Incorporating research compliance into healthcare privacy and security risk management programs

Emmelyn Kim is VP, Research Compliance & Privacy Officer, and Hamangi Patel is Director, Research Compliance, The Feinstein Institutes for Medical Research, Northwell Health, New York.

Healthcare environments are extraordinarily complex and heavily regulated through a variety of local, state, and federal rules. Privacy and security are major risk areas, especially given the increase in cybersecurity threats and attacks.[1] Healthcare organizations often have an array of ongoing research activities that draw on the rich data sources provided by direct access to patients and medical records. However, the use and disclosure of protected health information (PHI) for research in healthcare environments requires special attention, not only to the Health Insurance Portability and Accountability Act (HIPAA) rules generally, but to the research provisions within those rules and to other research requirements. This requires coordination with research stakeholders such as institutional review boards (IRBs), which often act as privacy boards; privacy officers; and human research protection programs (HRPPs).

Over the past decade, better technology and computing capabilities have resulted in an increase in research activities using digital health technologies such as artificial intelligence, devices and applications, and data mining software that searches electronic health records for potential research participants, among many others. Technology has also enabled remote clinical trials to be offered in communities outside of healthcare facilities. All of this has changed the research landscape and the overall risk profiles at healthcare systems, particularly privacy and security risks.

Since research activity in healthcare organizations often involves the use and disclosure of PHI outside of treatment, payment, and healthcare operations, it requires special attention to ensure that those uses and disclosures comply with HIPAA rules and with the determinations of the reviewing IRB or privacy board. Additionally, research is often governed by many other rules outside of healthcare. It is also important to ensure that organizations meet other applicable regulatory requirements in the research space, such as those enforced by the Food and Drug Administration and the Office for Human Research Protections, as well as requirements set by funding agencies and sponsors. Therefore, compliance programs should incorporate research risks into their overall risk assessment in order to assess organizational risk accurately and effectively. This article provides considerations and best practices for incorporating research compliance into the healthcare privacy and security risk management framework.
