Step One: Understand the Rights of Research Subjects
The Privacy Rule grants to subjects in research the following rights regarding their protected health information (PHI):
- A right not to have PHI used in research unless Privacy Rule requirements are satisfied (as further described in this guidance).
- A right, upon request, to an accounting of disclosures of PHI, except for disclosures permitted by a signed authorization.
- A right to revoke an authorization for use or disclosure of PHI for research purposes, to the extent researchers have not already relied on the authorization.
- A right to file complaints with the covered entity and with the federal Department of Health and Human Services.
Accounting for disclosures of Protected Health Information
The Privacy Rule grants to a subject a right to request and receive an accounting for some disclosures of PHI, including disclosures made in connection with certain research projects. An accounting is a record of each disclosure of each subject’s PHI. The right to an accounting only applies to disclosures of PHI, not to uses of PHI. A “disclosure” means that PHI is shared outside of the covered entity (i.e. outside of the UW-Madison Health Care Component or the University of Wisconsin Affiliated Covered Entity).
Subjects have a right to an accounting only of those disclosures made by researchers in connection with protocols conducted with a waiver of authorization. An accounting of disclosures is not required under the following circumstances:
- Disclosure was made pursuant to a patient authorization; or
- You are disclosing a limited data set through a data use agreement; or
- You are disclosing de-identified information.
The Privacy Rule requires you to record the following information using the Accounting for Disclosures Log
- The name of each patient involved in the research whose PHI is disclosed;
- The name and address, if possible, of the person or entity to whom the PHI is disclosed;
- The date of disclosure;
- A brief description of the PHI disclosed; and
- A brief statement of the purpose of the disclosure or a copy of the request for the disclosure.
If multiple disclosures of PHI occur to the same person or entity for the same purpose, then after the first disclosure simply record the frequency of the disclosures and the date of the last disclosure.
Step Two: Plan Your Research Project (Preparatory to Research Activities)
The Privacy Rule applies to the use of protected health information (PHI) in those activities preparatory to research that are necessary to prepare a research protocol for a grant application or IRB review, or for similar purposes preparatory to research. Preparatory to research activities are defined as:
- The development of research questions;
- The determination of study feasibility (in terms of the available number and eligibility of potential study participants);
- The development of eligibility (inclusion and exclusion) criteria; and
- The determination of eligibility for study participation of individual potential subjects.
Per federal guidance, researchers may access PHI in, for example, medical records to determine study feasibility or to identify prospective research participants for purposes of seeking their authorization to use or disclose PHI for a research study. The PHI used to identify prospective research participants could include contact information, diagnosis or condition, and other information necessary to determine study eligibility.
Although the use and disclosure of PHI to determine study eligibility is considered preparatory to research, the actual process used to recruit subjects remains a research activity and requires IRB approval.
A researcher may use PHI for preparatory to research activities only if, before such use, the researcher makes certain representations about the use of PHI by signing a Certification for Activities Preparatory to Research. In addition, researchers who are database custodians may not use their own databases for preparatory to research activities unless they have signed the required Certification for Database Custodians. Instructions on where to file the Certifications are on the forms.
Step Three: Conduct Your Research Involving Protected Health Information
The Privacy Rule affects the use or disclosure of protected health information (PHI) in research protocols. In order to use or disclose PHI in a research protocol, you should:
- Obtain a signed and valid research authorization from each subject, or
- Obtain a waiver of authorization from the IRB (not granted for disclosures), or
- Use one of the following altered forms of PHI as permitted by the Privacy Rule:
Obtaining a Signed and Valid Authorization
The HIPAA Privacy Rule generally requires researchers to obtain the permission of research subjects to use or disclose their PHI for research purposes. This permission is referred to as an authorization. A research authorization is a document signed and dated by a subject/participant that satisfies the requirements of the Privacy Rule and grants permission for the researcher to use and disclose the subject/participant’s PHI to perform the research. A research authorization is the preferred method under the Privacy Rule for researchers to obtain permission to use or disclose PHI. The use of a research authorization is intended to involve a consent process.
Those elements required by the Privacy Rule for the research authorization form include:
- A specific description of the PHI to be used or disclosed.
- Specific identification of the person (or class of people) who are authorized to make the requested use or disclosure.
- Specific identification of the person (or class of people) to whom the covered entity may make the requested use or disclosure.
- A description of each purpose of the requested use or disclosure.
- An expiration date for the authorization, or if none, a statement that the authorization has no expiration date.
- The signature of the individual who is the subject of the PHI and the date the authorization is signed.
- A statement that participation in the research project is conditioned on receipt of the signed authorization.
- A statement that the authorization may be revoked in writing at any time, except to the extent that the researchers and custodian of the PHI have relied on it.
- A statement about the potential for re-disclosure of the PHI and loss of Privacy Rule protections for PHI disclosed to a recipient that is not also a covered entity.
- If research involves placing the PHI collected for the study into the medical record of each research participant or into another formally designated record-keeping system separate from the research records (e.g. OnCore), then the following element should also be included in a valid authorization:
- A statement that information collected for the study will be placed in the subject’s medical record or other research record and that the subject’s right to inspect a copy his or her medical record or research record may be suspended until the research project has been completed.
A copy of the signed authorization must be provided to the subject.
Using one of the UW-Madison’s template research authorization forms, modify the authorization form to include specific details about your study.
Obtaining a Waiver of Authorization
An IRB, under certain circumstances, may allow researchers to forgo obtaining an authorization; this is called a waiver of authorization. A waiver of authorization may be full or partial:
- Full waiver: an IRB waives the requirement for authorization for all uses of PHI for a particular research protocol;
- Partial waiver: an IRB waives the requirement for an authorization only for some uses of PHI for a particular research protocol.
In certain cases, the IRB may require the researcher to obtain permission from subjects for use of their PHI, but may allow the researcher to omit some of the required elements of an authorization. This exception is called an altered authorization. The altered authorization is a type of waiver. For example, an IRB may determine that the signature of a research subject is not required on the authorization when the researcher conducts survey or questionnaire research.
Generally, an IRB cannot grant a waiver of authorization for the use of PHI in a research study that requires the informed consent of individual subjects, or in a study that involves more than minimal risk to subjects. Examples of studies that would not qualify for a waiver of authorization include those involving interventions, such as administration of a drug, or those that require the subject to perform tasks.
An IRB can waive an authorization only if it makes all of the following determinations:
- The researcher has sufficiently justified that the risk to the subjects’ privacy is minimal by having adequate plans to protect the PHI from inappropriate use, and justification for retaining the PHI or plans to destroy the identifiers;
- The researcher has given assurances in the protocol application about not reusing or disclosing the PHI;
- The research cannot be practicably conducted without use of the PHI;
- The research cannot be practicably conducted without the waiver or alteration; and
- The researcher will use only the minimum amount of PHI needed for the research.
If you are applying for a waiver, please refer to the additional Guidelines for Waiver of Authorization or Altered Authorization for an explanation of what information will be needed by the IRB to grant a request for a waiver of authorization or altered authorization.
In the Arrow protocol application, select the option for a request for waiver of authorization or altered authorization in the HIPAA section and complete the additional required requests for information. The research use of PHI cannot commence until IRB approval has been obtained for a waiver or altered authorization.
Obtaining a Limited Data Set
A limited data set (LDS) is an exception to the Privacy Rule requirement for an authorization from the subject for research use of protected health information. A LDS lacks 16 of the 18 identifiers itemized by the Privacy Rule. Specifically, a LDS does NOT include the following direct identifiers:
- Postal address information, other than town or city, State, and zip codes;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints; and
- Full face photographic images and any comparable images.
The difference between a LDS and de-identified information is that a LDS may contain dates and certain geographic information associated with an individual that are absent from de-identified information.
A LDS may contain, for example:
- Dates of birth
- Dates of death
- Dates of service
- Town or city
- Zip code
A LDS may also be coded so that the covered entity (but not the researcher) can re-identify the data set so long as the code is not unique to the individual (e.g. initials + last four digits of SSN).
A covered entity may use or disclose a LDS only for the purpose of research, public health, or health care operations.
Certification for Use or Disclosureof a Limited Data Set (LDS)
If you are employed within the UW-Madison Health Care Component (UW HCC) or the UW Affiliated Covered Entity (UW ACE) and are using a LDS from the same, you must sign the Certification for Use of a Limited Data Set Within the UW Health Care Component or Within theUW AffiliatedCovered Entity.
If you are employed by UW-Madison but are outside of the UW-Madison Health Care Component (UW HCC) and are receiving a LDS from the UW HCC, you must sign the Certification forDisclosure of a Limited Data Set from the UW-Madison Health Care Component to a UW-Madison Employee Outside of the UW HCC.
Data Use Agreement
If you have received a data use agreement from a person or entity outside of UW-Madison, then please refer to the Data Use Agreement Evaluation Formfor a list of elements that must be present in the agreement. Forward the agreement to the Office of Research and Sponsored Programs (RSP) or the Office of Industrial Partnerships (OIP) for signature as outlined below.
If you are disclosing a LDS to a person or entity outside of the UW HCC or the University of Wisconsin Affiliated Covered Entity (UW ACE), please obtain that person’s or entity’s signature on the UW-Madison standard Data Use Agreement and forward the agreement to RSP or OIP for signature as outlined below. Please see Key Definitions for the Data Use Agreement if you are unsure about the meaning of any of the terms used in the data use agreement.
In order for a data use agreement to be valid, it must be signed by the appropriate institutional officials. Use of a LDS without a valid data use agreement in place is a violation of the Privacy Rule. Whether you are using a UW-Madison standard data use agreement, or a data use agreement you received from a person or entity outside of the UW HCC or UW ACE, you must forward the agreement to RSP or OIP for approval and signature by a UW official authorized by the Board of Regents of the University of Wisconsin System to sign contracts. Once the data use agreement is signed by all parties, you may begin using the LDS.
Copies of the certifications or data use agreements for research use of a LDS must be submitted to the IRB with applications for initial review, exemption or change of protocol. The IRB does not approve data use agreements, but needs to maintain copies in its files. If the purpose of the LDS involves a collaboration or a subcontract, the protocol must be approved by a UW IRB and the data use agreement must be signed by a UW signatory prior to disclosure of the LDS.
Using De-identified Information
Privacy Rule requirements do not apply to information that has been de-identified.
The Privacy Rule makes two methods available for de-identifying health information:
- Remove the 18 specific identifiers listed in the Privacy Rule and determine there is no other information that may identify the individual. The identifiers are:
- Geographic subdivisions smaller than a state
- All elements of dates (except year) related to an individual (including dates of admission, discharge, birth, death and, for individuals over 89 years old, the year of birth must not be used)
- Telephone numbers
- FAX numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Device identifiers and serial numbers
- Web URLs
- Internet protocol addresses
- Biometric identifiers (including finger and voice prints)
- Full face photos and comparable images
- Any unique identifying number, characteristic or code
- Obtain an opinion from a qualified statistical expert that the risk of identifying an individual is very small under the circumstances; the methods and justification for the opinion should be documented.
Note: A business associate agreement is generally not an appropriate mechanism to use to obtain access to PHI for research. This is because a business associate is an individual that performs on behalf of the covered entity or assists the covered entity in performing certain business related activities, such as claims processing, billing, benefit management or quality improvement. A researcher is generally not performing a business related activity on behalf of the covered entity when conducting research. However, a business associate agreement may be used when the researcher, who is not a member of the covered entity’s workforce, contracts with the covered entity to access the covered entity’s PHI for the purpose of creating a limited data set or a de-identified data set for his or her research.
Use Only Information from Deceased Individuals
With limited exceptions, the Privacy Rule requires researchers to obtain written authorizations from research subjects before using the subjects’ PHI in the course of that research. One of those exceptions is for the use of decedents’ PHI, after filing an appropriate certification.
If you wish to use the PHI of subjects you know to be deceased, you may use the Privacy Rule exception by making a certification. The certification is appropriate when: (1) the PHI sought via the certification is only that of decedents; (2) you can document the death of each individual if asked to do so; and (3) the PHI is necessary to the research purposes. You may make a certification for research on the PHI of decedents when all subjects in your protocol, or in a distinct part of that protocol, are deceased. Stated another way, the certification is appropriate when your research is specifically directed at the use of PHI of decedents.
If your research protocol involves the use of PHI of both living and non-living subjects, but no distinct part of your protocol is directed at the use of decedent’s PHI, you should not use the process here, but rather obtain an authorization, or seek a waiver of authorization, before using the PHI. It is not necessary to file a certification to continue using PHI of a research subject who dies during the course of your research, as you will have obtained an authorization, or waiver of authorization, for the subject while living that will allow you to continue using that PHI.
The Common Rule does not apply to research involving decedents. Rather, the Common Rule applies only to research involving “human subjects”, who are defined as “living” individuals. However, it is the policy of UW-Madison that the determination as to whether research is exempt under the Common Rule (because the subjects are all deceased), is made by the IRB. Therefore, an exemption application must be submitted to the IRB, even if you believe your research is exempt.
Before you will be permitted to use PHI of decedents for research purposes, you must acknowledge and agree to abide by the Privacy Rule requirements by signing a Certification for Research on the Protected Health Information of Decedents. A certification must be filed for each protocol involving research directed at the use of known decedents’ PHI. Instructions on where to file the certification are on the form.
Step Four: Recognize Special Considerations for Databases, Chart Reviews, Re-Analysis of Data, and Exempt Research
The Privacy Rule applies to the creation of databases containing protected health information (PHI) that are to be used for research purposes, and to the subsequent use of the PHI in a particular research study. All research uses of PHI are subject to the Privacy Rule, even if the research is determined to be exempt under the Common Rule.
The custodian of a database containing PHI that is to be used in preparatory to research activities may require a copy of a signed preparatory to research certification before permitting use of the PHI.
All databases that contain PHI to be used for future unspecified research must be registered by the database custodian. Databases that are created as part of a study to be used only for that single study do not need to be registered. Use the Database Decision Tool to determine if a particular database should be registered. To register a database, complete a Database Registration and Preparatory to Research Certification for Database Custodian form and file the form with the University’s Privacy Officer. Filing instructions are on the database registration form.
2. Re-analyzing Data
The Privacy Rule views the re-analysis of existing data to answer a new research question as the use of PHI in a new protocol. In this case, refer to Step Three above for direction on how to obtain PHI for use in your research.
3. Exempt Research
All research using PHI is subject to the Privacy Rule, even research determined to be exempt under the Common Rule governing the protections for human subjects in research. Privacy Rule regulations apply to exempt research using PHI just as they do to any other research. Frequently, exempt research will satisfy Privacy Rule requirements for a waiver of authorization.
4. Chart Review
Privacy Rule regulations apply to chart review (medical records research) just as they do to any other research use of PHI. Frequently, chart review will satisfy Privacy Rule requirements for a waiver of authorizationif it also satisfies the requirements for a waiver of informed consent under the Common Rule.