Human Research Protections (IRB)
HIPAA Compliance
protecting health information used in research
The mission of the HIPAA Compliance Program is to facilitate researchers' access to Protected Health Information (PHI) to further research and ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (a.k.a. the "Privacy Rule"). The purpose of the HIPAA Compliance Program is to ensure that research studies involving the use, disclosure or collection of PHI are conducted with the utmost respect to the study participants' privacy and confidentiality rights, thereby preserving and maintaining public trust in the University.
Scope
The HIPAA Compliance Program extends directly or indirectly to any researcher who
is conducting research using PHI, whether the researcher's primary appointment is
with a ¹ú²ú¶ÌÊÓƵCovered Component or not. The HIPAA Compliance Program also renders service
to ¹ú²ú¶ÌÊÓƵaffiliates whose studies involve PHI. For more information regarding the HIPAA
Program:
Email HIPAA-research@usf.edu
Forms and Templates
WEB-BASED HIPAA COURSES
For ¹ú²ú¶ÌÊÓƵHealth
HIPAA education is mandatory for ¹ú²ú¶ÌÊÓƵHealth faculty, staff, students, residents, and fellows who are in the ¹ú²ú¶ÌÊÓƵCovered Health Care Component. If you are required to complete HIPAA education for ¹ú²ú¶ÌÊÓƵHealth, you must go to their Web Site to complete it: . If you have any questions or problems with the ¹ú²ú¶ÌÊÓƵHealth HIPAA training, please contact their Help Desk at (813) 974-6288.
Please Note: The ¹ú²ú¶ÌÊÓƵHealth HIPAA course does not meet the ¹ú²ú¶ÌÊÓƵIRB requirement for education in human subject protections.
Faq
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Among other things, the law includes the Privacy rule, which creates national standards to protect privacy of individuals' protected health information (PHI).
The Privacy Rule has been in effect since April 2003. The ¹ú²ú¶ÌÊÓƵ
has adopted policies that promote compliance with the Privacy Rule.
Show
What is PHI?
PHI includes all individually identifiable health information (including information in research databases and tissue bank samples with identifiers) held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.
Individually identifiable health information is information, including demographic data, which relates to:
- The individual's past, present or future physical or mental health or condition;
- The provision of health care to the individual, or
- The past, present or future payment for the provision of health care to the individual;
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Which groups at the ¹ú²ú¶ÌÊÓƵ are subject to the HIPAA Privacy Rule?
Entities covered by HIPAA are health care providers, health plans (including employers' sponsored plans), and health care clearinghouses.
The following entities at ¹ú²ú¶ÌÊÓƵare considered covered components:
- The ¹ú²ú¶ÌÊÓƵHealth Morsani College of Medicine and its constituent schools and departments (including the ¹ú²ú¶ÌÊÓƵSchool of Physical Therapy and Rehabilitation Sciences)
- The ¹ú²ú¶ÌÊÓƵSt. Petersburg Family Study Center, Infant Family Center
- The ¹ú²ú¶ÌÊÓƵCollege of Pharmacy
- The ¹ú²ú¶ÌÊÓƵStudent Health Services
- The Johnnie B. Byrd, Sr. Alzheimer's Center and Research Institute
- The ¹ú²ú¶ÌÊÓƵCollege of Behavioral & Community Sciences Department of Communication Sciences and Disorders
- The University Medical Services Support Corporation (MSSC)
- The University Medical Service Association (UMSA)
- Any University administrative personnel or unit if and to the extent that the personnel or unit performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information or as otherwise regulated by the HIPAA Privacy Rule for, on behalf of, or in support of any of the above-listed components
How does the Privacy rule affect me as a researcher?
HIPAA affects an investigator's ability to collect and access existing PHI. The Privacy Rule requires certain procedural steps prior to releasing PHI to any investigator for use in research. This is true whether or not the investigator is in or outside of a ¹ú²ú¶ÌÊÓƵcovered component. When PHI is to be used or disclosed for research purposes, a HIPAA Authorization must be obtained from the research subjects or a waiver of HIPAA Authorization must be obtained from the Privacy Board/IRB.
How does the Privacy rule affect the recruitment of subjects?
Recommended HIPAA Privacy Practices (Securing Electronic Research Data - As recommended by the ¹ú²ú¶ÌÊÓƵPrivacy Board) (MS Word)
Policies & Procedures
- HRP-056 - SOP - Definitions of HIPAA Terms (PDF)
- HRP-056a - SOP - Accounting of Disclosures of PHI (PDF)
- HRP-056b - SOP - Evaluating a Research Study for HIPAA Compliance (PDF)
- HRP-056c - SOP - Limited Data Sets (PDF)
- HRP-056d - SOP - Obtaining a Waiver, Partial Waiver or Alteration of Authorization (PDF)
- HRP-056e - SOP - Obtaining Authorizations to Use PHI (PDF)
- HRP-056f - SOP - Preparatory to Research (PDF)
- HRP-056g - SOP - Study Participant Recruitment (PDF)
- HRP-056h - SOP - Use and Disclosure of Decedents' PHI for Research Purposes (PDF)
- HRP-056i - SOP - Use and Disclosure of De-Identified Data for Research Purposes (PDF)
Resources
- The Six Core Elements and Required Statements For a Valid HIPAA Research Authorization (MS Word)
- Recommended HIPAA Privacy Practices (Securing Electronic Research Data) (MS Word)