The Health Information Privacy and Compliance Office works closely with the Institutional Review Board (IRB) on issues involving health information compliance.
Securing Research Data
All human subjects research data must be secured with a University of Minnesota-approved resource at all times during the research process. This is true even if the research data has been de-identified. University approved methods of storing, analyzing and handling human subjects research data include:
- CTSI’s Clinical Data Repository Data Shelter (also referred to as the AHC Information Exchange or AHC IE). The CTSI can also be used to retrieve data for use in your study. Visit the CTSI’s website for additional information.
- AHC-IS supported servers. To determine if your area already has space on an AHC-IS supported server, or to obtain space, contact AHC-IS for assistance.
- Box Secure Storage. The University’s Box instance is supported by the Center of Excellence for HIPAA Data. More information about using Box can be found on the Center of Excellence for HIPAA Data website.
- REDCap. REDCap is designed to support data capture for research. More information about REDCap is available on the CTSI website.
- OnCore. OnCore is designed as a clinical trial management system. More information about OnCore is available on the CTSI website.
- AHC-IS supported devices that are up to date with encryption and patches. If your device is supported by AHC-IS, it will be tagged with an AHC-IS sticker. To obtain an AHC-IS supported device, contact AHC-IS for assistance.
More information on storage requirements is available on this webpage. If you have questions regarding whether your method of storing, analyzing, or handling human subjects research data is approved by the University, please contact firstname.lastname@example.org.
Creating a De-Identified Data Set
HIPCO and the IRB strongly recommend the use of de-identified data whenever possible. To create a de-identified data set you must satisfy the HIPAA Safe Harbor de-identification definition. This requires that you remove all identifiers, and all derivatives of those identifiers. A full list of all identifiers that must be removed is available here. The University offers a service to de-identify human subjects research data if you use the CTSI’s Clinical Data Repositor.
Creating a Limited Data Set
HIPCO and the IRB strongly recommend that if a de-identified data set cannot be used for your research, that you consider using a Limited Data Set. To create a Limited Data Set you must satisfy the HIPAA Limited Data Set definition. This requires that you remove all identifiers, and all derivatives or those identifiers, but you may include dates (such as date of death, birth, and admission), and you may include geographic information including city, state, and zip code. A full list of all identifiers that must be removed to create a Limited Data Set is available here. The University does not offer a service to create a Limited Data Set.
If your research will involve individually identifiable health information classified as Protected Health Information under HIPAA, you will need to obtain a signed HIPAA Authorization from each research participant, or seek a waiver of HIPAA Authorization from the University’s IRB.
The updated HIPAA Authorization form for Release of Records for Research is available in the Contracts Library. A provider who treats a patient at M Health may not access that patient’s records for research purposes unless the patient has signed a HIPAA Authorization for the research study. This HIPAA Authorization gives the research team the right to use the information identified on the HIPAA Authorization for purposes of research.
A HIPAA Authorization or waiver of authorization is required when a research team needs health information from an outside, non M-Health provider. Outside health providers may require that you use their form of HIPAA Authorization before they will release any records.
Using Data from the CTSI's Clinical Data Repository
The Clinical and Translational Science Institute has a clinical data repository of more than 2 million patients seen at 8 hospitals and more than 40 clinics. This data is housed in a secure repository and is available for your research needs. Contact the CTSI for more information about how to access this data.
IRB Guidance & Policies
The IRB provides additional guidance and maintains its own set of policies with respect to research activities.
HIPAA & Research Training Session
In January 2016, the IRB and the Health Information Privacy & Compliance Office teamed up to do an education session that provided a broad overview of HIPAA, and provided more specific information about completing HIPAA Authorization Forms.