Frequently asked questions about HIPAA

Q: What does this regulation do?

A: The Privacy Rule became effective April 14, 2001. Most health plans and health care providers that are covered by the new rule must comply with the new requirements by April 2003. The Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.

  • It gives patients more control over their health information.
  • It sets boundaries on the use and release of health records.
  • It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
  • It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
  • And it strikes a balance when public responsibility requires disclosure of some forms of data — for example, to protect public health.

Q: What does this regulation require the average provider or health plan to do?

A: For the average health care provider or health plan, the Privacy Rule requires activities such as:

  • providing information to patients about their privacy rights and how their information can be used;
  • adopting clear privacy procedures for its practice, hospital, or plan;
  • training employees so that they understand the privacy procedures;
  • designating an individual to be responsible for seeing that the privacy procedures are adopted and followed;
  • securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Q: What is the difference between "consent" and "authorization" under the Privacy Rule?

A: A consent is a general document that gives health care providers, which have a direct treatment relationship with a patient, permission to use and disclose all personal health information (PHI) for treatment, payment, or health care operations (TPO). It gives permission only to that provider, not to any other person.

An authorization is a more customized document that gives covered entities permission to use specified personal health information for specified purposes, which are generally other than TPO, or to disclose PHI to a third party specified by the individual. An authorization is more detailed and specific than a consent. It covers only the uses and disclosures and only the PHI stipulated in the authorization; it has an expiration date; and, in some cases, it also states the purpose for which the information may be used or disclosed.

Q: Will the rule hinder medical research by making doctors and others less willing and/or able to share information about individual patients?

A: We do not believe that the Privacy Rule will hinder medical research. Indeed, patients and health plan members should be more willing to participate in research when they know their information is protected. For example, in genetic studies at the National Institutes of Health (NIH), nearly 32% of eligible people offered a test for breast cancer risk decline to take it. The overwhelming majority of those who refuse cite concerns about health insurance discrimination and loss of privacy as the reason.

Q: Are some of the criteria so subjective that inconsistent determinations may be made by IRBs and Privacy Boards reviewing similar or identical research projects?

A: Under the Privacy Rule, IRBs and Privacy Boards need to use their judgment as to whether the waiver criteria have been satisfied. Several of the waiver criteria are closely modeled on the Common Rule’s criteria for the waiver of informed consent and for the approval of a research study. Thus, it is anticipated that IRBs already have experience in making the necessarily subjective assessments of risks and benefits. For multisite research that requires PHI from two or more covered entities, the Privacy Rule permits covered entities to accept documentation of IRB or Privacy Board approval from a single IRB or Privacy Board.

Q: Does the Privacy Rule prohibit researchers from conditioning participation in a clinical trial on an authorization to use/disclose existing PHI?

A: No. The Privacy Rule does not address conditions for enrollment in a research study. Therefore, the Privacy Rule in no way prohibits researchers from conditioning enrollment in a research study on the execution of an authorization for the use of pre-existing health information.

Q: Does the Privacy Rule permit the creation of a database for research purposes through an IRB or Privacy Board waiver of individual authorization?

A: Yes. A covered entity may use or disclose PHI without individuals’ authorizations for the creation of a research database, provided the covered entity obtains documentation that an IRB or Privacy Board has determined that the specified waiver criteria were satisfied.

Q: Will IRBs be able to handle the additional responsibilities imposed by the Privacy Rule?

A: Recognizing that some institutions may not have IRBs, or that some IRBs may not have the expertise needed to review research that requires consideration of risks to privacy, the Privacy Rule permits the covered entity to accept documentation of waiver of authorization from an alternative body called a Privacy Board, which could have fewer members and members with different expertise than IRBs.

In addition, for research that is determined to be of no more than minimal risk, IRBs and Privacy Boards could use an expedited review process, which permits covered entities to accept documentation even when the review has been conducted by only one or more members of the IRB or Privacy Board rather than the full board.

Q: By establishing new waiver criteria and authorization requirements, hasn’t the Privacy Rule, in effect, modified the Common Rule?

A: No. Where both the Privacy Rule and the Common Rule apply, both regulations must be followed. The Privacy Rule regulates only the content and conditions of the documentation that covered entities must obtain before using or disclosing PHI for research purposes.

Q: Is documentation of IRB and Privacy Board approval required before a covered entity would be permitted to disclose PHI for research purposes without an individual’s authorization?

A: No. The Privacy Rule requires documentation of waiver approval by either an IRB or a Privacy Board, not both.

Q: Does a covered entity need to create an IRB or Privacy Board before using or disclosing PHI for research?

A: No. The IRB or Privacy Board could be created by the covered entity or the recipient researcher, or it could be an independent board.

Q: What does the Privacy Rule say about a research participant’s right of access to research records or results?

A: With few exceptions, the Privacy Rule gives patients the right to inspect and obtain a copy of health information about themselves that is maintained in a "designated record set." A designated record set is basically a group of records which a covered entity uses to make decisions about individuals, and includes a health care provider’s medical records and billing records, and a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems. Research records or results maintained in a designated record set are accessible to research participants unless one of the Privacy Rule’s permitted exceptions applies.

One of the permitted exceptions applies to PHI created or obtained by a covered health care provider/researcher for a clinical trial. The Privacy Rule permits the individual’s access rights in these cases to be suspended while the clinical trial is in progress, provided the research participant agreed to this denial of access when consenting to participate in the clinical trial. In addition, the health care provider/researcher must inform the research participant that the right to access PHI will be reinstated at the conclusion of the clinical trial.

Q: Are the Privacy Rule’s requirements regarding patient access in harmony with the Clinical Laboratory Improvements Amendments of 1988 (CLIA)?

A: Yes. The Privacy Rule does not require clinical laboratories that are also covered health care providers to provide an individual access to information if CLIA prohibits them from doing so. CLIA permits clinical laboratories to provide clinical laboratory test records and reports only to authorized persons, as defined primarily by state law. The individual who is the subject of the information is not always included as an authorized person. Therefore, the Privacy Rule includes an exception to individuals’ general right to access PHI about themselves if providing an individual such access would be in conflict with CLIA.

In addition, for certain research laboratories that are exempt from the CLIA regulations, the Privacy Rule does not require such research laboratories, if they are also a covered health care provider, to provide individuals with access to PHI, because doing so may result in the research laboratory losing its CLIA exemption.

Q: Do the Privacy Rule’s requirements for authorization and the Common Rule’s requirements for informed consent differ?

A: Yes. Under the Privacy Rule, a patient’s authorization will be used for the use and disclosure of PHI for research purposes. In contrast, an individual’s informed consent as required by the Common Rule and FDA’s human subjects regulations is a consent to participate in the research study as a whole, not simply a consent for the research use or disclosure of PHI. For this reason, there are important differences between the Privacy Rule’s requirements for individual authorization, and the Common Rule’s and FDA’s requirements for informed consent. Where the Privacy Rule, the Common Rule, and/or FDA’s human subjects regulations are applicable, each of the applicable regulations will need to be followed.

Source: Department of Health and Human Services, Office for Civil Rights, Washington, DC. Web: