Research Compliance and the HIPAA Security Rule
The HIPAA Security Rule complements the Privacy Rule by helping ensure that the data security measures and confidentiality protections that HIPAA covered entities must use in their daily operations are also used to safeguard Protected Health Information (PHI) when it is disclosed to researchers employed by non-covered entities. The Security Rule includes:
- Administrative safeguards – organizational policies and procedures
- Physical safeguards – to limit access to locations where PHI is stored, e.g., using locks, ID card access controls, security cameras
- Technical safeguards – to limit access to and protect data stored on information systems, e.g., data encryption, password protection, network security controls
Data Use Agreements
The burden of complying with the requirements of HIPAA rests with covered entities. When disclosing PHI to outside researchers, they achieve compliance with the Privacy Rule and Security Rule via Data Use Agreements (DUAs). These agreements allow HIPAA covered entities to require non-covered entities to whom they disclose PHI to follow established confidentiality and data security practices while in possession of PHI. DUAs include terms and conditions that:
- Restrict the use and disclosure of the PHI by the recipient
- Specify safeguards that must be in place while the PHI is in the possession of the recipient
- Indicate how violations of the terms of the DUA must be reported to the covered entity
- Ensure that the DUA terms and conditions are applied to others who may need access to the PHI during the research (e.g., collaborators at another university)
- Require researchers to provide an assurance that they will not re-identify the information or contact individuals
- Govern the destruction of the PHI by the researchers at the earliest reasonable stage of the project
The UTC Office of Research and Sponsored Programs (ORSP) negotiates and executes DUAs on behalf of all UTC researchers. A draft version of the DUA must be submitted with the IRB application for review by the Office of Research Integrity and the UTC IT Security Team. The HIPAA covered entity providing the data can typically share a DUA template. Changes to DUAs, such as extensions of the end date or disclosure of additional PHI to the researchers, must be communicated to both ORSP and the IRB.
Information Security Plans
Universities address compliance with DUA data security requirements through information security plans that specify the controls that will be used to protect sensitive data. The UTC IT Security Team provides researchers with assistance and oversight in developing and monitoring information security plans. These plans must address any data security policies or regulations that are incorporated into the terms and conditions of the DUA. More information is available on the Research Data Security webpage.