The HIPAA Privacy Rule, in effect starting April 14, 2003, protects the privacy of subject’s health information which is used in human research. For researchers to gain access to health information that is stored at any HIPAA “covered entity”, investigators must provide the covered entity with written assurances covering how the health information will be used and protected. On the medical campus, “covered entities” include Boston Medical Center (both inpatient and outpatient), and several Boston University clinical functions (BUSDM Dental Clinic, Human Genetics Laboratory, Dental Pathology Laboratory, and BU Dental Plan).
These “covered entities” will require that investigators’ requests for health information receive prior approval through BUMC Office of the Institutional Review Board. The forms that investigators will need and the approval processes differ for different types of research. A brief description of each research type is listed below and the forms are available on the left button bar of this page.
- Authorization: (http://www.bumc.bu.edu/hipaa)
In studies that require the subjects to sign a consent form, subjects must also sign an authorization form which gives researchers permission to use and share subjects’ protected health information for the purposes of the research study.
- Waiver of HIPAA Authorization: (http://www.bumc.bu.edu/hipaa)
In some situations where there is minimal risk to subjects’ privacy and several other conditions are met (analogous to the conditions when the IRB can waive Informed Consent), investigators can request a waiver of HIPAA Authorization.
- De-identified Health Information: (http://www.bumc.bu.edu/hipaa)
Investigators may request access to health information that has been stripped of identifiers (i.e., identifying characteristics like name, social security number, etc.). Be aware that, for HIPAA purposes, there is a lengthy list of 18 different identifiers that must be stripped.
- Limited Data Set: (http://www.bumc.bu.edu/hipaa)
This refers to health information that is not completely de-identified (i.e., can include dates, zip codes and city, and some other unique identifying numbers, characteristics, or codes.) To access a limited data set, investigators must also provide the “covered entity” with a Data Use Agreement, which provides assurances how the privacy of the health information will be protected.
- Preparation of a Research Proposal: (http://www.bumc.bu.edu/hipaa)
To review medical records and collect data for preparation of a research proposal or to identify subjects that would be eligible for a study, researchers must document what information they need, why, and how they will protect the data.
- Decedent Research: (http://www.bumc.bu.edu/hipaa)
To do research using health information from individuals who are deceased, researchers must provide information about what information is needed, why, and how the privacy of the information will be assured.
- Privacy in Research & HIPAA (http://www.bumc.bu.edu/hipaa)
- HIPAA Forms(BMC/BUMC)
- Research and HIPAA (BMC/BU research policy and procedure)
- Privacy at BMC
Additional information on BMC’s policies and procedures for Internal Resources available on BMC intranet (http://www.internal.bmc.org/hipaa), including Disclosure Tracking, HIPAA Disclosure Matrix and Policy on Account of Disclosures of PHI at BMC.
- NIH Human Subjects Training Site (http://www.nihtraining.com/crt.html)
- Clinical Research Times (http://www.bu.edu/crtimes)
- New COI Form & Policy (.doc)