Office for Research Protections
Senior Vice President for Research About ORP Human Participants Research (IRB) Animal Research (IACUC) Biohazardous Materials (IBC) Radioisotopes (UIC) Conflict of Interest (COI) Research Ethics Workshops, Outreach & Training Research Study Listing News & Events SARI Resource Portal

 

Find Us on Facebook
@PSUORP on twitter

 

HIPAA: An Introduction to the Impact on Research

Adapted in part from:

Office for Civil Rights. "OCR Guidance Explaining Significant Aspects of the Final Privacy Rule." December 5, 2002. Office for Civil Rights. December 13, 2002.

Woods, Gerald W. "Impact of the HIPAA Privacy Rule on Academic Research." ACENET. November 22, 2002. American Council on Education. December 13, 2002.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was designed to improve the efficiency and effectiveness of the healthcare system. In response to the original HIPAA law, Health and Human Services (HHS) published an additional regulation referred to as the Privacy Rule that relates directly to organizations involved in healthcare operations that transmit health information electronically. Typical organizations covered by HIPAA include:

  • Health plans;
  • Health care clearinghouses; and
  • Health care providers who conduct certain financial and administrative transactions electronically, such as billing and fund transfers.

The Privacy Rule establishes Federal protections for the privacy of protected health information (PHI), which is defined as individually identifiable health information transmitted or maintained in any form or medium including paper records. Explicitly, PHI:

  • Relates to the past, present or future physical or mental health condition.
  • Relates to the provision of health care or the past, present, or future payment for the provision of health care.
  • Identifies individual or could reasonably be used to identify individual.
    AND
  • Has been transmitted or maintained in any form or medium (electronic, paper, oral).

All affected entities will need to be in compliance with the Privacy Rule by April 14, 2003 - this includes research conducted at Penn State that utilizes PHI.