Frequently Asked Questions 

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Among other things, the law includes the Privacy rule, which creates national standards to protect privacy of individuals' protected health information (PHI).

The Privacy Rule has been in effect since April 2003. The University of South Florida has adopted policies that promote compliance with the Privacy Rule.

What is PHI?

PHI includes all individually identifiable health information (including information in research databases and tissue bank samples with identifiers) held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.

Individually identifiable health information is information, including demographic data, which relates to:

  1. The individual's past, present or future physical or mental health or condition;
  2. The provision of health care to the individual, or
  3. The past, present or future payment for the provision of health care to the individual;

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

Which groups at the University of South Florida are subject to the HIPAA Privacy Rule?

Entities covered by HIPAA are health care providers, health plans (including employers' sponsored plans), and health care clearinghouses.

The following entities at USF are considered covered components:

  • The USF Health Morsani College of Medicine and its constituent schools and departments (including the USF School of Physical Therapy and Rehabilitation Sciences)
  • The USF St. Petersburg Family Study Center, Infant Family Center
  • The USF College of Pharmacy
  • The USF Student Health Services
  • The Johnnie B. Byrd, Sr. Alzheimer's Center and Research Institute
  • The USF College of Behavioral & Community Sciences Department of Communication Sciences and Disorders
  • The University Medical Services Support Corporation (MSSC)
  • The University Medical Service Association (UMSA)
  • Any University administrative personnel or unit if and to the extent that the personnel or unit performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information or as otherwise regulated by the HIPAA Privacy Rule for, on behalf of, or in support of any of the above-listed components

How does the Privacy Rule affect me as a researcher?

HIPAA affects an investigator's ability to collect and access existing PHI. The Privacy Rule requires certain procedural steps prior to releasing PHI to any investigator for use in research. This is true whether or not the investigator is in or outside of a USF covered component. When PHI is to be used or disclosed for research purposes, a HIPAA Authorization must be obtained from the research subjects or a waiver of HIPAA Authorization must be obtained from the Privacy Board/IRB.

How does the Privacy Rule affect recruitment of subjects?

  1. Through private medical information about individuals who are NOT patients of the investigator(s). Medical records, clinical databases, patient registries or referring physicians can be useful resources to identify potential study subjects, however, it is essential to take special precautions to ensure that patient privacy is protected. It is not appropriate for investigators to make the first contact with potential subjects identified via their protected health information (PHI). Active participation by the patient's primary/specialist health care provider in the recruitment process ensures that consideration is given to the appropriateness of an individual patient's participation in the research prior to recruitment and that the patient's privacy is respected.
  2. From among the researcher's own patient population. A researcher who has a treatment relationship with a patient may approach the patient about participation in any USF IRB-approved trials in which the clinician participates as a researcher/investigator. It is important to note, however, that in such scenarios, researchers must consider the possibility that their patients may feel obligated to participate because they are being asked to do so by their treating physician. Researchers should reinforce with their patients that participation in studies in voluntary, that they do not have to participate and that the decision not to participate will not affect their care, now or in the future.

Recommended HIPAA Privacy Practices (Securing Electronic Research Data - As recommended by the USF Privacy Board) (MS Word)