Skip to Content (Press Enter)

 California State University, Fullerton

FACT SHEETS

HIPPA and the IRB

The Health Insurance Portability and Accountability Act of 1996 (HIPPA) was enacted to issue privacy regulations governing individually indefinable health information.  The Privacy Rule protects all iindividually identifiable health information held or transmitted by a covered entity or its business associate in any form or media, whether electronic paper or oral.  The HIPPA Privacy Rule calls this information Protected Health Information (PHI) and governs how information can be linked to a particular person in the course of providing a health care service.

CSUF is considered a hybrid entity which allows only its designated health care components to comply with HIPPA.  HIPPA recognizes organization activities such as education and research. 

HIPAA defines a hybrid entity as one that uses or discloses protected health information (PHI) for only a part of its business operations (i.e., on-site health clinic.)

HIPPA allows both use and disclosure of PHI for research purposes, but such uses and disclosures must follow HIPPA guidance and be part of a research plan that is reviewed and approved by the Institutional Review Board (IRB). 

When participants in a research study sign a consent form allowing a researcher to have access to their PHI (for research purposes), the information obtained should be governed by the terms in their consent and is no longer PHI subject to HIPPA.  However, a researcher should continue to recognize and maintain confidentiality of the disclosed information so as to insure continued protection to the participant and maintain the best practices for research involving human participants.

For a complete summary of the privacy rule visit http://www.hhs.gov/ocr/privacysummary.pdf.