Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) is United States legislation that provides data privacy and security provisions for safeguarding medical information.
Protected Health Information (PHI) is defined as "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, paper, or oral. (e-PHI refers to PHI in electronic form.) PHI includes demographic data, information about the provision of health care to the individual or the payment for that care, and any identifiable information that can be used to identify the individual.
While the primary focus of HIPAA is on healthcare providers (such as the Thielen Student Health Center), the regulation also applies to research that involves the personal health information of research subjects.
- Healthcare in the United States is regulated by the Department of Health and Human Services (HHS)
- Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires national standards for electronic health care transactions
- HHS Office for Civil Rights administers the HIPAA Privacy and Security Rules
- HIPAA Privacy Rule describes what information is protected and how protected information can be used and disclosed
- HIPAA Security Rule describes who is covered by the HIPAA privacy protections and what safeguards must be in place to ensure appropriate protection of electronic protected health information
- Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 authorizes HHS to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records and private and secure electronic health information exchange.
Guiding Policies at Iowa State
Institutional Review Board (IRB)
All University research projects and experiments involving human subjects must be reviewed by Iowa State's Institutional Review Board (IRB). The purpose of the IRB is to ensure that the rights and safety of human participants in research are protected. The Security Team is represented on the IRB and provides consultation on the handling of data subject to HIPAA requirements.
The IRB reviews all research at Iowa State involving human participants. Reviews include proposals to gather data from participants for theses, dissertations, and other student projects. Proposed research protocols must be approved by the IRB, as must any modifications to protocols already approved. The IRB also reviews cases of noncompliance, provides policy input, and promotes ethical research throughout the University community. The committee meets twice monthly to review research proposals. Materials for review must be submitted two full weeks before the next meeting. Forms for submission are available on the IRB website.
Methodology and Procedure
Members of the security team are called upon to audit a research project's security as part of an IRB review.
Required control documentation for any system handling level III (restricted) data:
- Data storage (identification of the data, identification of risks to the data, and procedures to mitigate those risks)
  - Devices physically secured
  - Data encrypted in storage and during transport
  - Regular backups and data integrity checks
  - Logs of storage devices retained
- Data communication
  - Limited access to data storage via appropriate firewalls
  - Wireless access discouraged, but if necessary must be through dedicated, isolated access points
- Access control
  - Access limited to authorized personnel
  - Records maintained of persons with access to data
  - Personnel given security awareness training
  - Devices used to access data kept in a controlled area, and locked when unattended
- Change management
  - Changes in protocol must be approved by Iowa State's IRB
  - When equipment is serviced, technicians must be authorized for e-PHI
- Secure data sharing with other organizations
  - Redaction and de-identification where possible
  - Secure transportation of data
  - Restriction of sharing to a data enclave where appropriate
The following are guidelines for reviewers:
Iowa State References
- Policy Library - Health Information Privacy and Security (HIPAA)
- Institutional Review Board
- Office of Responsible Research
- Health Information Privacy Compliance Committee
- Privacy Rules and HIPAA at the University of Iowa
- Administrative and technical requirements to ensure HIPAA regulation compliance (University of Iowa)
- DHS.gov Health Information Privacy page
- NIH Data Sharing Policy and Implementation Guidance
- Office for Civil Rights (U.S. Department of Health & Human Services)
- Guidance for HIPAA and Cloud Computing