personnel do too. Remember, under the exemption, HIPAA requirements regarding authorization (or waiver), disclosures, the Security Rule's administrative, physical, and technical safeguards, and breaches of PHI continue to apply; the exemption removes IRB review, not HIPAA.

Considerations for HRPPs

  1. Many institutions have internal processes for making exempt determinations. Those processes should now include a check to ensure everyone on the study team is within a covered entity—both at study initiation and, if you track personnel changes for exempt research, over the life of the study.
  2. If privacy board review will be housed within the HRPP, establish well-defined policies and procedures for evaluating whether HIPAA Exemption studies meet HIPAA research authorization/waiver requirements.
  3. Educate your research community. Explain the rationale behind the exemption and its implications.
  4. Understand the institutional risk and consult with relevant stakeholders within your institution.
      • Stakeholders may include HIPAA privacy officers, legal counsel, IT/security personnel, and others.
      • Consider developing policies related to investigator and institutional responsibilities when multi-site research is conducted under the HIPAA Exemption.
      • For hybrid entities, delineate who falls within a covered component and who does not.
      • Strengthen investigator education/training for HIPAA compliance and/or institute a monitoring process for studies approved under the HIPAA Exemption—and decide which stakeholders will be responsible for such activities.

Determining whether a research project is “in or out” of a covered entity is just one of many considerations related to the application of the revised Common Rule’s HIPAA Exemption, but it’s a necessary first step in routing PHI-related research for appropriate review.

Erin Odor, MA, CIP, is an IRB Protocol Analyst II at The Ohio State University. She supports the operations of the Cancer IRB, Biomedical IRB, and Social & Behavioral Sciences IRB, as well as collaborative research with other institutions. She also regularly assists with outreach and education activities, staff training, and process improvement initiatives. She holds bachelor’s degrees in comparative cultural studies and Latin language, as well as a Master of Arts in East Asian studies.

Members of PRIM&R’s Blog Squad and other guest contributors are valued members of our community willing to share their insights. The views expressed in their posts do not necessarily reflect those of PRIM&R or its employees.