Evaluating HIPAA compliance: a guide for researchers, privacy boards, and IRBs.

The purpose of this article is to describe implications of the Health Information Portability and Accountability Act of 1996 (HIPAA) for nurses engaged in human and health services research. In general, a person's private health information (PHI) may only be disclosed for treatment, payment, and business procedures related to healthcare service delivery. Access and/or use of the same information for research purposes necessitates another layer of review and may require a separate process of authorization. A brief historical overview of regulatory requirements regarding health information privacy and security standards for the electronic transformation of data and protection of electronically kept medical records is discussed and related to the role and responsibilities of researchers and organizations where research is conducted. In addition, a generic document template adaptable for use by an individual or organization is presented that can provide a quick, systematic review of HIPAA compliance when a research proposal is being developed or is received that seeks access to PHI.