The Health Insurance Portability and Accountability Act (HIPAA) is the foundation for data protection requirements for human subject’s research that creates, obtains, uses, or discloses health data. This protection primarily focuses on individual identifiable health information, or information in any form that relates to an individual’s past, present or future medical health condition or payments relating to healthcare services. When it comes to enforcement of these procedures, one may rely on an IRB to assess the compliance to the regulations. Additionally, research subjects are encouraged to seek the organization’s authorities or federal/state agencies to file complaints or inquire about the protection efforts.
According to HIPAA, research is defined as a systematic investigation that includes development, testing, and evaluation of data to contribute to generalizable knowledge. It is important to note that some investigative activities that include patient data are excluded from this definition or research. For example, investigations intended to be used for quality assessment or improvement of guidelines and protocols are not included in this definition or research. In this case, different HIPAA rules would apply.
If the dataset falls within the definition of research, HIPAA requires explicit authorization (consent) from the subject for the use of the data. Just like all consent, however, it can be revoked by the subject at any time, and withdrawal of consent must be provided in writing. In some cases, HIPAA does allow for research related access to data without consent. This can happen when the research involves a minimal risk, is involved solely for research activities, if only information from deceased individuals is used, or if the research has been grandfathered in from before legal permissions were in place. Additionally, if data is fully de-identified, meaning that all direct identifiers relating to the data are removed, a researcher does not need consent from individual data subjects.
In addition to the rule of privacy for individual health information, researchers are also tasked to keep individual health information secure. This is called the security rule, and it requires researchers to disclose the appropriate security protections that exist to maintain the safety of the data to each subject.
We work with graduate students every day and know what it takes to get your research approved.