HIPAA and Research

Title

HIPAA and Research

Published Date

2008-06-30

Type

Report

Abstract

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains provisions that have significant implications for University researchers who use health information in their research. The HIPAA Privacy Rule, effective April of 2003, defined the types of organizations that are subject to HIPAA and the concept of Protected Health Information (PHI). The Privacy Rule specified that PHI could be used, created, or disclosed for research purposes only if authorized by a signed authorization, or waiver of that authorization by an Institutional Review Board or Privacy Board. The HIPAA Security Rule, effective April 2005, defines electronic PHI and establishes required and addressable administrative, physical, and technical safeguards that must be implemented to protect the privacy and confidentiality of PHI in electronic format. Most research data is maintained locally by investigators using a variety of technologies that may range from Personal Digital Assistants and laptop computers to multi-user shared data repositories. The use of personal workstations running simple single-user database or spreadsheet programs is common in research settings. Compliance with the Security Rule for these types of systems will vary widely depending on the data and how it is created, used, shared, or stored. As a practical matter, many researchers may not possess the skill set or have the resources to fully implement the safeguards required by HIPAA. Information technology groups that do possess the requisite skills may have limited resources to support the hundreds of researchers who work with health data. In addition, some widely used computer technologies are not compliant with the Security Rule. Examples include workstations with no login security (e.g., Windows98) and data management and analysis applications used to store PHI that have no ability to generate audit trails. 
A common example would be the use of Excel spreadsheets containing ePHI, for which there is no technical capability to generate an audit trail, one of the required Technical Safeguards. There are known compliance risks associated with health data and many common security needs in research. The University needs to develop a strategic response to the challenges of securing private data in research. The response needs to allow for the various and important needs for access to and sharing of research data while ensuring that the data is safeguarded in a way that meets compliance requirements and institutional expectations.

Suggested citation

University of Minnesota: President's Emerging Leaders Program. (2008). HIPAA and Research. Retrieved from the University Digital Conservancy, https://hdl.handle.net/11299/91776.
