Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA), also known as the “Privacy Rule” (effective April 14, 2003), established minimum Federal standards for safeguarding the privacy of individual’s identifiable health information. The law generally prohibits health care providers such as health care practitioners, hospitals, nursing facilities and clinics from using or disclosing “protected health information” without written authorization from the individual.

“Protected Health Information” (PHI) is any identifiable health information relating to the individual’s past, present or future physical or mental health condition or payment for health care.

All faculty, staff and other USC employees, as well as students, volunteers, agents and certain other individuals who have access to patient health information through USC providers, are subject to HIPAA regulation and must complete an online course.

News and Information regarding the most recent version of the Privacy Rule – Health Information Technology for Economic and Clinical Health (HITECH Act).

HIPAA Authorization

The HIPAA authorization form should be given to the research participant or his/her/zir legal representative during the informed consent process. You may obtain HIPAA authorization electronically using DocuSign or REDCap for all studies, irrespective of risk level.

In the event your participant population cannot access DocuSign, REDCap, or another secure and encrypted online platform, you may consider having participants take photographs of their signed HIPAA authorization using their cell phones and emailing them to the study team. Make sure you document the consent process so that anyone examining your approach will be able to see how consent was obtained in good faith.


HIPAA Resources

For more information, please contact the Office of Culture, Ethics and Compliance