General Compliance Information
Our software includes a number of features that ensure the protection of research participants' rights and satisfy your IRB (Institutional Review Board, also known as an REB, HSB, or Ethics Board). All the compliance features are optional, so you may activate or deactivate them based on what your IRB thinks is best.
The system can be configured so students are identified to researchers only by a unique, numeric identity code to protect their privacy. Students never see a list of who else has signed up for a study. You can also require that a study is not made visible to students until the administrator has reviewed the study description to ensure it is in line with the text approved by the IRB (and does not contain coercive text). You may also require that researchers provide an IRB approval code and an expiration date for the approval. If this is specified, the system will ensure no sessions are scheduled after the expiration date, and it will automatically deactivate the study once its IRB approval expires.
Our system uses terminology that follows the APA guidelines for research participation pools. The system can require electronic acknowledgment that students and researchers have read the human subjects and privacy policies and agree to the terms therein.
U.S. Compliance Description
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers a wide range of research and health care issues involving the privacy and security of information about human subjects. Stiff criminal and civil penalties may be imposed for non-compliance. Our software fully complies with all current HIPAA regulations, as well as the Common Rule (45 CFR 46) regarding human subject research.
Most research universities will self-classify as either a Covered Entity or a Hybrid Entity. Your HIPAA compliance requirements will vary depending on this classification and on how your department is classified within this scheme. Your IRB is the group within your university that will have this information. Many universities are planning to require HIPAA compliance for all human subject research, to minimize liability.
U.S. Compliance Features
Our software automatically implements all requirements of the regulations, including ensuring proper protection of privacy and data security. We follow the Software Engineering Institute guidelines for software development and routinely audit our software for compliance. Our data center is in a secure, staffed location, and the data servers are secured behind multiple firewalls.
Our software includes the proper privacy policies, strictly following the guidance provided by HHS to ensure compliance. The software also includes a facility for research subjects to electronically review and acknowledge the policy prior to using the system.
Because compliance is more than just software, we include sample HIPAA training manuals for your researchers and administrators to educate them on the non-software HIPAA compliance procedures they must follow. You may use these directly or modify them to your institution's specific needs.
All our service agreements include the proper Business Associate contract provisions, as required by the regulations. As a company, Sona Systems fully complies with all the data handling requirements a Business Associate must meet.
U.S. Compliance FAQ
I thought HIPAA was for health plans and doctors' offices. Why does it apply to university human subject research?
While a large portion of the HIPAA regulations does focus on health plans and doctors' offices, there is a distinct section specifically governing research when it is performed on human subjects.
My IRB said I do not need to comply with HIPAA, but this information seems to indicate I do. Who is right?
The HIPAA regulations are somewhat unclear when it comes to university research, especially in the psychology field. Our HIPAA experts will be happy to speak with your IRB and come to a final determination on the matter.
My IRB and your HIPAA experts spoke, and my department is one of the few cases where HIPAA does not apply. Is there any reason to be concerned with it for the future?
Yes. If you plan to share your research with entities that must be HIPAA-compliant, you will need to follow a procedure for de-identifying the data, or bring your own research into HIPAA compliance. Also, many universities are requiring HIPAA compliance for all their human subject research, so you may need to prepare for this possibility in the future.
Can my IRB just grant a waiver so I don't have to worry about HIPAA?
There are provisions for an IRB to waive informed consent in special research situations, but an IRB cannot waive a subject's right to privacy and security of their information. Thus, compliance is still necessary if your IRB determines you are an entity that must be compliant.
I took a look at the HIPAA regulations, and the privacy regulations alone are 30 pages of fine print. How can anyone be expected to comply?
We have taken the numerous pages of regulations and integrated all the necessary information into our software and training guides. If you use our software and training guides, you'll never need to look at the regulations again.
Canadian Compliance
Since 2002, universities performing human subject research must comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). Most universities must also comply with the Tri-Council Policy Statement governing human subject research. These rules were established by the three main research organizations in Canada: NSERC, CIHR, and SSHRC.
Our software provides full compliance with both sets of regulations. In addition, we include the necessary training guidelines and instructions in our user documentation, as required by these regulations.
A variety of Canadian regulations and provincial laws restrict the storage of data in the US because of the US Patriot Act. All the sites for our Canadian customers are located on our servers in a datacenter in Toronto, and backups are stored in the European Union. Data for our Canadian customers never resides in the US.
European Union Compliance
The European Union Directive on Data Privacy (EU Directive) governs the electronic storage of information in research situations. All universities that must comply with EU regulations must also be in compliance with the Directive.
Our software provides full compliance with these regulations. Our user documentation also includes all the necessary wording and outlines procedures for how to properly respond to an information request. Finally, the software can automatically enforce and ensure electronic consent and acknowledgment of the policy statements by users, as required by EU regulations.
Other Country Compliance
Universities that do not fall under American, Canadian, or EU jurisdiction generally must comply with the OECD rules for data privacy. When the software is configured to enforce EU regulations, it also complies with the OECD rules, as the EU regulations are based on them. If your university has more specific needs, we can work with you to ensure that the software enforces compliance.