Subject: Re: HIPAA From: "Ferguson, Sarah Hargus" <safergus(at)KU.EDU> Date: Fri, 13 May 2005 09:00:21 -0500Oh, a SIMPLE question. My understanding, based on my experience and from talking to others, is that most of us doing auditory research aren't considered "covered entities" - for example, at KU there are exactly 3 covered entities - the student health center, the psychology clinic, and the SPLH clinic. I also understand that while the audiogram is considered personal health information, performance, say, on a list of words in noise isn't - thus I have different verbiage in different consent forms - which, BTW, is where any privacy stuff is handled - our IRB doesn't require additional forms, just certain text in the consent forms. I have separate IRB approval for recruiting subjects in my elderly subject pool that lays out all the procedures for the audiological evaluation, which is carried out in our clinic but the records of which only I have - the only thing the clinic keeps (in a locked cabinet) is a list of names so that if someone calls the clinic some time in the future saying they had their hearing tested there, and the clinic can find no record, they can check that list. The consent form that the subjects sign contains some (brief) IRB-required verbiage about information being collected and privacy procedures. In any case, you still should do what you can to make sure that any information you keep is de-identified as much as possible, which most of us should have been doing anyway for simple confidentiality purposes. For my elderly subject pool, I have a password-protected Excel file that connects their ID numbers to their contact information and audiometric data. There is nothing on paper that establishes this - the hard copies of their audiograms bear only an ID number, age and gender. For individual experiments, we usually use initials during data collection (just to keep things from getting totally unwieldy) but generate new subject ID codes when reporting the data. All data, although de-identified, are kept in a locked cabinet. I also make sure that my assistants don't leave messages lying around that have subject names and phone numbers and I use construction paper to cover receipts that were signed by other subjects (the only 3-copy receipt book I could get has 3 receipts to a page). One last comment is that HIPAA requirements seem to be a very squishy target - I've found repeatedly that regardless of what any written documents say, individual institutions interpret it the way they want, usually in a way that's more strict than what is written. For example, the privacy statement that regular clinic patients sign states that their information may be shared with researchers (you've probably seen this on anything you've signed at a doctor's office) - but our clinic director never ever shares results with researchers. She's decided to make her own (more strict) rules about privacy. I've run into this in other settings too - I think because no one's ever given anyone any solid information about WHY these rules came into existence or even, exactly, what the rules are - people seem to be terrified that they're going to get busted without even knowing they broke a rule. ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Sarah Hargus Ferguson, Ph.D., CCC-A Assistant Professor Department of Speech-Language-Hearing: Sciences and Disorders University of Kansas Dole Center 1000 Sunnyside Ave., Room 3001 Lawrence, KS 66045 office: (785)864-1116 Speech Acoustics and Perception Lab: (785)864-0610 http://www.lsi.ku.edu/ipcd/FAC/Bios/FergusonBio.html -----Original Message----- From: AUDITORY Research in Auditory Perception [mailto:AUDITORY(at)LISTS.MCGILL.CA] On Behalf Of Brent Edwards Sent: Thursday, May 12, 2005 4:37 PM To: AUDITORY(at)LISTS.MCGILL.CA Subject: HIPAA How are people incorporating HIPAA regulations in their basic auditory research? If you measure someone's audiogram, speech understanding ability or basic psychacoustic function as a part of your research, what impact does HIPAA have on your procedures, such as data storage and providing subjects with Notice of Privacy Practices? Comments are appreciated. Thanks, --Brent