JUST THE FACTS: UF Research & HIPAA Regulations
General Information
- At the University of Florida, research involving Protected Health Information (PHI - see definition) is subject to federal HIPAA regulations, effective April 14, 2003.
- HIPAA's Privacy Rule does not override the Common Rule or FDA Human Subjects Research regulations. All federal research regulations apply.
- For Gainesville, IRB-01 functions as the Privacy Board for human subject research conducted at the University of Florida, Shands, and local Veteran's Administration.
- IRB-03 in Jacksonville performs similar functions for research conducted there by UF & Shands.
Training
- To conduct research at the University of Florida or to use the IRB as a Privacy Board for research review, all principal investigators, research coordinators, and staff with access to research-related PHI must complete HIPAA Training. See: IRB-01: HIPAA Training.
- Training must be successfully completed before research documents are submitted to the IRB. Two training modules are required, and both are available online at the Privacy website:
  - HIPAA for Researchers, a focused training module - renew every 2 years, and
  - HIPAA & Privacy: General Awareness, the Level 1 training module required for everyone - renew annually.
Data and Databases
- Research data is subject to HIPAA if it includes any of the 18 specific individually identifiable health information factors as defined by the federal regulations.
- Research studies that incorporate patient treatment, i.e. clinical trials, are subject to HIPAA regulations.
- Research is not subject to HIPAA if the health information is de-identified, which means all 18 HIPAA factors are completely removed. Generally, human tissue is considered de-identified and is also excluded.
- To create a research database, an IRB certification must be obtained and specific security and administrative criteria must be met.
- University research policies permit limited data sets and data use agreements; however, they are very strictly controlled. Obtain data use agreements through the Contracts Office.
- HIPAA regulations include some transition provisions, similar to "grand-fathering", for use and disclosure of PHI obtained prior to April 2003. To determine transition eligibility, contact the Privacy Office or the IRB Privacy Coordinator.
Authorizations and Documentation
- Use or disclosure of PHI for research requires either the individual subject's authorization or IRB approval. Such approvals include: Waivers of Authorization, Certification Preparatory to Research, and Certification for Decedent Research. See IRB Documents.
- Authorization is not the same thing as Consent! UF uses a HIPAA-compliant Informed Consent form that includes an approved authorization to use or disclose PHI for research purposes.
- Templates for all HIPAA related forms are available at the IRB-01 website. Wording on these forms may not be changed without approval from the Privacy Office.
- Researchers who wish to conduct research using PHI from any database or medical record must have each patient's authorization or an IRB approval before research or reviews begin.
- All research documents must be retained for a minimum of six years. Longer retention periods might be required if the research involves OHRP or FDA reporting or litigation; if in doubt, check with the Privacy Office.
Recruitment Tactics to Avoid
- Recruitment by casual discussions among and between clinicians (a.k.a. "trolling"), without patient authorization, is not permitted.
- Reviews of record systems to locate potential research participants, without specific patient authorization or IRB approval, are not permitted.
- Requesting a list of patients who meet research criteria is not permitted without an IRB-approved research study and a waiver of authorization.
- Sitting in on conferences or board discussions of patients to identify potential research participants is not permitted if the researcher does not have a direct patient-care relationship with the patients.
Disclosures and Tracking
- Patients have the right, granted by federal and state regulations, to request an Accounting of Disclosures, i.e., disclosures of PHI that were not related to treatment or health care operations, and that were not authorized by the patient or by the IRB.
- "It is important to emphasize the difference between a use and a disclosure of PHI. In general, the use of PHI means communicating that information within the covered entity. A disclosure of PHI means communicating that information to a person or entity outside the covered entity, or the communication of PHI from a health care component to a non-health care component of a hybrid entity. The Privacy Rule restricts both uses and disclosures of PHI, but it requires an accounting only for certain PHI disclosures." (HHS/NIH website: Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule)
- Such disclosures generally include those required by law (i.e. public health, abuse, and law enforcement issues) and accidental or unintentional disclosures (sending information to the wrong address, loss or theft of PHI, etc.).
- Each principal investigator is responsible for tracking disclosures, whether research-related or not, by entering them in UF's On-line Disclosure Tracking System.
- Visit the Health and Human Services - HIPAA and Research website for some helpful resources.
Business Associates
- Vendors or consultants with access to research-related PHI must sign a UF Business Associate Agreement before reviewing the health information. In some instances, a Confidentiality Statement might be required instead.
Problems and Errors
- When research improprieties occur, such as failure to use patient authorizations or IRB approvals correctly, the researcher will have 30 days to "cure" the problem.
- Failure to meet the 30-day deadline may result in suspension of research privileges and a University requirement to destroy research data.
- In some instances, depending on the research study, the University may be required to file federal reports about the improprieties and to notify the patients involved.
- When research does not meet UF policies and procedures as well as state and federal statutes, sanctions up to and including dismissal may be imposed. Principal investigators might also be subject to state and federal civil and criminal penalties and incur personal liability.
- In Florida, patients may sue researchers in civil court for an invasion of privacy tort.
When in doubt about research issues involving PHI, call the UF Privacy Office at 352-273-5094 or email the Privacy Office.