The tool is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Services (CMS) Electronic Health Record (EHR) Incentive Program.
Effective November 1, 2022, all human subject research applications must be submitted on the “Protocol Form”. Any projects submitted on the old “Exempt Form” will no longer be accepted. OPRS will continue to make Exempt determinations for all eligible protocols. Exempt forms submitted to OPRS prior to November 1, 2022, will be reviewed.
The general statement of policy outlines the University of Illinois at Urbana-Champaign's basic responsibility to ensure the protection of human subjects and is applicable to all research involving human subjects.
Campus Administrative Manual: The policy describes the role of the Institutional Review Boards and the responsibilities of the investigators engaged in university-sponsored research activities involving human subjects, human tissues, or medical records of human subjects.
The University of Illinois is committed to protecting the privacy and security of health information, as mandated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”). HIPAA and HITECH establish national standards for protecting the privacy and security of health information and define specific rights for individuals with respect to their health information.
In November 2013, the Board of Trustees approved a policy that called for the formation of an Information Privacy and Security Council (IPSC) with representation from many areas of the university including Legal, IT Governance, IT Security, Faculty, etc. The IPSC serves an advisory role to the Board on information privacy and security issues. The IPSC commissioned a HIPAA Subcommittee to work directly on HIPAA-related issues.
Each component of the UofI HIPAA Hybrid Entity has a HIPAA Liaison appointed by their Dean or Department Head. The liaisons are the first point of contact regarding HIPAA Compliance questions and procedures for each of the listed covered entities. The HIPAA Privacy and Security Officer may be contacted for general HIPAA questions and issues regarding HIPAA compliance at the University of Illinois.
Completion of annual HIPAA training is required for all workforce members for a Health Care Component. Failure to complete the annual training may result in the loss of network access until the training is completed. Depending on your access requirements and geographic location, HIPAA training may be administered by the UI Hospital, ACCC or Technology Services.
As a general rule, a HIPAA-covered entity, such as a health care provider, cannot use or disclose to you an individual’s protected health information (PHI) for research without having the individual’s written authorization. There are several specific situations, however, in which a written authorization is not required.
Per the University of Illinois HIPAA Privacy and Security Directive: “Each [Health Care Component] (HCC) must encrypt all HCC laptops and any HCC portable data storage devices used to access, process or store ePHI or has the potential to access, process or store ePHI, including but not limited to, flash drives, handheld devices, removable media, and backup media. Data encryption storage specifications must meet or exceed the minimum standard specified by the Security Official.”
In this section, you will find educational materials to help you learn more about the HIPAA Security Rule and other sources of standards for safeguarding electronic protected health information (e-PHI).
With the proliferation and widespread adoption of cloud computing solutions, HIPAA covered entities and business associates are questioning whether and how they can take advantage of cloud computing while complying with regulations protecting the privacy and security of electronic protected health information (ePHI). This guidance assists such entities, including cloud services providers (CSPs), in understanding their HIPAA obligations.