Frequently Asked Questions

What information is protected by HIPAA?

PHI generally consists of individual health information the University has concerning:

  • Our patients;
  • Beneficiaries of our University health plans; and
  • Research participants in studies involving our Medical, Dental, Nursing or Pharmacy schools

I heard HHS authorized a waiver of HIPAA, is this true?

HHS is waiving a limited number of HIPAA requirements for hospitals, including the requirement to distribute Notice of Privacy Practices, to permit patients to opt out of facility directories and to request additional privacy restrictions, among others.

HHS is also waiving certain telehealth requirements for providers who are treating patients, although it is still prohibiting public-facing video communications for health care such as Facebook Live, Twitch and TikTok. The waiver for telehealth does not extend to research. 

University clinics (including CUHCC and Boynton) and research teams should use Zoom for any video communications with patients or research participants. Zoom is a HIPAA compliant tool.

For patient interactions in the M Health Fairview system, please check with Fairview on the appropriate tools to use for video communications with patients.

Is Zoom permitted for conducting patient interactions, or for interactions with research participants?

For patient interactions in the M Health Fairview system, please check with Fairview on the appropriate tools to use.

For patient interactions in University clinics, such as CUHCC or Boynton, as well as for research participant interactions, Zoom is HIPAA compliant. You must take a very brief training prior to using Zoom for the first time, available at this link: https://training.umn.edu/courses/14040

When hosting or participating in a Zoom meeting, keep in mind the following:

  • Be aware of your surroundings before launching a Zoom meeting. Make sure there is nothing visible about other patients or research participants on your desk or in the background. Consider using a virtual background if your device supports this feature.
  • Before sharing your screen via Zoom, make sure you don’t have any PHI that is not intended to be shared. Close other browser windows before starting to reduce the risk of sharing information you don’t intend to share.
  • Do not record your meeting unless it is for classroom or teaching purposes and it does not contain any PHI. If you feel it is important for patient health to make a recording that contains PHI, contact HIPCO at [email protected] for guidance.
  • Do not transmit PHI via interactive tools available in Zoom, such as polls, shared screen annotations, chat, or question and answer tools.
  • Only invite attendees who have a need to be involved with the patient or research participant interaction. 
  • When scheduling the Zoom meeting, do not include the patient or research participant name in the meeting title. You can include the name of the provider or PI, such as “Consult with Dr. Anderson.”

I heard that Zoom is not secure, should I still be using it?

There have been media reports about security concerns with Zoom. The University is continuing to use Zoom, although we recommend that you follow the guidance provided by OIT to ensure that only authenticated users join your meeting. Instructions to do this along with additional security options are located here: https://it.umn.edu/zoom-secure-your-zoom-meetings

I am recording the classes I conduct via Zoom, but do not have sufficient storage on my device to store the recordings, is there another way to store Zoom recordings?

If you plan to record your lectures or classes via Zoom, make sure that the recording does not contain any PHI. To record, you must initially select the "Record on this Computer" option. When you complete the recording and end the class, Zoom will compress the file. Once the file has been compressed, Zoom will ask you to select the folder where you would like to save the compressed file.

  • If you have access to an HST server, you can create a new folder or select an existing folder on the HST server and save the compressed file directly to the HST server. 
  • If you do not have access to an HST server, you can save the compressed file to your device, then move it to a HIPAA compliant storage solution, such as Box. You can then delete the file from your device. If you are looking for the file on your device, by default, all recordings will be placed in a Zoom folder found in the following file path:
    • PC: C:\Users\User Name\Documents\Zoom
    • Mac: /Users/User Name/Documents/Zoom

Are research participants permitted to sign HIPAA authorizations electronically to eliminate in-person visits?

FDA-regulated studies: 

Yes, but the electronic signature must be captured by software that is compliant with 21 CFR 11 (known as "Part 11"). Please indicate in your IRB application which software you will be using and whether the manufacturer certifies that it is Part 11 compliant. E-signatures must be approved in advance by the IRB. In addition, the research participant must be provided with a signed copy of the HIPAA Authorization. The signed copy can be either in hard copy or electronic format. 

Non-FDA regulated studies: 

Yes, but Minnesota law requires that there must be some way to ensure that the signature was actually signed by the research participant. If participants are signing remotely (i.e., not in the physical presence of a study team member), this must be made clear in your IRB application and you must develop an approach whereby the research participant must enter credentials that identify themselves prior to signing the HIPAA authorization. For example, a study team could email HIPAA authorizations to research participants, and participants would need to access their email in order to obtain and sign the authorization. Alternatively, a study team could use HIPAA compliant software to capture signatures. Please check with HIPCO by emailing [email protected] to confirm whether any software you are using is HIPAA compliant. In addition, the research participant must be provided with a signed copy of the HIPAA Authorization. The signed copy can be either in hard copy or electronic format.

I need to work remotely and cannot communicate via Google Hangouts or Google Chat with my colleagues, how do I get an exception to use these tools?

Individuals working in units that are designated as health care components (HCC) have all been granted the ability to use Google Hangouts and Google Chat during this time. These changes were initiated on March 17th, and may take up to 24 hours for complete roll-out. For more information, please see the announcement from Health Sciences Technology.

Do not use other, unapproved chat applications or programs such as Slack, Facebook, iMessage or similar variations. The University does not have enterprise-wide agreements or security controls in place for these applications.

I need to work remotely, but I still need to contact research participants or potential research participants for recruitment and follow-up. May I contact research participants by phone, email or text?

Contacting research participants by phone

If your original study protocol did not include remote recruitment or communication, then you must first submit a modification to the IRB describing the remote methods of communication you would like to use. See the IRB’s website for more information about research considerations and COVID-19.

When calling participants from your home you must conduct calls in a private setting and ensure that participant information is protected. You must take reasonable precautions to limit incidental uses or disclosures of PHI, such as using a headset whenever possible and conducting calls in a private room with a closed door.

The University has temporarily authorized remote workers to utilize the University’s ‘soft-phone’ PC software to send and receive phone calls from University-managed computers. Note that a University softphone cannot be installed on a home computer (unless you are using the Remote Desktop function, described below). To enroll for the softphone function, visit the University's page for Data Network Services Voice Requests or call 1-Help. A participant receiving a call from a University softphone will see the number as a University phone number on caller-id.

Softphones procured from sources other than the University are not permitted for conducting University business, such as contacting research participants. Common examples of unauthorized applications are Google Voice, VoIP phones, and 8x8. Individuals or teams with special requirements can contact HIPCO at [email protected].

The authorization to use University-provided soft-phones extends only so long as the University continues with Reduced Operations as announced by University President Joan Gabel.

Contacting research participants by phone if you don’t have a University device at home

If you do not have a University device at home and your University device is still on campus, you may configure your on campus device for Remote Desktop. Remote Desktop involves installing the University VPN client on your home computer and then connecting to your on campus University device to access your applications and data. You may then use the softphone option described above. If you need help with set up, contact 1-Help.

The University is continuing to work on other possible solutions for University employees that cannot use the University softphone because they do not have a University device at home or they cannot use Remote Desktop. Until other solutions are available for those that cannot use the University softphone, you may use your personal landline to call research participants provided that:

  • You do not record the conversation
  • You do not store participant phone numbers on your personal phone
  • You delete any call logs immediately following the call
  • You use *67 to anonymize your call 
  • You only make outgoing calls to participants and do not receive any calls

Fairview is currently making a “redialer” available for use to University researchers that are not able to use the University softphone and need to contact research participants using a landline phone. A research participant receiving a call in this way will see the number as a Fairview number on caller-id. To use the Fairview redialer:

  • Dial 612-336-2699 from your landline phone
  • After connection, you will be asked to enter the number you want to dial; you must first dial 1 followed by the full phone number
  • The redialer cannot be used for long distance calls

If you are unable to use the University softphone and do not have a landline phone, contact HIPCO for guidance at [email protected].

Emailing or texting with research participants

It is recommended that text messaging not be used to communicate. Texting is not a secured method of communication and can expose PHI easily.

How can I set up a call center with a single phone number for participants to call when the study team is working remotely?

The University’s softphone application has call-center functionality. Researchers may set up a softphone call-center for their studies during the period of reduced operations. You can request call-center setup through the same form as the soft-phone request: http://z.umn.edu/datavoicerequest. If you have technical or setup questions, please reach out to the help desk ([email protected]). If you have questions about what applications are permissible for use by researchers in the HIPAA-covered area of the University, please reach out to [email protected].

I need to work remotely, and need to do data analysis involving PHI from home. What guidelines do I need to follow?

PHI must not be stored, edited, or viewed on personally owned computers. You must use your University managed device with VPN to access University systems to do data analysis. If you mistakenly create any temporary files on your personal device containing PHI, they must be deleted promptly.

I need to work remotely, how do I secure my equipment and documents when moving them back and forth from work to home?

When transporting equipment and documents outside of the office, employees should take the same precautions as they would when transporting any kind of extremely valuable item. The items should be kept out of sight in a bag or briefcase and should not be left unattended at any time. Ideally, the employee should go straight home without any stops, but if necessary, the employee should keep the items on their person or locked securely out of sight in the trunk of their car before they stop.

While your work items are in your home, you should take care that other people in your home are not able to view any confidential information. Device screens should be locked when not in use. Papers with confidential or sensitive information should be kept out of sight of other people in your home.

Items should be returned to the University worksite when employees are able to return. Items should not be left at home indefinitely or destroyed/discarded at home.

Any loss or theft of PHI or University owned devices shall be reported immediately to the employee’s supervisor and [email protected].

I am working from home and have a “smart-home” device (Alexa, Google-Home, Nest or Smart-speakers), is this a problem?

You must take precautions to ensure that your home working environment is appropriate for conducting University business. If you have any type of device in your home that can listen, or record audio or video, you must disable these devices while you are conducting University business.

Is it OK to use my personal printer for University business while working from home?

If you need to print information to mail to research participants or patients, or any information that contains PHI, configure your printer so that it does not save print jobs and disable any connection to cloud servers. If your printer creates electronic logs, delete those logs promptly. If you feel you need to print material containing PHI for some purpose other than mailing information to research participants/patients, please contact HIPCO at [email protected] for guidance.

Does HIPAA allow for any sharing of PHI during a health crisis like COVID-19?

HIPAA generally restricts our ability to share PHI without an individual's authorization, but HIPAA does permit sharing without such authorization:

  • With public health authorities (including the MN Department of Health and the CDC); or 
  • With family, friends, caregivers or others known to be involved in the individual's care; or
  • With those who can prevent or lessen a "serious and imminent threat" to the health and safety of an individual or the public (including law enforcement, family, friends, and caregivers).

Is the information I share with my manager about my health or treatment protected by HIPAA?

PHI generally consists of individual health information the University has concerning:

  • Our patients;
  • Beneficiaries of our University health plans; and
  • Research participants in studies involving our Medical, Dental, Nursing or Pharmacy schools 

HIPAA does not apply to information that is shared by an employee with a manager about the employee's health or condition. However, this information is subject to other restrictions and must be handled appropriately. 

Is it OK to use my personal fax machine for University business while working from home?

To receive faxes, use the University fax-to-email system (follow the instructions here and here, or contact 1-help for assistance). Do not receive faxes to your personal fax machine. If you inadvertently receive a fax that contains PHI, store it securely until you are able to return to the University and shred it.

If you must send a fax, ensure that the receiver will not use your personal fax number to reply. Typically this requires programming an invalid “return number” or using *67 when dialing.

What do I need to do if I want to use a University resource that is outside the healthcare component (HCC)?

If there is a University resource within the healthcare component that is able to handle your use case, using a non-HCC resource is not allowed. Some resources to refer to include HST, CTSI, and BPIC.

If a study team member gets a new HST device during the course of a study, do we need to submit a modification to add the new device number to the protocol?

No, it's not necessary to submit a MOD just for an HST device update. Just ensure all HST numbers and such are updated whenever a study team submits a MOD for another reason. If they are about to have their yearly Continuing Review and haven't updated devices since the last CR, study teams should ensure the devices are updated via MODCR or they will have to submit another MOD afterwards to update HIPCO info.

I have a study that involves international data, how should I move forward?

International data is a complex issue that can involve multiple privacy laws and steps. If you have a study that involves either: (1) data originating in a foreign country and then coming to the United States; or (2) data originating in the United States and then moving to a foreign country, please reach out to HIPCO for assistance and guidance. For a quick reference to some steps that may need to be taken, please see this guide. (Note: this guide is not exhaustive, and cannot substitute for reaching out to HIPCO.)

How can I determine whether my data is PHI and covered under HIPAA?

A final PHI determination is made by HIPCO using statutory law and regulatory guidance. For general guidance to assist you in planning, please see UIS's data classification policy and HIPCO's de-identification and limited data set guide.