Human Subjects Research and the HIPAA Privacy Rule
When HIPAA took effect in 2003, it outlined new procedures for collecting and sharing protected health information (“PHI”) in research. Unless one of the exceptions discussed below applies, investigators who wish to use or disclose PHI for research purposes must first obtain a signed authorization from each research subject. Institutions are required to establish a “Privacy Board” to review and approve requests for waivers of authorization for uses and disclosures of PHI for research purposes. At UW-Madison, each Institutional Review Board (IRB) serves as a Privacy Board. Thus, researchers are not obliged to apply to two separate committees/boards.
Mandated Training
According to federal regulations, all institutions governed by HIPAA must train their workforce regarding uses and disclosures of PHI. UW-Madison accomplishes this through online training.
Forms
Accounting for Disclosures
Accounting for Disclosures Guidance: This document provides guidance on when and how researchers are required to account for disclosures of research participants’ PHI. The document includes a link to the REDCap Accounting Log researchers should use when accounting for disclosures.
Authorizations for Use or Disclosure of PHI in Research
Please note, these are templates only. As with your research consent form, your HIPAA authorization form will need to be tailored to fit the particular uses and disclosures of PHI in your study.
Certifications
- Certification for Activities Preparatory to Research: This certification must be signed prior to using PHI in the preparation of a research protocol.
- Certification for Research on the Protected Health Information of Decedents: This certification must be signed when the research, or a distinct part of the research, uses only the protected health information of decedents.
Database Forms and Tools
- Database Decision Tool: This tool is used to determine if a database that is used for research purposes must be registered with the UW-Madison HIPAA Privacy Officer.
- Database Registration and Preparatory to Research Certification for Database Custodian: This form is used to register a database with the UW-Madison Privacy Officer and, when applicable, for the database custodian to certify use of the database in preparation of a research protocol.
Data Use Agreement and Related Forms
Data Use Agreement: This agreement must be completed before receiving or disclosing a Limited Data Set (“LDS”).
- Data Transfer and Use Agreements: Use these forms to disclose or receive an LDS from an external entity.
- Internal Data Use Agreement for Use or Disclosure of a Limited Data Set: This internal data use agreement must be signed when a UW-Madison employee receives a limited data set from within the UW HCC or UW ACE.