How HIPAA applies in prisoner research

When it comes to legislation specifically designed for prisoner research, Title 45 CFR Part 46 Subpart C is the most applicable. These regulations focus solely on the protection of prisoners involved in research. HIPAA guarantees that all medical information remains confidential and secure. Together, these regulations provide a framework for ethical and secure research involving prisoners.

How prisoner research is classified

A "prisoner" is defined as someone who cannot leave because they are held in a place like a prison, jail, or a juvenile facility. The definition comes from 45 CFR 46.303(c), which is part of the regulations governing human subjects research. The rule ensures that researchers know exactly who is considered a prisoner.  When researchers study prisoners, they must handle health information with extra care to comply with both the specific protections for prisoners in research and the privacy rules established by HIPAA.

For organizations involved in research, figuring out if prisoners are involved is set by the following criteria mentioned by the HHS, “In general, an institution is considered engaged in a particular human subjects research proposal involving prisoners when its employees or agents, for the purposes of the research proposal, obtain:...

1. data about the prisoner subjects through intervention or interaction with them; or
2. identifiable private information about the prisoner subjects.”
   
   

The information that is protected by HIPAA

In prisoner research under HIPAA, the protected health information (PHI) includes:

• Names, addresses, and any personal identifiers that could link the data to an individual.
• Medical records, including diagnoses, treatment plans, and health history.
• Any information related to mental health and psychiatric treatments.
• Results of clinical tests and procedures.
• Genetic information, including any DNA-derived data.
• Information about substance abuse treatment.
• Billing information related to healthcare services.
• Photos or any comparable images.
• Any other data that might identify an individual directly or indirectly through linkage with other data.
  
  

The circumstances where HIPAA applies

• When healthcare providers transmit health information electronically in connection with transactions for which HHS has adopted standards.
• When healthcare clearinghouses process nonstandard information they receive from another entity into a standard format or vice versa.
• When health plans conduct transactions that involve the use and disclosure of PHI.
• When business associates, entities that perform certain functions or activities on behalf of, or provide certain services to, a covered entity that involves the use or disclosure of PHI, carry out these roles.
• In cases of healthcare operations, including quality assessment and improvement, credentialing, and conducting or arranging for medical reviews.
• In circumstances related to treatment and payment activities, such as billing, claims management, collection activities, and obtaining payment under a contract for insurance.
• When a covered entity is required by law to disclose PHI, such as for reporting diseases or injuries, reporting events like births and deaths, and conducting public health surveillance, investigations, or interventions.
• During judicial and administrative proceedings, in response to a court or administrative order, a subpoena, discovery request, or other lawful process.
• In law enforcement contexts, for purposes such as identifying or locating a suspect, fugitive, material witness, or missing person.
• When involving oversight agencies for activities authorized by law, including audits, investigations, and inspections.
• In situations requiring the provision of information about victims of abuse, neglect, or domestic violence.
• For research purposes, under certain conditions where the use of PHI is necessary to conduct the research.
• When covered entities communicate with individuals about their health, including case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
  
  

The role of deidentification

Deidentification involves stripping personal identifiers from data, rendering it impossible to trace the information back to individual prisoners. The practice is governed by HIPAA. There are two primary methods of deidentification under HIPAA: the expert determination method and the safe harbor method. In the expert determination method, a qualified expert employs statistical or scientific principles to ensure the risk of re-identification is extremely low. 

Alternatively, the safe harbor method involves the removal of specific identifiers from the data, including names, geographic details smaller than a state, and all data elements directly linked to an individual, among others. These methods allow researchers to utilize or share medical data effectively.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

What is deidentification? 

Deidentification is the process of removing personal identifiers from data to prevent it from being linked back to individual subjects.

When are researchers covered entities under HIPAA?

Researchers become covered entities under HIPAA when they transmit any health information in electronic form in connection with a transaction for which the Department of Health and Human Services has adopted standards.

What is an IRB?

An IRB, or Institutional Review Board, is a committee that reviews and oversees research involving human subjects to ensure ethical standards and regulatory compliance are met.