The HIPAA Privacy Rule establishes conditions under which covered entities can provide researchers access to and use of Protected Health Information (PHI). The Privacy Rule should not impede research; however, it does estabish specific requirements for assessing and using PHI. Researchers should be cognizant of HIPAA requirements and ensure that their research procedures account for these requirements. The Principal Investigator is responsible for ensuring that his or her research is conducted in compliance with HIPAA. Under the HIPAA Privacy Rule, researchers must meet certain requirements before using or disclosing individually identifiable health information for research.
Researchers at USC may not use or disclose PHI, except in one of the following circumstances:
- The research subject has signed a written Authorization for Research containing all the elements specified in the Privacy Rule;
- An IRB has waived or altered the requirement for HIPAA Authorization for Research;
- The covered entity has de-identified the data prior to its use or disclosure for research;
- The data are in the form of a limited data set and the researcher has signed a Data Use Agreement; or
- The activities involved are preparatory to research.
Researchers are strongly encouraged to contact their Department's Privacy Officer for help with creating a HIPAA Authorization for Research for a specific study. The USC IRB does not review, approve, or stamp HIPAA Authorizations for Research. The IRB is USC's Privacy Board for the review and approval of Waivers of HIPAA Authorization.