HIPAA
IRBMED
Approval Date: August 10, 2020 3:00 pm
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule governs the use and release of a patient’s personal health information, also known as Protected Health Information (PHI), by a covered entity.
Using and/or disclosing PHI for research purposes generally requires either a signed authorization from the individual or a waiver of authorization by the IRBMED. The Privacy Rule also allows use/disclosure without individual authorization under a select few additional circumstances:
- Use/disclosure is solely for purposes preparatory to research, such as assessing the feasibility of conducting a study.
- Use/disclosure is solely for research on the protected health information of decedents (deceased individuals).
- Data is de-identified by the covered entity before being made available to the researcher (researcher never views PHI).
- A limited data set may be used/disclosed under the terms of a written data use agreement.
For studies subject to IRBMED review and approval, the Full Convened Board or Expedited Reviewer(s) makes applicable determinations regarding HIPAA compliance along with determinations required by other federal regulations.
HIPAA Privacy Rule protections apply to research use/disclosure of PHI, independent of other federal regulations on human subjects research. For instance, “Exempt human subjects research” making use of PHI to identify eligible subjects, or to create a research dataset, may require a waiver of HIPAA authorization. “Activities not regulated as human subjects research” that involve use/disclosure of PHI are also regulated under HIPAA. Depending on the type of activity, HIPAA requirements may be satisfied by individual authorization, waiver, or one of the other provisions. IRBMED makes determinations regarding HIPAA compliance for “Exempt human subjects research” and for “Activities not regulated as human subjects research.”
Research involving PHI may also require a data use agreement (DUA), even when Michigan Medicine staff/faculty use Michigan Medicine data. Standard Data Use Agreement (aka Data Sharing Agreement) templates for Michigan Medicine data are available from the UMMS Data Office for Clinical and Translational Research and Michigan Medicine Compliance Office. These offices, as well as ORSP Data Sharing Resource Center, are available to assist with DUAs. External DUAs (sending data to, or obtaining from, outside the University) should be processed through the Unfunded Agreement (UFA) form in eResearch Proposal Management (eRPM).
IRBMED HIPAA topics
HIPAA Authorization documents
IRBMED Informed Consent Templates include a HIPAA Authorization section for research
Regulations, Guidance, and Policies
Federal Regulations & Guidance on HIPAA
- 45 CFR 164.501, 164.508, 164.512(i)
- Office for Civil Rights main HIPAA site
- Research and HIPAA Privacy Rule page
- HIPAA Privacy Rule Information for Researchers from NIH
Michigan Medicine Guidance on HIPAA
Michigan Medicine Policies on HIPAA, Security, and Privacy
(requires level-2 login)
- 01-04-300 Introduction to Privacy and Security Concepts and Definitions
- 01-04-340 De-identification and Re-identification of Protected Health Information (PHI)
- 01-04-342 Limited Data Sets
- 01-04-360 Use of Protected Health Information (PHI) in Research
- 01-04-001 Corporate Compliance Program (code of conduct which contains requirements for securing data)
Email Questions about IRBMED HIPAA documents, applications, and processes
Questions?
Contact us at [email protected] or 734-763-4768 / (Fax 734-763-1234)
2800 Plymouth Road, Building 520, Room 3214, Ann Arbor, MI 48109-2800
A list of IRBMED staff is available in the Personnel Directory, or view the list of Regulatory Teams.
Edited By: [email protected]
Last Updated: December 21, 2020 3:30 PM