Research HIPAA Compliance Frequently Asked Questions

The following frequently asked questions are provided to help researchers navigate research HIPAA compliance.

What is PHI?
PHI stands for protected health information. The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

How do I know if PHI is involved?
If you answer “yes” to any of the following four questions, then PHI is involved in your research.

  • Are you recruiting patients as participants from a health care component?
  • Are you accessing the medical record to retrieve data?
  • Is a health care component referring patients to you to recruit?
  • Are you conducting your research within a health care component?

How do I complete accounting of disclosures?
An accounting of disclosures is required when access to the medical record is approved without a signed HIPAA authorization from the participants, that is, through the approval of a partial or complete waiver of authorization. Partial or complete waivers of authorization are granted for recruitment, screening for eligibility, or research that meets the criteria for a waiver. Instructions on how to complete an accounting of disclosures in the electronic health record, when this is a requirement for your research, are available by downloading the SOP (SOP ECUH Quick Disclosure Aug_2023) or by visiting https://healthinformation.ecu.edu for all educational materials regarding the EHR.

Where can I store my research data?

Research data containing Protected Health Information must be stored in one of the pre-approved storage locations; storing it anywhere else requires approval from the Office of Institutional Integrity (OII) and the Healthcare Data Steward. Below is a list of the storage systems currently approved for use:

  • Departmental PIRATE drive
  • ECU REDCap
  • ECU Health secure drive
  • OneDrive (no external collaboration can be part of the study)
  • Entering data into a Sponsor’s secure website or data storage equipment (and the sponsor will own the data)

What is a HIPAA system administrator?

A HIPAA system administrator is the individual who ensures that a device or system that stores Protected Health Information meets HIPAA Security Rule compliance.

Who can be a HIPAA system administrator?

One requirement: the individual must be a full-time faculty or staff member at ECU. If the system is research related, it is typically someone on the study team who serves in this role; however, it can also be a staff member within the department.

What is a HIPAA system administrator’s responsibility?

  1. System administrators will complete the HIPAA Security Rule training on an annual basis.
  2. System administrators will complete Risk Assessments on each system they oversee on an annual basis.
  3. System administrators will review Log Reviews from their system(s) on a monthly basis.
  4. With regard to data storage and encryption (for University-owned systems/devices), it is recommended that the system administrator adhere to the following workstation security measures:
    1. It is highly recommended that the data not be stored on the local workstation but instead in a departmental Piratedrive folder with restricted access.
    2. The system administrator must ensure that the workstation is appropriately secured. If data is stored on the local workstation instead of a departmental Piratedrive folder for any period of time, it should be encrypted.
    3. Accounts which are no longer needed must be disabled in a timely fashion using an automated or documented procedure.
    4. Antivirus software must be implemented, including a procedure to ensure that the virus detection software is maintained and up to date.
    5. Systems must be configured to automatically update operating system software, client software (web browsers, mail clients, office suites, etc.), and malware protection software (antivirus, anti-spyware, etc.).
    6. If available, auditing features on the system/device will be enabled.
  5. With regard to data storage on a departmental Piratedrive, it is recommended that the system administrator adhere to the following security measures:
    1. Plan the folder and data organization (for example, will employees have their own folders in which they store PHI?).
    2. Maintain documentation of folder administration.
    3. Grant and remove users and user access on an as-needed basis.
    4. Choose the level of access for users (only administrators should have full control access).
    5. Review and modify user access on an as-needed basis.
    6. Review Piratedrive folder security four times a year. Use the Security Review Log Template that is provided by ITCS.
    7. Obtain ITPC approval to store Social Security Numbers.
    8. Obtain ITCS approval of HIPAA data storage measures.
    9. Protect sensitive data.
    10. Notify ITCS and the HIPAA Security Office if your role changes and you are no longer a folder administrator.
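The following Python script is an added example of the kind of check a folder administrator can run for items 3 through 6 of the Piratedrive list above (quarterly folder security review, as-needed access removal, and full control limited to administrators). It is not ECU, ITCS or Piratedrive tooling. It assumes the folder's access list and the directory's account records have already been exported into simple records (on a Windows file share, `Get-Acl` and a directory query would be the usual sources); the administrator group name `DEPT\PHI-Folder-Admins`, the folder path and all account entries are constructed sample data.

```python
"""Quarterly PHI folder access review (added example with constructed data).

Produces the findings a folder administrator would record in a security
review log: FullControl held by anyone other than the administrator group,
disabled accounts still present in the ACL, and accounts with no recent
logon whose access should be re-confirmed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    principal: str   # account or group name as it appears in the ACL
    rights: str      # "FullControl", "Modify", "ReadAndExecute", ...


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    last_logon: Optional[date]   # None means the account has never logged on


# Hypothetical administrator group; only it should hold FullControl on the folder.
ADMIN_GROUPS = {"DEPT\\PHI-Folder-Admins"}

Finding = Tuple[str, str, str]   # (severity, principal, description)


def review_folder_access(acl: List[AclEntry], directory: List[Account],
                         today: date, stale_days: int = 90) -> List[Finding]:
    """Compare a folder's ACL against directory records and return findings."""
    findings: List[Finding] = []
    by_name = {a.name: a for a in directory}
    for entry in acl:
        # Item 4: full control is reserved for the administrator group.
        if entry.rights == "FullControl" and entry.principal not in ADMIN_GROUPS:
            findings.append(("high", entry.principal,
                             "FullControl granted outside the administrator group"))
        acct = by_name.get(entry.principal)
        if acct is None:
            continue   # groups or principals absent from the directory export
        # Item 3/5: access that should already have been removed.
        if not acct.enabled:
            findings.append(("high", entry.principal,
                             "disabled account still listed in the folder ACL"))
        elif acct.last_logon is None or (today - acct.last_logon).days > stale_days:
            findings.append(("medium", entry.principal,
                             f"no logon in the last {stale_days} days; "
                             "confirm access is still needed"))
    return findings


def review_log_lines(folder: str, today: date, findings: List[Finding]) -> List[str]:
    """Render findings as the lines of a dated review log entry (item 6)."""
    lines = [f"Security review of {folder} on {today.isoformat()}: "
             f"{len(findings)} finding(s)"]
    for severity, principal, text in sorted(findings):
        lines.append(f"  [{severity.upper()}] {principal}: {text}")
    return lines


# Constructed sample data: one PHI folder's ACL and the matching directory records.
SAMPLE_ACL = [
    AclEntry("DEPT\\PHI-Folder-Admins", "FullControl"),
    AclEntry("DEPT\\jdoe", "Modify"),
    AclEntry("DEPT\\asmith", "FullControl"),      # full control outside the admin group
    AclEntry("DEPT\\former-ra", "ReadAndExecute"),  # account disabled but still in ACL
    AclEntry("DEPT\\bwong", "ReadAndExecute"),      # no logon for roughly four months
]
SAMPLE_DIRECTORY = [
    Account("DEPT\\jdoe", True, date(2024, 3, 1)),
    Account("DEPT\\asmith", True, date(2024, 3, 5)),
    Account("DEPT\\former-ra", False, date(2023, 9, 1)),
    Account("DEPT\\bwong", True, date(2023, 11, 15)),
]
REVIEW_DATE = date(2024, 3, 15)

if __name__ == "__main__":
    results = review_folder_access(SAMPLE_ACL, SAMPLE_DIRECTORY, REVIEW_DATE)
    print("\n".join(review_log_lines("\\\\piratedrive\\dept\\phi-study",
                                     REVIEW_DATE, results)))
```

On the sample data the script reports three findings: the non-administrator with FullControl, the disabled account still present in the ACL, and the account with no logon in the review window. The rendered lines are meant to be pasted into the Security Review Log; the script itself changes nothing on the share, so the removal of access remains a deliberate, documented step by the folder administrator.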

How long am I required to retain my research data once the study is closed?

When PHI is involved in your study, data should be retained for at least 3 years after the close of the study. All regulatory forms pertaining to the study must be retained for at least 6 years after the close of the study.

What is a workforce member of a health care component?

Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the HIPAA Privacy Rule.

Examples include, but are not limited to, staff, employees, volunteers, students, and trainees who serve in a role within the health care component (covered entity). If you are a student assigned to work within a health care component as part of your training, then you are representing the health care component and are considered a workforce member.

How do I know whether I need a Request for Preparatory Review of Protected Health Information form or an Application for Waiver or Alteration of HIPAA Authorization form for recruitment and preparatory work for a research study?

If the study team simply needs to view or screen Protected Health Information for eligibility screening and recruitment purposes, without removing the Protected Health Information from the medical record, then a Request for Preparatory Review of Protected Health Information form is needed.

If the study team needs to review medical records and remove Protected Health Information to build a recruitment list that will be stored for research purposes outside the electronic or paper medical record, then a Waiver or Alteration of Authorization form is needed.