Security Rule
Research Compliance and the HIPAA Security Rule
The HIPAA Security Rule complements the Privacy Rule by helping ensure that the data security measures and confidentiality protections that HIPAA covered entities must use in their daily operations are also used to safeguard Protected Health Information (PHI) when it is disclosed to researchers employed by non-covered entities. The Security Rule includes:
- Administrative safeguards – organizational policies and procedures
- Physical safeguards – to limit access to locations where PHI is stored, e.g., using locks, ID card access controls, security cameras
- Technical safeguards – to limit access to and protect data stored on information systems, e.g., data encryption, password protection, network security controls
Data Use Agreements
The burden of complying with the requirements of HIPAA rests with covered entities. When disclosing PHI to outside researchers, they achieve compliance with the Privacy Rule and Security Rule via Data Use Agreements (DUAs). These agreements allow HIPAA covered entities to require non-covered entities to whom they disclose PHI to follow established confidentiality and data security practices while in possession of PHI. DUAs include terms and conditions that:
- Restrict the use and disclosure of the PHI by the recipient
- Specify safeguards that must be in place while the PHI is in the possession of the recipient
- Indicate how violations of the terms of the DUA must be reported to the covered entity
- Ensure that the DUA terms and conditions are applied to others who may need access to the PHI during the research (e.g., collaborators at another university)
- Require researchers to provide an assurance that they will not re-identify the information or contact individuals
- Govern the destruction of the PHI by the researchers at the earliest reasonable stage of the project
The UTC Office of Research and Sponsored Programs (ORSP) negotiates and executes DUAs on behalf of all UTC researchers. A draft version of the DUA must be submitted with the IRB application for review by the Office of Research Integrity and the UTC IT Security Team. The HIPAA covered entity providing the data typically can share a DUA template. Changes to DUAs, such as extensions of the end date or disclosure of additional PHI to the researchers, must be communicated to both ORSP and the IRB.
Information Security Plans
Universities help ensure that compliance with DUA data security requirements is addressed through information security plans that specify the controls that will be used to protect sensitive data. The UTC IT Security Team provides researchers with assistance and oversight in developing and monitoring information security plans. These plans must address any data security policies or regulations that are incorporated in the terms and conditions of the DUA. More information is available on the Research Data Security webpage.