Exceptions to HIPAA’s Authorization Requirement

When health information is collected in the course of a study in which health care, as discussed above, is provided, the information may be used for research purposes without individuals’ authorizations if the records are de-identified, are modified to constitute “limited data sets” (and used only pursuant to a Data Use Agreement), or are used and disclosed pursuant to an IRB waiver (only in exceptional cases).

Use or Disclosure of “De-Identified” Health Information

  1. De-identified health information is exempt from HIPAA and may be used or disclosed for research purposes without an Informed Consent and Health Information Use and Disclosure Authorization. 
  2. Identifiers of the individual and of the individual’s employer, relatives and household members that must be removed include: names; geographic subdivisions smaller than a state; zip codes; dates directly related to an individual; telephone numbers; fax numbers; electronic mail addresses; social security numbers; medical record numbers; health plan beneficiary identifiers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web universal resource locators (URL); internet protocol (IP) address numbers; biometric identifiers, including finger and voice prints; full face photographic images; and any other number, characteristic or code that could be used to identify the individual.
  3. Re-identification Code. The de-identified information may be assigned a code that can be affixed to the research record and that will permit the information to be re-identified if necessary, provided that the key to such a code is not accessible to the researcher requesting to use or disclose the de-identified health information.
  4. Researchers using de-identified data must certify that they have de-identified the data as described.

Limited Data Set

  1. A researcher may use or disclose a Limited Data Set for any research purpose without an Informed Consent and Health Information Use and Disclosure Authorization.
  2. A “Limited Data Set” is defined as PHI that may include any of the following direct identifiers:
    • Town, city, State and zip code;
    • All elements of dates directly related to an individual, including birth date, admission date, discharge date, and date of death.
  3. A Limited Data Set must exclude all of the following direct identifiers of the individual or of the individual’s relatives, employers, or household members: names; postal address information other than town or city, State, and zip code; telephone numbers; fax numbers; electronic mail addresses; social security numbers; medical record numbers; health plan beneficiary identifiers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web universal resource locators (URL); internet protocol (IP) address numbers; biometric identifiers, including finger and voice prints; full face photographic images and any comparable images; and any other number, characteristic or code that could be used to identify the individual.
  4. A Limited Data Set may be used or disclosed only if there is a Data Use Agreement between Northeastern University and the recipient of the limited data set.