University of South Alabama   USA Home   Web Index   Search   Directories   FAQ

Office of Research Compliance and Assurance


Human Subjects

HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that governs, among other things, the transmission of health care financial or administrative information between two parties. The HIPAA Privacy Rule establishes for the first time a set of requirements for protecting the confidentiality of person identifiable data rising as a result of health care services, and includes the requirement that Authorization be obtained in most situations before this type of data can be used for research purposes. HIPAA is designed to protect people's privacy and to make certain patients and research subjects understand how their health information is used and disclosed. See the Protected Health Information (PHI) (pdf file) list for individual identifiers. Research studies for use of this type of data will require review and approval by the IRB. The HIPAA Privacy Rule becomes effective April 14, 2003.
HIPAA requires language in the written informed consent for the use and disclosure of PHI for research. This may be accomplished by inserting HIPAA privacy authorization language directly into your primary informed consent form. The proper format for the confidentiality section of the consent form, as modified to incorporate the authorization language in provided in the Revised Template: For the Confidentiality Section (pdf file). In order to comply with HIPAA requirements, additional language should be added the to Confidentially Section of the Informed Consent form - - See the HIPAA Authorization template.
HIPAA Forms and Compliance Procedures
- HIPAA Subject Authorization- template
- Waiver of Subject Authorization (Word file)
- Limited Data Use Agreement (pdf file)
- Revocation of Authorization to Release PHI (pdf file)
- Research Database Registration Form (Word file)
(Guidance: Databases containing protected health information (PHI) used for research purpose are affected by the HIPAA Privacy Rule. The Privacy Rule regulations cover the use of databases containing PHI just as they apply to any other research using PHI. The Research Database Form documents compliance with requirements outlined in the HIPAA Privacy and Security Rule.)
- USA HIPAA Privacy Compliance Plan for Research

HIPAA Certifications
- Reviews Preparatory to Research (pdf file)
- Research Involving Deceased Individuals
- De-Identification Certification

TRAINING

Faculty, fellows, staff, and students participating in human subjects research involving Protected Health Information (PHI) is required to complete the HIPAA Research tutorial. Training must be completed before participating in human subjects research involving PHI.

HIPAA has the following important implications for you as a researcher:

1.    To obtain prior written Authorization from the subject
2.    To obtain a waiver of Authorization

RESOURCES
- Protecting Personal Health Information in Research - HHS Publication
- Office for Civil Rights - HIPAA
- Privacy Rule - Regulation Text (pdf file)
- NIH HIPAA Privacy Rule - Educational Materials
-HIPAA and Research Requirements videotape, USA Office of Research Compliance and Assurance. Contact Ms. Layton at 460-6625 if you wish to borrow a copy.

HIPAA: Research FAQs:
What about research data that has already been collected?
According to HIPAA, such data is granfathered in.
How will HIPAA impact human subjects who are already enrolled in a research study?
Subjects that have enrolled prior to April 14, 2003 will not be required to re-consent. Investigators may continue to collect and use data gathered from these subjects and no new documentation is required.
What are the HIPAA standards for human subjects research?
There are four ways to perform HIPAA compliant research. They are:
1.    Obtain subject Authorization
2.    Obtain a waiver of authorization from the IRB
3.    Use of de-identified information
4.    Use of limited data set
What about reviews preparatory to research?
Investigators may review PHI without subject authorization to prepare a research protocol or for similar purposes preparatory to research.  Also, research on decedent's information involving PHI do not require subject authorization.  However, both activities must be approved by the IRB.
What are the new research documents required by HIPAA?
HIPAA compliant research documents include:
1.    Authorization (HIPAA language template form - to be inserted in the consent form)
2.    Waiver of Authorization
3.    Data use agreement
These forms will be made available as they become available and can also be obtained through the IRB.
What about releasing data outside of the USA Health System?
Intentional releases of research data outside USA must be made clear in the research study documents submitted for IRB approval. Such releases should be described within the authorization portion of the informed consent. Upon IRB approval, then such releases are permitted. Disclosures for studies involving de-identified information of a limited data set are also permitted.
For additional information, please contact the Office of Research Compliance and Assurance at 460-6625 or email dlayton@usouthal.edu
University of South Alabama   Contact Us
Text Only Options

Top of page


Text Only Options

Open the original version of this page.

Usablenet Assistive is a UsableNet product. Usablenet Assistive Main Page.