Human Subjects

Policies & Guidance

HIPAA

If you are conducting human subject research (or plan to in the future) and can answer Yes to any of the following questions, then HIPAA requirements apply to you.

  • Are you using any health information or information that can be linked to or used to identify an individual (e.g., name, address, Social Security number, or other identifier) and pertains to an individual's past, present, or future physical or mental health?
  • Was the health information obtained as part of clinical care, or obtained by someone who normally cares for patients?
  • Are you conducting retrospective medical chart reviews?
  • Are you conducting research using existing biological samples?
  • Are you conducting research using existing research or clinical data?
  • Are you consenting or re-consenting subjects in an existing research protocol that involves health information after April 14, 2003?

If you have further questions regarding HIPAA, please see HIPAA Compliance FAQs.

HIPAA Affected Areas - Liaison List (PDF)

Examples of Limited Data Sets & Deidentified Data

The highlighted data fields in the graphics below signify data that may NOT be collected for the respective data sets.

Limited Data Set

Demographics
Patient Identification Numbers or Cards (SS#, Medical Record Number, Driver's License)
Full Name
Street Address
City, State, Zip Code
Phone Number
Fax Number
E-mail address
URLs and IP Addresses
Gender
Race
Religion
Date of Birth
Photographs
Spouse Information
Beneficiary Information
Parent/Guardian Information
Emergency Contact Information
Vehicle Identification Number
Biometric Identifiers (including finger and voice prints)

Insurance Information
Financial Information
Insurance Carrier
Insurance Group Numbers
Copy of Insurance Card
Guarantor (Responsible Party)
Billing Address
Employer
Primary Care Provider
Total Charges
Claim Forms
Payment History
Pre-certifications or Prior Authorizations
Medical Information (continued)
Procedures
Orders or Requests
Patient History
Personal Habits
Weight
Height
Age
Temperature
Pulse
History of Present Illness
Dictation
Symptoms
Physical Findings
Family Medical History
Discharge Status
Medications
Barriers to Communication
Mode of Arrival
Allergies/Untoward Reactions to Drugs
Reason for Encounter
Request for Consultation
CPT Codes
ICD-9 Codes
Date of Death
 
Medical Information
Patient Complaints
Dates of Service
Admission and Discharge Dates
Treating or Referring Physician, Clinic, Hospital
Diagnosis
Treatment Plan
Immunization Record
Psychotherapy Note Information
Lab Tests
Blood Type

 

 

Deidentified Data Set

Demographics
Patient Identification Numbers or Cards (SS#, Medical Record Number, Driver's License)
Full Name
Street Address
City, State, Zip Code
Phone Number
Fax Number
E-mail address
URLs and IP Addresses
Gender
Race
Religion
Date of Birth
Photographs
Spouse Information
Beneficiary Information
Parent/Guardian Information
Emergency Contact Information
Vehicle Identification Number
Biometric Identifiers (including finger and voice prints)

Insurance Information
Financial Information
Insurance Carrier
Insurance Group Numbers
Copy of Insurance Card
Guarantor (Responsible Party)
Billing Address
Employer
Primary Care Provider
Total Charges
Claim Forms
Payment History
Pre-certifications or Prior Authorizations
Medical Information (continued)
Procedures
Orders or Requests
Patient History
Personal Habits
Weight
Height
Age
Temperature
Pulse
History of Present Illness
Dictation
Symptoms
Physical Findings
Family Medical History
Discharge Status
Medications
Barriers to Communication
Mode of Arrival
Allergies/Untoward Reactions to Drugs
Reason for Encounter
Request for Consultation
CPT Codes
ICD-9 Codes
Date of Death
 
Medical Information
Patient Complaints
Dates of Service
Admission and Discharge Dates
Treating or Referring Physician, Clinic, Hospital
Diagnosis
Treatment Plan
Immunization Record
Psychotherapy Note Information
Lab Tests
Blood Type

 

Accounting for Disclosures

The Privacy Rule grants the right to request and receive an accounting for some “disclosures” of PHI, including disclosures made in connection with certain research projects. An accounting is a record of each disclosure of each patient’s PHI. A right to an accounting only applies to disclosures of PHI, not to uses of PHI. Patients have a right to an accounting of disclosures made in the six years prior to the patient’s request, and only of disclosures in connection with protocols conducted with a waiver of authorization.

Investigators must keep an accounting of the following disclosures:

  • Disclosures made in research conducted with a waiver of authorization approved by the IRB (Privacy Board) for the study or for recruitment purposes
  • Disclosure of PHI to a person or entity not on the authorization
  • Disclosure of PHI to or from a federal- or state-mandated registry
  • Disclosure of PHI that is used for reviews preparatory to research unless the information is deidentified or in a limited data set
  • Disclosure of a decedent’s PHI used for research

The following templates may be helpful for investigators when accounting for disclosures:

For more information, see the IU IRB SOP on Confidentiality and Privacy.

Research with Decedent PHI

Research involving use of decedent PHI is not considered human subjects research and does not require IRB review. However, the IU SOP on Confidentiality and Privacy requires that investigators conducting research with decedent PHI document certain criteria. A certification form is available below.

Investigators should complete this form prior to beginning their research and should be able to produce it upon request.

Lost, Stolen, or Misdirected Data

IU Policy ISPP-26 requires immediate reporting of lost, stolen, or misdirected data or devices. This policy applies to all:

  • Information – whether in printed, verbal, or electronic form – created, collected, stored, manipulated, transmitted, or otherwise used in the pursuit of Indiana University's mission, regardless of the ownership, location, or format of the information.
  • Information systems used in the pursuit of Indiana University's mission irrespective of where those systems are located.
  • Individuals encountering such information or information systems regardless of affiliation.

Per the procedures below, all individuals are required to immediately report to the University Information Policy Office (UIPO) any:

  • Suspected or actual security breaches of information – whether in printed, verbal, or electronic form – or of information systems used in the pursuit of the university's mission.
  • Abnormal systematic unsuccessful attempts to compromise information – whether in printed, verbal, or electronic form – or information systems used in the pursuit of the university's mission.
  • Suspected or actual weaknesses in the safeguards protecting information – whether in printed, verbal, or electronic form – or information systems used in the pursuit of the university's mission.

Policy: ISPP-26 - Information and Information System Incident Reporting, Management, and Breach Notification
