HRPP Manual Section 7-6
Health Insurance Portability and Accountability Act Compliance in Human Research
Individuals engaged in human subject research are responsible for complying with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA establishes federal protections for the use (i.e. the sharing, employment, application, utilization, examination, or analysis of health information within an entity that maintains such information) or disclosure (i.e. the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information) of protected health information.
Health information means any information, including genetic information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Protected health information means individually identifiable health information: (1) Except as provided in paragraph (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium. (2) Protected health information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.
The rule does not replace federal, state, or other laws that grant individuals greater privacy protections and covered entities are free to retain or adopt more protective policies or practices. As such, individuals engaged in human subject research maintain responsibility for complying with all requirements regarding use or disclosure of protected health information, including those specified by HIPAA and implemented by the covered entity (ies). The covered entity also maintains responsibility for the proper use or disclosure of protected health information for research purposes. Covered entitymeans (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA. At MSU, the MSU Health Team is responsible for its clinics as a covered entity.
A covered entity may use or disclose protected health information (PHI) for research, regardless of the source of funding, provided that the activity meets the HIPAA requirements for:
i) Research use or disclosure with individual authorization
ii) Approval of an alteration of the use or disclosure with individual authorization
iii) Approval of a waiver of authorization
iv) Limited data sets with a data use agreement
v) Reviews preparatory to research
vi) Research in decedent’s information
vii) De-identification
In some instances, the use or disclosure of PHI (or de-identification) for research as defined in HIPAA may not otherwise require review by a Michigan State University Institutional Review Board because the activity does not involve human subjects as defined in the HRPP Manual Section 4-3.
However, when a research study submitted to the MSU Human Research Protection Program (HRPP) may involve PHI, the “Use of Protected Health Information Application” must be submitted to the IRB. The project will be assigned to the Compliance office. Assignments will include requests for not human subject research determinations, exempt applications, initial applications, renewals, and revisions. The review will follow the procedures described in the following HRPP Manual Sections.
See HRPP Manual Sections:
This policy and procedure supersedes those previously drafted.
Approved By: Vice President of Research and Graduate Studies on 2-25-2015. Revision 1 approved by Assistant VP Regulatory Affairs on 12-11-2015.
Related HRPP Manual Sections