Use of Protected Health Information

Overview

The Health Insurance Portability and Accountability Act (HIPAA) establishes federal protections for the use or disclosure of protected health information(PHI). The rule does not replace federal, state, or other laws that grant individuals greater privacy protections and covered entities are free to retain or adopt more protective policies or practices.

Responsibilities

Individuals engaged in human subject research maintain responsibility for complying with all requirements regarding use or disclosure of protected health information, including those specified by HIPAA and implemented by the covered entity (ies). The covered entity also maintains responsibility for the proper use or disclosure of protected health information for research purposes.

Use or Disclosure of PHI for Research

A covered entity may use or disclose PHI for research, regardless of the source of funding, provided that the activity meets the HIPAA requirements for:

  • Research use or disclosure with individual authorization
  • Approval of an alteration of the use or disclosure with individual authorization
  • Approval of a waiver of authorization
  • Limited data sets with a data use agreement
  • Reviews preparatory to research
  • Research in decedent’s information
  • De-identification

MSU Human Research Protection Program and HIPAA

When a research study submitted to the MSU Human Research Protection Program (HRPP) may involve PHI, the project will be assigned to a MSU Human Research Liaison. Assignments will include requests for not human subject research determinations, exempt applications, initial applications, renewals, and revisions. The review will follow the procedures described in the following HRPP Manual Sections.

See HRPP Manual Sections 7-6-A,B,C,D and 8-2 and 3.