DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website does not, and is not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article discusses whether and when researchers are regarded as covered entities under HIPAA.
When Can Researchers be Regulated by HIPAA?
The rules on HIPAA and research can be found in several sections of the HIPAA regulations. This article covers the threshold question of whether researchers can be regarded as HIPAA covered entities or business associates in the first place and thus be subject to these rules. The short answer is: sometimes yes, sometimes no.
In situations where a researcher is neither a covered entity nor a business associate, HIPAA does not apply to the researcher.
A researcher is a covered entity if he or she furnishes healthcare services to individuals, including the subjects of research, and conducts certain transactions in electronic form.
What is an Example of When a Researcher is a Covered Entity?
A researcher who conducts a clinical trial that involves the delivery of routine health care, such as an MRI or liver function test, and transmits health information in electronic form to a third-party payer for payment, would be a covered entity under the Privacy Rule. Researchers who provide health care to the subjects of research or other individuals would be covered health care providers even if they do not themselves electronically transmit information in connection with a HIPAA transaction, but have other entities, such as a hospital or billing service, conduct such electronic transactions on their behalf.
A researcher is not a covered entity if it does not engage in one or more of the above-mentioned transactions in electronic form or have other entities conduct such transactions on its behalf. A researcher is also not a covered entity if the researcher does not furnish healthcare services to individuals, including subjects of research.
What is the HIPAA Definition of Healthcare?
HIPAA defines "healthcare" quite specifically. Healthcare means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:
(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
(2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
A researcher who does not provide healthcare is not a covered entity.
When is a Researcher a Business Associate?
A business associate is a person or entity that is not a member of a covered entity's workforce and that performs or assists in performing, for or on behalf of a covered entity, a function or activity involving the use or disclosure of individually identifiable health information, or that provides certain services to a covered entity that involve the use or disclosure of individually identifiable health information.
The Privacy Rule does not require a researcher or a research sponsor to become a business associate of a covered entity for research purposes. However, a covered entity may engage the services of a business associate to perform certain research-related tasks. These tasks include de-identifying PHI and preparing limited data sets (78 FR 5575). De-identifying PHI and creating limited data sets are functions, activities or services for a covered entity that fall within the definition of healthcare operations business associate services and functions.
When are Researchers Required to Enter into Business Associate Agreements?
A researcher that is a covered entity is required to enter into a business associate agreement with a business associate it shares PHI with. If a business associate de-identifies PHI, prepares limited data sets, or performs data aggregation on behalf of a covered entity, the parties need to enter into a business associate agreement.