The Health Information Privacy and Compliance Office works closely with the Institutional Review Board (IRB) on issues involving health information compliance.
Both the Health Information Privacy & Compliance Office and the IRB strongly recommend the use of de-identified information whenever feasible. If health information is de-identified in accordance with HIPAA, the information is no longer subject to HIPAA. The IRB maintains a HIPAA De-Identification Certification Form on its website (go to Forms/Templates/HIPAA) which must be presented to the IRB to demonstrate that de-identification has occurred.
If the use of de-identified data is not feasible, it is recommended that a Limited Data Set be created in accordance with HIPAA. A Limited Data Set involves stripping almost all of the same identifiers that must be stripped to create a de-identified data set, except that there is more flexibility with respect to postal address information and dates associated with individual patients/research subjects. A Limited Data Set must be used in conjunction with a Data Use Agreement, which is available in the University Contracts Library.
The Clinical and Translational Science Institute has a clinical data repository of more than 2 million patients seen at 8 hospitals and more than 40 clinics. This data is housed in a secure repository and is available for your research needs. Contact the CTSI for more information about how to access this data.
All research data must be securely stored. If you are not using CTSI's Clinical Data Repository for your research, use of the tools available through the Center of Excellence for HIPAA Data or encryption of your research data is strongly recommended. AHC-IS can be used as a resource to assist you in determining appropriate storage options for research involving health information.
The IRB provides additional guidance and maintains its own set of policies with respect to research activities.
In January 2016, the IRB and the Health Information Privacy & Compliance Office teamed up to do an education session that provided a broad overview of HIPAA, and provided more specific information about completing HIPAA Authorization Forms