Office of Sponsored Programs

HIPAA Guidance Released

      On December 4, the Office for Civil Rights (OCR), Department of Health and Human Services (DHHS), issued a comprehensive guidance document, entitled Standards for Privacy of Individually Identifiable Health Information. This document, which has been long awaited by entities who use patients or patient records in clinical research, provides clarification on the privacy requirements of
Pub. L. 104-191, the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
      The so-called "Privacy Rule" (45 CFR Part 160 and Subparts A and E of Part 164) governs how health care entities and their associates use and disclose individually identifiable health information about their patients, including any use of disclosure for research purposes. By April 14, 2003, "covered entities" must have implemented standards to protect and guard against the misuse of inadvertent disclosure of health information that can be linked to an individual -- or risk civil or criminal penalties.
      For colleges and universities that conduct research covered by the rule, this guidance will be a useful tool. The guidance is organized by major issues, such as "Uses and Disclosures for Treatment, Payment, and Health Care Operations." Each section provides an overview of requirements and frequently asked questions (FAQs). The extensive section on research builds upon the exiting rules for the protection of human subjects as prescribed in the Common Rule and Regulations of the Food and Drug Administration.
      However, the Privacy Rule goes beyond existing requirements and creates standards of privacy protection for research that is not already governed by the federal requirements. The FAQ section of the guidance is particularly useful.

Link to the guidance.

Other Useful HIPAA Documents

The American Council on Education (ACE) has published two white papers on the maze of HIPAA requirements. One of the papers explains the privacy requirements as they apply to academic research; the other explains how the requirements apply to campus functions, such as the medical services that colleges and universities offer to their students. The two reports, Impact of the HIPAA Privacy Rule on Academic Research and Primer for the College of University Administrator, are linked below:

Link to other HIPAA documents.


	Last Revised: December, 2007 Publisher: Sponsored Programs Administration For Information Contact: jmu_grants@jmu.edu Privacy Statement