FERPA


The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

For additional information on FERPA, see the IRB Guidance Document G-17: Guidance on FERPA in Human Subjects Research Studies, or check out the U.S. Department of Education.


HIPAA

The Health Insurance Portability and Accountability Act of 1996 includes mandatory standards for the secure electronic storage and transmission of health care information. To comply with these standards, the Department of Health and Human Services issued two new regulations, administered and enforced by the Office for Civil Rights: the Privacy Rule and the Security Rule.

For more general information on HIPAA, check out the HHS Website. Also refer to HIPAA FAQs.

For more information on the actual content of the regulation, see 45 CFR Parts 160, 162, and 164.


HIPAA Overview

The U.S. federal regulation commonly known as "HIPAA" or the "Privacy Rule" establishes the foundation for protecting the privacy of individual health information. This rule does not replace any other Federal, State or local law that grants even greater privacy protections, and health care entities are free to be more protective.

The Privacy Rule:

  • Gives patients more control over who has access to their health information, including immediate family members
  • Sets boundaries on the use and release of health records
  • Establishes safeguards that must be achieved to protect the privacy of protected health information
  • Holds privacy violators accountable with civil and criminal penalties
  • Strikes a balance when public responsibility supports disclosure of some information, for example, to protect public health

Further development of the HIPAA regulations includes the "Security Rule," which addresses the administrative, physical and technical safeguard requirements for electronic health information.

See: Summary of HIPAA Privacy Rule

HIPAA Brief History

The Health Insurance Portability and Accountability Act (HIPAA) of 1996, U.S. Public Law 104-191, included a requirement to develop and adopt national privacy protection standards to protect individually identifiable personal health information that is stored by, or transmitted by electronic means to, designated covered entities.

The privacy protection standards developed by the U.S. Department of Health and Human Services (DHHS) and its Office for Civil Rights (OCR) were published in December 2000 and, after extensive public comment, were modified into a final rule in August 2002. The final rule, "Standards for Privacy of Individually Identifiable Health Information," required compliance by April 14, 2003 for so-called "covered entities," which include licensed health care providers, health plans, and health care clearinghouses. GVSU is not a covered entity; it is a hybrid entity. This means that only some of its component offices and programs are subject to the HIPAA protection requirements. These include the Counseling Center, the Student Health Center, and the nurse-managed care center.

Researchers who, in the course of their research, collect information that would otherwise be classified as protected health information (PHI) are not subject to the HIPAA protection requirements.

Researchers who conduct research on patients' existing medical records, such as chart review studies, are covered under the HIPAA Privacy Rule provisions.

This regulation is codified in 45 CFR 164 Security and Privacy, Subpart E Privacy of Individually Identifiable Health Information, 164.500 - 164.534.

These regulations were modified and expanded in February of 2003. A new section was added to 45 CFR 164: Subpart C, Security Standards for the Protection of Electronic Protected Health Information, 164.302-164.318. This subpart is commonly referred to as the "Security Rule" or the "Security Standards," and it required compliance by April 20, 2005.

*Based on guidance posted on the U.S. Office of Civil Rights website, last revised May 16, 2006, and on the U.S. Centers for Medicare and Medicaid website, last modified May 06, 2008.

Implications For Research

The HIPAA regulations set standards for how protected health information (PHI) may flow out of covered entities, such as health care providers, health plans, and health care clearinghouses, for purposes of patient care, record keeping and payment of insurance claims for services provided. Researchers who need to use and access this PHI for research purposes must obtain either the individual authorization of each affected research participant or a waiver from the Privacy Board or IRB responsible for protecting the PHI records.

Researchers will be required to obtain documented permission to use and access PHI from these covered entities in one of the following ways:

  1. A valid authorization form, signed and dated by the individual participant, or
  2. Approval by the Institutional Review Board or Privacy Board of an alteration or waiver of the required authorization, or
  3. A contract with the covered entity for a limited data set containing selected and specified data for a particular purpose, with final disposition of the data upon completion of the research. These agreements are generally obtainable if one of the following conditions applies to the proposed research:
  4. There is a documented approved Data Use Agreement for the PHI OR
  5. Provide evidence that the research use is allowed without authorization because
    1. All study subjects are deceased
    2. The data required does not identify the subjects (it is "de-identified")
    3. The researchers are employed by the covered entity and (i) are preparing to conduct or support research, carrying out a "feasibility study or other preparation for research" before the research itself is undertaken.

What it Means for Researchers and IRB Members:

  • The IRB reviews HIPAA-related research protocols at the same time as its regular review
  • De-identification of health information before it is given to researchers is recommended as the best way to ensure privacy
  • Researchers must submit any required HIPAA authorization forms to the IRB together with their application (or renewal/revision) forms

Why Should Researchers Be Aware of the HIPAA Privacy Rule?

The Privacy Rule regulates the way certain health care groups, organizations, or businesses, called covered entities under the Rule, handle individually identifiable health information known as protected health information (PHI). Researchers should be aware of the Privacy Rule because it establishes the conditions under which covered entities can use or disclose PHI for many purposes, including for research. Although not all researchers will have to comply with the Privacy Rule, the manner in which the Rule protects PHI could affect certain aspects of research.

It is important to understand that many organizations that handle individually identifiable health information do not have to comply with the Privacy Rule because they are not among the entities covered by the Rule. The Privacy Rule does not directly regulate researchers who are engaged in research within organizations that are not covered entities, even though they may gather, generate, access, and share personal health information. For instance, entities that sponsor health research or that create and/or maintain health information databases may not themselves be covered entities, and thus may not directly be subject to the Privacy Rule. However, researchers may rely on covered entities for research support, or as sources of individually identifiable health information to be included in research repositories or research databases. The Privacy Rule may affect such independent researchers, as it will affect their relationships with covered entities.

(NIH publication)


GDPR

The General Data Protection Regulation (GDPR) is a European law, effective May 25, 2018, that provides protection for the privacy and security of the personal data of individuals in European Economic Area (EEA) countries. All researchers collecting personal data in, and/or transferring personal data from, European countries must operate in compliance with this new regulation.

See Frequently Asked Questions about the GDPR.

For research involving human subjects: access the informed consent template that contains the elements required by the GDPR.

Page last modified May 19, 2021