What is HIPAA?

HIPAA is an acronym for the Health Insurance Portability and Accountability Act, passed by Congress in 1996. The purpose of the Act was to increase the ease with which people could transfer their health care information from one insurer or provider to the next. Congress, as part of HIPAA, required the development of privacy regulations to
protect the confidentiality of individually identifiable health care information. The final privacy Rule was issued on August 14, 2002 (www.hhs.gov/ocr/hipaa/finalreg.html).  All Institutions must comply with HIPAA regulations by April 14, 2003.


Who is Affected by HIPAA?

All researchers (faculty, staff, or students) at MSU who access or create Protected Health Information (PHI) preceding or during the conduct of their research must comply with the HIPAA regulations.


What is PHI?

Protected Health Information is any information pertaining to a) the past, present, or future physical or mental health or condition of an individual; b) the provision of health care to an individual; or c) the past, present, or future payment for the provision of health care to an individual. PHI may be information that is recorded electronically, on paper, or orally. PHI may concern living people or dead people (referred to in the law as “decedents”).  PHI does NOT include de-identified information or biological tissue with no accompanying information, such as an accession number or code number that may be linked to an identifier.


What Kind of Research and Researchers are Affected by the HIPAA Regulations?

Any kind of research conducted under the auspices of MSU that creates or uses protected health information is subject to the HIPAA regulations (http://privacyruleandresearch.nih.gov/). This includes such research activities as clinical trials, chart reviews, epidemiological studies, behavioral, and social science studies, as well as basic science research activities. It includes research that involves the provision of treatment as well as research that provides neither treatment nor diagnosis.

All studies involving creation or use of Protected Health Information (PHI) must be reviewed and approved in advance by MSU’s Human Subjects Institutional Review Board.  All researchers, whether or not they are directly connected with MSU, who wish to conduct research involving protected health information must complete HIPAA training before they will be allowed to have access to individually identifiable health information in any form.


HIPAA Training

If your protocol involves Protected Health Information (PHI) you must complete the CITI training modules "Basics of Health Privacy" and "Health Privacy for Researchers" (Information Privacy Security [IPS] Course).


HIPAA Worksheet