HIPAA FAQs
Q. I am planning a research study that will engage personnel at a HIPAA covered entity as collaborators, e.g., to recruit and enroll participants, deliver an intervention, and/or collect or share individuals’ health information. What do I need to do?
A. The Privacy Rule and Security Rule apply to all HIPAA covered entities. Your study design will need to conform with one of the options on the Privacy Rule and Research Design Options webpage. Information that is collected during clinical visits primarily for research purposes, but that will also become a part of the participant/patient’s medical record, is subject to HIPAA. For prospective studies, how the information that is collected will be used and who will have access to it must be clearly explained to participants during the informed consent process.
Q. UTC operates a health clinic—why isn’t the university considered a HIPAA covered entity?
A. HIPAA excludes individually identifiable health information that is maintained in records about post-secondary students. These records typically are subject to similar protections from disclosure by FERPA or other federal statutes. Researchers seeking to use health information from the university health clinic must comply with FERPA.
Q. What about the University of Tennessee Health Science Center in Memphis or the University of Tennessee College of Medicine - Chattanooga? Can I obtain health information from them to use in my research?
A. Some organizations that perform both covered and non-covered activities operate as hybrid entities under HIPAA. The University of Tennessee System is a hybrid entity. UT Health Science Center campuses and clinics have been designated as covered components within the UT system; other campuses and clinics have not. Contact the Office of Research Integrity if your research design requires health information from UTHSC or UT College of Medicine – Chattanooga.