FERPA


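The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

For more information about FERPA, see IRB Guidance Document G-17: Guidance on FERPA in Human Subjects Research, or visit the U.S. Department of Education.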


HIPAA

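The Health Insurance Portability and Accountability Act of 1996 includes mandated standards for the secure electronic storage and transmission of health care information. To comply with these standards, the Department of Health and Human Services issued two new rules, administered and enforced by the Office for Civil Rights: the Privacy Rule and Security Rule.

For more general information about HIPAA, see the U.S. Department of Health and Human Services website. See also the HIPAA Frequently Asked Questions.

For more information on the actual content of the regulations, see 45 CFR 160, 162, and 164.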

 

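HIPAA Overview

The U.S. federal regulation commonly referred to as "HIPAA" or the "Privacy Rule" establishes a foundation of protection for the privacy of individual health information. This rule does not replace any other federal, state, or local law that grants greater privacy protections, and health care organizations are free to adopt more protective measures.

The Privacy Rule:

  • Gives patients more control over who has access to their health information, including immediate family members
  • Sets boundaries on the use and release of health records
  • Establishes safeguards that must be in place to protect the privacy of protected health information
  • Holds privacy violators accountable, with civil and criminal penalties
  • Strikes a balance when public responsibility supports disclosure of certain information, for example, to protect public health

Further development of the HIPAA regulations includes the "Security Rule," which addresses administrative, physical, and technical safeguard requirements for electronic health information.

See: Overview of the HIPAA Privacy Rule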

A Brief History of HIPAA

The U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, includes requirements to develop and adopt national standards for privacy protection of individually identifiable personal health information in storage and as transmitted by electronic means to specified covered entities.

The privacy protection standards, developed by the U.S. Department of Health and Human Services (DHHS) and the Office of Civil Rights (OCR), were published in December of 2000 and modified into a final rule in August of 2002 after extensive public comment. The final rule required compliance by April 14, 2003 for so-called "covered entities," which include licensed health care providers, health plans, and health care clearinghouses. GVSU is not a covered entity; it is a hybrid entity. This means only some component offices and programs are subject to HIPAA protection assurances. These include the counseling center, student health center, and nurse managed care centers.

Researchers who collect as part of their research what would otherwise be classified as protected health information (PHI) are not subject to HIPAA protection requirements.

Researchers who conduct research on patients' existing medical records, such as chart review studies, are covered by the provisions of the HIPAA Privacy Rule.

These regulations are codified at 45 CFR 164, Security and Privacy, Privacy of Individually Identifiable Health Information, 164.500 - 164.534.

These regulations were modified and expanded in February 2003. A new part was added at 45 CFR 165: Subpart C, Security Standards for the Protection of Electronic Health Information, 164.302-164.318. This Subpart is commonly referred to as the "Security Rule" or "Security Standard" and required compliance by April 20, 2005.

*Based on guidance posted on the U.S. Office for Civil Rights website, last revised May 16, 2006, and the U.S. Centers for Medicare and Medicaid Services website, last modified May 6, 2008.

Implications for Research

HIPAA provisions set the standards for how protected health information (PHI) flows from covered entities such as health care providers, health plans, and health care clearinghouses for patient care, record keeping, and payment of insurance claims for services provided. Researchers requiring use of and access to such PHI for research purposes must receive either individual authorizations from each affected study participant, or a waiver of same from a privacy board or IRB responsible for safeguarding the PHI records.

Researchers will be required to obtain documented permission to use and access PHI from these covered entities in the following ways:

  1. Secure signed and dated valid authorization forms signed by the individual participants, OR
  2. Obtain approval of an Institutional Review Board or Privacy Board for an alteration or waiver of required authorization, OR
  3. Contract with a covered entity for a limited data set with selected and specified data for a specified purpose and final disposition of the data when the research is completed. These agreements are typically available if one or more of the following conditions pertain to the proposed research study:
  4. PHI OR have a documented, approved data use agreement
  5. Provide evidence that research use without authorization is permissible because
    1. All research subjects are deceased
    2. The data needed will not identify the subjects (it is "de-identified")
    3. The researchers are employed by the covered entity and (I) are preparing to do or to support research by conducting "feasibility inquiries or other investigatory preparations prior to the conduct of research."

Implications for researchers and IRB members:

  • The IRB reviews HIPAA-related research protocols at the same time as the regular IRB review
  • De-identification of health information before it is provided to researchers is recommended as the best way to ensure privacy
  • Researchers must submit any needed HIPAA authorization forms with their application (or renewal / revision) form to the IRB

Why should researchers be aware of the HIPAA Privacy Rule?

The Privacy Rule regulates the way certain health care groups, organizations, or businesses, called covered entities under the Rule, handle the individually identifiable health information known as protected health information (PHI). Researchers should be aware of the Privacy Rule because it establishes the conditions under which covered entities can use or disclose PHI for many purposes, including research. Although not all researchers will have to comply with the Privacy Rule, the manner in which the Rule protects PHI could affect certain aspects of research.

It is important to understand that many research organizations that handle individually identifiable health information will not have to comply with the Privacy Rule because they will not be covered entities. The Privacy Rule will not directly regulate researchers who are engaged in research within organizations that are not covered entities even though they may gather, generate, access, and share personal health information. For example, entities that sponsor health research or create and/or maintain health information databases may not themselves be covered entities, and thus may not be directly subject to the Privacy Rule. However, researchers may rely on covered entities for research support or as sources of individually identifiable health information to be included in research repositories or research databases. The Privacy Rule may affect such independent researchers, because it will affect their relationships with covered entities.

(National Institutes of Health publication)


GDPR

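The General Data Protection Regulation (GDPR) is a European law, effective May 25, 2018, that establishes protections for the privacy and security of personal data about individuals in European Economic Area (EEA) countries. All researchers who collect personal data from, and/or transfer personal data to, European countries must comply with this new regulation.

See the frequently asked questions about GDPR.

For research involving human subjects:  To access informed consent templates incorporating the required elements of GDPR.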



Last modified on May 19, 2021