The Office for Civil Rights (OCR), Department of Health and Human Services (DHHS) has a comprehensive guidance document entitled, Standards for Privacy of Individually Identifiable Health Information. This document provides clarification on the privacy requirements of Pub. L. 104-191, the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) governs how health care entities and their associates use and disclose individually identifiable health information about their patients, including any use of disclosure for research purposes. By April 14, 2003, "covered entities" must have implemented standards to protect and guard against the misuse of inadvertent disclosure of health information that can be linked to an individual -- or risk civil or criminal penalties.

For colleges and universities that conduct research covered by the rule, this guidance is a useful tool. The guidance is organized by major issues, such as "Uses and Disclosures for Treatment, Payment, and Health Care Operations." Each section provides an overview of requirements and frequently asked questions (FAQs). The extensive section on research builds upon the exiting rules for the protection of human subjects as prescribed in the Common Rule and Regulations of the Food and Drug Administration.

The Privacy Rule creates standards of privacy protection for research that is not already governed by the federal requirements.

Understanding Health Information Privacy

Summary of the HIPAA Privacy Rule

HIPAA- Frequently Asked Questions (searchable database)