HIPAA Research Data Protection Guidance

PHI in Research

A Health Care Component may Use and Disclose PHI for the purposes of Research only in accordance with the University's Office of Human Research Participant Program (HRPP) policies, including the HRPP HIPAA Policies. The University's Institutional Review Board shall serve as the University's Privacy Board.

 

What Do I Need to Do?

HIPAA data requires safeguarding consistent with applicable laws and regulations.  Below is a list of resources we hope you will find helpful for protecting your research data.

Step One: Comply with HIPAA Policies

  1. Review and implement the administrative and physical safeguards described in Safeguards – Administrative and Physical.  
  2. Review and implement the technical safeguards described in Safeguards - Technical.
  3. Review and implement the procedures described in Tracking, Returning, and Disposing of Device and Media.
  4. Consult with local IT staff to verify that your workstations and laptops comply with the HIPAA Workstation Policy.

Step Two: Comply with IT Policies

  1. Follow all existing policies (e.g., Identity and Access Management, Cybersecurity, etc.). Where you are unable to comply with an existing policy, submit an IT exception request and be prepared to create a project-level procedure that provides a detailed set of instructions describing what you have implemented to secure the system.

Details

Article ID: 3418
Created: Fri 5/9/25 2:51 PM
Modified: Mon 5/12/25 11:56 AM