HIPAA Information for Researchers


HIPAA & HUMAN SUBJECTS RESEARCH

The Health Insurance Portability and Accountability Act (HIPAA) regulates the protection of private health information for individuals. HIPAA's Privacy Rule sets standards for the use and disclosure of all individually identifiable health information obtained from a covered entity. All forms of health information that are associated with any of the 18 identifiers specifically defined by HIPAA are considered to be protected health information (PHI) subject to HIPAA regulations. To access this information, all research studies must either obtain an individual's authorization to access their information, granted by the provider of the PHI, or obtain a waiver of authorization.


HIPAA PROVISIONS FOR IRB APPLICATION

If your project includes Protected Health Information (PHI), then address the following issues in your IRB application, in addition to all other sections:

HIPAA Plan:

  • Indicate whether the project will involve protected health information (PHI).
  • Describe the procedures that will be used to comply with the HIPAA Policy.
    • The following are examples of information and forms that will need to be included in the plan:
      • Procedures to be used regarding the Notice of Privacy Practices
      • Authorization for Use and/or Disclosure of PHI
        • Procedures to be used in requesting Authorization for Use and Disclosure of PHI from Individuals, or
        • Procedures to be used in requesting a waiver of Authorization from the IRB; or
        • Statement that only “de-identified” individual health information will be used.
  • Request for access to PHI from a Health Care Component within Missouri State
  • Request for access to PHI from a Covered Entity outside of Missouri State
    • Application to Covered Entity for Access to PHI
    • Approval by Covered Entity enabling access to PHI
    • Plan for using other HIPAA procedures and forms, as applicable.