Are tissue repositories covered entities?

Tissue repositories are facilities that collect or store tissue for research purposes. According to the Department of Health and Human Services (HHS), tissue repositories are not covered entities under HIPAA unless they engage in specific healthcare activities that qualify them as such. For instance, a tissue repository that tests specimens for the benefit of transplant recipients on the orders of another healthcare provider would be classified as a covered entity, provided it also performs electronic transactions that are subject to HHS transaction standards.

What is a covered entity under HIPAA?

HIPAA defines covered entities as organizations that fall into one of three categories:

  • Healthcare providers: Entities like hospitals, clinics, and laboratories that transmit health information electronically in connection with HIPAA covered transactions (e.g., billing or claims).
  • Health plans: Insurance companies, HMOs, and other payers.
  • Healthcare clearinghouses: Entities that process or reformat health data.

Most tissue repositories do not perform activities that fit into these categories and are not covered entities.

Related: FAQs: HIPAA covered entities

When are tissue repositories covered entities?

While tissue repositories generally fall outside the HIPAA definition of a covered entity, certain activities can bring them under HIPAA’s scope.

Healthcare provider activities

If a tissue repository conducts specimen testing, such as compatibility testing for transplant recipients, it may qualify as a healthcare provider. For example, a tissue bank that tests donor organs for compatibility and bills a transplant center through an electronic claims system could be classified as a covered entity.

Electronic transactions covered by HIPAA

HIPAA applies to organizations that perform certain standardized electronic transactions. Tissue repositories involved in activities like electronic claims submission, payment processing, or eligibility verification for healthcare services may qualify as covered entities under this rule.

Tissue repositories as business associates

Even if a tissue repository is not a covered entity, it may still need to comply with HIPAA as a business associate. A business associate is any organization that handles protected health information (PHI) on behalf of a covered entity. For instance, a tissue repository that partners with a hospital to store and manage samples tied to PHI would be considered a business associate. In such cases, the repository must sign a business associate agreement (BAA) with the covered entity and implement safeguards to protect the PHI it handles.

The role of de-identified data

Many tissue repositories handle de-identified samples or data, stripped of identifiers like names, birthdates, and other elements that could link the sample to an individual. HIPAA does not apply to repositories managing such data, as de-identified information falls outside the scope of the Privacy Rule.

Repositories that focus on research often de-identify their samples so that HIPAA requirements do not apply to them. However, they must still follow the de-identification standards set out in HIPAA to ensure compliance and reduce risk.

Read more: How to de-identify protected health information for privacy
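The stripping of identifiers described above, implemented in the style of the HIPAA Safe Harbor method for a single specimen record. This is an added example, not code from the article; the field names, the restricted ZIP prefix set and the sample record are constructed assumptions.

```python
"""Safe Harbor style de-identification of a tissue specimen record (added example,
not from the article; field names, restricted ZIP set and sample are constructed)."""
import re
from datetime import date

# Direct identifiers Safe Harbor requires removing outright.
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "street", "city"}
# ZIP3 prefixes with under 20,000 residents must be reported as "000".
# Placeholder set (assumption): load the real list derived from census data.
RESTRICTED_ZIP3 = {"036", "059", "063"}
# Free text can still carry identifiers; redact SSN- and phone-shaped tokens.
ID_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), re.compile(r"\b\d{3}-\d{3}-\d{4}\b")]

def safe_harbor_zip(zip_code: str) -> str:
    prefix = zip_code.strip()[:3]
    return "000" if len(prefix) < 3 or prefix in RESTRICTED_ZIP3 else prefix

def safe_harbor_age(birth: date, reference: date) -> str:
    had_birthday = (reference.month, reference.day) >= (birth.month, birth.day)
    years = reference.year - birth.year - (0 if had_birthday else 1)
    return "90+" if years >= 90 else str(years)  # ages over 89 are aggregated

def scrub_text(text: str) -> str:
    for pattern in ID_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text

def deidentify(record: dict, reference: date) -> dict:
    out = {}  # de-identified copy; the source record is left untouched
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                        # dropped entirely
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "birth_date":
            out["age"] = safe_harbor_age(value, reference)  # full date removed
        elif isinstance(value, date):
            out[key + "_year"] = value.year                 # other dates keep the year
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out

# Constructed sample record for demonstration.
SAMPLE = {"specimen_id": "S-0001", "name": "Jane Doe", "mrn": "12345678",
          "birth_date": date(1930, 6, 15), "collection_date": date(2024, 3, 2),
          "zip": "03601", "tissue_type": "liver",
          "notes": "Call 555-123-4567 about consent"}
```

Running `deidentify(SAMPLE, SAMPLE["collection_date"])` drops the name and MRN, reports the age as "90+", the ZIP as "000", the collection date as its year only, and redacts the phone number in the notes.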

Best practices for tissue repositories handling PHI

  • Understand applicable regulations: Evaluate whether your repository qualifies as a covered entity or business associate under HIPAA. Stay informed about state-specific privacy laws and federal regulations such as the Common Rule for federally funded research.
  • Implement robust security measures: Encrypt PHI during storage and transmission to prevent unauthorized access. Use access controls to limit data visibility only to authorized personnel and conduct regular security risk assessments to identify vulnerabilities.
  • Maintain BAAs: Establish BAAs with covered entities you work with, ensuring the agreement outlines each party’s responsibilities for protecting PHI. Regularly review and update BAAs to stay aligned with changes in law or practice.
  • Train employees: Provide training on HIPAA compliance and data security for all staff. Include practical guidance on identifying and reporting potential breaches.
  • Establish clear policies: Develop policies for managing, storing, and disposing of PHI. Create procedures for handling potential data breaches, including notification protocols.
  • Regularly audit your practices: Conduct periodic internal audits to ensure adherence to HIPAA and organizational policies. Maintain detailed records of audits and corrective actions taken.

FAQs

Are research-only tissue repositories ever subject to HIPAA?

No, research-only tissue repositories are generally not subject to HIPAA because they do not perform healthcare functions or engage in electronic transactions regulated under HIPAA. However, other regulations like the Common Rule or state laws may still apply.

Can a tissue repository use identifiable patient information for research purposes under HIPAA?

Yes, but only if the covered entity obtains patient authorization or an institutional review board (IRB) waives the authorization requirement. Otherwise, the repository must use de-identified data.

What happens if a repository mistakenly handles PHI without a BAA?

Handling PHI without a valid BAA could result in non-compliance, exposing both the repository and the covered entity to potential HIPAA violations and penalties. Repositories should confirm BAAs are in place before working with PHI.