Institutional Review Board

Research Data Security:
HIPAA Privacy Rule Implementation at Virginia Tech

Receipt, Storage, and Use of Protected Health Information (PHI)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), through two of its specific rules, the Privacy Rule and the Security Rule, regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities" (generally, health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions).

HIPAA and Research

Virginia Tech researchers, in medical and other health-related disciplines, may rely on access to many sources of health information, ranging from patient medical records and epidemiological databases, to disease registries, hospital discharge records, and government compilations of vital and health statistics (e.g., the Centers for Medicare & Medicaid Services). For this reason, the HIPAA Privacy Rule may impact various areas of research, including clinical research, repositories and databases, and health services research. For example, health services researchers study the organization, financing, and delivery of health care services, often by analyzing large databases of health care information maintained by providers, institutions, payers, and government agencies.

The responsibility not to knowingly or accidentally disclose confidential and/or protected information about research subjects rests with the principal investigator (PI) who designs, leads, or otherwise has responsibility for the investigator-led research. This website provides an overview of the duties and responsibilities of Virginia Tech PIs and their research staff when acquiring, handling, storing and using research subject PHI data.

General Definitions

PHI - The HIPAA Privacy Rule defines protected health information (PHI) as individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, relating to the past, present, or future physical or mental health or condition of an individual. Any data (e.g., demographic data) a healthcare provider stores or transmits is deemed PHI if it identifies a patient even if it doesn't give any insight into their medical history. Specific examples of PHI identifiers are provided below.

Covered Entities - Under HIPAA regulations hospitals, academic medical centers, primary care physicians and specialists, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons. Researchers are covered entities if they are also health care providers who electronically transmit health information.

Business Associate - A person or entity (e.g., a Virginia Tech researcher or Center/Institute) who, on behalf of a Covered Entity, performs or assists in performance of a function or activity involving the use or disclosure of individually identifiable health information, such as data analysis and quality assurance reviews. For a Virginia Tech PI to gain access to PHI data under HIPAA, that individual must enter into a formal, signed Business Associate Agreement with the Covered Entity.

Business Associate Agreement - A contractual agreement that describes the expectations for and obligations of a Business Associate with respect to protecting the privacy and security of protected health information entrusted to them by the Covered Entity.

Anonymized Data - Anonymization is a process in which PHI elements are eliminated or manipulated with the purpose of hindering the possibility of going back to the original data set. This involves removing all identifying data to create unlinkable data, such that no one, not even the researcher, can connect the information back to the individual who provided it.

De-identified Data - De-identification of data covered by HIPAA is accomplished by stripping the data of common identifiers by one of the following methods: (1) removing the 18 specific identifiers [see the section on Specific Examples of PHI Identifiers on this webpage]; or, (2) having an experienced statistical expert validate and document that the statistical risk of re-identification is very small. De-identified data may be coded, with a link to the original, fully identified data set kept by an honest broker. Because such a link exists, coded de-identified data are considered indirectly identifiable and are not anonymized. To protect against accidental disclosure, the subject's name and other identifiers should be stored separately from the research data and replaced with a unique code that serves as the subject's identity within the data set.

Limited Data Set - A limited data set excludes most of the 18 PHI identifiers, but may include the following identifiers: city; state; ZIP Code; elements of dates; and other numbers, characteristics, or codes not listed as direct identifiers. Since some identifiable information is included, Limited Data Sets are still considered PHI. A covered entity may use and disclose a limited data set for research activities conducted by itself, another covered entity, or by a researcher who is not a covered entity, if the disclosing covered entity and the limited data set recipient enter into a data use agreement.

Data Use Agreement - A data use agreement is a written, signed document, and serves as the means by which covered entities obtain satisfactory assurances that the recipient of the limited data set will use or disclose the PHI in the data set only for specified purposes. Data Use Agreements must be routed through the OSP Contracts team for review and signature on behalf of Virginia Tech. If the covered entity providing the limited data set knows of a pattern of activity or practice by the recipient (e.g., the researcher) that constitutes a material breach or violation of the data use agreement, the covered entity must take reasonable steps to correct the inappropriate activity or practice. If the steps are not successful, the covered entity must discontinue disclosure of PHI to the recipient and notify HHS. Examples of sanctions/penalties associated with noncompliance are provided in a following section.


Specific Examples of PHI Identifiers

The HIPAA Privacy Rule specifies 18 PHI identifiers:

  • Name
    o it may be possible to identify an individual using a combination of data, e.g. first name, zip code, street address, etc.
  • Geographic Indicators
    o street address, city, precinct, zip code, latitude and longitude (GPS) coordinates, etc.
    o the first three digits of the zip code are usually considered OK for use, except for certain zip codes that cover a small population (less than 20,000)
  • All elements of dates except year
    o pertaining to significant events in an individual's life - birth, death, marriage, admission, discharge, etc. The year alone is generally considered fine for use, except in the case of the very elderly (>89 years of age)
  • Telephone number
  • Fax number
  • Email address
  • URL address
  • IP address
  • Social Security number
  • Account numbers
  • License numbers
  • Medical Record number
  • Health plan beneficiary number
  • Device identifiers and their serial numbers
  • Vehicle identifiers and serial number
  • Biometric identifiers (finger and voice prints)
  • Full face photos and other comparable images
    o e.g. diagnostic images of the head [x-rays/radiographs, CT scans, MRI scans]
  • Any other unique identifying number, code, or characteristic
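The following is an added example, not code from the Virginia Tech IRB or from the HIPAA rule text. It applies the identifier-removal approach described above and under "De-identified Data" to one constructed research record: direct identifiers and sub-state geography are dropped, the ZIP code is reduced to its first three digits (or "000" for a sparsely populated prefix), dates keep only the year, and ages over 89 are collapsed into a single category with the birth year removed. The link between the study code and the subject's identity is held only by a separate honest-broker table. The field names, the sample record and the small-population ZIP prefixes are all constructed for illustration; the authoritative prefix list comes from census data.

```python
"""Safe Harbor style de-identification of one research record (added example)."""
import re
import secrets
from datetime import date

# Constructed placeholder: 3-digit ZIP prefixes covering fewer than 20,000
# people must be reduced to "000". The real list comes from census data.
SMALL_POPULATION_ZIP3 = {"036", "059"}

# Assumed field names for this example: direct identifiers plus geography
# smaller than a state, all of which are removed from the research copy.
REMOVED_FIELDS = {
    "name", "street_address", "city", "precinct", "latitude", "longitude",
    "phone", "fax", "email", "url", "ip_address", "ssn", "account_number",
    "license_number", "mrn", "health_plan_id", "device_serial", "vehicle_id",
    "biometric_id", "photo_path",
}


def generalize_zip(zip_code, small_zip3=SMALL_POPULATION_ZIP3):
    """Keep only the first three digits; use '000' for a small-population prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None  # malformed ZIP: drop it rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in small_zip3 else zip3


def age_on(dob, reference):
    """Whole years between a date of birth and a reference date."""
    years = reference.year - dob.year
    if (reference.month, reference.day) < (dob.month, dob.day):
        years -= 1
    return years


def generalize_age(years):
    """Ages over 89 are collapsed into a single '90+' category."""
    return "90+" if years > 89 else years


class HonestBroker:
    """Holds the only link between a study code and a subject's identity.

    This table is stored separately from the de-identified research data.
    """

    def __init__(self):
        self._links = {}

    def assign_code(self, identity):
        code = secrets.token_hex(8)  # random, not derived from identifiers
        self._links[code] = identity
        return code

    def relink(self, code):
        return self._links.get(code)


def deidentify(record, broker, reference_date):
    """Return a coded, de-identified copy of `record`; identity goes to the broker."""
    identity = {k: v for k, v in record.items() if k in REMOVED_FIELDS}
    out = {"study_code": broker.assign_code(identity)}
    for key, value in record.items():
        if key in REMOVED_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, date):
            out[key + "_year"] = value.year  # all date elements except year go
        else:
            out[key] = value
    dob = record.get("dob")
    if isinstance(dob, date):
        age = age_on(dob, reference_date)
        out["age"] = generalize_age(age)
        if age > 89:
            out.pop("dob_year", None)  # birth year would reveal age over 89
    return out


# Constructed sample record; every value here is made up.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-000123",
    "email": "jane.doe@example.org",
    "street_address": "1 Example Street",
    "city": "Blacksburg",
    "state": "VA",
    "zip": "24060-1234",
    "dob": date(1929, 5, 2),
    "admission_date": date(2016, 3, 10),
    "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    broker = HonestBroker()
    cleaned = deidentify(SAMPLE_RECORD, broker, date(2020, 1, 1))
    print(cleaned)
    print("broker relink:", broker.relink(cleaned["study_code"])["name"])
```

The research data set keeps `state`, the 3-digit ZIP, event years and the diagnosis; the broker table alone can map `study_code` back to the subject, which is why the two must be stored and access-controlled separately.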


Appropriate Transmittal, Receipt, Storage and Use of PHI under HIPAA

Transmittal and Receipt of PHI

  • Via Mail (USPS, FedEx, UPS, DHL and other physical mailing entities) - The file should be wrapped or sealed in an envelope or pouch in such a manner that the PHI cannot be identified during the transportation process. The outside of the container should contain clear information regarding the addressee, including the name, address and telephone number where he/she can be reached. Covered entities should ensure that transported PHI is delivered only to the appropriate individuals who are authorized to receive the information. This can be accomplished by implementing a tracking method by which the sender and the recipient sign for and verify delivery and receipt of the information.
  • Via email: the text of emails should not include PHI. Files containing PHI should be encrypted before being attached to and sent by email.
  • Via fax: unless the fax machine is a personal, stand-alone device in the Business Associate's own secure office, PHI should not be transmitted by fax.
  • Via internet / file drops: ensure that files are encrypted prior to transmission.
  • Via social media: social media accounts and social media messaging tools must not be used for exchanging PHI.
  • Receipt of unsolicited or improperly transmitted PHI: the PI should not open or retain improperly transmitted PHI, and should delete or properly dispose of the materials.

Storage of PHI

  • Ensure that devices are password-protected with strong passwords
  • Do not share authorized individuals' login names, credentials, or passwords with other individuals
  • Avoid storing PHI on portable devices (laptops, tablets, smartphones)
  • Even encrypted thumb drives and external hard drives are not recommended, and are strongly discouraged, for storing or transferring PHI or any confidential files
  • Do not store PHI on removable media (e.g., CD or DVD) unless it has been verified that files on such media are fully encrypted

PHI Breach Determination and Notification

Notify the Virginia Tech IRB Administrator ***IMMEDIATELY*** of all events that may be potential breaches. Call (540) 231-4358 if you believe ePHI/PHI might have been lost, stolen, compromised, misdirected, etc., to determine what steps to take and whether further notifications are required.

What is a Breach? A breach is defined as the compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or loss of control of PHI, whether physical or electronic, such that persons other than authorized users have access or potential access to it, or authorized users have access for an unauthorized purpose. Issues that should be reported include: lost, stolen, or misplaced records containing PHI; unauthorized personnel seeing or possessing PHI; and lost, stolen, or misplaced electronic devices (e.g., tablets or laptops) that contain PHI. Most notifications must be provided without unreasonable delay and no later than 60 days following the discovery of a breach.

What Additional Notifications May Be Required? Under regulations related to the HITECH provisions of HIPAA, organizations may be required to notify individuals whose PHI was compromised, the Department of Health and Human Services (DHHS), and in some cases the media, if the Covered Entity or a Business Associate (e.g., a Virginia Tech researcher or Center/Institute) discovers a breach of unsecured PHI. Notification to organizations outside of Virginia Tech is required if there is a breach and the PHI is "unsecured"; notification is not required if there is a breach and the PHI is "secured".


Federal Agency Responsible for Enforcement

The federal Department of Health and Human Services (DHHS) Office for Civil Rights enforces the HIPAA Privacy, Security, and Breach Notification Rules. Violations may result in civil monetary penalties. In some cases, criminal penalties enforced by the U.S. Department of Justice may apply.

Common noncompliance issues include:
  • Impermissible PHI uses and disclosures
  • Lack of PHI safeguards
  • Use or disclosure of more than the minimum necessary PHI
  • Lack of administrative ePHI safeguards


Examples of Sanctions/Penalties Associated with Noncompliance

The federal Office for Civil Rights (OCR) has made it clear to Covered Entities that Business Associate Agreements (BAAs) must be in place prior to release of PHI, or the entity would face HIPAA penalties.

In March 2016, North Memorial Health Care of Minnesota agreed to pay $1.55 million to settle OCR charges that it violated HIPAA by disclosing PHI to its business associate, Accretive Health, without first executing a BAA. The issue surfaced following the theft of an Accretive employee's unencrypted, password-protected laptop containing PHI of approximately 9,500 individuals. It was the business associate's laptop that was lost, not the covered entity's; nevertheless, the OCR extracted the settlement from the covered entity. The OCR also cited North Memorial's failure to conduct an appropriate risk analysis. In addition to the $1,550,000 payment, North Memorial was required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial also had to train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan. [HHS Press Office, 3-16-2016; Holland & Hart, 5-12-16]

In April 2016, Raleigh Orthopedic Clinic agreed to pay $750,000 to settle OCR allegations that it violated HIPAA by turning over thousands of x-rays and related protected health information to a vendor without a BAA. The vendor had promised to transfer the x-rays to electronic media in exchange for salvaging silver from the x-ray films. [Holland & Hart, 5-12-16]

Additional recent examples of noncompliance with HIPAA privacy and security rules can be found at:


Other Applicable Virginia Tech Policies

Policy 7000: Acceptable Use and Administration of Computer and Communication Systems
Policy 7010: Policy for Securing Technology Resources and Services


Virginia Tech HIPAA Training Requirements for Researchers, Staff, and Students

Contact the IRB administrative office to obtain guidance on training requirements for use of HIPAA PHI:

Virginia Tech Contact Information for Additional Assistance/Guidance on HIPAA Compliance

For additional information and guidance on research compliance with HIPAA rules, and safeguard control implementation, contact:
Dr. Gary Sherman
Virginia Tech Office of Research Integrity and Compliance
