When Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996, it focused on the portability of health insurance and safeguarding individuals’ protected health information (PHI).
The legislators recognized that health research sometimes requires access to individually identifiable health information. Legislators wanted to guarantee that privacy protections under HIPAA would not excessively impede researchers’ access to necessary data.
In two House Reports on HIPAA, Congress stated, “The conferees recognize that certain uses of individually identifiable information are appropriate, and do not compromise the privacy of an individual. Examples of such use of information include … the transfer of information from a health plan to an organization for the sole purpose of conducting healthcare-related research.”
“As health plans and providers continue to focus on outcomes research and innovation, it is important that the exchange and aggregated use of health care data be allowed.”
Ultimately, these reports show an appreciation that research can be conducted with integrity without violating individual privacy.
According to a book titled ‘Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research,’ when developing the Privacy Rule, the Department of Health and Human Services (HHS) needed to safeguard individual privacy while allowing the continued use of health information for research.
Specifically, the research states, “One option considered was exempting PHI used in research from the regulations, but HHS rejected this option, noting some reported shortcomings of the protection of the privacy and confidentiality of health information in research.”
The following approaches were considered:
One option was to exempt research-related PHI disclosures from regulation. However, HHS rejected this approach due to concerns about the adequacy of existing protections for privacy and confidentiality in research.
HHS also considered requiring researchers to obtain individual authorization for all PHI disclosures. While this would have maximized privacy protections, it would have made many research projects, particularly large-scale or retrospective studies, impossible to conduct.
Ultimately, HHS opted for a middle ground. The Privacy Rule allows covered entities to disclose PHI for research purposes without individual authorization under certain conditions, such as when an institutional review board (IRB) or Privacy Board approves a waiver of authorization.
The Privacy Rule allows healthcare researchers to use:
HIPAA compliant email solutions, like Paubox, use advanced security measures so researchers can securely share PHI, minimizing the risk of potential data breaches. They are especially useful in multi-institutional studies or when researchers coordinate with healthcare providers for data sharing, subject recruitment, or follow-ups.
Ultimately, these secure emails help researchers maintain regulatory compliance while giving them access to data that drives medical innovation.
HIPAA compliance refers to adhering to regulations outlined in the Health Insurance Portability and Accountability Act to safeguard patients’ protected health information (PHI).
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
HIPAA compliant emails can include sensitive health information, like patient education materials, appointment reminders, treatment plans, and other medical communications.