Policy Materials

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a new Federal law that provides safeguards to protect the health information of individuals obtaining healthcare in the USA, also known as the Privacy Rule. Since investigators may create, use or exchange individually identifiable health information when conducting research, Pepperdine University must assure compliance with HIPAA as it relates to research.

For more information on Pepperdine's HIPAA policies and procedures, see the  HIPAA Policies, Procedures and Forms Manual at www.pepperdine.edu/provost/policies/ or contact the Pepperdine Privacy Official. The Pepperdine Privacy Official is identified on the Pepperdine University Human Protections  web site: community.pepperdine.edu/irb/. Pepperdine University's HIPAA Notice of Privacy Practices can also be found at www.pepperdine.edu/provost/policies/

HIPAA contains provisions to protect the confidentiality and security of individually-identifiable health information. The Privacy rule does NOT replace or modify the Common Rule or FDA regulations. The Privacy rule is in ADDITION TO privacy protections of these regulations.

  1. What is Individually Identifiable Health Information?
    Individually-identifiable health information is any information created, used, or received by a health or mental health care provider that relates to:
    • the past, present, or future physical or mental health or condition of an individual,
    • the provision of health care to an individual, or
    • the past, present or future payment for the provision of health care to an individual with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
  2. The collection of individually-identifiable health information for research constitutes human subjects research. The HIPAA rule governs the use of individually-identifiable health information when it is Protected Health Information (PHI).

  3. What is PHI?
    is defined as any individually identifiable health information collected or created as a consequence of the provision of health care by a covered entity, in any form, including verbal communications.
    All Pepperdine research related disclosures of PHI must obtain prospective approval by a Pepperdine University IRB.  In general, except for treatment, investigators are restricted to the minimum PHI reasonably necessary to conduct the research.

HIPAA Defined Personal Identifiers

1.  Names 10.  Account number
2.  Dates of birth, death, admission, and discharge (except year) 11.  Certificate/license number
3.  Postal address including city, state, & zip code 12.  Vehicle identifier
4.  Telephone number 13.  Device identifiers and serial number
5.  Fax number 14.  URLs
6.  E-mail address 15.  IP address
7.  Social Security number 16.  Biometric identifiers, including finger prints
8.  Medical record number 17.  Full face photos and other comparable images
9.  Health Plan ID number 18.  Any other unique identifying number, characteristic or code

Removal of these identifiers makes information de-identified and not subject to HIPAA. Coded data is de-identified as long as the code is not derived from an identifying source, and as long as the key to the code is secure (source: kutkatl@od.nih.gov).

  1. Am I A Covered Entity? Is My Data Source a Covered Entity?
    A Covered Entity is:
    • A health care provider who transmits health information in electronic transactions for which the Secretary has adopted standards/for certain purposes. For example, a physician who electronically bills for services.
    • A health plan
    • A health care clearinghouse

Pepperdine University is a Hybrid Entity under HIPAA. A Hybrid Entity means a single legal entity that is a covered entity, performs business activities that include both covered and noncovered functions, and designates its health care components as provided in the Privacy Rule (45 C.F.R. § 164.504). Investigators conducting research should determine whether they are planning to obtain data from part of Pepperdine that is a Covered Entity, which include:

  • Student Health Center and/or Wellness Program;
  • Athletic Training Center;
  • Student Counseling and Testing Control;
  • Pepperdine Psychology and Educational Clinic;
  • Pepperdine Communications Counseling Center;
  • Pepperdine Jerry B.H. Union Rescue Clinic; and
  • Center for Human Resources, Benefits Department.
    If you are seeking to obtain information for research purposes from a Pepperdine institutional unit not noted in the above list, your research does not fall under HIPAA.
    Pepperdine faculty, staff or student researchers who are not planning to do research in/with one of the above Pepperdine Covered Entities, but who plan to collect data from a non-Pepperdine Covered Entity (e.g., most hospitals; some counseling centers) must follow the HIPAA procedures of that CE. Contact your supervisor, IRB Chairperson, and/or Pepperdine's Privacy Officer, if you have questions about your status or the status of your research project, and which procedures you need to follow.
  1. What Types of Research are Typically Covered by HIPAA?
    Investigators should remember that PHI has three main components: (1) Covered Entity, (2) Health (and mental health) Information, (3) Identifier. All 3 components need to be met for your research to be covered under HIPAA. The PHI can be transmitted or maintained in any form (paper, electronic, web-based, etc.). Decedents' information can be included. PHI does not include de-identified health information or biological tissue.
    • Research that includes the review of medical records (including some mental health records) or biological materials with attached identifying information from a covered entity,
    • Research that results in the addition of new information to a medical record of a covered entity (e.g., research in which a health care service is performed, such as testing a new diagnostic method, or a new drug, biologic, or device, creating new information in a medical record).
  2. What is the IRB's Role?
    • subjects should sign a “HIPAA Authorization,” in addition to or in combination with the informed consent form for participation in research, OR
    • a Waiver of Authorization (roughly analogous to a Waiver of Informed Consent under 45 CFR 46) may be granted, AND
    • Investigators and research staff should have HIPAA research certification.
  3. Each Pepperdine IRB will act as a Privacy Board (required by HIPAA) to review the research use or disclosure of PHI and determine whether:

  4. What Procedures will Investigators Have To Follow?
    1. Obtain the “HIPAA Authorization” of the subject
      Research subject authorization for release or inclusion of individually identifiable health information may only occur if the subject has signed both (1) a HIPAA Authorization for Release of Protected Health Information for Research Purposes form and (2) the IRB approved informed consent document for the research or a combined form.

      If you will ask subjects to create or use their PHI, please use one of the following HIPAA Authorization forms, or the approved form of a covered entity from which you are obtaining the PHI.

      • Subjects enrolled prior to April 14, 2003 are “grandfathered,” meaning their existing signed research informed consent document is HIPAA compliant.
      • New subjects must sign a “HIPAA Authorization” unless a waiver of informed consent and authorization have been granted by the IRB.

    2. Obtain from the IRB permission for the use or disclosure of PHI without a Privacy Rule Authorization, through one of the following methods (as explained further in subsection C below):
      • a Waiver of HIPAA Authorization, or
      • use of a limited data set (LDS), or
      • use of a de-identified data set; or
      • the use of a de-identified data set (“Statistical Standard”); or
      • certification of use under Preparatory to Research provisions; or
      • certification of use of decedents' information.
  5. If the study involves PHI, all members of the study team are required to complete a HIPAA research certification (like the Human Subjects Research education requirement) before the IRB will approve the protocol.