For Researchers at the University at Buffalo
of April 14, 2003 if
your research involves the use or creation of health
information about your research subjects there are new steps you must implement to protect
the privacy of a research subject's personally identifiable health information. This
website will assist you in fulfilling these new federal regulatory requirements.
The privacy provisions of the Health Insurance Portability and Accountability
Act (HIPAA) require that additional safeguards be put in place to protect the
privacy and security of an individual's health information, including persons
enrolled as research subjects.
The privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) require that additional safeguards be put in place to protect the privacy and security of an individual's health information, including persons enrolled as research subjects.
Although the UB research function has been explicitly defined as a non-covered function under HIPAA, research protocols involving the provision of health care, or that will be obtaining health information from a third party entity will be required by the UB IRBs to adhere to the HIPAA regulations as they relate to a non-covered entity for acquiring individually identifiable health information for research purposes from a covered entity.
In general, protocols that must comply with UB HIPAA policy will need to secure from each research subject a signed HIPAA compliant authorization form to use or disclose their personally identifiable health information for research purposes. In some instances, there are alternatives to obtaining authorization including a waiver of authorization and a certificate of de-identification. The HIPAA Worksheet (below) will guide you to the correct option available to fulfill the new regulatory requirements and UB's policy for implementing them.
Be mindful that your research protocol may obtain individually identifiable health information from different locations, and for different uses in various stages of the protocol, e.g., subject identification, recruitment, data collection and analysis. A protocol that is required to comply with UB's HIPAA research policies must have a HIPAA mechanism in place for every piece of individually identifiable health information it obtains.
HIPAA Documents and worksheets
Overview - documents to better understand HIPAA and HIPAA at UB
UB HIPAA Overview - what UB functions are covered under HIPAA and how does HIPAA apply to research.
UB HIPAA Declarations and Guidance - Formal UB position statements on issues such as UB covered functions, non-covered functions, etc. This page also contains UB Guidance documents aimed at helping the UB community understand specific HIPAA issues (some specifically target research issues).
Organizational Issues Describes the impact of HIPAA on research when multiple entities, each with its own HIPAA issues, participate in research.
HIPAA and UB Research Power Point presentation orienting the researcher to HIPAA at UB is available from this link.
Nuts-And-Bolts - documents needed by UB investigators to assist them in complying with HIPAA at UB.
This worksheet will assist you in determining if HIPAA will impact your
research and, if it does, what mechanisms you need to have in place in order to
collect individually identifiable health information so that your research will collect
data in a way that is compliant with UB's policy to meet the HIPAA Privacy regulations.
Specific HIPAA information transfer mechanisms:
This material is designed for internal University at Buffalo use only and is
copyrighted. Information and documents available on this site may be
freely copied and used with appropriate attribution to the University at
Buffalo. None of the information on these pages should be construed as
legal advice or expert opinion with respect to how any particular function or
entity engages in work to come into compliance with HIPAA.