Submit your HIPAA questions to Editor Jaclyn Fitzgerald at email@example.com  and we will work with our experts to provide the information you need.
Q: My organization conducts research. The research coordinators working on our project are hospital employees. The screening they use identifies candidates that meet study criteria. They do not share information with the research sponsor unless the patient enrolls in the study and completes an informed consent form that details the information that the organization will collect and with whom they will share it. We always include an institutional review board (IRB) waiver of authorization for our studies. Is the work the research coordinators do to find suitable candidates for a study reasonably considered part of operations under HIPAA?
A: Research does not fall under healthcare operations. De-identification of data and the creation of limited data sets does, but that would not necessarily include disclosing potential patient participant information to research coordinators. However, that doesn’t mean research coordinators may not seek candidates for approved research. What it does mean is the research project must be approved by the IRB or privacy board prior to seeking candidates to participate in the research. That all falls under the HIPAA research umbrella, not healthcare operations.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA . This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.