Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) is United States federal legislation, enacted in 1996, that provides data privacy and security provisions for safeguarding medical information.

Protected Health Information (PHI) is defined as "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. (ePHI refers to PHI in electronic form.) PHI includes demographic data about the individual, information about the provision of health care to the individual or the payment for that care, and any identifying information that can be used to link the data back to the individual.

Pertinent Regulations

While HIPAA primarily applies to healthcare providers (such as the Thielen Student Health Center), it also applies to research that involves the personal health information of research subjects.

Guiding Policies at Iowa State

Institutional Review Board (IRB)

All University research projects and experiments involving human subjects must be reviewed by Iowa State's Institutional Review Board (IRB). The purpose of the IRB is to ensure that the rights and safety of human participants in research are protected. The Security Team is represented on the IRB and provides consultation on the handling of data subject to HIPAA requirements.

The IRB reviews all research at Iowa State involving human participants. Reviews include proposals to gather data from participants for theses, dissertations, and other student projects. Proposed research protocols must be approved by the IRB, as must any modifications to protocols already approved. The IRB also reviews cases of noncompliance, provides policy input, and promotes ethical research throughout the University community. The committee meets twice monthly to review research proposals. Materials for review must be submitted two full weeks before the next meeting. Forms for submission are available on the IRB website.

Methodology and Procedure

Members of the Security Team are called upon to audit a research project's security controls as part of an IRB review.

Required control documentation for any system handling level III (restricted) data:

  1. Data Storage (identification of data, identification of risks to the data, and procedures to mitigate those risks)
    • Devices physically secured
    • Data encrypted in storage and during transport
    • Regular backups and data integrity checks
    • Logs of storage devices retained
  2. Data communication
    • Limited access to data storage via appropriate firewalls
    • Wireless access discouraged, but if necessary must be through dedicated, isolated access points
  3. Access control
    • Access limited to authorized personnel
    • Records maintained of persons with access to data
    • Personnel given security awareness training
    • Devices used to access data in a controlled area, and locked when unattended
  4. Change management
    • Changes in protocol must be approved by Iowa State's IRB
    • When equipment is serviced, technicians must be authorized to handle ePHI
  5. Secure data sharing with other organizations
    • Redaction and de-identification where possible
    • Secure transportation of data
    • Restriction of sharing to a data enclave where appropriate

The following are the guidelines reviewers apply. The Privacy Rule governs how PHI may be used and disclosed; the Security Rule specifies the administrative, physical, and technical safeguards required for ePHI.

  1. HIPAA Privacy Rule
  2. HIPAA Security Rule


Iowa State References

External References