Privacy and Cyber Security Considerations for Research

The Health Insurance Portability and Accountability Act (HIPAA) establishes the conditions under which protected health information (PHI) may be used or disclosed by covered entities for research purposes. 

• PHI may be used and disclosed with individual’s written permission (HIPAA Authorization)
• PHI may be used and disclosed without authorization in the following limited circumstances:
• Waiver of authorization
• Limited data set with data use agreement
• Preparatory to research
• Research on descendants’ information

All research involving human subjects requires HMH IRB approval. See HMH’s HRPP webpage for additional information.

Even PHI used with the appropriate waivers of authorization still require data security controls to limit the access and inadvertent disclosure outside the IRB approved protocol. 

All research at HMH needs to have the appropriate security controls to protect data, regardless of the sensitivity. These include, but are not limited to:

• Storage of data on HMH approved devices
• Cloud storage on HMH supported services
• DTS approval may be required for release of certain data types outside of HMH. 

Additional Information

• HHS.gov HIPAA and Research
• HIPAA Privacy Booklet

HMH Policies and SOPs

• HRPP SOPs
• HIPAA Research and Privacy (13246773)
• HMH Digital Technology Services (DTS) and DTS Cybersecurity maintain a number of policies in order to recognize the requirement to comply with applicable administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of data. 
• DTS policies can be found on PolicyStat by selecting Policies > Policies by Policy Area > Digital Technology Services (DTS) - Enterprise
• DTS Cybersecurity policies can be found on PolicyStat by selecting Policies > Policies by Policy Area > Cybersecurity - Enterprise