JUST THE FACTS: UF Research & HIPAA Regulations
General Information
- At the University of Florida, research involving Protected Health Information (PHI - see definition) is subject to federal privacy regulations.
- HIPAA's Privacy Rule does not override the Common Rule or FDA Human Subjects Research regulations. All federal research regulations apply.
- For Gainesville, IRB-01 functions as the Privacy Board for human subject research conducted at the University of Florida, Shands, and local Veteran's Administration.
- IRB-03 in Jacksonville performs similar functions for research conducted there by UF & Shands.
Training
- To conduct human subject research at the University of Florida or to use the IRB as a Privacy Board for research review, all principal investigators, research coordinators, and staff with access to research-related PHI must complete HIPAA Training. See: IRB-01: HIPAA Training.
- Training must be successfully completed before research documents are submitted to the IRB. Only one training module is required, Research & Health Information Privacy, which is available online at the Privacy website.
- The Research and Information Privacy Training module should be completed annually. General Awareness training is included in this module, so only the one training should be completed.
Data and Databases
- Research data is subject to HIPAA if it includes any of the 18 specific individually identifiable health information factors as defined by the federal regulations.
- Research is not subject to HIPAA if the health information is de-identified, which means all 18 HIPAA factors have been removed. Generally, human tissue is also considered de-identified.
- University policies permit limited data sets and data use agreements; however, they are very strictly controlled. Obtain data use agreements through the Contracts Office.
- To create a research database, obtain an IRB certification and meet the required security and administrative criteria prior to creating or loading data.
- HIPAA regulations include some transition provisions, similar to "grand-fathering", for use and disclosure of PHI obtained prior to April 2003. To determine transition eligibility, contact the Privacy Office or the IRB Privacy Coordinator.
Authorizations and Documentation
- Use or disclosure of PHI for research requires either the individual subject's authorization or IRB approval. Available approvals include a Waiver of HIPAA Authorization, Certification Preparatory to Research, and Certification for Decedent Research. See IRB Documents.
- Authorization is not the same thing as Consent! UF uses a HIPAA-compliant Informed Consent form that includes an approved authorization to use or disclose PHI for research purposes.
- Templates for all HIPAA-related forms are available at the IRB-01 website. Wording on these forms may not be changed without approval from the Privacy Office.
- All HIPAA-related research documents must be retained for a minimum of six years. Longer retention periods might be required if the research involves OHRP or FDA reporting or litigation; if in doubt, check with the Privacy Office, the IRB Privacy Coordinator, or the General Counsel's office.
Recruitment Tactics to Avoid
- Recruitment by casual discussions among and between clinicians (a.k.a. "trolling"), without patient authorization, is not permitted.
- Reviewing record systems to locate potential research participants, without specific patient authorization or IRB approval, is not permitted.
- Requesting a list of patients who meet research criteria is not permitted without an IRB-approved research study and a waiver of authorization.
- Sitting in on conferences or board discussions of patients to identify potential research participants is not permitted if the researcher does not have a direct patient-care relationship with the patients.
Disclosures and Tracking
- Patients have the right, granted by federal and state regulations, to request an Accounting of Disclosures, i.e., disclosures of PHI that were not related to treatment or health care operations, and that were not authorized by the patient or by the IRB.
"It is important to emphasize the difference between a use and a disclosure of PHI. In general, the use of PHI means communicating that information within the covered entity. A disclosure of PHI means communicating that information to a person or entity outside the covered entity, or the communication of PHI from a health care component to a non-health care component of a hybrid entity. The Privacy Rule restricts both uses and disclosures of PHI, but it requires an accounting only for certain PHI disclosures." (HHS/NIH website: Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule)
- Such disclosures generally include those required by law (i.e. public health, abuse, and law enforcement issues) and accidental or unintentional disclosures (sending information to the wrong address, loss or theft of PHI, etc.).
- Each principal investigator is responsible for tracking disclosures, whether research-related or not, by entering them in UF's On-line Disclosure Tracking System.
- Visit the Health and Human Services - HIPAA and Research website for some helpful resources.
Business Associates
- Vendors or consultants with access to research-related PHI must sign a UF Business Associate Agreement before reviewing the health information. In some instances, a Confidentiality Statement might be required instead.
Problems and Errors
- When research improprieties occur, such as failure to use patient authorizations or IRB approvals correctly, the researcher will have 30 days to "cure" the problem.
- Failure to meet the 30-day deadline may result in suspension of research privileges and a University requirement to destroy research data.
- In some instances, depending on the research study, the University may be required to file federal reports about the improprieties and to notify the patients involved.
- When research does not meet UF policies and procedures as well as state and federal statutes, sanctions up to and including dismissal may be imposed. Principal investigators might also be subject to state and federal civil and criminal penalties and incur personal liability.
- In Florida, patients may sue researchers in civil court for an invasion of privacy tort.
When in doubt about research issues involving PHI, call the UF Privacy Office at 352-273-5094 or email the Privacy Office.
