The Security Rule, an important part of HIPAA, goes into effect April 20. The rule's intention is to protect the confidentiality, integrity, and availability of electronic protected health information, which the University creates, accesses, transmits, or receives in both research and patient care settings. It sets forth specific requirements for the adoption of administrative, physical, and technical safeguards for the protection of electronic protected health information. Changes to existing University policies and procedures have been made to incorporate the new requirements. Of particular significance is the policy located at http://www1.umn.edu/oit/security/privatedata.html. For more information, call 612-624-7447 or write privacy@umn.edu.
Starting April 14, 2003, all research that will enroll subjects (including existing studies) AND obtain subjects' PHI will need to comply with HIPAA regulations.
If enrolling or reenrolling subjects AND obtaining PHI, subjects are required to sign an IRB-approved authorization form. Use our Authorization Form Template and submit it to the IRB for review.
If using existing data (gathered before April 14, 2003), this data is acceptable for use as long as the research study met with IRB approval.
The standard IRB approval process applies. IRB application forms have been updated to reflect new HIPAA requirements and should be submitted as usual along with Appendix H if the study will be using PHI.
PHI is health information transmitted or maintained in any form or medium that:
The following records ARE EXEMPTED from the definition of PHI even though they may contain health-related information:
If your study uses these kinds of records, it is not subject to HIPAA. However, existing IRB rules on informed consent and confidentiality still apply.
More clarification of PHI - See When is Health-related information considered PHI?
If a study using/disclosing PHI is going to use/disclose this PHI by means of a subject authorization (the most common and recommended means), investigators should be aware of the following:
For research uses and disclosures of PHI, an IRB may approve a waiver or an alteration of the Authorization requirement in whole or in part. A complete waiver occurs when the IRB determines that no Authorization will be required for a covered entity to use and disclose PHI for a particular research project.
If a researcher has used or disclosed PHI for research with an IRB approval of waiver or alteration of Authorization, documentation of that approval must be retained by the researcher for 6 years from the date of its creation or the date it was last in effect, whichever is later.
Also see: How do I qualify for a waiver of authorization?
Researchers may use or disclose health information that is de-identified without restriction under the Privacy Rule.
Covered entities seeking to release this health information must determine that the information has been de-identified using either statistical verification of de-identification OR by removing the 19 identifiers from each record as specified in the Rule.