DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
The rules on HIPAA and research can be found in several sections of the HIPAA regulations. This article covers the threshold question of whether researchers can be regarded as HIPAA covered entities or business associates. The short answer is: sometimes, yes, sometimes no. In situations where a researcher is neither a covered entity nor a business associate, HIPAA does not apply to the researcher. This article discusses whether and in what circumstances a researcher can be a covered entity or business associate under HIPAA.
To qualify as a covered entity, a researcher must be one of the following:
1. A healthcare provider that conducts certain transactions in electronic form
2. A health care clearinghouse.
3. A health plan
This article focuses on whether and when a researcher meets the requirements of #1 above. If these requirements are met, the researcher is a covered entity.
A researcher is a covered entity if he or she furnishes healthcare services to individuals, including the subjects of research, and conducts certain transactions in electronic form.
For example, a researcher who conducts a clinical trial that involves the delivery of routine health care, such as an MRI or liver function test, and transmits health information in electronic form to a third-party payer for payment, would be a covered entity under the Privacy Rule. Researchers who provide health care to the subjects of research or other individuals would be covered health care providers even if they do not themselves electronically transmit information in connection with a HIPAA transaction, but have other entities, such as a hospital or billing service, conduct such electronic transactions on their behalf.
A researcher is not a covered entity if it does not engage in one or more of the above-mentioned transactions in electronic form. A researcher is also not a covered entity if the researcher does not furnish healthcare services to individuals, including subjects of research.
HIPAA defines "healthcare" quite specifically. Healthcare means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:
(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
(2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
A researcher who does not provide healthcare is not a covered entity.
When May a Researcher be a Business Associate?
A business associate is a person or entity, who is not a member of a covered entity's workforce who and performs or assists in performing, for or on behalf of a covered entity, a function or activity involving the use or disclosure of individually identifiable health information, or, that provides certain services to a covered entity that involve the use or disclosure of individually identifiable health information.
The Privacy Rule does not require a researcher or a research sponsor to become a business associate of a covered entity for research purposes. However, a covered entity may engage the services of a business associate to perform certain research-related tasks. These tasks include de-identifying PHI, preparing limited data sets, or performing data aggregation. Data aggregation has a mouthful of a definition under HIPAA. Data aggregation is defined as: "With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities." Essentially, data aggregation is combining PHI that a BA shares with one covered entity, with PHI it shares with another covered entity.
The purpose of this collection is to permit data analyses relating to the healthcare operations of the respective covered entities. In English, data aggregration allows business associates to assist covered entities in performing healthcare operations that involve comparative analysis of protected health information from otherwise unaffiliated covered entities. The BA engages in data aggregation when it assists in comparing one covered entity's PHI with another's.
Are Researchers Required to Enter into Business Associate Agreements?
A researcher that is a covered entity is required to enter into a business associate agreement with a business associate it shares PHI with. If a business associate engages in de-identifying PHI, preparing limited data sets, or performs data aggregation, on behalf of a covered entity, the parties need to enter into a business associate agreement.
For more information on the HIPAA Privacy Rule, research, and researchers, please click here.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article