HIPAA

Health Insurance Portability and Accountability Act

Research subject to the Health Insurance Portability and Accountability Act (HIPAA) must comply with the IU HRPP Policy on Use of PHI in Research. Research is subject to HIPAA when research personnel: 

  • are part of a covered entity or receive information from a covered entity, and;
  • access, use, collect, or generate protected health information (PHI) for any part of the research, including recruitment.

Covered entities include IU HIPAA-affected areas (learn more at IU HIPAA Privacy and Security Compliance), IU Health, Eskenazi, and Roudebush VAMC.

Waiver of signature requirement when obtaining authorization

As the Privacy Board, the IU IRBs may consider requests to alter the required elements of HIPAA authorization. Most often, researchers use this mechanism to obtain authorization without obtaining a physical signature or date, especially when subjects are enrolled and/or screened via phone or web. 

In order to approve the alteration, the Privacy Board must find that the following criteria are met. These are the same criteria required for a full waiver of authorization; however, the study team’s response should indicate the scope of the waiver (e.g., requesting a waiver of the signature and date requirements only).

  1. The use or disclosure of the PHI involves no more than minimal risk to the privacy of individuals based on, at least, the presence of the following elements:
    1. An adequate plan to protect health information identifiers from improper use and disclosure.
    2. An adequate plan to destroy identifiers at the earliest opportunity consistent with conduct of the research (absent a health or research justification for retaining them or a legal requirement to do so).
    3. Adequate written assurances that the PHI will not be reused or disclosed to (shared with) any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule.
  2. The research could not practicably be conducted without the waiver or alteration.
  3. The research could not practicably be conducted without access to and use of the PHI.

If the alteration is approved, all other required elements of HIPAA authorization must be presented to the subject verbally, and the subject should agree to the authorization verbally, but a physical signature and date will not be required.

 

Obtaining authorizations from individuals who don't read/speak English

If research personnel plan to enroll individuals who cannot read and/or speak English, the study team should have the HIPAA authorization translated into the appropriate languages. Spanish versions of all three IU HIPAA authorization templates are available at Forms & Templates.

If research personnel unexpectedly encounter a potential participant who cannot read and/or speak English, a translator may help obtain HIPAA authorization. The translator should verbally translate the authorization to the potential participant, then the participant should sign the English version of the form and be provided a copy.  Use of a translator to obtain HIPAA authorization should be documented in the research record.

Appropriate mechanisms for protecting PHI

PHI must be appropriately protected during all research activities, including:

  • Collection - Acquire data from clinical or field data collection processes, or from existing research data sources such as health record databases.
  • Transmission - Move data from one place to another.
  • Storage - Keep data on a system for a shorter (90 days) or longer period of time for analysis.
  • Computation - Perform analysis on data with various software packages
  • Archival - Store data and results after the study ends for policy compliance and research reproducibility.

For example, for a clinical study, you might collect and store data in OnCore, collect and store data via data collection forms and a patient registry in REDCap, compute data using statistical software on a HIPAA Compute Enclave to perform analysis, transmit intermediate results with colleagues using a Box Health Data Account, compute by making data analysis charts with Tableau, and archive the input data and results on the Scholarly Data Archive (SDA) to ensure research reproducibility. 

The IU IRB must ensure protocols include adequate mechanisms for ensuring confidentiality of research data. IU and its affiliates have agreed that the following systems provide adequate provisions to protect confidentiality of research data. If research personnel will use only these systems to collect, transmit, store, compute, and archive research data, the IRB may find that adequate provisions exist to maintain confidentiality of data without additional information. 

Collection, Storage
IU ServiceDescriptionContact
OnCoreRecord, manage, and report on operational data for clinical research OCR
REDCapBuild online workflows to capture research dataRT
Box Health Data AccountStore and share data with “unlimited” capacityCAITS
Transmission
IU ServiceDescription Contact
SCP/SFTP (e.g. WinSCP)Securely transport data to systemsUITS
SlashTMP CriticalSend ePHI to someone in a secure wayUITS
Other methodsSystems like OnCore, REDCap, and Box Health Data Account that have built in mechanisms for importing and exporting data--
Computation, Storage
IU ServiceDescription Contact
HIPAA Compute Enclave (Linux)High security, Linux-based desktop environment with software and tools for data analysis, including temporary and long term data storageRT
High Performance Clusters, Storage (Linux)Cluster computing environments with desktop or command-line access for high volume or computationally expensive analysis. Includes space for temporary and longer-term storage of data, and MySQL databases.RT
Computation
IU ServiceDescription Contact
TableauCreate and publish visual analytics and research dashboards with many connectors for importing data.UITS
Archival
IU ServiceDescriptionContact
Scholarly Data Archive (SDA)Tape-based storage of research data after the study concludes, or even during the study for certain research data workflows. Supports large volumes and long retention.RT

For more information about these services, contact:

  • OCR: IU Office of Clinical Research oncore@iupui.edu
  • CAITS: Clinical Affairs IT Services caits@iu.edu
  • RT: UITS Research Technologies rt4iusm@iu.edu
  • UITS: University Information Technology Services ithelpu@iu.edu

If PHI is lost, stolen, or misdirected, institutional reporting requirements may apply. IU research personnel should review the IU Policy on Information and Information System Incident Reporting, Management, and Breach Notification. All other research personnel should refer to their own institutional policies or consult with their institutional privacy officer.