HIPAA Privacy and Security


HIPAA Privacy Rule

The John A. Burns School of Medicine is committed to ensuring the privacy and security of protected health information. Under the Health Insurance Portability and Accountability Act (HIPAA) passed by the U.S. Congress in 1996, all health care service facilities covered under HIPAA are required to provide documentation of HIPAA training for everyone with access to patients and/or patient data.

The HIPAA Privacy Rule has established a set of requirements for protecting the confidentiality of person-identifiable data arising as a result of health care services, and includes the requirement that authorization (i.e., consent) be obtained in most cases before this type of data is used for research purposes. The Privacy Rule also defines the means by which individuals will be informed of uses and disclosures of their medical information for research purposes, and their rights to access information about them held by covered entities.

Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research.

For more information on HIPAA and the Privacy Rule, visit the U.S. Department of Health & Human Services website on Health Information Privacy.

How does HIPAA apply to JABSOM?

An organization will be defined as a Covered Entity and will be subject to the provisions of HIPAA by virtue of providing healthcare services and billing using electronic means. The University of Hawaiʻi may include units or components that provide health care services and bill using electronic means. Given that the University of Hawaiʻi has not formally designated itself as a hybrid entity and that, “under the Privacy Rule, any entity that meets the definition of a covered entity, regardless of size or complexity, generally will be subject in its entirety to the Privacy Rule” (see http://privacyruleandresearch.nih.gov/pr_06.asp for more detailed information), JABSOM’s policy is to comply with the entirety of the Privacy Rule and all applicable HIPAA standards.

Additionally, many departments, programs, faculty and staff members at JABSOM have dual roles and are associated with Covered Entities (such as UCERA or partnering hospitals). They conduct research using data derived from a healthcare service and/or event, or health care records may be produced in the course of doing research. When HIPAA-related PHI is communicated to another person or organization that is not part of the covered entity, this is called a disclosure. HIPAA allows both use and disclosure of PHI for research purposes, but such uses and disclosures have to follow HIPAA guidance and have to be part of a research plan that is reviewed and approved by an Institutional Review Board (IRB). Note: all research involving humans must obtain approval and oversight by the UH Human Studies Program and UH IRB. This includes studies performed by UH faculty, staff or students and/or using UH facilities or other resources (e.g., data). It is JABSOM’s responsibility to educate and follow HIPAA privacy and security guidelines to the best of our ability, since many of our faculty and staff members have various roles and responsibilities that apply to HIPAA-related PHI.

Why is training necessary?

When participants in a research study sign an authorization to have a copy of their HIPAA-related PHI used for research purposes, the information transcribed into the research record is subsequently governed by the terms of their authorization and is no longer PHI subject to HIPAA. Although the HIPAA Privacy Rule no longer applies to this information as it is maintained in research records, best practices for research involving human volunteers require that its confidentiality continue to be protected. Thus it is JABSOM’s responsibility to provide appropriate mechanisms to safeguard protected health information in compliance with federal and state law and the HIPAA Privacy and Security rules. JABSOM’s PHI training is required for all JABSOM faculty, staff and students. Note: JABSOM employees who are employed by another Covered Entity are required to follow the HIPAA policies that apply to that Covered Entity or Business Associate to which they are assigned.