About HIPAA and your rights
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law that seeks to accomplish many admirable goals.
The public may be most familiar with the portion of the law that relates to the portability of health insurance because it has been in effect since 1996. That portion of the law made it possible for individuals to retain some form of health insurance when transferring from one employer to another. Individuals may be less familiar with the portion of the law that relates to Administrative Simplification.
The HIPAA Privacy Regulations place limitations upon covered entities' use of "protected health information" (PHI). Protected health information is information that is individually identifiable and that relates to an individual's past, present, or future medical condition or treatment. The Privacy Regulations also create or formalize several rights patients or enrollees in a health plan have regarding their health information. Patients now have a right to request access to or a copy of their health information, to request an amendment to their health information if they believe their health information is inaccurate, or to request an accounting of the covered entity's uses and disclosures of their health information. Finally, the regulations establish an individual, called a Privacy Officer or Privacy Official, to whom patients or enrollees may address their questions, complaints, or requests.
Additional information regarding HIPPA can be found on the U.S. Department of Health and Human Services website.
If you have further questions or concerns about the HIPAA Privacy Regulations, please contact the university's Privacy Official, Lisa Ritenour by phone at 330-972-6084 or by email at lritenour@uakron.edu
If you have general questions about HIPAA, please contact the Office of General Counsel at 330-972-7830.
Objectives of the University Rule related to HIPAA Compliance
The University Board of Trustees adopted University Rule 3359-11-19 Policies and Procedures for Release, Privacy, and Security of Selected Health Information to address issues created by HIPPA and the way to properly protect health information. The Rule provides for University compliance with HIPPA, designates a University Privacy Office (Lisa Ritenour), develops specific privacy and training procedures for University entities determined to be covered by HIPAA, and guides University employees in HIPAA compliance efforts.
All complaints or questions regarding compliance with the HIPAA Privacy Regulations should be directed to the University Privacy Official, Lisa Ritenour. All patient or enrollee requests for access to, amendment of, copies of, or restrictions to their health information should be directed to the University Privacy Official, Lisa Ritenour. Any department that receives a subpoena for health information should refer the subpoena to the Office of General Counsel and notify the University Privacy Official, Lisa Ritenour.
University Privacy Official
Lisa Ritenour
The University of Akron
302 Buchtel Common
Akron, Ohio 44325-1101
330-972-6084
HIPAA's Impact on Research at The University of Akron
Why Should Researchers Be Aware of the HIPAA Privacy Rule?
While HIPAA only applies to healthcare providers, health plans or healthcare clearinghouses that are covered entities and does not apply to the research component of the University, researchers at The University of Akron should be aware of the HIPAA Privacy rule because it impacts how covered entities use or disclose protected health information. Because of this, the HIPAA Privacy Rule may affect the University's researchers because it will affect their interactions with covered entities.
What Health Information is Protected under the Privacy Rule?
The HIPAA Privacy Rule protects patient information called Protected Health Information or PHI. PHI is individually identifiable health information, including genetic information, that is created or maintained by covered entities and their business associates. However, several types of individually identifiable health information is not covered by the Privacy Rule. Non-protected health information includes individually identifiable health information that is not created or maintained by a covered entity or its business associates, education records covered by the Family Educational Right and Privacy Act (FERPA) (For more information about FERPA protections on campus, see University Rule 3359-11-08.), and records held by a covered entity in its role as an employer.
How does the Privacy Rule Differ from the Common Rule or FDA Protections of Human Subjects?
Area of Distinction | HIPAA Privacy Rule | HHS Protection of Human Subjects Regulations | FDA Protection of Human Subjects Regulations |
Applicability | Applies to HIPAA-defined covered entities, regardless of the source of funding. | Applies to human subjects research conducted or supported by HHS. | Applies to research involving products regulated by FDA. Federal support is not necessary for FDA regulations to be applicable. When research subject to FDA jurisdiction is federally funded, both the HHS Protection of Human Subjects Regulations and the FDA Protection of Human Subjects Regulations apply. |
Identifiable Information | Defines PHI as individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral or paper) by a covered entity or its business associates, excluding certain educational and employment records. | Private information must be individually identifiable in order for obtaining the information to constitute research involving human subjects. Individually identifiable means the identity of the subject is or readily may be ascertained by the investigator or others associated with the information. | Title 21 CFR Parts 50 and 56 do not define individually identifiable health information. |
Permissions for Research | Authorization | Informed Consent | Informed Consent |
IRB/Privacy Board Responsibilities | Requires the covered entity to obtain Authorization for research use or disclosure of PHI unless a regulatory permission applies. Because of this, the IRB or Privacy Board would only see requests to waive or alter the Authorization requirement. In exercising Privacy Rule authority, the IRB or Privacy Board does not review the Authorization form. | The IRB must insure that informed consent will be sought from, and documented for, each prospective subject or the subject's legally authorized representative, in accordance with, and to the extent required by, HHS regulations. If specified criteria are met, the IRB may waive the requirements for either obtaining informed consent or documenting informed consent. The IRB must review and approve the Authorization form if it is combined with the consent document. Privacy Boards have no authority under the HHS Protection of Human Subjects Regulations. | The IRB must insure that informed consent will be sought from, and documented for, each prospective subject or the subject's legally authorized representative, in accordance with, and to the extent required by, FDA regulations. If specified criteria are met, the requirements for either obtaining informed consent or documenting informed consent may be waived. The IRB must review and approve the Authorization form if it is combined with the informed consent document. Privacy Boards have no authority under the FDA Protection of Human Subjects Regulations. |
Review of Cooperative Research | Requests to waive or alter the Authorization requirement are reviewed and approved by an IRB or Privacy Board. The Privacy Rule permits a covered entity to reasonably rely on the determination of an IRB or Privacy Board, if the covered entity obtains appropriate documentation of such determination. | Each institution is responsible for safeguarding the rights and welfare of human subjects and for complying with the HHS Protection of Human Subjects Regulations. With the approval of HHS, an institution participating in a cooperative project may enter into a joint review arrangement, rely upon the review of another qualified IRB, or make similar arrangements for avoiding duplication of effort. | Cooperative research/multi-institutional studies may use joint review, reliance upon the review of another qualified IRB, or similar arrangements aimed at avoiding duplication of effort. |
Waivers of Authorization or Informed Consent Requirements | Allows waiver or alteration of Authorization when IRB or Privacy Board deems the following criteria are met: (1) Use or disclosure involves no more than minimal risk to the privacy of individuals because of the presence of at least the following elements: (a) An adequate plan to protect health information identifiers from improper use or disclosure, (b) an adequate plan to destroy identifiers at the earliest opportunity absent a health or research justification or legal requirement to retain them, and (c) adequate written assurances that the PHI will not be used or disclosed to a third party except as required by law, for authorized oversight of the research study, or for other research uses and disclosures permitted by the Privacy Rule; (2) research could not practicably be conducted without the waiver or alteration; and (3) research could not practicably be conducted without access to and use of PHI. | Permits an IRB to waive some or all of the elements of informed consent, or to waive the requirement to obtain informed consent, provided the IRB finds and documents that (1) the research involves no more than minimal risk to the subjects; (2) the waiver or alteration will not adversely affect the rights and welfare of the subjects; (3)) the research could not practicably be carried out without the waiver or alteration; (4) whenever appropriate, the subjects will be provided with additional pertinent information after participation. Permits an IRB to waive the requirement for the investigator to obtain a signed consent for some or all of the subjects if it finds either (1) that the only record linking the subject and the research would be the consent document and the principal risk would be potential harm resulting from a breach of confidentiality; or (2) that the research presents no more than minimal risk or harm to subjects and involves no procedures for which written consent is normally required outside of the research constitute. | Permits FDA to waive the IRB review requirement. Permits an IRB to approve a clinical investigation without subjects' informed consent in certain circumstances. These include: (1) circumstances in which immediate use of the test article is, in the investigator's opinion, required to preserve the life of the subject, and time is not sufficient to obtain informed consent; (2) circumstances when the U.S. President may waive informed consent for military personnel for administration of an investigational product to members of the armed forces; and (3) circumstances involving emergency research. |
Where Can I Get More Information?
Office of Research Services and Sponsored Programs
US Department of Health and Human Services National Institutes of Health
US Department of Health and Human Services - HIPPA information
Frequently Asked Questions about HIPAA
Q. Doesn't HIPAA prevent the University from asking me to provide medical documentation when I request paid sick leave?
HIPAA does not affect the University’s ability, as an employer, to request or require medical documentation before granting paid sick leave to employees. Congress and the U.S. Department of Health and Human Services recognize that employers frequently require such documentation as a way of eliminating fraudulent sick leave claims.
Therefore, University employees requesting sick leave should contact their departmental supervisor. The University reserves the right to require medical documentation (physician’s certification or other documentation) for all instances of paid sick leave. If the University requires medical documentation prior to approving paid sick leave, the documentation should be submitted directly to the Benefits Administration Office. In the case of employees who work in physical facilities or dining services, the director of these departments is authorized, in accordance with the collective bargaining agreement, to collect, audit and maintain such documentation in place of the Benefits Administration Office. No other departmental office should require, receive or retain such documentation. See University rules 3359-11-01 or 3359-26-04 for more information.
Employees who have further questions should contact the University’s Benefits Administration Office at x7092.
Q. As a faculty member at the University, may I require medical documentation from my students before granting an excused absence? Once I receive medical documentation of an absence from a student, what should I do with it?
Academic units of the University are not covered by HIPAA. As a result, none of HIPAA’s protections or prohibitions applies to the University’s academic functions. However, the University recognizes that medical information is very personal and should be treated with sensitivity.
Therefore, faculty members who wish to require that students provide medical documentation before absences are counted as excused may continue to do so. Faculty members who request such documentation should handle this information in as confidential a fashion as is possible and, in an effort to protect the student’s privacy, should make it a practice to either:
- Return the documentation to the student and retain no records for their files; or
- documentation after reviewing it and noting that the absence was excused.
Faculty members who have further questions should contact their department chair or dean.
Q. I have concerns about how the University is handling information related to a payment someone has made to the University. Who should I contact?
Information about payments made to the University may qualify as customer information and be protected by the Gramm-Leach-Bliley Act. Therefore, you should contact Kevin Rushing, the University's Information Security Program Coordinator, about your concerns. However, if the payment information involves payment for healthcare services or benefits, the information may be protected by HIPAA. For concerns regarding payment for healthcare services, please contact Lisa Ritenour, the University's HIPAA Privacy Official.
Q. I have concerns about how my health and/or benefits information is being used by the University. Who should I contact for more information?
The University's HIPAA Privacy Official, Lisa Ritenour at lritenour@uakron.edu can help address concerns about health information.
Q. I am a student or a student's parent, and I have questions about my academic information, such as how the University uses it, who has access to it, and how I can get access to it. Is there someone to whom I can direct my questions?
Yes. The records you have described are, most likely, protected by the Family Educational Rights and Privacy Act (FERPA). You may wish to begin by reviewing the University's FERPA notice and FERPA rule. If you still have questions, you should contact Ronald L. Bowman Jr., the University's FERPA Coordinator.
If you have questions that you think might be helpful if addressed here, please contact generalcounsel@uakron.edu.