ARCHIVED: HIPAA for researchers at IU

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

HIPAA applies (or may apply) to you if your research involves human subjects. From an IT perspective, HIPAA is not a concern if your research data are completely anonymized, i.e., stripped of any ePHI. In general, HIPAA should be a consideration if your research:

Touches patients in the context of health care providers, health plans, public health authorities, life insurers and clearinghouses, billing agencies, information system vendors, service organizations, and other universities.
Involves human subjects or volunteers in any capacity.

HIPAA applies to covered entities, health care providers, health plans, defined by HIPAA as individual or group plans that provide or pay for health care, including employer plans; and health care clearinghouses. Within IU, HIPAA applies to human subjects research conducted at the Schools of Medicine, Nursing, and Dentistry, and other departments that either provide support functions for IU's health care components (e.g., the IUSM's CIO, UITS Research Computing) or conduct research involving human subjects (such as psychology or business).

For more information, visit these IU Office of Research Administration (ORA) pages:

For general compliance information, Institutional Review Board (IRB) requirements for human subjects research, and contact information, see the ORA Human Subjects/IRB page.
For a central resource of research compliance information, see the ORA Compliance Services page.
For more HIPAA information, see the ORA HIPAA Compliance page.