Health Insurance Portability and Accountability Act (HIPAA) and the Momentum™ Experiment Scheduling System

 

Overview

HIPAA addresses the mechanisms that are in place for protecting private patient health information. Many departments simply do not obtain private health information in the normal course of conducting Psychology experiments. If this is the case for your department, then the HIPAA regulations may not apply to your research activities or to the activities that the Momentum Experiment Scheduling System helps you monitor. Of course, because each department is unique, it is best for members of your department or University to determine whether the HIPAA privacy rule will apply to your use of the Momentum Experiment Scheduling System.

It is possible, however, depending on decisions made by your institution, that some or all researchers would be required to comply with the HIPAA privacy rules.  This may occur if some part of your institution provides health care even though components of your institution may be involved only in research and may not provide health care.  In this case the HIPAA regulations might apply.

In some departments there is a possibility that health information about a participant would be obtained during the course of research and that such information would be affected by the HIPAA regulations. With respect to the Momentum Experiment Scheduling System, this might occur if a person’s credit in a particular experiment would serve to identify them as having a particular health condition, or if a person’s ability or inability to schedule themselves to participate in a particular experiment or experiments indicates that they do or do not meet certain eligibility criteria and such criteria indicate the presence or absence of specific health conditions. These conditions would be met only if the subject pool coordinator in your department chooses to use features of the Momentum software such as experiment authorization codes, or if they use experiment numbers to code health-related characteristics of the research participants. If you do not use these features, or if you do not use these features to code the type of health information covered by HIPAA, then you do not have to be concerned with the manner in which Experimetrix® Inc. maintains your data.

What if HIPAA does apply -- how will Momentum™ help me comply with the HIPAA regulations?

If health-related information is included in the data that you choose to include in your Momentum database, or if your institution requires that you comply with the HIPAA privacy rule, then Experimetrix® Inc. may be what the HIPAA regulations consider to be a “business associate”. Because we maintain your database for you, it is necessary for us to have access to the information contained in the database. As a covered entity, your obligation is to obtain a written agreement from us in which we describe the mechanisms that are in place to protect the privacy of the health-related information in your database. To be in compliance with HIPAA you must simply decide that the mechanisms and procedures that we describe are reasonable.

Our agreement regarding the treatment of data is as follows:

  • Your subject pool coordinator determines whether any health-related information will be coded in the database. We assume that such information will be only the minimum necessary for performing the function that it is intended to serve.
  • Access to the information is protected by passwords.  Your administrator assigns passwords for each experiment, and only those with an experiment password can determine whether a particular individual has signed up for or received credit for that experiment.  Experimetrix® Inc. does not assign passwords to individual experimenters—that function is performed by your subject pool coordinator.
  • Reports of research participation that are made available to instructors (if you choose to make them available) list only credit and penalty totals for each participant.  They do not contain any health-related information.
  • The database information is housed on a security-hardened computer that is not directly accessible from the internet.
  • Employees of Sona Systems, Ltd. may have access to the information contained in your database as part of performing their necessary functions of maintaining the software and hardware, but the information is protected via passwords and other software and hardware security devices to prevent unauthorized access. Furthermore, the capabilities of the database are such that health-related information is likely to be coded only very cryptically in the database and access to the data would not necessarily reveal the details of the private health information.
  • Research participants have a right under the HIPAA guidelines to obtain access to the covered health information. This information will always be available to participants – they need simply to log in to the website and review their experiment participation information. All health-related information (if any) that is stored in the database would be stored in the form of credits or penalties or appointments in various experiments. This information is always accessible to the participant when they log in. The information is not accessible to the public because it is protected by a password.

® Sona Systems, Ltd.
Experimetrix® is a registered trademark of Sona Systems, Ltd.