HIPAA and Research at
HIPAA (Health Insurance Portability and Accountability Act) is a federal law aimed at protecting health information by establishing standards for the use and disclosure of individually identifiable health information (known as Protected Health Information or PHI) that is created or received by a health care entity. HIPAA took effect in April 2003 with new procedures for collecting and sharing patient information used in research.
Under HIPAA, unless one of the exceptions discussed below applies, investigators who wish to use PHI for research purposes must obtain a signed authorization from each individual. Institutions are required to establish a “Privacy Board” to review and approve requests for waivers of authorization for use and disclosure of PHI for research purposes. At UNC, the IRB serves as the Privacy Board. Thus, researchers are not obliged to apply to two separate committees.
According to the Federal Regulations, all institutions governed by HIPAA must train their employees regarding PHI. The University provides online training for new employees and annual training updates for existing employees.
In addition, University employees involved in human subject research must complete IRB-approved ethics training through the Collaborative Institutional Training Initiative (CITI). CITI is a web-based training package on issues relating to human subjects research. The last module, "Research and HIPAA Privacy Protections," is in addition to, and does not replace, any HIPAA training required by UNC Health Care and other covered units at UNC-Chapel Hill.
Office of Human Research Ethics IRB Training
Research Proposal Requirements
Requirements for new research proposals:
Researchers should prepare and submit their research protocols for IRB review and submit their HIPAA-related documents to the IRB at the same time. Researchers whose new protocols involve PHI should either:
collect written authorization from patients for the release of their PHI; or
the IRB for a waiver from the authorization (under defined circumstances, the most important of which is that the research could not be done without the
deidentify the data. PHI that has been deidentified (stripped of a long list of identifiers) is not governed by HIPAA regulations.
In addition, there are two circumstances in which IRB approval is not required but in which a researcher must make representations under HIPAA if they are doing work with PHI.
Research on decedents. You will be required to fill out a form and certify to the office that holds the data that you meet certain requirements.
Data review (medical records, film library, lab data, etc.) preparatory to designing a research protocol. You will be required to fill out a form and certify to the office that holds the data that you meet certain requirements.
Tracking Disclosures of PHI
If PHI is disclosed to anyone outside your research team, or to someone who was not identified in the patient authorization, you must, unless some exception applies, keep a record of whom you shared the data with and for what purpose.