HIPAA FAQ – Transition Provisions2020-09-08T13:32:12-04:00

HIPAA FAQ – Transition Provisions

Can researchers continue to access existing databanks or repositories that are maintained by covered entities, even if those databases were created prior to the compliance date without patient permission or without a waiver of informed consent by an Institutional Review Board (IRB)?2020-09-10T21:42:43-04:00

Yes. Under the HIPAA Privacy Rule, covered entities may use or disclose protected health information from existing databases or repositories for research purposes either with individual authorization as required at 45 CFR 164.508, or with a waiver of individual authorization as permitted at 45 CFR 164.512(i).

Were there Privacy Rule compliance deadlines in 2004?2020-09-10T20:56:06-04:00
  • “Small health plans” (health plans with annual receipts of $5 million or less), must be in compliance with the Privacy Rule;
  • and Covered entities (including small health plans) had to have in place with their business associates written contracts or arrangements that meet Privacy Rule requirements.

Small Health Plans. Small health plans that are subject to HIPAA received an additional year – until April 14, 2004 – to come into compliance with the Privacy Rule. See 45 CFR 164.534(b)(2).

Plans that are self-administered and have fewer than 50 participants are excluded from HIPAA’s Administrative Simplification requirements. The Department of Health and Human Services’ (HHS) “Are you a Covered Entity?” decision tool helps entities determine whether they are health plans or other HIPAA covered entities. These materials, hundreds of FAQs, and a wide range of other guidance and materials to assist covered entities in complying with HIPAA and the Privacy Rule, are available on the OCR Web site.

Business Associate Agreements. As of April 14, 2004, whenever the Privacy Rule requires covered entities to have written contracts or other arrangements with their business associates, these documents must include provisions that comply with Privacy Rule requirements. As modified in August, 2002, the Privacy Rule provided most covered entities with up to one additional year – or until April 14, 2004 – to amend written contracts or other written arrangements that existed prior to October 15, 2002, to meet the Rule’s business associate requirements. (Unless they renewed automatically, contracts or other written arrangements were not eligible for this transition period if they were renewed, modified or newly entered into on or after October 15, 2002.) See 45 CFR 164.532(d) and (e). To assist covered entities in meeting these requirements, OCR has published a Fact Sheet regarding compliance with the Privacy Rule’s business associate requirements, sample business associate contract provisions, and a number of related Answers to Frequently Asked Questions, all of which are available on the OCR Privacy Web site.

If research subjects’ consent was obtained before the compliance date, but the Institutional Review Board (IRB) subsequently modifies the informed consent document after the compliance date and requires that subjects be reconsented, is authorization now required from these previously enrolled research subjects under the HIPAA Privacy Rule?2020-09-10T20:02:47-04:00

Yes. If informed consent or reconsent (ie., asked to sign a revised consent or another informed consent) is obtained from research subjects after the compliance date, the covered entity must obtain individual authorization as required at 45 CFR 164.508 for the use or disclosure of protected health information once the consent obtained before the compliance date is no longer valid for the research. The revised informed consent document may be combined with the authorization elements required by 45 CFR 164.508.

Go to Top