- Last updated:
Health Insurance Portability and Accountability Act
- Guidance Contact:
IU Human Research Protection Program (HRPP)
Research subject to the Health Insurance Portability and Accountability Act (HIPAA) must comply with the IU HRPP Policy on Use of PHI in Research. Research is subject to HIPAA when research personnel:
- are part of a covered entity or receive information from a covered entity, and;
- access, use, collect, or generate protected health information (PHI) for any part of the research, including recruitment.
Covered entities include IU HIPAA-affected areas (learn more at IU HIPAA Privacy and Security Compliance), IU Health, Eskenazi, and Roudebush VAMC.
Waiver of signature requirement when obtaining authorization
As the Privacy Board, the IU IRBs may consider requests to alter the required elements of HIPAA authorization. Most often, researchers use this mechanism to obtain authorization without obtaining a physical signature or date, especially when subjects are enrolled via phone or web.
In order to approve the alteration, the Privacy Board must find that the following criteria are met. These are the same criteria required for a full waiver of authorization; however, the study team’s response should indicate the scope of the waiver (e.g., requesting a waiver of the signature and date requirements only).
- The use or disclosure of the PHI involves no more than minimal risk to the privacy of individuals based on, at least, the presence of the following elements:
- An adequate plan to protect health information identifiers from improper use and disclosure.
- An adequate plan to destroy identifiers at the earliest opportunity consistent with conduct of the research (absent a health or research justification for retaining them or a legal requirement to do so).
- Adequate written assurances that the PHI will not be reused or disclosed to (shared with) any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule.
- The research could not practicably be conducted without the waiver or alteration.
- The research could not practicably be conducted without access to and use of the PHI.
If the alteration is approved, all other required elements of HIPAA authorization must be presented to the subject verbally, and the subject should agree to the authorization verbally, but a physical signature and date will not be required.
Obtaining authorizations from individuals who don't read/speak English
If research personnel plan to enroll individuals who cannot read and/or speak English, the study team should have the HIPAA authorization (or if using a combined Informed Consent Statement and HIPAA authorization) translated into the appropriate languages. Spanish versions of IU HIPAA authorization templates are available at Forms & Templates.
If research personnel unexpectedly encounter a potential participant who cannot read and/or speak English, a translator may help obtain HIPAA authorization. The translator should verbally translate the authorization to the potential participant, then the participant should sign the English version of the form and be provided a copy. Use of a translator to obtain HIPAA authorization should be documented in the research record. If using a combined Informed Consent Statement and HIPAA authorization, refer to the IU HRPP Policy on Informed Consent to ensure proper consent and documentation processes.
Appropriate mechanisms for protecting PHI
PHI must be appropriately protected during all research activities, including:
- Collection - Acquire data from clinical or field data collection processes, or from existing research data sources such as health record databases.
- Transmission - Move data from one place to another.
- Storage - Keep data on a system for a shorter (90 days) or longer period of time for analysis.
- Computation - Perform analysis on data with various software packages
- Archival - Store data and results after the study ends for policy compliance and research reproducibility.
For example, for a clinical study, you might collect and store data in OnCore, collect and store data via data collection forms and a patient registry in REDCap, compute data using statistical software on a HIPAA Compute Enclave to perform analysis, transmit intermediate results with colleagues using a Microsoft or Google at IU Secure Storage, compute by making data analysis charts with Tableau, and archive the input data and results on the Scholarly Data Archive (SDA) to ensure research reproducibility.
The IU IRB must ensure protocols include adequate mechanisms for ensuring confidentiality of research data. IU and its affiliates have agreed that the following systems provide adequate provisions to protect confidentiality of research data. If research personnel will use only these systems to collect, transmit, store, compute, and archive research data, the IRB may find that adequate provisions exist to maintain confidentiality of data without additional information.
|OnCore||Record, manage, and report on operational data for clinical research||OCR|
|REDCap||Build online workflows to capture research data||RT|
|Microsoft or Google at IU Secure Storage||Store and share data with “unlimited” capacity||CAITS|
|SCP/SFTP (e.g. WinSCP)||Securely transport data to systems||UITS|
|SlashTMP Critical||Send ePHI to someone in a secure way||UITS|
|Other methods||Systems like OnCore, REDCap, and Box Health Data Account that have built in mechanisms for importing and exporting data||--|
|HIPAA Compute Enclave (Linux)||High security, Linux-based desktop environment with software and tools for data analysis, including temporary and long term data storage||RT|
|High Performance Clusters, Storage (Linux)||Cluster computing environments with desktop or command-line access for high volume or computationally expensive analysis. Includes space for temporary and longer-term storage of data, and MySQL databases.||RT|
|Tableau||Create and publish visual analytics and research dashboards with many connectors for importing data.||UITS|
|Scholarly Data Archive (SDA)||Tape-based storage of research data after the study concludes, or even during the study for certain research data workflows. Supports large volumes and long retention.||RT|
For more information about these services, contact:
- OCR: IU Office of Clinical Research email@example.com
- CAITS: Clinical Affairs IT Services firstname.lastname@example.org
- RT: UITS Research Technologies email@example.com
- UITS: University Information Technology Services firstname.lastname@example.org
- SecureMyResearch: a single place you can go for help with cybersecurity and/or compliance issues email@example.com
If PHI is lost, stolen, or misdirected, institutional reporting requirements may apply. IU research personnel should review the IU Policy on Information and Information System Incident Reporting, Management, and Breach Notification. All other research personnel should refer to their own institutional policies or consult with their institutional privacy officer.
Accessing IU Health PHI/Biospecimens for Research Purposes
Text description of information in above infographic:
Accessing identifiable PHI/biospecimens (accessed in EMR directly or via request to Regenstrief or IU Health Clinical Research Systems)
- If you are engaged in research:
- You need to obtain IRB approval. For information on how to obtain IRB approval, please see Submitting a new study for review or Reliance Requests.
- Subjects must provide authorization for use of PHI or the IRB, acting as Privacy Board, must grant a waiver of authorization.
- The IRB application will capture data sharing information and the Human Research Protection Program (HRPP) or the Office of Research Administration (ORA) will complete a data exchange agreement, if necessary.
- If you are NOT engaged in research:
- You must be granted a waiver of authorization by the IU Privacy Board. For more information on how to request a waiver of authorization, please see the Non Human Subjects Research section of Submitting a new study for review.
- The IRB application will capture data sharing information and the HRPP or the ORA will complete a data exchange agreement, if necessary.
Accessing a limited data set (provided by Regenstrief or IU Health Clinical Research Systems)
Receipt of data by IU-affiliated personnel is covered by a master agreement with Regenstrief or IU Health Clinical Research Systems.
- If IU-affiliated personnel plan to share the limited data set with a third party, ORA will ensure appropriate data exchange agreement is in place.
- There is no IRB/Privacy Board submission required.
Accessing deidentified data (provided by Regenstrief or IU Health Clinical Research Systems)
- There is no IRB/Privacy Board submission required.
- There is no project-specific agreements required.
For purposes of this infographic, PHI, data, and biospecimens follow the same process.
Research purposes include: accessing PHI for the investigator’s own research; accessing PHI in order to provide data to an external party for research purposes; and accessing previously-collected research data for a new research purpose.
The following activities are NOT research and do not require this process: quality improvement for IU Health’s own internal operation monitoring and program improvement; activities preparatory to research; research utilizing only decedent PHI.
Engaged in research includes: interacting/intervening with human subjects or using their identifiable data for research purposes. Investigators who simply access and release data to another institution and are not themselves conducting the research are likely not engaged in research. For more information, contact the HRPP at firstname.lastname@example.org or see OHRP guidance on Engagement of Institutions in Human Subjects Research.
- Researcher will use the PHI solely for the purpose of research associated with the study in accordance with the Waiver of Authorization and/or signed Authorization and for no other purposes.
- Researcher shall comply with HIPAA and all applicable laws governing the privacy and security of PHI, including Indiana University and IU Health applicable policies and procedures (posted on IU website). Researcher shall use appropriate safeguards to prevent unauthorized access, use, or disclosure of the PHI; including, but not limited to, encrypting the PHI when in storage, in transit, and at rest in accordance with HIPAA; ensure the PHI is stored behind a firewall and commensurate network security protection, including intrusion detection and prevention systems; and ensure the PHI is not downloaded to or stored on laptops, tablets, cell phones, desktops, or other end user devices. The preferred storage location of PHI used for research purposes is in the Indiana University REDCap database.
- Unless specifically permitted by the Waiver of Authorization and/or signed Authorization, Researcher shall not contact the individuals whose information is contained within the PHI (except for the provision of routine patient care if the individual is their patient).
- In any publication about the research study, IU Health will be acknowledged for its participation. Other than acknowledgment, IU Health will not be specifically mentioned in the publication without the written permission of IU Health. IU Health will not be compared in any identifiable way to other participating health care providers or institutions. IU Health agrees that de-identified data (PHI de-identified in accordance with HIPAA, 45 C.F.R. §164.514, along with removal of any characteristic that could be used to identify the patient) may be used by Researcher in publications regarding the study; otherwise, Researcher shall obtain the patient’s signed consent for publication.
- Researcher shall ensure that authorized persons to whom Researcher provides the PHI in furtherance of research study purposes (e.g. principal investigator, research team, data managers, biostatisticians and/or other individuals who will assist in analyzing the data) agree to the same restrictions, terms, and conditions contained herein.
- At the end of research study record retention requirements, Researcher agrees: (i) to return all PHI provided to IU Health in a secure and encrypted manner, or (ii) to destroy all PHI provided in accordance with HIPAA. If requested, Researcher shall certify its satisfaction of the forgoing.
- Without a signed Authorization or Waiver of Authorization, Researcher shall not directly access IU Health’s electronic medical record and shall use the services of Regenstrief or IU Health Clinical Research (ClinicalResearchSystems@iuhealth.org) to obtain PHI for research purposes, which will be subject to the terms of a separate Data Use Agreement involving a limited data set or data provided in a de-identified manner in accordance with HIPAA; provided, however, PHI may be accessed on-site at IU Health by an IU Health employee/workforce member if preparatory to research (e.g., to aid in study recruitment and identification of prospective research participants to seek their Authorization to use PHI) without a signed Authorization or a Waiver of Authorization but the PHI may not be removed from IU Health. For purposes of HIPAA, an individual dually employed by Indiana University and IU Health is considered a member of the IU Health workforce, as are IU employees working under direct control of dually employed individuals.