Acquiring and using administrative data in US health care research

Summary

This resource provides guidance on acquiring and working with administrative data for researchers working in US health care contexts, with a particular focus on how the Health Insurance Portability and Accountability Act (HIPAA) structures data access. It illustrates the concepts with examples drawn from J-PAL North America’s experience doing research in this area. This resource assumes some knowledge of administrative data, IRBs, and the Common Rule. Readers seeking a comprehensive overview of how to obtain and use nonpublic administrative data for randomized evaluations across multiple contexts should consult the resource on using administrative data for randomized evaluations. 

_{Disclaimer: This document is intended for informational purposes only. Any information related to the law contained herein is intended to convey a general understanding and not to provide specific legal advice. Use of this information does not create an attorney-client relationship between you and MIT. Any information provided in this document should not be used as a substitute for competent legal advice from a licensed professional attorney applied to your circumstances.}

Introduction

There are a number of advantages to using administrative data for research, including cost, reduced participant burden and logistical burden for researchers, near-universal coverage and long term availability, accuracy, and potentially reduced bias. For health research in particular, administrative data contains precise records of health care utilization, procedures, and their associated cost, which would be difficult or impossible to learn from surveying participants directly.¹ 

Despite these advantages, a key challenge for research in health care contexts in the United States is acquiring administrative data when researchers are outside the institution that generated the data. Protected Health Information (PHI) governed by the Health Insurance Portability and Accountability Act (HIPAA) makes health care data especially sensitive and challenging for researchers to acquire, which may cause lengthy negotiation processes and confusion about the appropriate level of protection for transferring and using the data. 

This resource covers:

• The relationships between HIPAA, human subjects research regulations, and researchers
• Levels of data defined by HIPAA 
• Important considerations for making a health care data request
• Compliance with IRBs and DUAs

 

 

What is HIPAA and how does it affect researchers?

In the United States, the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) regulates the sharing of health-related data generated or held by health care entities such as hospitals and insurance providers. HIPAA imposes strict data protection requirements with strict penalties and liability for non-compliance to the health care entities that it regulates (known as covered entities). These regulations allow, but do not require, sharing data for research. These regulations augment the more general research protections codified in the Common Rule—the US federal policy for the protection of human subjects that outlines the criteria and mechanisms for IRB review—sometimes in overlapping and confusing ways. 

Researchers (in most cases) are not covered entities, however researchers must understand HIPAA requirements in order to interact with data providers who are bound by them. Many of the obligations to protect data under HIPAA will be passed to the researcher and their institution through data use agreements (DUAs) executed with covered entities.² HIPAA imposes restrictions on what and how covered entities may disclose for research. HIPAA introduces distinct categories of data for health care research that researchers should understand, as they dictate much of the compliance environment a particular research project will fall under. In addition, researchers must understand how HIPAA requirements interact with requirements from the Common Rule. Note that HIPAA only applies in the United States and only to health care data; other topic areas and countries may have their own compliance standards.³

What kind of data does HIPAA cover?

The HIPAA Privacy Rule is a US federal law that covers disclosure of Protected Health Information (PHI) generated, received, or maintained by covered entities and their business associates. Covered entities are health care providers, health plans, and health care clearinghouses (data processors). Business associates include organizations that perform functions on behalf of a covered entity that may involve protected health information. In the research context, researchers may interact with business associates who work as data processors, data warehouses, or external analytics or data science teams. Data from covered entities used in research may include “claims” data from billing or insurance records, hospital discharge data, data from electronic medical records like diagnoses and doctors’ notes, or vital statistics like dates of birth. 

Protected health information (PHI) refers to identifiable health data maintained or received by a covered entity or its business associates. More specifically, the HIPAA Privacy Rule defines 18 identifiers and 3 levels of data — research identifiable data, also known as research identifiable files (RIF), limited data sets (LDS) and de-identified data — each with different requirements depending on their inclusion of these identifiers, detailed in Table 1 below. Data without any of the 18 identifiers is considered de-identified, does not contain PHI, and is therefore not restricted by HIPAA. The inclusion of any identifiers means that the data is subject to at least some restrictions. Notably, between fully identified and de-identified data, HIPAA defines a middle category — limited data — that contains some potentially-identifiable information and is subject to some but not all restrictions. As a result, the extent to which a data request must comply with HIPAA depends on the level of protected health information contained in the data to be disclosed. 

Not all health data is protected health information (PHI) governed by HIPAA. Health information gathered by researchers themselves during an evaluation is not PHI, though it would be personally identifiable information subject to human subject protections under the Common Rule.⁴ Not all secondary data providers are necessarily covered entities either. Student health records from a university-affiliated medical center, for example, are governed by the education privacy law FERPA rather than HIPAA, because FERPA offers stronger privacy protections. Researchers should confirm whether their implementing partner or data provider is a covered entity, as some organizations will incorrectly assume they are subject to HIPAA, invoking unnecessary review and regulation. For guidance ondetermining whether an organization is subject to the HIPAA Privacy Rule, the US Department of Health & Human Services (HHS) defines a covered entity and the Centers for Medicare & Medicaid Services (CMS) provides a flowchart tool.

Levels of data

Research identifiable data

Research identifiable data contain sufficient identifying information such that the data may be directly matched to a specific individual. Under HIPAA this means any identifiers (such as name, address, or record numbers) not including the dates and locations allowed in limited data sets (LDS). A list of variables that make a dataset identifiable under the HIPAA Privacy Rule can be found in Table 1. Identifiable data may only be shared for research purposes with individual authorization from each patient or a waiver of authorization approved by an institutional review board (IRB) or privacy board (a process similar to informed consent or waivers of consent as required by the Common Rule). This level of data is typically not necessary to conduct analysis for impact evaluations if a data provider or third party is able to perform data linkages on the researcher’s behalf. Researchers may need to acquire identified data to perform data linkages or because the data provider is not able or willing to remove identifiers prior to sharing the data.

Researchers receiving research identifiable files must take pains to protect data with strong data security measures and by removing and separately storing identifiers from analysis data after they are no longer needed (a J-PAL minimum must do). Researchers should expect extensive negotiations and review of their data request and to receive IRB approval and execute a DUA prior to receiving data. Protecting participant data confidentiality is a vital component of conducting ethical research. 

Limited data sets

The HIPAA Privacy Rule defines limited data sets as those that contain geographic identifiers smaller than a state (but less exact than street address) or dates related to an individual (including dates of medical service and birthdates for those younger than 90) but do not otherwise contain HIPAA identifiers. For research purposes, this geographic and time information (such as hospital admission and discharge dates) can be particularly useful for analysis. This makes limited data a particularly useful class of administrative health data that balances ease of access with ease of use. 

Limited data sets may be shared by a covered entity with a data use agreement (DUA).⁵ HIPAA does not require individual authorization or a waiver of authorization. Researchers should always seek IRB approval for research involving human subjects or their data, but it is possible that research using only a limited data set may be determined exempt or not human subjects research by an IRB if there is no other involvement of human subjects. Using a limited data set for randomized evaluations typically means that another party besides the researcher, such as the data provider or an intermediary, must link data to evaluation subjects. 

• In Health Care Hotspotting, J-PAL affiliated researchers partnered with the Camden Coalition of Healthcare Providers in New Jersey to evaluate the impact of a care transition program that provided assistance to high-cost, high-need patients with frequent hospitalizations and complex social needs, known as “super-utilizers.” Researchers executed multiple DUAs for limited data sets. As discussed above, working with hospital discharge data required matching to study participants on site in Camden, NJ before taking limited data back to MIT for analysis. For other datasets, including Medicaid data used in secondary analysis, the Camden Coalition submitted a finder file to the data provider, who matched study participants to their outcome data before delivering a dataset stripped of identifiers to the researchers. More options for data transfers where researchers cannot receive identifiers are discussed in the resource on using administrative data for randomized evaluations.

 

De-identified or publicly available data

De-identified data does not contain any of the 18 HIPAA identifiers and is therefore considered not to contain sufficient identifiers to link to specific individuals with certainty. HIPAA permits health care providers to share de-identified data for research purposes without further obligations (U.S. Department of Health & Human Services 2018). De-identified data is not PHI. 

Using de-identified data means that it is possible to obtain data through a much less onerous legal and contractual process, with less risk. However, this is balanced against the need for the data provider to conduct any linkages and to pre-process any information that cannot be included, such as turning dates of service into relative dates or exact locations into distances if such information is needed for analysis. 

• For the study “Clinical decision support for high-cost imaging: A randomized clinical trial,” researchers received only de-identified data from the implementing partner and data provider Aurora Health Care. This approach simplified legal compliance but necessitated additional work on the side of the data provider (and trust on the side of the researchers) to make the data usable for research, such as converting dates of service to days measured relative to the introduction of the intervention. This case is documented in significant detail in a chapter of J-PAL’s IDEA handbook
   

Considerations for making a data request

Picking a level of data

Researchers should understand what level of data is required to conduct their research. Using the least identifiable data possible will lower compliance costs and may increase the speed of negotiations and their likelihood of success. However, data without sufficient information can limit your research questions and additional data preparation may be required when working with de-identified data. Researchers should consider what is necessary to conduct their research and request what they need. Requesting limited data is often a good compromise as it balances these considerations.

The level of data is not always under researcher control. Data providers that frequently work with researchers may be able to provide essentially the same data in several formats. However data providers may also limit what is possible with each data type.

• For research using Medicare data, identifiable data is often necessary as using a unique beneficiary identifier is needed to track individuals across datasets and not all limited datasets include this information. Medicare also limits the dates allowed in limited datasets relative to the HIPAA definition. Researchers interested in working with CMS data should consult ResDAC’s documentation defining what is included in each file type.⁶
• For Health Care Hotspotting, researchers requested uniform billing data from the New Jersey Department of Health for all hospital discharges in the state related to an 800 patient trial in Camden, NJ. The health department preferred to send all data on discharges in the state, with identifiers. Researchers balanced the opportunity to conduct the match to study participants themselves with MIT’s desire not to receive identified data by having the implementing partner, the Camden Coalition of Healthcare Providers, receive the data, matching the data onsight in Camden, and only transferring the matched limited data set back to MIT. This process nonetheless required researchers to implement strong data security requirements and required a lengthy data request process.

Minimum necessary requirement

In addition to considering data in terms of the level of identification, HIPAA requires that data providers release only the minimum information “reasonably necessary to accomplish the purpose [of the research].” This restriction applies to data that contains PHI unless researchers have individual authorization from research subjects. Covered entities are required to develop their own protocols for determining what constitutes the minimum necessary, so the restrictiveness of this requirement varies significantly. Covered entities may also rely on IRB approval of a data request as evidence of meeting the minimum necessary standard. Researchers should consider the scope of a data request both in terms of the number of individuals and the number of variables requested. Minimizing the size of a request in either dimension can help smooth the data request process. Researchers should be prepared to justify the inclusion of particular variables as necessary to the research. To limit the number of individuals requested, it may be possible to request a random sample, particularly in cases where treatment is not assigned at the individual level or when requesting data for observational research.

Additional data provider requirements

Data providers may apply additional restrictions or conditions beyond what the law requires for the researcher to use their administrative data, especially for data considered “sensitive” for any reason. Practically speaking, researchers must follow whatever additional requirements data providers request. Data holders are typically under no obligation to share data. 

Researchers may be asked to demonstrate how their research will benefit the program from which they are requesting data. In some cases this may be to prioritize responding to requests for data. In others this may be legally required. Emphasizing the value of the research can be helpful in building trust and interest in any data request process. 

Researchers may be asked to submit their project for additional IRB review beyond what their own institution requests.

• In Health Care Hotspotting, the New Jersey Department of Health requires all data requests to be approved by the Rowan University IRB, which reviews projects on their behalf and which will not cede to an existing IRB.
• In an evaluation of the End Stage Renal Disease Treatment Choice model, a payment reform model to encourage greater use of home dialysis, CMS required a waiver of individual authorization issued by MIT’s IRB in order to process the request to access Medicare data via the Virtual Research Data Center (VRDC). Because MIT had initially determined the project exempt, researchers had to go back to the IRB and request a full review in order to be granted the waiver. CMS’s own Privacy Board also reviews requests for identifiable data.

Data use agreements frequently extend required protections for PHI to data elements that are not PHI, such as information about doctors or hospitals rather than patients. Researchers may also be asked to implement onerous data security requirements, whereas the Privacy Rule requires that researchers only "use appropriate safeguards," not the full list of administrative, technical, and physical safeguards the HIPAA Security Rule envisions for covered entities with complex businesses. In the experience of research staff at J-PAL North America, this has included setting up automated audit trails, intrusion detection, and vulnerability scans on research servers, which required close collaboration with IT staff and went significantly beyond standard operating procedures. 

Researchers are typically not in a strong negotiating position for reducing additional requirements. However it can be helpful to be knowledgeable about what HIPAA requires and what safeguards the research team and institution provide in order to build trust. Building trust and highlighting the value of the research to the data provider may increase the provider’s motivation to work with you. (Further consideration of each of these points is included in the resource on using administrative data). For example, particularly in cases where data providers do not frequently share data, providers may be unaware that outside researchers are not covered entities or unaware of the different requirements related to levels of identified data.⁷ Data providers who initially request security frameworks appropriate for handling health care data at enterprise scale may be satisfied with more limited measures already in place in a research computing environment, especially if researchers can speak knowledgeably about them and remain sensitive to the data provider’s concerns.⁸ 

How to receive data

How data will be received or accessed by researchers has implications for data security as well as cost. It may be possible to send data directly to a personal research server from a data provider via secure file transfer, or have the data provider send data to a data intermediary that maintains suitable infrastructure for research access. The National Bureau of Economic Research (NBER), for example, houses CMS data in use by multiple researchers. It may also be possible to access data remotely on a system maintained by the data provider instead of taking physical possession of the data.

• As an alternative to receiving actual copies of data, in an evaluation of the End Stage Renal Disease Treatment Choice model researchers chose to access Medicare data remotely, using CMS’s VRDC. This access method provides significant advantages in terms of speed of access (decreased lag time between when an event occurs and when it is reflected in the data), cost, and ease of use (responsibility for data security infrastructure remains with the data provider).

Compliance

Researchers should expect to need to receive IRB approval and execute a DUA prior to receiving data. Even de-identified data may be considered sensitive by the data provider and require a legal agreement. Researchers have their own obligation to seek IRB approval under the Common Rule and data providers may request evidence that someone external to the research team has signed off on a project and its use of data even if not required under HIPAA. In most instances, an IRB will also function as an institution’s HIPAA Privacy Board. 

IRB Approval and HIPAA Authorization

Researchers seeking access to identifiable data can do so with either individual authorization or a waiver of authorization. In either case, an IRB serves to document and approve the authorization form or the waiver. 

An authorization to release protected health information is a signed record of an individual’s permission to allow a HIPAA Covered Entity to use or disclose their Protected Health Information (PHI). The authorization must describe the information requested and the purpose, and must be written in plain language that is readily understood by the individual. This is similar to the concept of informed consent, and is often embedded within an informed-consent document. However, an authorization has a distinct set of criteria and may be a separate written agreement obtained outside of the informed-consent process. Researchers should consult their IRB for specific guidelines or templates. If possible it is also recommended to confirm with a data provider that a planned authorization will be sufficient to access data. 

The waiver standard is likewise quite similar to the waiver of individual consent under the Common Rule. Research must be no more than minimal risk, could not be accomplished without the protected health information being requested, and could not practically be accomplished without the waiver. In other words, it would not be possible to contact subjects to seek their consent, which may be the case in randomized evaluations where researchers are not involved in the delivery of the intervention, where the program does not interact with all research subjects — such as an informational intervention or encouragement design that does not contact the control group — or in observational research.

For researchers seeking a limited data set, HIPAA only requires a DUA. However, researchers (who are not covered entities and therefore bound by the Common Rule not the HIPAA Privacy Rule) must still seek IRB approval for human subjects research. In the case that research involves only limited data and not other contact with human subjects, it may be determined exempt under category 4 (ii) by an IRB because limited data is not “readily identifiable,” despite the inclusion of PHI in the form of dates and locations. Research involving only de-identified data is not considered human subjects research. Note that in the context of running randomized evaluations, there are likely elements of the project beyond the data set that would require human subjects compliance. When in doubt about what constitutes human subjects research, researchers should consult their institution’s IRB. IRB approval is a minimum must do for all J-PAL projects.

Data Use Agreement (DUA)

A data use agreement outlines the allowable uses of the data to be transferred and the requirements the receiving institution must adhere to for protecting the data. A DUA is a legal contract executed by the institutions sharing and receiving data. DUAs should be signed by a legal representative of the institution, not the researcher.

HIPAA lists specific requirements for what a data use agreement must include. In particular, recipients must agree to the following:

• "Not to use or disclose the information other than as permitted by the data use agreement or as otherwise required by law; 
• Use appropriate safeguards to prevent the use or disclosure of the information other than as provided for in the data use agreement;
• Report to the covered entity any use or disclosure of the information not provided for by the data use agreement of which the recipient becomes aware; 
• Ensure that any agents, including a subcontractor, to whom the recipient provides the limited data set agrees to the same restrictions and conditions that apply to the recipient with respect to the limited data set; and
• Not to identify the information or contact the individual.”

Data providers may impose additional restrictions or safeguards. However, the DUA should also make clear the freedom of the researcher to publish the results of their work without interference from the data provider, except for reasonable review of publications to ensure no accidental disclosures.

Rather than construct a DUA from scratch, researchers should make use of an existing DUA template already in use by one of the parties and approved by their legal office. Universities will have standardized forms and many data providers, particularly if they share data frequently, will as well. For example, CMS’s DUA templates are linked on the ResDAC website. Despite a large degree of standardization, researchers should be aware that DUA negotiations can often take significant time (months, if not more) and plan for these delays. 

For guidance on formulating a data request and executing a data use agreement, please see the resource on using administrative data for randomized evaluations.

Relationship between IRB and DUA

Simultaneously seeking IRB approval and executing a data use agreement often generates a circular problem where the IRB wants to approve a research protocol that includes a data use agreement and the data provider wants to execute a data use agreement with researchers that have already received IRB approval. IRBs want to review data use agreements, as they contain details about what information will be acquired about study participants and how that information will be handled. Data providers, in contrast, often request proof that IRB approval has been received, before beginning negotiations. 

It may be possible to get provisional approval from one party to move forward with approval from the other party and then iterating between the two, as noted in the resource on using administrative data for randomized evaluations. In practice, this has typically meant first seeking IRB approval, providing as much detail as possible on the data request process, using that approval to execute the DUA, and then submitting the DUA (and any additional details, as necessary) as an amendment to the IRB protocol. 

If an IRB does in fact require documentation from a data provider, it may be possible to submit the data request application materials, which will often detail the purpose of the data for the research, the specific variables requested for the study, specify how data will be linked and potentially de-identified, and explain the data security plan, which are the necessary elements that an IRB will consider when making a determination about a research project. If the IRB requests approval from a data provider that does not yet exist, it may be possible to produce a letter of intent or support from the data provider, indicating general support for providing data to the research project, with the specifics of the data transfer subject to further negotiation and the execution of the DUA. (An example of such a letter is included as an attachment). 
 

_{Acknowledgments: We are grateful to Catherine Darrow, Amy Finkelstein, Laura Ruiz, Lisa Turley Smith, and Fatima Vakil for their insight and advice. This resource is heavily indebted to the creators of J-PAL’s original and more expansive guide to using administrative data for randomized evaluations: Laura Feeney, Jason Bauman, Julia Chabrier, Geeti Mehra, and Michelle Woodford. Amanda Buechele copyedited this document. Creation of this resource was supported by the National Institute On Aging of the National Institutes of Health under Award Number P30AG064190. The content is solely the responsibility of the authors and does not necessarily represent the official views of the National Institutes of Health}