HIPAA Compliance in Research

The Health Information Privacy and Compliance Office works closely with the Institutional Review Board (IRB) on issues involving health information compliance.  

Securing Research Data

All research data must be securely stored.  If you are not using CTSI's Clinical Data Repository for your research, use of the tools available through the Center of Excellence for HIPAA Data or encryption of your research data is strongly recommended.  AHC-IS can be used as a resource to assist you in determining appropriate storage options for research involving health information. 

Creating a De-Identified Data Set

Health information that has been de-identified in accordance with HIPAA is no longer subject to HIPAA. Both the Health Information Privacy & Compliance Office and the IRB strongly recommend the use of de-identified information whenever feasible.

Creating a Limited Data Set

If the use of de-identified data is not feasible, it is recommended that a Limited Data Set be created in accordance with HIPAA.  A Limited Data Set involves stripping almost all of the same identifiers that must be stripped to create a de-identified data set, except that there is more flexibility with respect to postal address information and dates associated with individual patients/research subjects.  A Limited Data Set must be used in conjunction with a Data Use Agreement, which is available in the University Contracts Library. 

Using Data from the CTSI's Clinical Data Repository

The Clinical and Translational Science Institute has a clinical data repository of more than 2 million patients seen at 8 hospitals and more than 40 clinics.  This data is housed in a secure repository and is available for your research needs. Contact the CTSI for more information about how to access this data.

IRB Guidance & Policies

The IRB provides additional guidance and maintains its own set of policies with respect to research activities.  

HIPAA & Research Training Session

In January 2016, the IRB and the Health Information Privacy & Compliance Office teamed up to do an education session that provided a broad overview of HIPAA, and provided more specific information about completing HIPAA Authorization Forms.