FWA00007071 | AAHRPP Accredited

Privacy Board Review

In 1996, DHHS was obligated under federal law to create privacy regulations governing the protection of personal health information held by health care providers, insurers and others (“covered entities”). The HIPAA Privacy Rule, effective April 14, 2003, protects the privacy and confidentiality of all individually identifiable health information, such as medical history, diagnosis, treatment or payment information. This Protected Health Information (PHI) also includes demographic information that is maintained with health information (e.g., an individual's date of birth and social security number). HIPAA protection applies to all forms of PHI, both electronic and paper.

The OHRP and FDA human subject protection regulations (45 CFR § 46 and 21 CFR § 50, respectively) contain some provisions concerning protection of research participants’ confidential information that are similar to but separate from the HIPAA Privacy Rule research provisions. The HIPAA Privacy Rule built upon those pre-existing federal protections, creating a second, partly overlapping but also complementary tier of privacy protection for research participants whose PHI will be accessed or used in research.

Harvard is not a covered entity under HIPAA. It is a "hybrid entity", consisting of both covered and non-covered components. The University's covered components include the University Health Service (UHS), the Harvard Dental Center, and the Harvard University Group Health Plan (HUGHP). All other parts of the University, including Investigators whose research involves health care information, are not covered components.

An Investigator seeking data must first find out if the data exists as PHI at a HIPAA covered entity. If the entity holding the data is not a covered entity, then the Investigator does not need to be concerned with the HIPAA Privacy Rule to obtain the data, unless the entity passes along secondary restrictions in disclosing the data. However, the entity may still be bound by other laws, contractual agreements or institutional policies which restrict or condition its ability to provide the data. The Faculty of Medicine SPA office is available to help Investigators obtain these data, under appropriate restrictions and conditions.

If the data source is a HIPAA covered entity, Investigators should work with the covered entity's Privacy Officer to establish the permissible ways of accessing the PHI. Examples include: obtaining written authorizations from individuals; obtaining a waiver of the individual authorization requirement from the Privacy Board; or entering into a strict data use agreement (DUA) with the HIPAA covered entity that permits the sharing of PHI with the least number of identifiers necessary for the research to proceed.

HIPAA waivers are approved by an institution’s Privacy Board. For the Faculty of Medicine, the CHS serves as the Privacy Board.

For more information on HIPAA and Harvard, patient authorizations, data use agreements, and the use of limited data sets, please see the Harvard University Research Administration website or the HSDM website.

 

 

Updated: 22-Oct-2009

 
