HIPAA Flow Chart
USA HIPAA Privacy & Security Compliance for Research
HIPAA Subject Authorization - template
Waiver of Subject Authorization
Limited Data Use Agreement
Revocation of Authorization to Release PHI
- Research Database Registration Form
(Guidance: Databases containing protected health information (PHI) used for research purposes are affected by the HIPAA Privacy Rule. The Privacy Rule regulations cover the use of databases containing PHI just as they apply to any other research using PHI. The Research Database Form documents compliance with requirements outlined in the HIPAA Privacy and Security Rule.)
The 秘密研究所 IRB follows numerous regulations set by federal agencies to ensure the protection of participants in human subjects research. These include:
The (OHRP) provides leadership in the protection of the rights, welfare, and wellbeing
of human subjects involved in research conducted or supported by the U.S. Department
of Health and Human Services (HHS). OHRP is part of the Office of the Assistant Secretary
for Health in the Office of the Secretary of HHS.
OHRP provides clarification and guidance, develops educational programs and materials,
maintains regulatory oversight, and provides advice on ethical and regulatory issues
in biomedical and behavioral research. OHRP also supports the Secretary's Advisory
Committee on Human Research Protections (SACHRP), which advises the HHS Secretary
on issues related to protecting human subjects in research.
Protection of Human Subjects
- Policy Implementation (NIH)
- Protection of Human Subjects
- Institutional Review Boards
- Investigational New Drug Applications (INDs)
- Investigational Device Exemptions (IDEs)
- Guidance, resources, good clinical practices (GCPs)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its regulations, including the Privacy Rule and the Security Rule, as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act, govern the way certain health information is collected, maintained, used, and disclosed. The Privacy Rule establishes a set of safeguards on certain types of health information known as protected health information, or PHI. HIPAA is designed to protect individuals' privacy and to inform patients and research subjects how their health information is used and disclosed. See list of 18 PHI identifiers (PDF).
HIPAA requires specified language in the informed consent for the collection, use and/or disclosure of PHI for research. The HIPAA Subject Authorization template below includes University specific language which must be included in the Confidentiality Section of the Informed Consent form in order to comply with HIPAA requirements.
HIPAA Forms And Compliance Procedures
HIPAA Certifications
Reviews Preparatory to Research
Certain activities involving the use/disclosure of PHI are permitted without Authorization. The "preparatory to research" provision allows researchers to use PHI for limited purposes, such as a feasibility assessment (e.g., whether a sufficient population exists to conduct research). However, the Privacy Rule does not permit the researcher to remove PHI. To comply with the HIPAA Privacy Rule and human subjects regulations, researchers are permitted to review PHI, but identifiers may not be recorded. To conduct a review preparatory to research, a researcher must CERTIFY all of the following representations:
- The use or disclosure is requested solely to review PHI as necessary to develop a research protocol or for similar purposes preparatory to research
- PHI will not be removed in the course of review
- The PHI for which use or access is requested is necessary for the research
Research Involving Deceased Individuals
The Privacy Rule provides protections to living and deceased individuals. To use decedents' PHI for research purposes, a researcher must CERTIFY all of the following:
- Representation that the use or disclosure is solely for research involving the PHI of decedents (e.g., and not also the living relatives of decedents)
- Representation that the PHI is necessary for the research
- Documentation (at the request of the covered entity holding the PHI) of the death of the individuals whose PHI is sought.
Note: If the participant population contains both living and deceased individuals, the requirements for Authorization (or waiver or alteration) apply.
De-Identification Certification
Faculty, fellows, staff, and students participating in human subjects research involving Protected Health Information (PHI) are required to complete the HIPAA Research tutorial. Training must be completed before participating in human subjects research involving PHI.
HIPAA Forms And Compliance Procedures
- (nih.gov)
- (hhs.gov)
- (nih.gov)
- HIPAA and Research Requirements videotape, USA Office of Research Compliance and Assurance. Contact Ms. Layton at 460-6625 if you wish to borrow a copy.
HIPAA: Research FAQs:
What about research data that has already been collected?
According to HIPAA, such data is grandfathered in.
How will HIPAA impact human subjects who are already enrolled in a research study?
Subjects that have enrolled prior to April 14, 2003 will not be required to re-consent. Investigators may continue to collect and use data gathered from these subjects and no new documentation is required.
What are the HIPAA standards for human subjects research?
There are four ways to perform HIPAA compliant research. They are:
- Obtain subject Authorization
- Obtain a waiver of authorization from the IRB
- Use of de-identified information
- Use of limited data set
What about reviews preparatory to research?
Investigators may review PHI without subject authorization to prepare a research protocol or for similar purposes preparatory to research. Also, research on decedents' information involving PHI does not require subject authorization. However, both activities must be approved by the IRB.
What are the new research documents required by HIPAA?
HIPAA compliant research documents include:
- Authorization (HIPAA language template form - to be inserted in the consent form)
- Waiver of Authorization
- Data use agreement
These forms will be made available as they become available and can also be obtained through the IRB.
What about releasing data outside of the USA Health System?
Intentional releases of research data outside USA must be made clear in the research study documents submitted for IRB approval. Such releases should be described within the authorization portion of the informed consent. Upon IRB approval, such releases are permitted. Disclosures for studies involving de-identified information of a limited data set are also permitted.
For additional information, please contact the Office of Research Compliance and Assurance at (251) 460-6625 or email dlayton@southalabama.edu
The (FERPA) is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
The (PPRA) is a federal law that sets forth additional requirements in elementary and/or secondary public schools when certain activities are conducted (e.g., survey, analysis, physical examinations) or if funded by the Department of Education (e.g., survey, analysis, or evaluation).
- listing laws, regulations, and guidelines on human subjects research in over 100 countries and standards from international and regional organizations.