The Health Information Privacy and Compliance Office works closely with the Institutional Review Board (IRB) on issues involving health information compliance.
Securing Research Data
All human subjects research data must be secured with a University of Minnesota-approved resource at all times during the research process. This is true even if the research data has been de-identified. University approved methods of storing, analyzing and handling human subjects research data include:
- CTSI’s Clinical Data Repository Data Shelter (also referred to as the AHC Information Exchange or AHC IE). The CTSI can also be used to retrieve data for use in your study: Visit the CTSI’s website for additional information.
- Servers supported by HST: To determine if your area already has space on an HST supported server, or to obtain space, contact HST for assistance.
- Box Secure Storage: The University’s Box instance is supported by the Center of Excellence for HIPAA Data. More information about using Box can be found on the Center of Excellence for HIPAA Data website.
- REDCap: REDCap is designed to support data capture for research. More information about REDCap is available on the CTSI website.
- OnCore: OnCore is designed as a clinical trial management system. More information about OnCore is available on the CTSI website.
- Devices supported by HST that are up to date with encryption and patches. If your device is supported by HST, it will be tagged with an HST sticker. To obtain a HST supported device, contact HST for assistance.
More information on storage requirements is available on the Resources for Research Data webpage. If you have questions regarding whether your method of storing, analyzing, or handling human subjects research data is approved by the University, please contact [email protected].
Creating a Limited Data Set
HIPCO and the IRB strongly recommend that if a de-identified data set cannot be used for your research, that you consider using a Limited Data Set. To create a Limited Data Set you must satisfy the HIPAA Limited Data Set definition. This requires that you remove all identifiers, and all derivatives or those identifiers, but you may include dates (such as date of death, birth, and admission), and you may include geographic information including city, state, and zip code. See a full list of all identifiers that must be removed to create a Limited Data Set. The University does not offer a service to create a Limited Data Set.
Using Data from the CTSI's Clinical Data Repository
The Clinical and Translational Science Institute has a clinical data repository of more than 2 million patients seen at 8 hospitals and more than 40 clinics. This data is housed in a secure repository and is available for your research needs. Contact the CTSI for more information about how to access this data.
HIPAA & Research Training Session
In January 2016, the IRB and the Health Information Privacy & Compliance Office teamed up to do an education session that provided a broad overview of HIPAA, and provided more specific information about completing HIPAA Authorization Forms.