Human Investigation Committee
Yale University School of Medicine
47 College Street, Suite 204
New Haven, CT 06520-8010 USA
Phone: (203) 785-4688
Fax: (203) 785-2847


Privacy and Security Measures

HIPAA requires that the privacy of PHI be maintained by limiting its uses and disclosures and that reasonable steps are taken to ensure that PHI is secure. Most often, breaches of privacy can be traced to lax security, so the two issues are intimately related. In April 2005, a portion of HIPAA known as the Security Rule became effective. The Security Rule requires institutions and individuals to take appropriate steps to secure the integrity, availability, and confidentiality of electronic PHI (ePHI). ePHI is defined as any PHI that is created, stored, accessed, or transmitted electronically. The Security Rule requirements apply to all electronic computing and communication systems that create, store, or transmit PHI, both on-campus and off-campus. All users must comply with the Yale IT Appropriate Use Policy. The specific requirements for complying with the Security Rule can be found at http://hipaa.yale.edu/security/

Security requirements can change frequently, so the web site should be consulted for the most recent policies and best-practice guidelines. Some general guidelines for securing data include:

  • Access to paper files should be limited by locking file cabinets or locking the rooms in which files are kept.
  • All computers should be password protected, following the ITS best practices for creating strong passwords.
  • PHI cannot be transmitted using instant messaging or other insecure "peer-to-peer" software.
  • Use of unencrypted e-mail to send PHI is limited in accordance with HIPAA Policy 5123, "Electronic Communication of Health Related Information". Note, however, that e-mail is allowed within or between Yale and Yale New Haven Hospital.
  • Computing devices must be physically secured, for example with locking cables for laptops, and storage devices such as memory sticks must be locked up.
  • Computing devices should be maintained with appropriate anti-virus and anti-spyware software.
  • Databases containing PHI may also need an additional level of password protection to restrict access to the database itself, and may need to be assessed via the ePHI tracking system.
  • Disposal or re-use of electronic computing and communication devices requires that they first be stripped of all PHI.
  • Data should be routinely backed up.
  • Use secure network access procedures when connecting to the Yale network from off-site locations.
