Compliance Overview: Health Insurance Portability and Accountability Act (HIPAA) and Institutional Review Board (IRB) Requirements
Steps to Obtain IRB Approval and Data Access

Overview
Research involves several important compliance steps—such as preparing a strong IRB protocol, defining clear inclusion and exclusion criteria, completing data use agreements (DUAs), and securing appropriate computational resources. Although this process may seem daunting, it is designed to be as efficient as possible and to ensure that studies are conducted responsibly and accurately. By following the guidelines below, researchers can complete their projects effectively while safeguarding patient privacy. Key concepts researchers should be aware of are:
- HIPAA
- Identified vs. De-Identified Data
- HIPAA Minimum Necessary Rule and Inclusion / Exclusion Criteria
- IRB
What is HIPAA?
HIPAA establishes national standards for guarding protected health information (PHI) and promotes the secure, ethical use of medical data in both healthcare and research.
Importance of HIPAA
- Protects Patient Privacy – Safeguards all PHI from unauthorized access or disclosure.
- Ensures Data Security – Requires administrative, physical, and technical safeguards to keep health data secure.
- Empowers Patients – Gives patients rights to access, review, and request corrections to their medical records.
- Standardizes Practices – Sets national standards for healthcare transactions and data sharing.
- Supports Insurance Portability – Ensures patients can maintain health insurance coverage when changing jobs and prohibits discrimination based on pre-existing conditions.
- Enforces Accountability – Establishes penalties for violations and promotes compliance across all healthcare entities.
Identified vs. De-Identified Data
The first question researchers need to ask when working with health data is if they need de-identified or identified data:

Based on this critical decision, the use of identified / de-identified data will determine how the IRB protocol, your inclusion/exclusion criteria, and other project requirements are drafted.
Minimum Necessary Information Requirement
HIPAA requires that only the minimum necessary information be provided for a specific research question. The minimum necessary rule can be found here: Minimum Necessary Requirement | HHS.gov.
This is a critical rule to address when obtaining data for research: projects must have a focused research question and clear inclusion / exclusion criteria. While it is tempting to request all available data and explore it, doing so increases the risk to patients if the data were to leak accidentally or be exposed through a breach. So, at all times, only the smallest dataset necessary to answer the research question should be provided to researchers.
Key to this minimum necessary information requirement is well-defined inclusion / exclusion criteria. Here’s an example of some well-defined criteria:

The Institutional Review Board
- An IRB is a federally mandated ethics committee that reviews research involving human participants to ensure it is ethical, scientifically sound, and minimizes risk.
- The IRB’s mission is to protect the rights, welfare, and privacy of human subjects while supporting responsible scientific advancement.
Why the IRB Matters
- Protects Participants: Reviews and approves studies to safeguard participants’ rights and well-being.
- Balances Risk and Benefit: Evaluates potential risks and ensures they are justified by the expected research benefits.
- Ensures Ethical Conduct: Confirms research follows federal regulations, Mount Sinai policies, and ethical standards.
- Validates Scientific Design: Reviews study methods to ensure sound, justified, and transparent research practices.
- Crucial Distinction for AIR·MS Access: Access to PHI via Artificial Intelligence-Ready Mount Sinai (AIR·MS) requires IRB approval.
Frequently Asked Questions
Q: What are HIPAA compliant environments?
A: These are secure systems or platforms that meet HIPAA standards for guarding protected health information through proper encryption, access controls, and auditing.
Q: What’s the difference between identified and de-identified data?
A: Identified data includes personal information that can directly or indirectly identify an individual (e.g., name, date of birth). De-identified data has had all such identifiers removed so that individuals cannot reasonably be identified.
Q: What is the purpose of the minimum necessary rule?
A: It limits access to or use of PHI to the smallest amount needed to accomplish a task or purpose.
Q: Where can I learn more about inclusion/exclusion criteria for datasets at Mount Sinai?
A: You can learn more about inclusion and exclusion criteria for datasets at Mount Sinai by visiting the Mount Sinai Data Warehouse or Research Informatics website, or by contacting the Mount Sinai IRB or data governance office for specific dataset documentation and guidance.
Q: How long does IRB protocol approval take?
A: Typically, IRB approval can take anywhere from a few weeks to several months, depending on the complexity of the study and the review type (expedited, exempt, or full board).
Q: What’s a DUA and why do I need to sign it?
A: A DUA is a legal contract that governs the sharing of restricted or limited-use data. It protects privacy and defines how the data can be used and safeguarded.
