Dr. Susan Bouregy, Chief HIPAA Privacy Officer and an IRB Vice-Chair at Yale University, led an informative webinar about the HIPAA Final Rule as it pertains to researchers and data management. Below are a few key notes from the webinar that highlight the most relevant changes for researchers:
1. Flexible Research Authorizations– Researchers can now combine authorization forms for current research with forms for future unspecified research (aka conditioned vs unconditioned authorizations). Previously, researchers were required to use an authorization form that described the use and disclosure of PHI for a clinical trial, a separate authorization form for banking study samples, and a different authorization form that described future use of the study samples. Now, under the Final Rule, these documents can be combined into one authorization form.
2. Modifications to Breach Notification– The previous mandate required that covered entities notify the government and affected individuals of all PHI privacy and security breaches. The revised standard now states that breach notification is only necessary when a risk assessment proves that the PHI was compromised. A risk assessment is mandatory for every breach, and covered entities are required to evaluate factors such as who received, acquired and viewed the PHI and the extent of risk mitigation.
3. Accountability for Business Associates– The revised definition of a Business Associate now includes any entity that maintains, transmits, creates, or receives PHI. Under the Final Rule, Business Associates are directly accountable to the Department of Health and Human Services for HIPAA compliance. For example, if you work with a vendor that stores personal health records or manages data containing PHI, that vendor will need to comply with HIPAA privacy and security standards. Consequently, the vendor is directly liable for any HIPAA violations.
If you missed the webinar or want to learn more about the Final Rule, watch the complete webinar recording below: