Florence Library of HIPAA Guidance for Technology and Clinical Research
The Health Insurance Portability and Accountability Act was signed into law in the US in 1996, since then the clinical research industry has been navigating this federal statute to protect patient health information (PHI) from being disclosed without the patient’s consent or knowledge.
In response, the US Department of Health and Human Services has compiled and published these questions and responses. The questions stem mainly from this database:
So where does Florence fit?
Florence is the leading platform for remote connectivity and electronic document workflow management in clinical research. Our operations, practices, policies, and software all align with global data governance and regulatory standards. As a controller, processor, and trusted industry software vendor, Florence has extensive privacy and security controls in place, along with a dedicated data protection team that ensures our data privacy and security standards are at the highest level. You can learn more about our data protection programs here.
At Florence, one way we give back to the clinical research community is through sharing educational resources to ease digital transformation in clinical trials. This resource library was created to help educate the community on HIPAA and it’s role in clinical research.
The information presented in our library is for informational purposes only, they are not for implementation in operations. Please consult official HIPAA guidance documents for operational use.
Download the Complete HIPAA Technology and Clinical Research Guidance
HIPAA Technology and Clinical Research Guidance Library Topics
Health Information Technology
Accountability
- What is a covered entity’s liability under the HIPAA Privacy Rule for sharing data inappropriately to or through a health information organization (HIO) or other electronic health information exchange network? [see answer]
- Does the HIPAA Privacy Rule require a covered entity to “police” a health information organization (HIO), which functions as its business associate? [see answer]
- How should a covered entity respond to any HIPAA Privacy Rule violation of a health information organization (HIO) acting as its business associate? [see answer]
- Who is liable under the HIPAA Privacy Rule where multiple covered entities have signed on to a single business associate agreement and one member breaches the agreement? [see answer]
Collection, Use, and Disclosure Limitation
- May a covered health care provider disclose electronic protected health information (PHI) through a health information organization (HIO) to another health care provider for treatment? [see answer]
- May a health information organization (HIO) manage a master patient index on behalf of multiple HIPAA covered entities?
- What may a HIPAA covered entity’s business associate agreement authorize a health information organization (HIO) to do with electronic protected health information (PHI) it maintains or has access to in the network? [see answer]
- May a health information organization (HIO), acting as a business associate of a HIPAA covered entity, de-identify information and then use it for its own purposes? [see answer]
- How may the HIPAA Privacy Rule’s minimum necessary standard apply to electronic health information exchange through a networked environment? [see answer]
- Does the HIPAA Privacy Rule permit a covered entity to disclose psychotherapy notes to or through a health information organization (HIO)? [see answer]
- To what extent does the HIPAA Privacy Rule allow third parties to access protected health information (PHI) through a health information organization (HIO) for purposes other than treatment, payment, and health care operations? [see answer]
Correction
- Who is responsible for amendment of protected health information in an electronic health information exchange environment? [see answer]
- What are a covered entity’s responsibilities to notify others in a network if an amendment to protected health information is made? [see answer]
Access Right and HIT, Generally
- In an electronic health information exchange environment, what is a designated record set for purposes of an individual’s right of access under the HIPAA Privacy Rule? [see answer]
- How would a covered entity or health information organization (HIO), acting on its behalf, know if someone were a personal representative for the purpose of granting access under the HIPAA Privacy Rule? [see answer]
- How may judgments be made electronically about denial of access under the HIPAA Privacy Rule? [see answer]
Individual Choice
- Does the HIPAA Privacy Rule inhibit electronic health information exchange across different states or jurisdictions? [see answer]
- How do HIPAA authorizations apply to an electronic health information exchange environment? [see answer]
- Can a covered entity use existing aspects of the HIPAA Privacy Rule to give individuals the right to Opt-In or Opt-Out of electronic health information exchange? [see answer]
- Who has the right to consent or the right to request restrictions with respect to whether a covered entity may electronically exchange a minor’s protected health information to or through a health information organization (HIO)? [see answer]
- Can a covered entity use existing aspects of the HIPAA Privacy Rule to give individuals the right to decide whether sensitive information about them may be disclosed to or through a health information organization (HIO)? [see answer]
- Does the HIPAA Privacy Rule permit a covered entity to disclose psychotherapy notes to or through a health information organization (HIO)? [see answer]
General
- Is a health information organization (HIO) covered by the HIPAA Privacy Rule? [see answer]
- Can a health information organization (HIO) operate as a business associate of multiple covered entities participating in a networked environment? [see answer]
- What are some considerations in developing and implementing a business associate agreement with a health information organization (HIO)? [see answer]
- Can a health information organization (HIO), as a business associate, exchange protected health information (PHI) with another HIO acting as a business associate? [see answer]
- Can a health information organization (HIO) participate as part of an organized health care arrangement (OHCA)? [see answer]
- Can a health information organization (HIO) participate as part of an affiliated covered entity? [see answer]
Openness and Transparency
- May a HIPAA Notice of Privacy Practices (NPP) specifically mention that protected health information (PHI) will be disclosed to and through a health information organization (HIO)? May the NPP mention that the covered health care provider uses an electronic health record (EHR)? [see answer]
- Are health information organizations (HIOs) required to have a HIPAA Notice of Privacy Practices (NPP)? [see answer]
- May covered entities that operate in electronic environments provide individuals with their HIPAA Notice of Privacy Practices (NPP) electronically? [see answer]
Safeguards – Health Information Technology
- Does the HIPAA Privacy Rule permit a covered health care provider to e-mail or otherwise electronically exchange protected health information (PHI) with another provider for treatment purposes? [see answer]
- How may the HIPAA Privacy Rule’s requirements for verification of identity and authority be met in an electronic health information exchange environment? [see answer]
- Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients? [see answer]
- Does the HIPAA Privacy Rule allow covered entities participating in electronic health information exchange with a health information organization (HIO) to establish a common set of safeguards? [see answer]
Access Right, Apps and APIs
- Does a HIPAA covered entity that fulfills an individual’s request to transmit electronic protected health information (ePHI) to an application or other software (collectively “app”) bear liability under the HIPAA Privacy, Security, or Breach Notification Rules (HIPAA Rules) for the app’s use or disclosure of the health information it received? [see answer]
- What liability does a covered entity face if it fulfills an individual’s request to send their ePHI using an unsecure method to an app? [see answer]
- Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity’s electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity? [see answer]
- Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives? [see answer]
- Does HIPAA require a covered entity or its EHR system developer to enter into a business associate agreement with an app designated by the individual in order to transmit ePHI to the app? [see answer]
Telehealth
- What is telehealth? [see answer]
- What entities are included and excluded under the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications? [see answer]
- What patients can a covered health care provider treat under the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications and does it include Medicare and Medicaid patients? [see answer]
- Which parts of the HIPAA Rules are included in the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications? [see answer]
- Does the Notification of Enforcement Discretion regarding COVID- 19 and remote telehealth communications apply to violations of 42 CFR Part 2, the HHS regulation that protects the confidentiality of substance use disorder patient records?[see answer]
- When does the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications expire? [see answer]
- Where can health care providers conduct telehealth? [see answer]
- What telehealth services are covered by the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications? [see answer]
- What may constitute bad faith in the provision of telehealth by a covered health care provider, which would not be covered by the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications? [see answer]
- What is a “non-public facing” remote communication product? [see answer]
- If a covered health care provider uses telehealth services during the COVID-19 outbreak and electronic protected health information is intercepted during transmission, will OCR impose a penalty on the provider for violating the HIPAA Security Rule? [see answer]
Clinical Research
Authorizations
- Will the HIPAA Privacy Rule hinder medical research by making doctors and others less willing and/or able to share with researchers information about individual patients? [see answer]
- Are some of the criteria so subjective that inconsistent determinations may be made by Institutional Review Boards (IRB) and Privacy Boards reviewing similar or identical research projects? [see answer]
- Does the HIPAA Privacy Rule prohibit researchers from conditioning participation in a clinical trial on an authorization to use/disclose existing protected health information? [see answer]
- Does the HIPAA Privacy Rule permit the creation of a database for research purposes through an Institutional Review Board (IRB) or Privacy Board waiver of individual authorization? [see answer]
- Is documentation of Institutional Review Boards (IRB) and Privacy Board approval required by the HIPAA Privacy Rule before a covered entity would be permitted to disclose protected health information for research purposes without an individual’s authorization? [see answer]
- Does the HIPAA Privacy Rule require a covered entity to create an Institutional Review Board (IRB) or Privacy Board before using or disclosing protected health information for research? [see answer]
- What does the HIPAA Privacy Rule say about a research participant’s right of access to research records or results? [see answer]
- When is a researcher considered to be a covered health care provider under HIPAA? [see answer]
- When does a covered entity have discretion to determine whether a research component of the entity is part of their covered functions, and therefore, subject to the HIPAA Privacy Rule? [see answer]
- If a research subject revokes his or her authorization to have protected health information used or disclosed for research, does the HIPAA Privacy Rule permit a researcher/covered health care provider to continue using the protected health information already obtained prior to the time the individual revoked his or her authorization? [see answer]
- Can the preparatory research provision of the HIPAA Privacy Rule at 45 CFR 164.512(i)(1)(ii) be used to recruit individuals into a research study? [see answer]
- Does the HIPAA Privacy Rule require documentation of Institutional Review Board (IRB) or Privacy Board approval of an alteration or waiver of individual authorization before a covered entity may use or disclose protected health information for any of the following provisions: (1) for preparatory research at 45 CFR 164.512(i)(1)(ii), (2)for research on the protected health information of decedents at 45 CFR 164.512(i)(1)(iii), or (3) a limited data set with a data use agreement as stipulated at 45 CFR 164.51? [see answer]
- If research subjects’ consent was obtained before the compliance date, but the Institutional Review Board (IRB) subsequently modifies the informed consent document after the compliance date and requires that subjects be reconsented, is authorization now required from these previously enrolled research subjects under the HIPAA Privacy Rule? [see answer]
- Can covered entities continue to disclose adverse event reports that contain protected health information to the Department of Health and Human Services (HHS) Office for Human Research Protections? [see answer]
- Can covered entities continue to disclose protected health information to the HHS Office for Human Research Protections for purposes of determining compliance with the HHS regulations for the protection of human subjects (45 CFR Part 46)? [see answer]
Research Uses and Disclosures
- May a covered entity accept documentation of an external Institutional Review Board’s (IRB) waiver of authorization for purposes of reasonably relying on the request as the minimum necessary? [see answer]
- How does the Rule help Institutional Review Boards (IRB) handle the additional responsibilities imposed by the HIPAA Privacy Rule? [see answer]
- By establishing new waiver criteria and authorization requirements, hasn’t the HIPAA Privacy Rule, in effect, modified the Common Rule? [see answer]
- Do the HIPAA Privacy Rule’s requirements for authorization and the Common Rule’s requirements for informed consent differ? [see answer]
- Can researchers continue to access existing databanks or repositories that are maintained by covered entities, even if those databases were created prior to the compliance date without patient permission or without a waiver of informed consent by an Institutional Review Board (IRB)? [see answer]
Privacy Rule: General Topics
- What does the HIPAA Privacy Rule do? [see answer]
- Why is the HIPAA Privacy Rule needed? [see answer]
- Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do? [see answer]
- Who must comply with HIPAA privacy standards? [see answer]
- When did covered entities have to meet these HIPAA privacy standards? [see answer]
- What were the major modifications to the HIPAA Privacy Rule that the Department of Health and Human Services (HHS) adopted in August 2002? [see answer]
- Why was the consent requirement eliminated from the HIPAA Privacy Rule, and how will it affect individuals’ privacy protections? [see answer]
- Will the Department of Health and Human Services (HHS) make future changes to the HIPAA Privacy Rule and, if so, how will these changes be made? [see answer]
- Does the HIPAA Privacy Rule create a government database with all individuals’ personal health information? [see answer]
- How does the HIPAA Privacy Rule affect my rights under the Federal Privacy Act? [see answer]
- Does the HIPAA Privacy Rule protect genetic information? [see answer]
- Does the HIPAA Privacy Rule require that covered entities document all oral communications? [see answer]