Effective November 1, 2022, all human subject research applications must be submitted on the “Protocol Form”. Any projects submitted on the old “Exempt Form” will no longer be accepted. OPRS will continue to make Exempt determinations for all eligible protocols. Exempt forms submitted to OPRS prior to November 1, 2022, will be reviewed.

The general statement of policy outlines the University of Illinois at Urbana-Champaign's basic responsibility to ensure the protection of human subjects and is applicable to all research involving human subjects.

Campus Administrative Manual: The policy describes the role of the Institutional Review Boards and the responsibilities of the investigators engaged in university-sponsored research activities involving human subjects, human tissues, or medical records of human subjects.

The University of Illinois is committed to protecting the privacy and security of health information, as mandated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”). HIPAA and HITECH establish national standards for protecting the privacy and security of health information and define specific rights for individuals with respect to their health information.

List of colleges, departments or units are designated as “covered components” and shall comply fully with the HIPAA Privacy Rule and the policies and procedures set forth in UofI’s HIPAA policies.

In November 2013, the Board of Trustees approved policy that called for the formation of an Information Privacy and Security Council (IPSC) with representation from many areas of the university including Legal, IT Governance, IT Security, Faculty, etc. The IPSC serves an advisory role to the Board on information privacy and security issues. The IPSC commissioned a HIPAA Subcommittee to directly work on HIPAA related issues.

Each component of the UofI HIPAA Hybrid Entity has a HIPAA Liaison appointed by their Dean or Department Head. The liaisons are the first point of contact regarding HIPAA Compliance questions and procedures for each of the listed covered entities. The HIPAA Privacy and Security Officer may be contacted for general HIPAA questions and issues regarding HIPAA compliance at the University of Illinois.

Completion of annual HIPAA training is required for all workforce members for a Health Care Component. Failure to complete the annual training may result in the loss of network access until the training is completed. Depending on your access requirements and geographic location, HIPAA training may be administered by the UI Hospital, ACCC or Technology Services.

As a general rule, a HIPAA-covered entity, such as a health care provider, cannot use or disclose to you an individual’s protected health information (PHI) for research without having the individual’s written authorization. There are several specific situations, however, in which a written authorization is not required.

Tool to guide researchers on methods for obtaining PHI from a HIPAA covered entitiy for research needs.

Tool to guide researchers on methods for obtaining PHI from a HIPAA covered entitiy for research needs.

Individuals in a covered component of the University of Illinois Covered Entity may request a Box Health Data Folder (BHDF) that is capable of securely storing protected health information.

Per the University of Illinois HIPAA Privacy and Security Directive: “Each [Health Care Component] (HCC) must encrypt all HCC laptops and any HCC portable data storage devices used to access, process or store ePHI or has the potential to access, process or store ePHI, including but not limited to, flash drives, handheld devices, removable media, and backup media. Data encryption storage specifications must meet or exceed the minimum standard specified by the Security Official.“

Links to 1996 Act, Privcacy Rule, Security Rule and more.

In this section, you will find educational materials to help you learn more about the HIPAA Security Rule and other sources of standards for safeguarding electronic protected health information (e-PHI)

This page provides guidance about methods and approaches to achieve de-identification in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.

With the proliferation and widespread adoption of cloud computing solutions, HIPAA covered entities and business associates are questioning whether and how they can take advantage of cloud computing while complying with regulations protecting the privacy and security of electronic protected health information (ePHI). This guidance assists such entities, including cloud services providers (CSPs), in understanding their HIPAA obligations.