Compliance Program

Research Privacy and Security

The Health Insurance Portability and Accountability Act (“HIPAA”) specifically addresses how protected health information (“PHI”) can be utilized for research purposes. HIPAA provides that PHI may be used for research as follows:

(a) With a HIPAA authorization signed by the participant or his/her legal representative;
(b) With a waiver of authorization from the IRB or UCDHS Privacy Board;
(c) With a limited data set and a data use agreement;
(d) If the data is fully de-identified;
(e) For preparatory to research purposes; or
(f) For research on decedent data.

HIPAA Authorization Requirement

In order to use or disclose a patient’s protected health information (PHI) for research purposes, a covered entity (UCDHS) is generally required to obtain a written authorization or a waiver of the authorization from an IRB or the UCDHS Privacy Board that meets the requirements of the regulations [45 CFR 164.512(i)]. To access the HIPAA Authorization for research form, go to: http://research.ucdavis.edu/policiescompliance/irb-admin/researchers/irb-forms/

Preparatory to Research

A covered entity (UCDHS) may allow researchers, whether or not affiliated with UCDHS, to review PHI without written authorization for preparatory purposes (e.g., to determine the feasibility of a research study). To be eligible for access to this information, the researcher must certify that:

(a) Access to PHI is solely to prepare a research protocol;
(b) The PHI for which use or access is sought is necessary for the research purpose;
(c) No PHI will be removed or retained; and
(d) No potential research subject will be contacted as part of the preparatory to research process. 

A researcher seeking to access information for preparatory purposes must first obtain consent from the Compliance Dept via submission of the following form: https://ctscassist.ucdmc.ucdavis.edu/redcap/surveys/?s=VRGYXq8PVW

Access to PHI on Decedent Information

The HIPAA Rule protects individually identifiable health information about a decedent for 50 years following the date of death of the individual. UCDHS may use or disclose PHI to the researcher, if the researcher provides that:

(a) Access to PHI is solely for research of the PHI on Decedents;
(b) The PHI for which use or access is sought is necessary for the research purpose;
(c) Only PHI of Decedents, not of living persons, will be accessed and reviewed; and
(d) No PHI will be removed or retained. 

A researcher seeking to access information for preparatory purposes must first obtain consent from the Compliance Dept via submission of the following form: https://ctscassist.ucdmc.ucdavis.edu/redcap/surveys/?s=VqdaAG8o6M

Accounting of Disclosures

The Privacy Rule requires covered entities (UCDHS) to record the disclosure/access or use of patient information without a patient’s authorization in certain situations. Three of the situations where we must account for the use of patient information without the patient’s consent are: (1) research conducted pursuant to a waiver of authorization (approved by the IRB), (2) reviews preparatory to research, and (3) decedent research.

There are two methods to account for disclosure:
(1) Directly accessing the database: https://disclose.ucdmc.ucdavis.edu/ (or by typing “disclose” into the UCDMC intranet)
(2) Quick Disclosures Activity located in the patient’s EHR. See EMR Quick Disclosure Instructions

HIPAA Security Rule

The Privacy Rule affects the conduct of clinical research by controlling how researchers gain access to much of the information needed to perform clinical studies. The Security Rule covers electronic protected health information (ePHI) that a covered entity or business associate creates, receives, maintains or transmits. The Security Rule includes administrative, physical and technical safeguards to protect electronic health information (ePHI).

See HIPAA Security Program for additional information: http://intranet.ucdmc.ucdavis.edu/hipaasecurity/index.htm