[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: HIPAA
- To: AUDITORY@xxxxxxxxxxxxxxx
- Subject: Re: HIPAA
- From: "Ferguson, Sarah Hargus" <safergus@xxxxxx>
- Date: Fri, 13 May 2005 09:00:21 -0500
- Comments: To: Brent Edwards <brent@EDWARDS.NET>
- Delivery-date: Fri May 13 10:06:51 2005
- Reply-to: "Ferguson, Sarah Hargus" <safergus@xxxxxx>
- Sender: AUDITORY Research in Auditory Perception <AUDITORY@xxxxxxxxxxxxxxx>
- Thread-index: AcVXPM5qrMrS/0aiTTGQgGimGkH1YgAhH3OA
- Thread-topic: HIPAA
Oh, a SIMPLE question. My understanding, based on my experience and from
talking to others, is that most of us doing auditory research aren't
considered "covered entities" - for example, at KU there are exactly 3
covered entities - the student health center, the psychology clinic, and
the SPLH clinic.
I also understand that while the audiogram is considered personal health
information, performance, say, on a list of words in noise isn't - thus
I have different verbiage in different consent forms - which, BTW, is
where any privacy stuff is handled - our IRB doesn't require additional
forms, just certain text in the consent forms. I have separate IRB
approval for recruiting subjects in my elderly subject pool that lays
out all the procedures for the audiological evaluation, which is carried
out in our clinic but the records of which only I have - the only thing
the clinic keeps (in a locked cabinet) is a list of names so that if
someone calls the clinic some time in the future saying they had their
hearing tested there, and the clinic can find no record, they can check
that list. The consent form that the subjects sign contains some (brief)
IRB-required verbiage about information being collected and privacy
procedures.
In any case, you still should do what you can to make sure that any
information you keep is de-identified as much as possible, which most of
us should have been doing anyway for simple confidentiality purposes.
For my elderly subject pool, I have a password-protected Excel file that
connects their ID numbers to their contact information and audiometric
data. There is nothing on paper that establishes this - the hard copies
of their audiograms bear only an ID number, age and gender. For
individual experiments, we usually use initials during data collection
(just to keep things from getting totally unwieldy) but generate new
subject ID codes when reporting the data. All data, although
de-identified, are kept in a locked cabinet. I also make sure that my
assistants don't leave messages lying around that have subject names and
phone numbers and I use construction paper to cover receipts that were
signed by other subjects (the only 3-copy receipt book I could get has 3
receipts to a page).
One last comment is that HIPAA requirements seem to be a very squishy
target - I've found repeatedly that regardless of what any written
documents say, individual institutions interpret it the way they want,
usually in a way that's more strict than what is written. For example,
the privacy statement that regular clinic patients sign states that
their information may be shared with researchers (you've probably seen
this on anything you've signed at a doctor's office) - but our clinic
director never ever shares results with researchers. She's decided to
make her own (more strict) rules about privacy. I've run into this in
other settings too - I think because no one's ever given anyone any
solid information about WHY these rules came into existence or even,
exactly, what the rules are - people seem to be terrified that they're
going to get busted without even knowing they broke a rule.
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Sarah Hargus Ferguson, Ph.D., CCC-A
Assistant Professor
Department of Speech-Language-Hearing: Sciences and Disorders
University of Kansas
Dole Center
1000 Sunnyside Ave., Room 3001
Lawrence, KS 66045
office: (785)864-1116
Speech Acoustics and Perception Lab: (785)864-0610
http://www.lsi.ku.edu/ipcd/FAC/Bios/FergusonBio.html
-----Original Message-----
From: AUDITORY Research in Auditory Perception
[mailto:AUDITORY@xxxxxxxxxxxxxxx] On Behalf Of Brent Edwards
Sent: Thursday, May 12, 2005 4:37 PM
To: AUDITORY@xxxxxxxxxxxxxxx
Subject: HIPAA
How are people incorporating HIPAA regulations in their basic auditory
research? If you measure someone's audiogram, speech understanding
ability or basic psychacoustic function as a part of your research, what
impact does HIPAA have on your procedures, such as data storage and
providing subjects with Notice of Privacy Practices? Comments are
appreciated. Thanks,
--Brent