Compliance at Indiana University

HIPAA Privacy and Security

HIPAA Frequently Asked Questions

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was designed to improve the efficiency and effectiveness of the health care system and requires many things, including the standardization of electronic patient health, administrative and financial data. In response to the original HIPAA law, Health and Human Services (HHS) published an additional regulation referred to as the Privacy Rule that relates directly to organizations involved in health care operations that transmit health information electronically.

Organizations subject to HIPAA include:

  • health plans;
  • health care clearinghouses (e.g., billing companies);
  • health care providers that transmit health information electronically in connection with a HIPAA-covered transaction; and
  • the business associates of these covered entities.

The HIPAA Privacy Rule:

  • Establishes conditions under which PHI can be used within a Covered Entity and disclosed to others outside that entity;
  • Grants individuals certain rights regarding their PHI;
  • Requires that Covered Entities maintain the privacy and security of PHI.

HIPAA also establishes security and privacy standards for the use and disclosure of "protected health information" (PHI).


What is a covered entity?

A covered entity is (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider (e.g., group practice, solo practitioner) that transmits any health information in electronic form in connection with a HIPAA-covered health care transaction. Business associates of covered entities are not themselves covered entities, but they are directly subject to the Security Rule and to many Privacy Rule requirements. The Privacy Rule allows a covered entity to designate itself as a "hybrid entity," with only selected parts subject to the requirements of the Privacy and Security Rules. Indiana University is a covered entity that has chosen hybrid status; therefore only certain areas of the University have to comply directly with HIPAA. The Indiana University (IU) Schools of Medicine (IUSM), Dentistry (IUSD) and Optometry (IUSO), IU Health Services (IUHS) in Bloomington, the Health Center in Indianapolis, and the Department of Speech and Hearing are the covered health care components of the IU covered entity. The other health science schools are subject to HIPAA when they act as business associates or use PHI for education and research purposes. Other segments of the University, such as the non-health science schools, are not typically subject to HIPAA through Indiana University.


When can PHI be used and/or disclosed without an Authorization?

A covered entity may use and disclose PHI without an individual's authorization for Treatment, Payment and Health Care Operations (TPO).

  • Treatment generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
  • Payment encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.  In addition to the general definition, the Privacy Rule provides examples of common payment activities which include, but are not limited to:
    • Determining eligibility or coverage under a plan and adjudicating claims;
    • Risk adjustments;
    • Billing and collection activities;
    • Reviewing health care services for medical necessity, coverage, justification of charges, and the like;
    • Utilization review activities; and
    • Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).
  • Health care operations are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities, which are limited to the activities listed in the definition of “health care operations” at 45 CFR 164.501, include:
    • Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination;
    • Reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities;
    • Underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims;
    • Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs;
    • Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and
    • Business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity. (See the general provisions at 45 CFR 164.506.)

HIPAA does not consider Research part of health care operations and has created special rules for using PHI for research purposes.


When can PHI be used for research purposes?

HIPAA allows a covered entity to use or disclose PHI for research purposes, including research on its own patients, only:

  1.  with the individual's authorization;
  2.  without the individual's authorization under limited circumstances, such as a waiver of authorization approved by an IRB or Privacy Board; or
  3.  if another exception described below applies.
  • Patient (Participant) authorization
    • Similar to current informed consent requirement
    • Includes additional elements and statements pertaining specifically to data privacy
    • Can be combined with informed consent process
    • ORP will provide a template for use in designing a valid authorization
    • For current research, if participant consent was obtained prior to April 14, 2003, research on PHI may continue without authorization.
  • Waiver of authorization by IRB/Privacy Board
    • A waiver may be approved only when the research could not practicably be conducted without the waiver and could not practicably be conducted without access to and use of the PHI (for example, the research cannot feasibly be done on de-identified data and authorization cannot practicably be obtained from participants)
    • The use or disclosure must involve no more than minimal risk to the privacy of the individuals, which requires:
      • an adequate plan to protect the identifiers from improper use and disclosure;
      • a plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research; and
      • written assurances that the identifiable health information will not be re-used or disclosed to any other person or entity, except as required by law, for authorized oversight of the research, or for other research for which use or disclosure would be permitted
  • Review preparatory to research
    • For the purpose of study design and protocol development
    • Review must be essential for conduct of research
    • No PHI may be removed from the covered entity providing the data

  • De-identification is the removal of personally identifying information in order to protect an individual's privacy. Data are considered de-identified under either 1) the Safe Harbor method, in which all eighteen (18) HIPAA identifiers are removed, or 2) the Expert Determination method, in which a qualified expert documents that the data are statistically de-identified.

          (See “What is de-identified data?”) De-identified data is not the same as “anonymous data” under the Common Rule.

  • Limited data set and data use agreement (See “What is a limited data set?”)
    • Requires fewer identifiers be removed than de-identified data
    • Allows use of dates and ages, geographic detail down to the ZIP code, diagnoses, and other unique identifying numbers, characteristics, or codes that are not direct identifiers, except those that could easily be used to identify the individual
    • Must be used in conjunction with a Data Use Agreement (DUA), a document intended to assure the data provider that the data will only be used or disclosed for limited purposes as specified in the research protocol
    • There are no exceptions to the requirement of a DUA, but if the researcher is part of the covered entity a document such as a confidentiality agreement will suffice.  The document must still include the required elements.
    • Data use agreements may be obtained by contacting the Research Compliance Office at 317-278-7189 or the Interim University HIPAA Privacy Officer at 317-278-4521.   
  • Research on decedents’ information is allowed by the Privacy Rule under certain circumstances.  The Researcher must represent:
    • Uses or disclosure are solely for research on decedents
    • PHI is necessary for research or the research could not practicably be done without PHI
    • Individuals are deceased (the researcher may have to provide documentation)


What is de-identified data?

De-identified data are not subject to the requirements of the Privacy and Security Rules because the data are not individually identifiable and not considered PHI.  There are two ways to de-identify data:

1.  Safe Harbor Method – in which all of the following 18 elements are removed from a data set:
  • Names
  • All geographic subdivisions smaller than a State, including:
    • Street Address
    • City
    • County
    • Precinct
    • ZIP codes and their equivalent geocodes, except for the initial three (3) digits of a ZIP code if, according to the current publicly available data from the Bureau of the Census:
      • the geographic unit formed by combining all ZIP codes with the same three (3) initial digits contains more than 20,000 people; and
      • the initial three (3) digits of a ZIP code for all such geographic units containing 20,000 or fewer people are changed to 000
  • Telephone Numbers
  • Fax Numbers
  • Email Addresses
  • Social Security Numbers
  • Medical Record Numbers
  • Health Plan Beneficiary Numbers
  • Account Numbers
  • All Elements of Dates (except year) for dates related to an individual, including:
    • Birth date
    • Admission date
    • Discharge date
    • Date of death
    • All ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  • Certificate/License Numbers
  • Vehicle Identifiers and Serial Numbers, including license plate numbers
  • Device Identifiers and Serial Numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) Address Numbers
  • Biometric Identifiers, including finger and voice prints
  • Full Face Photographic Images and any comparable images
  • Any other Unique Identifying Numbers, Characteristics, or Codes

If all of the 18 identifiers listed above are removed, the information is no longer

  1. individually identifiable,
  2. PHI, and
  3. Subject to HIPAA's requirements.

2.  Expert Determination (Statistical) Method – in which "a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable" determines, and documents, that the methods used to de-identify or code the data present a "very small" risk that the information could be used by the recipient, alone or in combination with other reasonably available information, to identify the individual who is the subject of the information. For more information see HHS Guidance for De-identification of Protected Health Information.

"Anonymous" data are not necessarily considered de-identified under HIPAA. Anonymity under the federal Common Rule requires that individuals cannot be readily ascertained by the investigator and cannot be associated with the data. According to the Common Rule standard, anonymous data may retain dates of treatment. Under HIPAA's more stringent requirements, however, such data would be considered identifiable data.


What is a Limited-Data Set?

Some studies may need to retain a limited number of identifiers and, thus, not meet the strict HIPAA definition of "de-identified data." However, these studies may present only minimal potential for identifying participants based on the data set. In such circumstances, HIPAA permits use of a "Limited Data Set" for research purposes. A Limited Data Set is PHI that excludes "direct identifiers" of the individual, relatives of the individual, employers, or household members.

A limited data set must exclude all of the following direct identifiers (45 CFR 164.514(e)(2)):

  1. Names
  2. Postal address information other than town or city, state, and ZIP code (e.g., street addresses or P.O. box numbers)
  3. Telephone and fax numbers
  4. Email addresses
  5. Social Security numbers
  6. Medical record numbers
  7. Health plan beneficiary numbers
  8. Account numbers
  9. Certificate/license numbers
  10. Vehicle identifiers and serial numbers, including license plate numbers
  11. Device identifiers and serial numbers
  12. Web URLs
  13. Internet Protocol (IP) address numbers
  14. Biometric identifiers, including finger and voice prints
  15. Full face photographic images and any comparable images

A limited data set may include one or more of the following:

  1. Towns
  2. Cities
  3. States
  4. ZIP codes and their equivalent geocodes (the Safe Harbor restriction on three-digit ZIP codes covering 20,000 or fewer people does not apply to a limited data set)
  5. Dates, including birth and death dates
  6. Other unique identifying numbers, characteristics, or codes that are not expressly excluded, as long as the unique identifier(s) cannot be used to identify a specific individual (e.g., "the four-time NFL MVP" is a characteristic that identifies only one individual, so it could not be used)
  7. Relevant medical information

A Limited Data Set may be used only for purposes of research, public health, or health care operations. Under the Privacy Rule, use or disclosure of limited data sets for research purposes requires a "Data Use Agreement."
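The two sections above describe two different reductions of the same record: Safe Harbor de-identification (drop all 18 identifiers, collapse geography to state plus an optional three-digit ZIP prefix, dates to year, ages over 89 to "90+") and a limited data set (drop only the direct identifiers, keep dates, city, state and ZIP, and sign a Data Use Agreement). The Python below is an added example, not code from Indiana University or HHS, that applies both reductions to a constructed patient record and then checks which fields would still make the result PHI. The field names, the three-digit ZIP population table, and the reference date used to compute ages are assumptions made for the example; a real run would use current Census Bureau population data as the rule requires.

```python
"""Safe Harbor de-identification versus a limited data set (added example).

Illustrates the two HIPAA data reductions on a constructed record.  Field
names, the ZIP-prefix population table and REFERENCE_DATE are assumptions
for this example only; they are not from the IU page or from HHS.
"""
from datetime import date

# Safe Harbor direct identifiers, expressed as the field names used here.
SAFE_HARBOR_DROP = {
    "name", "street", "city", "county", "precinct", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip", "biometric", "photo",
}
# A limited data set may keep town/city, state, ZIP and dates, but must
# still drop postal address detail and every other direct identifier.
LIMITED_DATA_SET_DROP = SAFE_HARBOR_DROP - {"city"}

# CONSTRUCTED population counts per 3-digit ZIP prefix (not Census data).
ZIP3_POPULATION = {"474": 150_000, "036": 15_000}
REFERENCE_DATE = date(2023, 1, 1)   # assumed "as of" date for ages


def safe_harbor_zip(zip_code, population=ZIP3_POPULATION):
    """Keep the 3-digit prefix only if its combined area exceeds 20,000 people."""
    prefix = str(zip_code).strip()[:3]
    return prefix if population.get(prefix, 0) > 20_000 else "000"


def age_on(birth, as_of):
    """Whole years between a birth date and a reference date."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday


def de_identify(record, as_of=REFERENCE_DATE, population=ZIP3_POPULATION):
    """Apply the Safe Harbor method: drop identifiers, coarsen ZIP, dates, age."""
    out = {}
    for key, value in record.items():
        if key in SAFE_HARBOR_DROP:
            continue                                  # direct identifier: drop
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value, population)
        elif isinstance(value, date):
            out[key + "_year"] = value.year            # keep the year only
        else:
            out[key] = value
    birth = record.get("birth_date")
    if birth is not None:
        age = age_on(birth, as_of)
        if age > 89:
            out["age"] = "90+"
            out.pop("birth_date_year", None)          # year would reveal age > 89
        else:
            out["age"] = age
    return out


def limited_data_set(record):
    """Drop only the direct identifiers; dates, city, state and ZIP remain."""
    return {k: v for k, v in record.items() if k not in LIMITED_DATA_SET_DROP}


def remaining_identifiers(record):
    """Fields that would still make the record PHI under Safe Harbor."""
    return {k for k, v in record.items()
            if k in SAFE_HARBOR_DROP or k == "zip" or isinstance(v, date)}


# Constructed sample records (no real patients).
SAMPLE = {
    "name": "A. Example", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "email": "a.example@example.invalid", "street": "1 Example St",
    "city": "Bloomington", "state": "IN", "zip": "47405",
    "birth_date": date(1930, 6, 1), "admission_date": date(2022, 3, 14),
    "diagnosis": "I10",
}
SAMPLE_YOUNG = dict(SAMPLE, zip="03601", birth_date=date(1980, 5, 20))

if __name__ == "__main__":
    print("Safe Harbor:", de_identify(SAMPLE))
    print("Limited data set (still PHI):", limited_data_set(SAMPLE))
    print("Leftover identifiers in LDS:",
          remaining_identifiers(limited_data_set(SAMPLE)))
```

Running the block shows the contrast the two sections draw: the Safe Harbor output carries no identifier fields, so it falls outside HIPAA, while the limited data set still contains the city, ZIP code and full dates and therefore remains PHI that may be released only under a Data Use Agreement. The over-89 branch also shows why the year of birth must be dropped together with the exact age, since either one alone reveals membership in the protected age group.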


What is a Data Use Agreement?

A Limited Data Set may be used only if the covered entity providing the data and the recipient of the data first enter into a Data Use Agreement. The investigator, the holder of the PHI, and their respective institutions, must sign Data Use Agreements, either for access to a Limited Data Set or for the release of a Limited Data Set. At IU, the Office of Research Administration, Research Compliance will assist with the completion of these agreements. These agreements must, among other things, establish the permitted uses and disclosures of the information included in the Limited Data Set and must provide that the recipient of the Limited Data Set will not identify the information or use it to contact individuals.

As with research conducted pursuant to an authorization, disclosure(s) of PHI that are part of a Limited Data Set need not be tracked for purposes of providing an accounting to an individual.


Do I, the IU researcher, have to comply with HIPAA?

IU is a hybrid covered entity, meaning that parts of it are covered by HIPAA and other parts are not. Much of the research conducted by the health science schools involves PHI. IU researchers using PHI as part of their research must comply with HIPAA. Identifiable health information whose source is a covered entity is PHI, whether the researcher receives it directly or through an intermediary.


When does the Privacy Rule apply to research?

The HIPAA Privacy Rule affects research and researchers when either:

  • Research creates or generates PHI, or
  • Research requires access to and/or use of PHI.


What are the requirements for research use of PHI?

The Privacy Rule applies to the following types of research activities when they involve PHI:

  • Research using or creating PHI about living individuals
    • Retrospective medical chart reviews
    • Existing biological samples
  • Activities preparatory to research
  • Research on decedents
  • Recruitment
  • Research using a limited data set
  • Collection of PHI of secondary subjects


Once I have a waiver of authorization, can I access all of the subject's information?

No, the Privacy Rule permits only the minimum necessary information (minimum necessary standard) to be accessed under a waiver of authorization for research. You will have to list and justify what identifiable health information you need.


What is minimum necessary standard?

Under the HIPAA Privacy Rule, when a covered entity uses or discloses protected health information (PHI), or requests PHI from another covered entity, it must make reasonable efforts to limit the PHI to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."

The minimum necessary standard applies to uses and disclosures for payment, health care operations, and research; it does not apply to disclosures to a health care provider for treatment. Even when PHI is accessed for research purposes pursuant to an authorization, the researcher must limit the information requested in the authorization to the minimum necessary.

The HITECH Act further provides that a use or disclosure that does not comply with the minimum necessary standard may constitute a breach.


When is health information considered PHI?

Health-related information is considered PHI if any of the following is true:

  • the researcher obtains the records directly from a health plan, health care clearinghouse, or health care provider (a covered entity);
  • the records were created by a covered entity and the researcher obtains them from an intermediate source; or
  • the researcher obtains the information directly from the study subject in the course of providing treatment to the subject.


How does HIPAA affect reviews preparatory to research?

A review preparatory to research does not require the subject's authorization or a waiver of authorization. Covered entities may allow a researcher to access PHI without an individual's authorization, a waiver of authorization, or a data use agreement. (A disclosure of PHI to a researcher outside the covered entity for this purpose remains subject to the individual's right to an accounting of disclosures; an internal use by the covered entity's own workforce does not.) However, the covered entity must obtain from the researcher representations that:

  • the use or disclosure is requested solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research,
  • the PHI will not be removed from the covered entity in the course of review, and
  • the PHI for which use or access is requested is necessary for the research.


What about research involving PHI about decedents?

The Privacy Rule provides protections to living and deceased individuals. To use decedents’ PHI for research purposes, a researcher must provide all of the following:

  • Representation that the use or disclosure is solely for research involving the PHI of decedents (e.g., and not also the living relatives of decedents)
  • Representation that the PHI is necessary for the research
  • Documentation (at the request of the covered entity holding the PHI) of the death of the individuals whose PHI is sought.

Note: If the participant population contains both living and deceased individuals, the requirements for Authorization (or waiver or alteration) apply.

Under the 2013 HIPAA Omnibus Rule, an individual's health information ceases to be protected by the HIPAA Privacy and Security Rules 50 years after the individual's death.


Does HIPAA apply during recruitment?

HIPAA treats recruitment as a research activity. Consequently, any use of PHI to identify or contact an individual about participating in a research study must comply with HIPAA's general requirement that the use be pursuant to an authorization or an exception, such as a waiver of HIPAA authorization.

Treating providers may not disclose PHI to a third party for purposes of recruitment in a research study without first obtaining authorization from the individual.  A treating provider does, however, have the option to:

  • Discuss with his/her own patients the option of enrolling in a study.
  • Delegate recruitment to a member of the same Department/Division or Practice Plan
  • Obtain written authorization from the patient for referral into a research study.
  • Provide research information to the patient so that the patient can initiate contact with the researcher.
  • Provide information to a researcher when the researcher has obtained an approved Waiver of Research Authorization from an IRB for recruitment purposes.

HIPAA also applies to recruitment and research activities conducted via medical records and medical registry reviews. Investigators must obtain either a Research Authorization from the subject or a Waiver of HIPAA Authorization approved by an IRB prior to commencing research recruitment activities from these sources. A Waiver of HIPAA Authorization for recruitment purposes only is referred to as a partial waiver. Researchers are required to obtain subjects' Research Authorizations after recruiting and enrolling subjects via a partial waiver and prior to creating or using PHI during research procedures.

For more detail please see Indiana University's Standard Operating Procedures for Research Involving Human Subjects (page 164 - Recruitment of Human Subjects).


How does HIPAA affect the collection or maintenance of PHI in databanks or repositories for future research purposes?

The collection or maintenance of PHI in databanks or repositories for future research purposes requires an IRB-approved protocol. In addition, research using data from these databanks and repositories must be conducted under an IRB-approved protocol. Since databanks and tissue repositories frequently survive beyond the lifespan of the initial IRB protocol in which the data/tissue is collected, researchers should normally submit the proposed data/tissue banking activities to the IRB in a separate protocol.

The HIPAA Privacy Rule affects activities such as research using identifiable or coded data or biological specimens such as human tissue, DNA, and blood where the researcher controls the coding. The HIPAA Privacy Rule requires an authorization from the subject about whom information is stored or a HIPAA Waiver of Authorization approved by an IRB for the collection of PHI and prior to conducting subsequent studies using PHI. The IRB must review and approve all proposed uses of stored tissues, irrespective of whether or not the secondary use(s) of the banked tissues will include use of HIPAA identifiers.


How do I secure data that I am using/what are my responsibilities as a researcher?


How can I get more information about HIPAA?

  • Contact:
    • University HIPAA Privacy Officer:
      Leslie Pfeffer
    • University HIPAA Security Officer:
      Andrew Marsh
  • Contact the Research Compliance Office at 317-278-7189
  • Check the website of the HHS Office for Civil Rights (OCR) for the text of the rule and the latest OCR guidance on interpretation.
  • Check the National Institutes of Health website.