Human Subjects Research and the HIPAA Privacy Rule
When HIPAA took effect in 2003, it outlined new procedures for collecting and sharing protected health information (“PHI”) in research. Unless one of the exceptions discussed below applies, investigators who wish to use or disclose PHI for research purposes must first obtain a signed authorization from each research subject. Institutions are required to establish a “Privacy Board” to review and approve requests for waivers of authorization for uses and disclosures of PHI for research purposes. At UW-Madison, each Institutional Review Board (IRB) serves as a Privacy Board. Thus, researchers are not obliged to apply to two separate committees/boards.
Mandated Training
According to federal regulations, all institutions governed by HIPAA must train their workforce regarding uses and disclosures of PHI. UW-Madison accomplishes this through online training.
Forms
-
Accounting of Disclosures
Accounting of Disclosures Log: this log must be used to record all disclosures of research subjects’ protected health information which occur based on an IRB waiver of authorization.
-
Authorizations for Use or Disclosure of PHI in Research
Authorizations for Use or Disclosure of PHI in Research
Please note, these are templates only. As with your research consent form, your HIPAA authorization form will need to be tailored to fit the particular uses and disclosures of PHI in your study.- Research Authorization
- Research Authorization for Children
- Research Authorization Wizard (not for interventional studies)
- Combined Research Consent and Research Authorization Wizard (not for interventional studies)
- Research Authorization — Veterans Affairs (VA)
-
Certifications
- Certification for Activities Preparatory to Research: this certification must be signed prior to using PHI in the preparation of a research protocol.
- Certification for Research on the Protected Health Information of Decedents: this certification must be signed when the research, or a distinct part of the research, uses only the protected health information of decedents.
- Certification for Use of a Limited Data Set within the UW HCC or UW ACE: this certification must be signed when an employee within the health care component or within the affiliated covered entity receives a limited data from the the same.
- Certification for Disclosure of a Limited Data Set to a UW-Madison Employee Outside of the UW HCC this certification must be signed when a UW-Madison employee outside of the health care component receives a limited data set from within the health care component.
-
Database Forms and Tools
- Database_Decision_Tool: this tool is used to determine if a database that is used for research purposes must be registered with the UW-Madison HIPAA Privacy Officer.
- Database Registration and Preparatory to Research Certification for Database Custodian: this form is used to register a database with the UW-Madison Privacy Officer and, when applicable, for the database custodian to certify use of the database in preparation of a research protocol.
-
Data Use Agreement and Related Forms
Data Use Agreement: This agreement must be completed before receiving or disclosing a Limited Data Set (“LDS”).
- DUA when UW receives a LDS
- DUA when UW discloses a LDS
- Data Use Agreement Evaluation Form: Use this form to evaluate another Covered Entity’s DUA when UW-Madison is the intended recipient of a LDS.