HIPAA-Related Research Issues


The Health Information Privacy and Compliance Office works closely with the Institutional Review Board (IRB) on issues involving health information compliance.  

Securing Research Data

All human subjects research data must be secured with a University of Minnesota-approved resource at all times during the research process. This is true even if the research data has been de-identified. University approved methods of storing, analyzing and handling human subjects research data include:

  • CTSI’s Clinical Data Repository Data Shelter (also referred to as the AHC Information Exchange or AHC IE). The CTSI can also be used to retrieve data for use in your study: Visit the CTSI’s website for additional information.
  • Servers supported by HST: To determine if your area already has space on an HST supported server, or to obtain space, contact HST for assistance.
  • Box Secure Storage: The University’s Box instance is supported by the Center of Excellence for HIPAA Data. More information about using Box can be found on the Center of Excellence for HIPAA Data website.
  • REDCap: REDCap is designed to support data capture for research.  More information about REDCap is available on the CTSI website.              
  • OnCore: OnCore is designed as a clinical trial management system.  More information about OnCore is available on the CTSI website.
  • Devices supported by HST that are up to date with encryption and patches.  If your device is supported by HST, it will be tagged with an HST sticker. To obtain a HST supported device, contact HST for assistance. For more information, please see the HIPCO Ancillary Review Aid: Computer Device Guide for Research.

More information on storage requirements is available on the Resources for Research Data webpage. If you have questions regarding whether your method of storing, analyzing, or handling human subjects research data is approved by the University, please contact [email protected].


Using Data from the CTSI's Clinical Data Repository

The Clinical and Translational Science Institute has a clinical data repository of more than 2 million patients seen at 8 hospitals and more than 40 clinics. This data is housed in a secure repository and is available for your research needs. Contact the CTSI for more information about how to access this data.

HIPAA & Research Training Session

In January 2016, the IRB and the Health Information Privacy & Compliance Office teamed up to do an education session that provided a broad overview of HIPAA, and provided more specific information about completing HIPAA Authorization Forms.

De-Identified Data Sets and Limited Data Sets

The Health Information Privacy & Compliance Office and the IRB strongly encourage the use of de-identified datasets whenever possible. The HIPAA Privacy Rule protects Protected Health Information (PHI) by permitting only specific uses and disclosures of PHI allowed by the Rule, or as authorized by the subject of the information. However, a covered entity may create a de-identified dataset from PHI by following the HIPAA Privacy Rule's de-identification standard.

To create a de-identified dataset that meets the HIPAA Safe Harbor de-identification definition, a specific list of identifiers and derivatives of identifiers of individuals, as well as their relatives, employers, and household members must be removed. There can be no knowledge that the remaining information can be used alone or in combination with other information to identify the individual. The University offers a service to de-identify human subjects research data if you use the CTSI’s Clinical Data Repositor.

If a de-identified data set cannot be used for your research, that you consider using a Limited Data Set. To create a Limited Data Set you must satisfy the HIPAA Limited Data Set definition. This requires that you remove all identifiers, and all derivatives or those identifiers, but you may include dates (such as date of death, birth, and admission), and you may include geographic information including city, state, and zip code. The University does not offer a service to create a Limited Data Set. A Limited Data Set must be used in connection with a Data Use Agreement.

For more guidance on what data needs to be removed for a de-identified data set or limited data set, please refer to this guide.