HIPAA Resources for Researchers

  The University of North Carolina at Chapel Hill
 



To report a concern anonymously: Compliance Line

Email comments or questions to: HIPAA@unc.edu

 

 

 

HIPAA and Research at UNC-Chapel Hill

HIPAA (Health Insurance Portability and Accountability Act) is a federal law aimed at protecting health information by establishing standards for the use and disclosure of individually identifiable health information (known as Protected Health Information or PHI) that is created or received by a health care entity. HIPAA took effect in April 2003 with new procedures for collecting and sharing patient information used in research.

Privacy Review

Under HIPAA, unless one of the exceptions discussed below applies, investigators who wish to use PHI for research purposes must obtain a signed authorization from each individual. Institutions are required to establish a “Privacy Board” to review and approve requests for waivers of authorization for use and disclosure of PHI for research purposes. At UNC, the IRB serves as the Privacy Board. Thus, researchers are not obliged to apply to two separate committees.

Mandated Training

According to the Federal Regulations, all institutions governed by HIPAA must train their employees regarding PHI. The University provides online training for new employees and annual training updates for existing employees.

In addition, University employees involved in human subject research must complete IRB-approved ethics training through the Collaborative Institutional Training Initiative (CITI). CITI is a web-based training package on issues relating to human subjects research. The last module, "Research and HIPAA Privacy Protections," is in addition to, and does not replace, any HIPAA training required by UNC Health Care and other covered units at UNC-Chapel Hill.

Office of Human Research Ethics IRB Training

Research Proposal Requirements

  • Requirements for new research proposals:
    Researchers should prepare and submit their research protocols for IRB review and submit their HIPAA-related documents to the IRB at the same time. Researchers whose new protocols involve PHI should either:

    1. collect written authorization from patients for the release of their PHI; or

    2. ask the IRB for a waiver from the authorization (under defined circumstances, the most important of which is that the research could not be done without the waiver); or

    3. deidentify the data. PHI that has been deidentified (stripped of a long list of identifiers) is not governed by HIPAA regulations.

  • In addition, there are two circumstances in which IRB approval is not required but in which researchers must make representations under HIPAA if they are doing work with PHI.

    1. Research on decedents. You will be required to fill out a form and certify to the office that holds the data that you meet certain requirements.

    2. Data review (medical records, film library, lab data, etc.) preparatory to designing a research protocol. You will be required to fill out a form and certify to the office that holds the data that you meet certain requirements.

Tracking Disclosures of PHI

If PHI is disclosed to anyone outside your research team, or to someone who was not identified in the patient authorization, you must, unless some exception applies, keep a record of whom you shared the data with and for what purpose.

 
   

  © 2008 The University of North Carolina at Chapel Hill.  All rights reserved.

Site maintained by the Research Compliance Program.  Last revised 05/23/08.