Human Research Protections (IRB)
HIPAA Compliance
protecting health information used in research
The mission of the HIPAA Compliance Program is to facilitate researchers' access to Protected Health Information (PHI) to further research and ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (a.k.a. the "Privacy Rule"). The purpose of the HIPAA Compliance Program is to ensure that research studies involving the use, disclosure or collection of PHI are conducted with the utmost respect to the study participants' privacy and confidentiality rights, thereby preserving and maintaining public trust in the University.
Scope
The HIPAA Compliance Program extends directly or indirectly to any researcher who
is conducting research using PHI, whether the researcher's primary appointment is
with a аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢Covered Component or not. The HIPAA Compliance Program also renders service
to аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢affiliates whose studies involve PHI. For more information regarding the HIPAA
Program:
Email HIPAA-research@usf.edu
Forms and Templates
WEB-BASED HIPAA COURSES
For аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢Health
HIPAA education is mandatory for аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢Health faculty, staff, students, residents, and fellows who are in the аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢Covered Health Care Component. If you are required to complete HIPAA education for аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢Health, you must go to their Web Site to complete it: . If you have any questions or problems with the аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢Health HIPAA training, please contact their Help Desk at (813) 974-6288.
Please Note: The аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢Health HIPAA course does not meet the аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢IRB requirement for education in human subject protections.
Faq
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Among other things, the law includes the Privacy rule, which creates national standards to protect privacy of individuals' protected health information (PHI).
The Privacy Rule has been in effect since April 2003. The аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢
has adopted policies that promote compliance with the Privacy Rule.
Show
What is PHI?
PHI includes all individually identifiable health information (including information in research databases and tissue bank samples with identifiers) held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.
Individually identifiable health information is information, including demographic data, which relates to:
- The individual's past, present or future physical or mental health or condition;
- The provision of health care to the individual, or
- The past, present or future payment for the provision of health care to the individual;
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Which groups at the аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢ are subject to the HIPAA Privacy Rule?
Entities covered by HIPAA are health care providers, health plans (including employers' sponsored plans), and health care clearinghouses.
The following entities at аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢are considered covered components:
- The аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢Health Morsani College of Medicine and its constituent schools and departments (including the аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢School of Physical Therapy and Rehabilitation Sciences)
- The аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢St. Petersburg Family Study Center, Infant Family Center
- The аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢College of Pharmacy
- The аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢Student Health Services
- The Johnnie B. Byrd, Sr. Alzheimer's Center and Research Institute
- The аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢College of Behavioral & Community Sciences Department of Communication Sciences and Disorders
- The University Medical Services Support Corporation (MSSC)
- The University Medical Service Association (UMSA)
- Any University administrative personnel or unit if and to the extent that the personnel or unit performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information or as otherwise regulated by the HIPAA Privacy Rule for, on behalf of, or in support of any of the above-listed components
How does the Privacy rule affect me as a researcher?
HIPAA affects an investigator's ability to collect and access existing PHI. The Privacy Rule requires certain procedural steps prior to releasing PHI to any investigator for use in research. This is true whether or not the investigator is in or outside of a аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢covered component. When PHI is to be used or disclosed for research purposes, a HIPAA Authorization must be obtained from the research subjects or a waiver of HIPAA Authorization must be obtained from the Privacy Board/IRB.
How does the Privacy rule affect the recruitment of subjects?
Recommended HIPAA Privacy Practices (Securing Electronic Research Data - As recommended by the аÄÃÅÁùºÏ²ÊÄÚÄ»ÐÅÏ¢Privacy Board) (MS Word)
Policies & Procedures
- HRP-056 - SOP - Definitions of HIPAA Terms (PDF)
- HRP-056a - SOP - Accounting of Disclosures of PHI (PDF)
- HRP-056b - SOP - Evaluating a Research Study for HIPAA Compliance (PDF)
- HRP-056c - SOP - Limited Data Sets (PDF)
- HRP-056d - SOP - Obtaining a Waiver, Partial Waiver or Alteration of Authorization (PDF)
- HRP-056e - SOP - Obtaining Authorizations to Use PHI (PDF)
- HRP-056f - SOP - Preparatory to Research (PDF)
- HRP-056g - SOP - Study Participant Recruitment (PDF)
- HRP-056h - SOP - Use and Disclosure of Decedents' PHI for Research Purposes (PDF)
- HRP-056i - SOP - Use and Disclosure of De-Identified Data for Research Purposes (PDF)
Resources
- The Six Core Elements and Required Statements For a Valid HIPAA Research Authorization (MS Word)
- Recommended HIPAA Privacy Practices (Securing Electronic Research Data) (MS Word)