Human Research Protections (IRB)
HIPAA Compliance
protecting health information used in research
The mission of the HIPAA Compliance Program is to facilitate researchers' access to Protected Health Information (PHI) to further research and ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (a.k.a. the "Privacy Rule"). The purpose of the HIPAA Compliance Program is to ensure that research studies involving the use, disclosure or collection of PHI are conducted with the utmost respect to the study participants' privacy and confidentiality rights, thereby preserving and maintaining public trust in the University.
Scope
The HIPAA Compliance Program extends directly or indirectly to any researcher who
is conducting research using PHI, whether the researcher's primary appointment is
with a ºÚÁÏÍø³Ô¹Ï±¬ÁÏCovered Component or not. The HIPAA Compliance Program also renders service
to ºÚÁÏÍø³Ô¹Ï±¬ÁÏaffiliates whose studies involve PHI. For more information regarding the HIPAA
Program:
Email HIPAA-research@usf.edu
Forms and Templates
WEB-BASED HIPAA COURSES
For ºÚÁÏÍø³Ô¹Ï±¬ÁÏHealth
HIPAA education is mandatory for ºÚÁÏÍø³Ô¹Ï±¬ÁÏHealth faculty, staff, students, residents, and fellows who are in the ºÚÁÏÍø³Ô¹Ï±¬ÁÏCovered Health Care Component. If you are required to complete HIPAA education for ºÚÁÏÍø³Ô¹Ï±¬ÁÏHealth, you must go to their Web Site to complete it: . If you have any questions or problems with the ºÚÁÏÍø³Ô¹Ï±¬ÁÏHealth HIPAA training, please contact their Help Desk at (813) 974-6288.
Please Note: The ºÚÁÏÍø³Ô¹Ï±¬ÁÏHealth HIPAA course does not meet the ºÚÁÏÍø³Ô¹Ï±¬ÁÏIRB requirement for education in human subject protections.
Faq
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Among other things, the law includes the Privacy rule, which creates national standards to protect privacy of individuals' protected health information (PHI).
The Privacy Rule has been in effect since April 2003. The ºÚÁÏÍø³Ô¹Ï±¬ÁÏ
has adopted policies that promote compliance with the Privacy Rule.
Show
What is PHI?
PHI includes all individually identifiable health information (including information in research databases and tissue bank samples with identifiers) held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.
Individually identifiable health information is information, including demographic data, which relates to:
- The individual's past, present or future physical or mental health or condition;
- The provision of health care to the individual, or
- The past, present or future payment for the provision of health care to the individual;
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Which groups at the ºÚÁÏÍø³Ô¹Ï±¬ÁÏ are subject to the HIPAA Privacy Rule?
Entities covered by HIPAA are health care providers, health plans (including employers' sponsored plans), and health care clearinghouses.
The following entities at ºÚÁÏÍø³Ô¹Ï±¬ÁÏare considered covered components:
- The ºÚÁÏÍø³Ô¹Ï±¬ÁÏHealth Morsani College of Medicine and its constituent schools and departments (including the ºÚÁÏÍø³Ô¹Ï±¬ÁÏSchool of Physical Therapy and Rehabilitation Sciences)
- The ºÚÁÏÍø³Ô¹Ï±¬ÁÏSt. Petersburg Family Study Center, Infant Family Center
- The ºÚÁÏÍø³Ô¹Ï±¬ÁÏCollege of Pharmacy
- The ºÚÁÏÍø³Ô¹Ï±¬ÁÏStudent Health Services
- The Johnnie B. Byrd, Sr. Alzheimer's Center and Research Institute
- The ºÚÁÏÍø³Ô¹Ï±¬ÁÏCollege of Behavioral & Community Sciences Department of Communication Sciences and Disorders
- The University Medical Services Support Corporation (MSSC)
- The University Medical Service Association (UMSA)
- Any University administrative personnel or unit if and to the extent that the personnel or unit performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information or as otherwise regulated by the HIPAA Privacy Rule for, on behalf of, or in support of any of the above-listed components
How does the Privacy rule affect me as a researcher?
HIPAA affects an investigator's ability to collect and access existing PHI. The Privacy Rule requires certain procedural steps prior to releasing PHI to any investigator for use in research. This is true whether or not the investigator is in or outside of a ºÚÁÏÍø³Ô¹Ï±¬ÁÏcovered component. When PHI is to be used or disclosed for research purposes, a HIPAA Authorization must be obtained from the research subjects or a waiver of HIPAA Authorization must be obtained from the Privacy Board/IRB.
How does the Privacy rule affect the recruitment of subjects?
Recommended HIPAA Privacy Practices (Securing Electronic Research Data - As recommended by the ºÚÁÏÍø³Ô¹Ï±¬ÁÏPrivacy Board) (MS Word)
Policies & Procedures
- HRP-056 - SOP - Definitions of HIPAA Terms (PDF)
- HRP-056a - SOP - Accounting of Disclosures of PHI (PDF)
- HRP-056b - SOP - Evaluating a Research Study for HIPAA Compliance (PDF)
- HRP-056c - SOP - Limited Data Sets (PDF)
- HRP-056d - SOP - Obtaining a Waiver, Partial Waiver or Alteration of Authorization (PDF)
- HRP-056e - SOP - Obtaining Authorizations to Use PHI (PDF)
- HRP-056f - SOP - Preparatory to Research (PDF)
- HRP-056g - SOP - Study Participant Recruitment (PDF)
- HRP-056h - SOP - Use and Disclosure of Decedents' PHI for Research Purposes (PDF)
- HRP-056i - SOP - Use and Disclosure of De-Identified Data for Research Purposes (PDF)
Resources
- The Six Core Elements and Required Statements For a Valid HIPAA Research Authorization (MS Word)
- Recommended HIPAA Privacy Practices (Securing Electronic Research Data) (MS Word)