Applicable Regulations - HIPAA

HIPAA establishes security and privacy standards for protecting the health information of a subject, or potential subject, participating in research at the Yale School of Medicine, School of Nursing, University Health Services, and the Department of Psychology Clinics (these are the locations at Yale where health information is either created or received and that fall under HIPAA’s definition of a “covered entity”). HIPAA does not apply to research where health information or data has been stripped of the HIPAA identifiers or to research conducted at other schools or departments at the University as long as a subject’s health information or data is not held by one of Yale’s covered entities. Research data that are collected in foreign countries and brought back to one of Yale’s covered entities are considered protected health information if they contain identifiers. This information must be collected, stored, and maintained in a HIPAA-compliant fashion.

HIPAA requires investigators to obtain authorization from the subject (unless some exception applies) whenever they wish to collect, review, use, or disclose health information from identifiable subjects for research purposes. HIPAA impacts a broad range of research activities, including activities that are “preparatory to research” (such as the review of data to assist in designing the protocol and determining the sample size) as well as the recruitment of subjects. It also covers research activities that use or create health information on living individuals and decedents, and/or research associated with limited data sets. Additional guidance and forms for meeting an investigator’s HIPAA responsibilities can be found in Yale’s Researcher’s Guide to HIPAA at the link provided below. An interactive guide is also available at the link below to help investigators understand and fulfill their HIPAA research responsibilities.

Links to Yale’s interpretive guidance and forms: