Human Research Protections (IRB)
HIPAA Compliance
protecting health information used in research
The mission of the HIPAA Compliance Program is to facilitate researchers' access to Protected Health Information (PHI) to further research and ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (a.k.a. the "Privacy Rule"). The purpose of the HIPAA Compliance Program is to ensure that research studies involving the use, disclosure or collection of PHI are conducted with the utmost respect to the study participants' privacy and confidentiality rights, thereby preserving and maintaining public trust in the University.
Scope
The HIPAA Compliance Program extends directly or indirectly to any researcher who
is conducting research using PHI, whether the researcher's primary appointment is
with a USF Covered Component or not. The HIPAA Compliance Program also renders service
to USF affiliates whose studies involve PHI. For more information regarding the HIPAA
Program:
Email HIPAA-research@usf.edu
Forms and Templates
WEB-BASED HIPAA COURSES
For USF Health
HIPAA education is mandatory for USF Health faculty, staff, students, residents, and fellows who are in the USF Covered Health Care Component. If you are required to complete HIPAA education for USF Health, you must go to their Web Site to complete it: USF Health HIPAA Education. If you have any questions or problems with the USF Health HIPAA training, please contact their Help Desk at (813) 974-6288.
Please Note: The USF Health HIPAA course does not meet the USF IRB requirement for education in human subject protections.
Faq
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Among other things, the law includes the Privacy rule, which creates national standards to protect privacy of individuals' protected health information (PHI).
The Privacy Rule has been in effect since April 2003. The University of South Florida
has adopted policies that promote compliance with the Privacy Rule.
Show
What is PHI?
PHI includes all individually identifiable health information (including information in research databases and tissue bank samples with identifiers) held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.
Individually identifiable health information is information, including demographic data, which relates to:
- The individual's past, present or future physical or mental health or condition;
- The provision of health care to the individual, or
- The past, present or future payment for the provision of health care to the individual;
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Which groups at the University of South Florida are subject to the HIPAA Privacy Rule?
Entities covered by HIPAA are health care providers, health plans (including employers' sponsored plans), and health care clearinghouses.
The following entities at USF are considered covered components:
- The USF Health Morsani College of Medicine and its constituent schools and departments (including the USF School of Physical Therapy and Rehabilitation Sciences)
- The USF St. Petersburg Family Study Center, Infant Family Center
- The USF College of Pharmacy
- The USF Student Health Services
- The Johnnie B. Byrd, Sr. Alzheimer's Center and Research Institute
- The USF College of Behavioral & Community Sciences Department of Communication Sciences and Disorders
- The University Medical Services Support Corporation (MSSC)
- The University Medical Service Association (UMSA)
- Any University administrative personnel or unit if and to the extent that the personnel or unit performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information or as otherwise regulated by the HIPAA Privacy Rule for, on behalf of, or in support of any of the above-listed components
How does the Privacy rule affect me as a researcher?
HIPAA affects an investigator's ability to collect and access existing PHI. The Privacy Rule requires certain procedural steps prior to releasing PHI to any investigator for use in research. This is true whether or not the investigator is in or outside of a USF covered component. When PHI is to be used or disclosed for research purposes, a HIPAA Authorization must be obtained from the research subjects or a waiver of HIPAA Authorization must be obtained from the Privacy Board/IRB.
How does the Privacy rule affect the recruitment of subjects?
Recommended HIPAA Privacy Practices (Securing Electronic Research Data - As recommended by the USF Privacy Board) (MS Word)
Policies & Procedures
- HRP-056 - SOP - Definitions of HIPAA Terms (PDF)
- HRP-056a - SOP - Accounting of Disclosures of PHI (PDF)
- HRP-056b - SOP - Evaluating a Research Study for HIPAA Compliance (PDF)
- HRP-056c - SOP - Limited Data Sets (PDF)
- HRP-056d - SOP - Obtaining a Waiver, Partial Waiver or Alteration of Authorization (PDF)
- HRP-056e - SOP - Obtaining Authorizations to Use PHI (PDF)
- HRP-056f - SOP - Preparatory to Research (PDF)
- HRP-056g - SOP - Study Participant Recruitment (PDF)
- HRP-056h - SOP - Use and Disclosure of Decedents' PHI for Research Purposes (PDF)
- HRP-056i - SOP - Use and Disclosure of De-Identified Data for Research Purposes (PDF)
Resources
- The Six Core Elements and Required Statements For a Valid HIPAA Research Authorization (MS Word)
- NIH Frequently Asked Questions about HIPAA
- NIH Guide: IRB & HIPAA Privacy Rule
- Recommended HIPAA Privacy Practices (Securing Electronic Research Data) (MS Word)