Research HIPAA Compliance Frequently Asked Questions
The following frequently asked questions are provided to help researchers navigate research HIPAA compliance.
What is PHI?
PHI stands for protected health information. The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
How do I know if PHI is involved?
If you answer “yes” to any of the following four questions, then PHI is involved in your research.
- Are you recruiting patients as participants from a health care component?
- Are you accessing the medical record to retrieve data?
- Is a health care component referring patients to you to recruit?
- Are you conducting your research within a health care component?
How do I complete accounting of disclosures?
Accounting of disclosures are required to be completed when access to the medical record is approved without a signed HIPAA authorization from the participants through the approval of a partial or complete waiver of authorization. Partial or complete waivers of authorization are granted for recruitment, screening for eligibility, or research that meets criteria of a waiver. Instructions on how to complete accounting of disclosures in the electronic health record when instructed as a requirement for your research are available by downloading (SOP ECUH Quick Disclosure Aug_2023) or visiting the website https://healthinformation.ecu.edu for all educational materials regarding the EHR .
Where can I store my research data?
Research data containing Protected Health information must either be stored on one of the pre-approved storage locations or obtain approval from the Office of Institutional Integrity (OII) and Healthcare Data Steward. Below is a list of the storage systems currently approved for use:
- Departmental PIRATE drive
- ECU REDCap
- ECU Health secure drive; or
- One Drive (no external collaboration can be part of the study)
- Entering data into a Sponsor’s secure website or data storage equipment (and the sponsor will own the data)
What is a HIPAA system administrator?
A HIPAA system administrator is one that ensures that a device/system that stores Protected Health Information meets HIPAA Security compliance.
Who can be a HIPAA system administrator?
One requirement: individual is a full time faculty or staff at ECU. If the system is research related it is typically someone on the study team that will serve in this role; however, it can be a staff member within the department.
What is a HIPAA system administrator’s responsibility?
- System administrators will complete the HIPAA Security Rule training on an annual basis.
- System administrators will complete Risk Assessments on each system they oversee on an annual basis.
- System administrators will review Log Reviews from their system(s) on a monthly basis.
- With regard to data storage and encryption (for University own systems/devices), it is recommended that the system administrator adhere to the following workstation security measures:
- It is highly recommended that the data is not stored on the local workstation but instead stored in a departmental Piratedrive folder with restricted access.
- The system administrator must ensure that the workstation is appropriately secured. If data is stored on the local workstation instead of a departmental Piratedrive folder for any time period, it should be encrypted.
- Accounts which are no longer needed must be disabled in a timely fashion using an automated or documented procedure.
- An Antivirus software must be implemented- including a procedure to ensure that the virus detection software is maintained and up to date.
- Systems must be configured to automatically update operating system software, client software (web browsers, mail clients, office suites, etc.), and malware protection software (antivirus, anti-spyware, etc.).
- If available, auditing features on the system/device will be enabled.
- With regard to data storage on a departmental Piratedrive, it is recommended that the system administrator adhere to the following security measures:
- Plan the folder and data organization (i.e. will employees have their own folders in which they will store PHI?).
- Maintain documentation of folder administration.
- Grant and remove users and user access on as-needed basis.
- Choose level of access for users (only administrators should have full control access).
- Review and modify user access on as-needed basis.
- Review Piratedrive folder security four times a year. Use the Security Review Log Template that is provided by ITCS.
- Obtain ITPC approval to store Social Security Numbers.
- Obtain ITCS approval of HIPAA data storage measures.
- Protect sensitive data.
- Notify ITCS and the HIPAA Security Office if your role changes and you are no longer a folder administrator.
How long am I required to retain my research data once the study is closed?
When PHI is involved in your study, data should be retained for at least 3 years after the close of the study. All regulatory forms pertaining to the study must be retained for at least 6 years after the close of the study.