HIPAA Questions and Policies

1 – Can I use MARCC resources for protected health information covered by HIPAA for my human subject research studies?

A: MARCC has a HIPAA compliant system called “MARCC Secure Environment” (MSE) that can be used for human research studies. It is different than the main cluster Bluecrab, which has been designed to handle “open” data (no-restrictions). Users with approved IRB projects need an additional account on this system. Prospective researchers  need to provide some additional information regarding  the project and the PI needs to include MARCC’s involvement as a research collaborator explicitly in your IRB protocol and in any consent signed by subjects. PIs also need to add a member of MARCC’s group to the research team listed in the IRB application. The PI also needs to enter into an agreement  with MARCC.

2 – What if I have already collected the PHI and did not include MARCC as a research collaborator in my protocol or consent form?

A: You should submit a change in protocol to your IRB to include MARCC’s involvement as a research collaborator on the protocol.

3 – Will MARCC sign a Business Associate Agreement?

A: No. MARCC is a research resource and will collaborate with you on your research needs. MARCC is not a “covered entity,” as that term is defined in HIPAA and will not perform any “covered functions.” Research activities are generally not considered “covered functions” under HIPAA, so MARCC would not be functioning as a “business associate” under HIPAA.

4 – What type of security measures does MARCC have in place?

A: While MARCC is not a “covered entity” or “business associate” under HIPAA, it does maintain security standards and safeguards consistent with the HIPAA Security Rule. Specifically, Multifactor authentication, encrypted data at rest and video monitoring of the facility.

5 – What if my dataset is de-identified under HIPAA or is otherwise identifiable data not subject to HIPAA?

A: If you have confirmation that your dataset is de-identified as required by HIPAA or your data is not otherwise subject to HIPAA, the research project description submitted to the IRB should include the collaboration with MARCC and a member of MARCC’s team needs to be added to the study team. An example would be dbGaP data.

COPY of the Document “Statement of Responsibilities between MARCC and the PI” can be downloaded here

MARCC will be glad to work with any research group. Please contact us at marcc-help@marcc.jhu.edu