Human Research Protection Program

Office Hours:
Monday - Friday
8am - 5pm

 

Mailing Address:
Michigan State University

207 Olds Hall
East Lansing, MI 48824

Phone: (517) 355-2180
Fax: (517) 432-4503
Email: irb@msu.edu

 

Office Location:
207 Olds Hall.
Olds Hall is located between the Administration Building and MSU Main Library.

 

Health Insurance Portability and Accountability Act (HIPAA)

 

HIPAA Overview

 

The U.S. federal regulation commonly referred to as “HIPAA” or the “Privacy Rule” establishes a foundation of protection for the privacy of individual health information.  This rule does not replace any other Federal, State or local law that grants even greater privacy protections, and health care entities are free to be more protective.  The Privacy Rule:

  • Gives patients more control over their health information
  • Sets boundaries on the use and release of health records
  • Establishes safeguards that must be achieved to protect the privacy of health data
  • Holds violators accountable with civil and criminal penalties
  • Strikes a balance when public responsibility supports disclosure of some information, for example, to protect public health

Further development of the HIPAA regulations includes the “Security Rule,” which addresses administrative, physical and technical safeguard requirements for electronic health information.

 

HIPAA Brief History

 

The Health Insurance Portability and Accountability Act (HIPAA) of 1996, U.S. Public Law 104-191, included requirements to develop and adopt national standards for privacy protection of individually identifiable health information and for electronic health care transactions.

 

The privacy protection standards were developed by the U.S. Department of Health and Human Services, Office of Civil Rights (HHS, OCR), published in December of 2000, and modified into a final rule in August of 2002 after extensive public comment.  The final rule, “Standards for Privacy of Individually Identifiable Health Information,” required compliance by April 14, 2003 for health care providers, health plans, and health care clearinghouses with an extension of one year for small health plans.  This regulation is codified in 45 CFR 164 Security and Privacy, Subpart E Privacy of Individually Identifiable Health Information, 164.500 – 164.534.

 

These regulations were modified and expanded in February of 2003. A new section was added to 45 CFR 164: Subpart C Security Standards for the Protection of Electronic Protected Health Information, 164.302 – 164.318. This Subpart is commonly referred to as the “Security Rule” or “Security Standard” and required compliance by April 20, 2005.

 

*Based on guidance posted on the US Office of Civil Rights website, last revised May 16, 2006, at http://www.hhs.gov/ocr/hipaa/privacy.html and on the US Centers for Medicare and Medicaid website, last modified December 14, 2005, at http://www.cms.hhs.gov/SecurityStandard/

 

Implications For Research

 

HIPAA sets standards for how health care information flows from health care providers, health plans, and health care clearinghouses. Researchers who need to use or access this information are affected indirectly, because the regulations govern this flow.

Researchers will be required to obtain use of and access to medical information from these "covered entities" in the following ways:

  1. Presenting valid authorization forms signed by the individual.
  2. Obtaining approval of an Institutional Review Board or Privacy Board for a waiver of authorization.
  3. Contracting for a "limited data set" with a valid "data use agreement"
  4. Representing that their research use is allowed without authorization
  5. Subjects are deceased
  6. The data they require does not identify the subjects (it is "de-identified")
  7. They are employed by the covered entity and are preparing to do research

What it Means for MSU Researchers and IRB Members:

  • The MSU Research Privacy Board reviews HIPAA-related research protocols at the same time as the regular IRB review
  • De-identification of health information before it is given to researchers is recommended by the Privacy Board as the best way to ensure privacy
  • Researchers must submit any needed HIPAA authorization forms with their application (or renewal / revision) form to the IRB
  • The MSU approved template of a valid authorization is acceptable to MSU HealthTeam. Sparrow Hospital has adopted a similar form.
  • Information for MSU researchers is available by website, email, telephone, and through requested seminars and meetings
  • The MSU HealthTeam HIPAA privacy officer has developed logs for tracking disclosures without authorizations, e.g., limited data sets
  • Requests for waiver of authorization can be submitted to the MSU Research Privacy Board as part of the initial application to the IRB; criteria are included in the application.