DHHS Home Page NC DHHS On-Line Manuals  
     DHHS Manual Home Manual Admin Letters Change Notices Archive Search Index Help Feedback

Previous PageTable of ContentsNext Page



Section VIII:

Privacy and Security


Privacy Manual


Use and Disclosure Policies, Research

Current Effective Date:

11/15/15, 5/1/05

Revision History:

4/14/03, 6/1/04, 11/15/15

Original Effective Date:




HIPAA Privacy Rule establishes the conditions under which individually identifiable health information may be used or disclosed by covered health care component and their internal business associates for research purposes. Research is defined in the privacy rule as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” The HIPAA definition of research also applies to the development of research repositories and research databases. For the purposes of this policy, this definition of research is expanded for institutions operated by the Division of Mental Health, Developmental Disabilities and Substance Abuse Services (DMH/DD/SAS) to include the definition of research provided in North Carolina Administrative Code (NCAC), 10A NCAC 28A.0102, in which “‘research’ means inquiry involving a trial or special observation made under conditions determined by the investigator to confirm or disprove an [sic] hypothesis or to explicate some principle or effect.”

The privacy rule also defines the means by which clients will be informed of uses and disclosures of their individually identifying health information for research purposes, and their rights to access their health information held by covered health care components and internal business associates. Where research is concerned, the privacy rule protects the privacy of individually identifiable health information, while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research.


DHHS agencies conducting research on clients shall have access to an Institutional Review Board established in accordance with the Common Rule (45 CFR 46, Subpart A) that will:

DHHS researchers shall request the individually identifying health information that is the minimum necessary to conduct the research. Whenever possible, DHHS researchers shall request either de-identified data or a limited data set as necessary if either of these is the minimum necessary for conducting the research.

Each DHHS researcher that is a recipient of a limited data set shall sign a data use agreement with the DHHS agency that maintains the information and shall comply with the conditions of that agreement, in accordance with the DHHS policies.

Each DHHS researcher that receives individually identifiable health information from a DHHS covered health care component or internal business associate shall ensure that the information is protected in accordance with the DHHS Privacy Policies.

The requirements in this policy are in addition to (not a replacement for) other policies and regulations for human subjects research.

For treatment purposes, DHHS covered health care components shall contact researchers (either internal or external to DHHS) if a research subject seeks additional health care services from or is admitted into the component for additional treatment.

Researchers External to DHHS

DHHS agencies that receive requests for individually identifying health information from researchers external to DHHS shall require the researcher to submit the request in writing. Research requests must be documented in accordance with the requirements identified in this policy.

Institutional Review Boards

Institutional Review Boards (IRBs) are responsible for reviewing and modifying (to secure approval), disapproving, or approving the following for research involving human subjects:

DHHS agencies conducting research involving human subjects shall either:

DHHS IRBs shall implement and document procedures for normal review as defined in 45 CFR 46.108(b), or expedited review according to the procedures defined by 45 CFR 46.110.

DHHS IRBs shall document all decisions regarding the modification, approval, or disapproval of research protocols, documentation, and requests to waiver or alter the informed consent or authorization requirements. The IRB shall also record meeting minutes and document continuing review activities.

These records shall be maintained for a minimum of three (3) years, as required by 45 CFR 46.115.

Research Conducted with Client Authorization

Unless otherwise permitted by this policy, or required by state or federal law, a client authorization must be obtained prior to the use or disclosure of the subject’s individually identifiable health information for research purposes. Any authorization form received by a DHHS agency from a researcher external to DHHS must contain the following elements to be considered valid: