HIPAA

HIPAA (the Health Insurance Portability and Accountability Act of 1996) required the creation of a Privacy Rule for individually identifiable health information. The resulting Privacy Rule, finalized in August 2002, took effect on April 14, 2003. While the main impact of the Privacy Rule is on the provision of care (treatment, payment and operations), the Rule also affects the conduct and oversight of research.
HIPAA and the Security Rule

The HIPAA Security Rule, which addresses the safeguarding of electronic protected health information (PHI), went into effect in April 2005. Like the Privacy Rule, the Security Rule applies to identifiable health information, that is, health information that carries any of the 18 HIPAA-designated identifiers. The Security Rule defines standards for protecting electronic PHI, with detailed attention to how PHI is stored, accessed, transmitted, and audited.
The Security Rule affects any researcher who stores PHI electronically, including (but not limited to):

1. A single researcher who stores data in a spreadsheet, Word document, etc., on an H: drive
2. A researcher who stores data on a personal laptop, on a zip drive or other portable hard drive, or on a non-Partners PC
3. A researcher and co-investigators who access data on a shared drive maintained by their department or by Partners IS
4. Researchers who transmit data electronically as part of a multi-center study
5. Researchers who maintain small, medium, or large data repositories