Research Compliance

Welcome to Research Compliance:

The Health Insurance Portability and Accountability Act (HIPAA) - Protects individuals' rights as they relate to the privacy and confidentiality of one's protected health information (PHI). HIPAA implemented two rules, the Privacy Rule and the Security Rule:

  • The HIPAA Privacy Rule – Defines and addresses Protected Health Information (PHI) and how PHI can be used. This includes instances when patient authorization is required and when authorization is not required if the access to and request for the PHI are pursuant to treatment, payment, or operations (TPO). These terms are defined narrowly and do not include most research activities. One way a covered entity (UHS) can use or disclose PHI for research purposes without an authorization from the subject is by obtaining documentation of a waiver of the authorization by an Institutional Review Board (UT-Health).

  • The HIPAA Security Rule - Establishes national standards to protect an individual’s electronic protected health information that is created, received, used, or maintained by the Covered Entity (University Health System). Its safeguards ensure that the confidentiality and security of the PHI are never compromised in a way that leads to unnecessary access or disclosure.

Although HIPAA does not directly govern research, its privacy and security rules regulate healthcare providers, health plans, and clearinghouses (collectively known as covered entities) that often control data that researchers need to conduct clinical research.

University Health System Policies