HIPAA-Related Research Issues


The Health Information Privacy and Compliance Office works closely with the Institutional Review Board (IRB) on issues involving health information compliance.  

Securing Research Data

All human subjects research data must be secured with a University of Minnesota-approved resource at all times during the research process. This is true even if the research data has been de-identified. University approved methods of storing, analyzing and handling human subjects research data include:

  • CTSI’s Clinical Data Repository Data Shelter (also referred to as the AHC Information Exchange or AHC IE). The CTSI can also be used to retrieve data for use in your study: Visit the CTSI’s website for additional information.
  • Servers supported by HST: To determine if your area already has space on an HST supported server, or to obtain space, contact HST for assistance.
  • Box Secure Storage: The University’s Box instance is supported by the Center of Excellence for HIPAA Data. More information about using Box can be found on the Center of Excellence for HIPAA Data website.
  • REDCap: REDCap is designed to support data capture for research.  More information about REDCap is available on the CTSI website.              
  • OnCore: OnCore is designed as a clinical trial management system.  More information about OnCore is available on the CTSI website.
  • Devices supported by HST that are up to date with encryption and patches.  If your device is supported by HST, it will be tagged with an HST sticker. To obtain a HST supported device, contact HST for assistance.

More information on storage requirements is available on the Resources for Research Data webpage. If you have questions regarding whether your method of storing, analyzing, or handling human subjects research data is approved by the University, please contact [email protected].


Using Data from the CTSI's Clinical Data Repository

The Clinical and Translational Science Institute has a clinical data repository of more than 2 million patients seen at 8 hospitals and more than 40 clinics. This data is housed in a secure repository and is available for your research needs. Contact the CTSI for more information about how to access this data.

HIPAA & Research Training Session

In January 2016, the IRB and the Health Information Privacy & Compliance Office teamed up to do an education session that provided a broad overview of HIPAA, and provided more specific information about completing HIPAA Authorization Forms.

Expand all

Items to Be Removed to Create a Limited Data Set

  • Names;
  • Postal address information, other than town or city, State, and zip code;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints; and
  • Full face photographic images and any comparable images

Expand all

Items to Removed to Create a De-Identified Data Set