HIPAA — Health Insurance Portability and Accountability Act

Overview

The Health Insurance Portability and Accountability Act of 1996 (HIPAA, Public Law 104-191) is the primary US federal framework governing the privacy and security of identifiable health information, and its de-identification standard is the basis on which US human health, clinical, and genomic data can be shared for research. The HIPAA Privacy Rule, issued by the Department of Health and Human Services to implement the Act, established the first national standards for protecting individually identifiable health information, termed protected health information, and took effect for most covered entities on 14 April 2003. It binds a defined set of covered entities, namely health plans, healthcare providers, and healthcare clearinghouses, together with their business associates, rather than research data or researchers as such. Its relevance to open neuroscience is indirect but load-bearing: research data reaches public archives only after de-identification, and the HIPAA Privacy Rule defines the two methods that US frameworks treat as the standard for that step. The Act is enforced by the HHS Office for Civil Rights through compliance reviews and civil monetary penalties.

De-identification methods

The Privacy Rule defines two methods for de-identifying protected health information, and these are the provisions that matter for research data sharing. Safe Harbor requires the removal of 18 enumerated identifiers, including names, geographic subdivisions smaller than a state, dates more specific than a year, and full-face images, after which the information is no longer treated as protected health information. Expert Determination requires a qualified person to certify, using accepted statistical and scientific principles, that the risk of re-identification is very small. The distinction matters for brain data because whole-genome data and certain neuroimaging data, such as full-face structural scans and voiceprints, can be inherently identifying, so de-identification alone is often insufficient and controlled-access sharing is used instead.
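As an added illustration (not code from the original page), the following Python applies the Safe Harbor rules named above to one constructed clinical record and routes the inherently identifying modalities to controlled access instead of releasing them. The field names and the sample record are assumptions, and only the four of the 18 identifier categories the text names are handled.

```python
import re
from datetime import date

# Toy record schema, constructed for this example; the field names are assumptions.
NAME_FIELDS = {"name", "next_of_kin"}
SUB_STATE_GEO_FIELDS = {"street", "city", "zip"}      # finer than state: removed
DATE_FIELDS = {"dob", "admission_date", "scan_date"}  # coarsened to the year
FACE_IMAGE_FIELDS = {"face_photo"}
# Modalities the text calls inherently identifying: de-identification alone is
# not enough, so they are withheld from the open release for controlled access.
CONTROLLED_ACCESS_FIELDS = {"t1_structural_scan", "voice_recording", "whole_genome"}
KNOWN_FIELDS = (NAME_FIELDS | SUB_STATE_GEO_FIELDS | DATE_FIELDS
                | FACE_IMAGE_FIELDS | CONTROLLED_ACCESS_FIELDS | {"state"})

def year_only(value):
    """Generalise a date object or ISO 'YYYY-MM-DD' string to its year; an
    unrecognised format raises so a full date cannot slip through unchanged."""
    if isinstance(value, date):
        return value.year
    m = re.fullmatch(r"(\d{4})(-\d{2}-\d{2})?", str(value))
    if m is None:
        raise ValueError(f"unrecognised date format: {value!r}")
    return int(m.group(1))

def safe_harbor_scrub(record):
    """Return (scrubbed, controlled, review): the de-identified record, the
    fields routed to controlled access, and unknown fields passed through
    that a human must still check, since a denylist misses what it never named."""
    scrubbed, controlled, review = {}, [], []
    for key, value in record.items():
        if key in NAME_FIELDS | SUB_STATE_GEO_FIELDS | FACE_IMAGE_FIELDS:
            continue                          # enumerated identifier: dropped
        if key in DATE_FIELDS:
            scrubbed[key] = year_only(value)  # dates finer than a year -> year
        elif key in CONTROLLED_ACCESS_FIELDS:
            controlled.append(key)            # not released openly
        else:
            if key not in KNOWN_FIELDS:
                review.append(key)
            scrubbed[key] = value
    return scrubbed, controlled, review

# Constructed sample record; every value is made up.
SAMPLE_RECORD = {
    "name": "Jane Doe", "street": "12 Example St", "city": "Boston", "state": "MA",
    "zip": "02115", "dob": date(1984, 3, 9), "scan_date": "2021-07-14",
    "face_photo": b"<jpeg bytes>", "t1_structural_scan": "sub01_T1w.nii.gz",
    "diagnosis": "focal epilepsy",
}
```

The review list is the practical caveat: a field-name denylist only removes what it has been told about, which is one reason the text treats Safe Harbor output as a threshold for release rather than a guarantee against re-identification.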

Relevance to research data sharing

HIPAA does not govern research repositories directly, because archives such as dbGaP are not covered entities. Its de-identification standard reaches research data through funder policy. The NIH Data Management and Sharing Policy and its genomic data sharing implementation require that human data be de-identified according to the HIPAA Privacy Rule before deposit, so the methods defined here set the operational threshold for what US human genomic, clinical, and neuroimaging data can be shared openly and what must be placed under controlled access. The standard is method-based rather than repository-based, which is why it applies across archives without naming any of them.

Comparison with GDPR

HIPAA and the EU GDPR address overlapping territory through different mechanisms, and the difference shapes cross-border data reuse. Whether HIPAA de-identification satisfies the GDPR definition of anonymisation is contested, because research has shown that Safe Harbor does not reliably prevent re-identification, so the reasoned position is to treat HIPAA-de-identified health data as pseudonymised under GDPR and therefore still regulated personal data. The frameworks also differ on individual rights, with GDPR providing a right to erasure that HIPAA does not, and on scope, with HIPAA confined to covered entities and US territory while GDPR applies to any organisation processing the data of people in the EU.

Connections

  • relatedTo: NIH Data Management and Sharing Policy (its genomic data sharing implementation requires de-identification per the HIPAA Privacy Rule)
  • relatedTo: GDPR (HIPAA de-identification corresponds to GDPR pseudonymisation, not anonymisation; differing consent, erasure, and scope)

Resources