Human Subjects Research and the HIPAA Privacy Rule
When HIPAA took effect in 2003, it outlined new procedures for collecting and sharing protected health information (“PHI”) in research. Unless one of the exceptions discussed below applies, investigators who wish to use or disclose PHI for research purposes must first obtain a signed authorization from each research subject. Institutions are required to establish a “Privacy Board” to review and approve requests for waivers of authorization for uses and disclosures of PHI for research purposes. At UW-Madison, each Institutional Review Board (IRB) serves as a Privacy Board. Thus, researchers are not obliged to apply to two separate committees/boards.
See the additional FAQs, Definitions, Forms, and Guidance for using and disclosing PHI in research for more information.
According to federal regulations, all institutions governed by HIPAA must train their workforce regarding uses and disclosures of PHI. UW-Madison accomplishes this through online training.
Research Proposal Requirements Summary
For more details, see the Research Guidance page.
Requirements for new research proposals:
Researchers should prepare and submit their research protocols for IRB review and submit their HIPAA-related documents to the IRB at the same time. Researchers whose new protocols involve PHI should either:
- Collect written authorization from subjects for the use and/or disclosure of their PHI in research;
- Ask the IRB for a waiver of authorization;
- Use a limited data set (“LDS”) subject to an executed data use agreement; or
- De-identify the data.
In addition, there are two circumstances under which IRB approval is not required but in which a researcher must make representations under HIPAA if they are doing work with PHI.
- Research on decedents. You will be required to fill out a form and certify to the office that holds the data that you meet certain requirements.
- Preparatory to research activities (e.g. review of medical records, data bases, etc.) in order to design a research protocol.