University of Wisconsin–Madison

HIPAA – Researchers

Research Proposal Requirements

New Proposals

Researchers should prepare and submit their research protocols for IRB review and submit their HIPAA-related documents to the IRB at the same time. Researchers whose new protocols involve PHI should either:

  1. Collect written authorization from subjects for the use and/or disclosure of their PHI in research;
  2. Ask the IRB for a waiver of authorization;
  3. Use a limited data set (“LDS”) subject to an executed data use agreement; or
  4. De-identify the data.

In addition, there are two circumstances in which IRB approval is not required but a researcher working with PHI must still make representations (certifications) under HIPAA:

  1. Research on decedents. You will be required to fill out a form and certify to the office that holds the data that you meet certain requirements.
  2. Preparatory to research activities (e.g. review of medical records, data bases, etc.) in order to design a research protocol.

Proposal Guidelines

Step One: Understand the Rights of Research Subjects

The Privacy Rule grants to subjects in research the following rights regarding their protected health information (PHI):

  • A right not to have PHI used in research unless Privacy Rule requirements are satisfied (as further described in this guidance).
  • A right, upon request, to an accounting of disclosures of PHI, except for disclosures permitted by a signed authorization.
  • A right to revoke an authorization for use or disclosure of PHI for research purposes, to the extent researchers have not already relied on the authorization.
  • A right to file complaints with the covered entity and with the federal Department of Health and Human Services.

Accounting for disclosures of Protected Health Information

The Privacy Rule grants to a subject a right to request and receive an accounting for some disclosures of PHI, including disclosures made in connection with certain research projects. An accounting is a record of each disclosure of each subject’s PHI. The right to an accounting only applies to disclosures of PHI, not to uses of PHI. A “disclosure” means that PHI is shared outside of the covered entity (i.e. outside of the UW-Madison Health Care Component or the University of Wisconsin Affiliated Covered Entity).

Subjects have a right to an accounting only of those disclosures made by researchers in connection with protocols conducted with a waiver of authorization. An accounting of disclosures is not required under the following circumstances:

  1. Disclosure was made pursuant to a patient authorization; or
  2. You are disclosing a limited data set through a data use agreement; or
  3. You are disclosing de-identified information.

Action Needed

The Privacy Rule requires you to record the following information using the Accounting for Disclosures Log

  1. The name of each patient involved in the research whose PHI is disclosed;
  2. The name and address, if possible, of the person or entity to whom the PHI is disclosed;
  3. The date of disclosure;
  4. A brief description of the PHI disclosed; and
  5. A brief statement of the purpose of the disclosure or a copy of the request for the disclosure.

If multiple disclosures of PHI occur to the same person or entity for the same purpose, then after the first disclosure simply record the frequency of the disclosures and the date of the last disclosure.

Step Two: Plan Your Research Project (Preparatory to Research Activities)

The Privacy Rule applies to the use of protected health information (PHI) in those activities preparatory to research that are necessary to prepare a research protocol for a grant application or IRB review, or for similar purposes preparatory to research. Preparatory to research activities are defined as:

  1. The development of research questions;
  2. The determination of study feasibility (in terms of the available number and eligibility of potential study participants);
  3. The development of eligibility (inclusion and exclusion) criteria; and
  4. The determination of eligibility for study participation of individual potential subjects.

Per federal guidance, researchers may access PHI in, for example, medical records to determine study feasibility or to identify prospective research participants for purposes of seeking their authorization to use or disclose PHI for a research study. The PHI used to identify prospective research participants could include contact information, diagnosis or condition, and other information necessary to determine study eligibility.

Although the use and disclosure of PHI to determine study eligibility is considered preparatory to research, the actual process used to recruit subjects remains a research activity and requires IRB approval.

Action Needed

A researcher may use PHI for preparatory to research activities only if, before such use, the researcher makes certain representations about the use of PHI by signing a Certification for Activities Preparatory to Research. In addition, researchers who are database custodians may not use their own databases for preparatory to research activities unless they have signed the required Certification for Database Custodians. Instructions on where to file the Certifications are on the forms.

Step Three: Conduct Your Research Involving Protected Health Information

The Privacy Rule affects the use or disclosure of protected health information (PHI) in research protocols. In order to use or disclose PHI in a research protocol, you should:

  1. Obtain a signed and valid research authorization from each subject, or
  2. Obtain a waiver of authorization from the IRB (not granted for disclosures), or
  3. Use one of the alternatives permitted by the Privacy Rule and described in the sections below: a limited data set under a data use agreement, de-identified information, or, for research directed solely at decedents, a decedent certification.

Obtain a Signed and Valid Authorization

The HIPAA Privacy Rule generally requires researchers to obtain the permission of research subjects to use or disclose their PHI for research purposes. This permission is referred to as an authorization. A research authorization is a document signed and dated by a subject/participant that satisfies the requirements of the Privacy Rule and grants permission for the researcher to use and disclose the subject/participant’s PHI to perform the research. A research authorization is the preferred method under the Privacy Rule for researchers to obtain permission to use or disclose PHI. The use of a research authorization is intended to involve a consent process.

Those elements required by the Privacy Rule for the research authorization form include:

  1. A specific description of the PHI to be used or disclosed.
  2. Specific identification of the person (or class of people) who are authorized to make the requested use or disclosure.
  3. Specific identification of the person (or class of people) to whom the covered entity may make the requested use or disclosure.
  4. A description of each purpose of the requested use or disclosure.
  5. An expiration date for the authorization, or if none, a statement that the authorization has no expiration date.
  6. The signature of the individual who is the subject of the PHI and the date the authorization is signed.
  7. A statement that participation in the research project is conditioned on receipt of the signed authorization.
  8. A statement that the authorization may be revoked in writing at any time, except to the extent that the researchers and custodian of the PHI have relied on it.
  9. A statement about the potential for re-disclosure of the PHI and loss of Privacy Rule protections for PHI disclosed to a recipient that is not also a covered entity.
  10. If research involves placing the PHI collected for the study into the medical record of each research participant or into another formally designated record-keeping system separate from the research records (e.g. OnCore), then the following element should also be included in a valid authorization:
    • A statement that information collected for the study will be placed in the subject’s medical record or other research record and that the subject’s right to inspect or obtain a copy of his or her medical record or research record may be suspended until the research project has been completed.

In addition, a copy of the signed authorization must be provided to the subject.

Action Needed

Using one of UW-Madison’s template research authorization forms, above, modify the authorization form to include the specific details of your study.


Obtain a Waiver of Authorization

An IRB, under certain circumstances, may allow researchers to forgo obtaining an authorization; this is called a waiver of authorization. A waiver of authorization may be full or partial:

  • Full waiver: an IRB waives the requirement for authorization for all uses of PHI for a particular research protocol;
  • Partial waiver: an IRB waives the requirement for an authorization only for some uses of PHI for a particular research protocol.

In certain cases, the IRB may require the researcher to obtain permission from subjects for use of their PHI, but may allow the researcher to omit some of the required elements of an authorization. This exception is called an altered authorization. The altered authorization is a type of waiver. For example, an IRB may determine that the signature of a research subject is not required on the authorization when the researcher conducts survey or questionnaire research.

Generally, an IRB cannot grant a waiver of authorization for the use of PHI in a research study that requires the informed consent of individual subjects, or in a study that involves more than minimal risk to subjects. Examples of studies that would not qualify for a waiver of authorization include those involving interventions, such as administration of a drug, or those that require the subject to perform tasks.

An IRB can waive an authorization only if it makes all of the following determinations:

  1. The researcher has sufficiently justified that the risk to the subjects’ privacy is minimal by having adequate plans to protect the PHI from inappropriate use, and justification for retaining the PHI or plans to destroy the identifiers;
  2. The researcher has given assurances in the protocol application about not reusing or disclosing the PHI;
  3. The research cannot be practicably conducted without use of the PHI;
  4. The research cannot be practicably conducted without the waiver or alteration; and
  5. The researcher will use only the minimum amount of PHI needed for the research.

If you are applying for a waiver, please refer to the additional Guidelines for Waiver of Authorization or Altered Authorization for an explanation of what information will be needed by the IRB to grant a request for a waiver of authorization or altered authorization.

Action Needed

In the ARROW protocol application, select the option for a request for waiver of authorization or altered authorization in the HIPAA section and complete the additional information requested. The research use of PHI cannot commence until IRB approval has been obtained for the waiver or altered authorization.


Obtain a Limited Data Set

A limited data set (LDS) is an exception to the Privacy Rule requirement for an authorization from the subject for research use of protected health information. A LDS lacks 16 of the 18 identifiers itemized by the Privacy Rule. Specifically, a LDS does NOT include the following direct identifiers:

  1. Name
  2. Postal address information, other than town or city, State, and zip codes;
  3. Telephone numbers;
  4. Fax numbers;
  5. Electronic mail addresses;
  6. Social security numbers;
  7. Medical record numbers;
  8. Health plan beneficiary numbers;
  9. Account numbers;
  10. Certificate/license numbers;
  11. Vehicle identifiers and serial numbers, including license plate numbers;
  12. Device identifiers and serial numbers;
  13. Web Universal Resource Locators (URLs);
  14. Internet Protocol (IP) address numbers;
  15. Biometric identifiers, including finger and voice prints; and
  16. Full face photographic images and any comparable images.

The difference between a LDS and de-identified information is that a LDS may contain dates and certain geographic information associated with an individual that are absent from de-identified information.

A LDS may contain, for example:

  1. Dates of birth
  2. Dates of death
  3. Dates of service
  4. Town or city
  5. State
  6. Zip code

A LDS may also be coded so that the covered entity (but not the researcher) can re-identify the data set, so long as the code is not derived from or related to information about the individual. A code built from initials plus the last four digits of the SSN, for example, is not an acceptable re-identification code.

A covered entity may use or disclose a LDS only for the purpose of research, public health, or health care operations.

Action Needed

Certification for Use or Disclosure of a Limited Data Set (LDS): If you are employed within the UW-Madison Health Care Component (UW HCC) or the UW Affiliated Covered Entity (UW ACE) and are using a LDS from the same, you must sign the Certification for Use of a Limited Data Set Within the UW Health Care Component or Within the UW Affiliated Covered Entity.

If you are employed by UW-Madison but are outside of the UW-Madison Health Care Component (UW HCC) and are receiving a LDS from the UW HCC, you must sign the Certification for Disclosure of a Limited Data Set from the UW-Madison Health Care Component to a UW-Madison Employee Outside of the UW HCC.

Data Use Agreement: If you have received a data use agreement from a person or entity outside of UW-Madison, then please refer to the Data Use Agreement Evaluation Form for a list of elements that must be present in the agreement. Forward the agreement to the Office of Research and Sponsored Programs (RSP) or the Office of Industrial Partnerships (OIP) for signature as outlined below.

If you are disclosing a LDS to a person or entity outside of the UW HCC or the University of Wisconsin Affiliated Covered Entity (UW ACE), please obtain that person’s or entity’s signature on the UW-Madison standard Data Use Agreement and forward the agreement to RSP or OIP for signature as outlined below. Please see Key Definitions for the Data Use Agreement if you are unsure about the meaning of any of the terms used in the data use agreement.

In order for a data use agreement to be valid, it must be signed by the appropriate institutional officials. Use of a LDS without a valid data use agreement in place is a violation of the Privacy Rule. Whether you are using a UW-Madison standard data use agreement, or a data use agreement you received from a person or entity outside of the UW HCC or UW ACE, you must forward the agreement to RSP or OIP for approval and signature by a UW official authorized by the Board of Regents of the University of Wisconsin System to sign contracts. Once the data use agreement is signed by all parties, you may begin using the LDS.

IRB Submission: Copies of the certifications or data use agreements for research use of a LDS must be submitted to the IRB with applications for initial review, exemption or change of protocol. The IRB does not approve data use agreements, but needs to maintain copies in its files. If the purpose of the LDS involves a collaboration or a subcontract, the protocol must be approved by a UW IRB and the data use agreement must be signed by a UW signatory prior to disclosure of the LDS.


Use De-identified Information

Privacy Rule requirements do not apply to information that has been de-identified.

Action Needed

The Privacy Rule makes two methods available for de-identifying health information:

  1. Remove the 18 specific identifiers listed in the Privacy Rule and determine there is no other information that may identify the individual. The identifiers are:
    • Name
    • Geographic subdivisions smaller than a state
    • All elements of dates (except year) directly related to an individual, including dates of admission, discharge, birth and death; for individuals over 89 years old, all elements of dates including the year of birth must be removed, except that such individuals may be aggregated into a single category of age 90 or older
    • Telephone numbers
    • FAX numbers
    • Electronic mail addresses
    • Social Security numbers
    • Medical record numbers
    • Health plan beneficiary numbers
    • Account numbers
    • Certificate/license numbers
    • Vehicle identifiers and serial numbers including license plates
    • Device identifiers and serial numbers
    • Web URLs
    • Internet protocol addresses
    • Biometric identifiers (including finger and voice prints)
    • Full face photos and comparable images
    • Any unique identifying number, characteristic or code
  2. Obtain an opinion from a qualified statistical expert that the risk of identifying an individual is very small under the circumstances; the methods and justification for the opinion should be documented.
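The following is an added example, not part of the UW-Madison guidance, that applies the two identifier lists above (the 16 direct identifiers a limited data set must lack, and the Safe Harbor list that additionally strips sub-state geography, date elements other than the year, and the birth year of anyone over 89) to a single record, and then checks the result for identifiers that survive in free text. All field names, the regular expressions, the reference date and the sample record are constructed for illustration.

```python
"""Added example (not part of the UW-Madison guidance): build a limited data
set (LDS) and a Safe Harbor de-identified record from one PHI record, using the
identifier lists in the two sections above. All field names, the regex checks,
the reference date and the sample record are constructed for illustration."""
from __future__ import annotations

import re
from datetime import date

# The 16 direct identifiers an LDS must not contain (field names are assumed).
LDS_DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
# Geography an LDS may keep but Safe Harbor must drop (smaller than a state).
SUB_STATE_GEO = {"city", "zip"}
# Dates an LDS may keep in full; Safe Harbor keeps only the year.
DATE_FIELDS = {"birth_date", "death_date", "service_date"}

# Patterns for identifiers that survive in free text (e.g. a note field).
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

REFERENCE_DATE = date(2024, 1, 1)  # date used to compute ages (assumed)


def make_limited_data_set(record: dict) -> dict:
    """Remove the 16 direct identifiers; dates, city, state and zip stay."""
    return {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}


def _age_on(birth: date, ref: date) -> int:
    return ref.year - birth.year - ((ref.month, ref.day) < (birth.month, birth.day))


def make_safe_harbor(record: dict, reference: date = REFERENCE_DATE) -> dict:
    """Apply the Safe Harbor list: the 16 direct identifiers, sub-state
    geography and all date elements except the year are removed; anyone over
    89 loses the birth year too and is reported only as the category "90+"."""
    out = make_limited_data_set(record)
    for k in SUB_STATE_GEO:
        out.pop(k, None)
    birth = record.get("birth_date")
    over_89 = isinstance(birth, date) and _age_on(birth, reference) > 89
    for k in DATE_FIELDS:
        v = out.pop(k, None)
        if isinstance(v, date):
            out[k + "_year"] = v.year
    if over_89:
        out.pop("birth_date_year", None)
        out["age_category"] = "90+"
    return out


def residual_identifier_scan(record: dict) -> list[tuple[str, str]]:
    """Return (field, pattern_name) for identifier-like strings left in free
    text. Stripping fields does not catch a phone number typed into a note."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            for label, pat in RESIDUAL_PATTERNS.items():
                if pat.search(value):
                    hits.append((field, label))
    return hits


# Constructed sample record (not real data).
SAMPLE_PHI = {
    "name": "Jane Q. Public",
    "street_address": "123 Main St",
    "city": "Madison", "state": "WI", "zip": "53706",
    "phone": "608-555-0100", "email": "jqp@example.org",
    "ssn": "123-45-6789", "mrn": "MRN0012345",
    "birth_date": date(1930, 5, 1),
    "service_date": date(2023, 3, 14),
    "diagnosis": "I10",
    "notes": "Pt called back at 608-555-0100 re: results",
}

if __name__ == "__main__":
    lds = make_limited_data_set(SAMPLE_PHI)
    deid = make_safe_harbor(SAMPLE_PHI)
    print("LDS:", lds)
    print("Safe Harbor:", deid)
    # Both still carry the phone number hidden in the free-text note.
    print("residual identifiers in LDS:", residual_identifier_scan(lds))
    print("residual identifiers in Safe Harbor:", residual_identifier_scan(deid))
```

Two caveats. First, the field-level stripping is only the structural half of Safe Harbor: the last item on the list above ("any unique identifying number, characteristic or code") and the requirement that the covered entity have no actual knowledge that the remaining information could identify the individual are not something a script can certify, which is why the free-text scan exists and why its output should be reviewed rather than trusted. Second, the regulation itself allows the first three digits of a zip code to be retained when the corresponding geographic unit is large enough; the code above follows the stricter reading on this page and drops sub-state geography entirely.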

Note: A business associate agreement is generally not an appropriate mechanism for obtaining access to PHI for research. A business associate is a person or entity that performs, on behalf of the covered entity, or assists the covered entity in performing, certain business-related activities such as claims processing, billing, benefit management or quality improvement. A researcher conducting research is generally not performing a business-related activity on behalf of the covered entity. However, a business associate agreement may be used when a researcher who is not a member of the covered entity’s workforce contracts with the covered entity to access its PHI for the purpose of creating a limited data set or a de-identified data set for his or her research.


Use Only Information from Deceased Individuals

With limited exceptions, the Privacy Rule requires researchers to obtain written authorizations from research subjects before using the subjects’ PHI in the course of that research. One of those exceptions is for the use of decedents’ PHI, after filing an appropriate certification.

If you wish to use the PHI of subjects you know to be deceased, you may use the Privacy Rule exception by making a certification. The certification is appropriate when: (1) the PHI sought via the certification is only that of decedents; (2) you can document the death of each individual if asked to do so; and (3) the PHI is necessary to the research purposes. You may make a certification for research on the PHI of decedents when all subjects in your protocol, or in a distinct part of that protocol, are deceased. Stated another way, the certification is appropriate when your research is specifically directed at the use of PHI of decedents.

If your research protocol involves the use of PHI of both living and non-living subjects, but no distinct part of your protocol is directed at the use of decedent’s PHI, you should not use the process here, but rather obtain an authorization, or seek a waiver of authorization, before using the PHI. It is not necessary to file a certification to continue using PHI of a research subject who dies during the course of your research, as you will have obtained an authorization, or waiver of authorization, for the subject while living that will allow you to continue using that PHI.

Action Needed

The Common Rule does not apply to research involving decedents. Rather, the Common Rule applies only to research involving “human subjects”, who are defined as “living” individuals. However, it is the policy of UW-Madison that the determination as to whether research is exempt under the Common Rule (because the subjects are all deceased) is made by the IRB. Therefore, an exemption application must be submitted to the IRB, even if you believe your research is exempt.

Before you will be permitted to use PHI of decedents for research purposes, you must acknowledge and agree to abide by the Privacy Rule requirements by signing a Certification for Research on the Protected Health Information of Decedents. A certification must be filed for each protocol involving research directed at the use of known decedents’ PHI. Instructions on where to file the certification are on the form.

Step Four: Recognize Special Considerations for Databases, Chart Reviews, Re-Analysis of Data, and Exempt Research

1. Databases

The Privacy Rule applies to the creation of databases containing protected health information (PHI) that are to be used for research purposes, and to the subsequent use of the PHI in a particular research study. All research uses of PHI are subject to the Privacy Rule, even if the research is determined to be exempt under the Common Rule.

The custodian of a database containing PHI that is to be used in preparatory to research activities may require a copy of a signed preparatory to research certification before permitting use of the PHI.

Action Needed

All databases that contain PHI to be used for future unspecified research must be registered by the database custodian. Databases that are created as part of a study to be used only for that single study do not need to be registered. Use the Database Decision Tool to determine if a particular database should be registered. To register a database, complete a Database Registration and Preparatory to Research Certification for Database Custodian form and file the form with the University’s Privacy Officer. Filing instructions are on the database registration form.

2. Re-analyzing Data

The Privacy Rule views the re-analysis of existing data to answer a new research question as the use of PHI in a new protocol. In this case, refer to Step Three above for direction on how to obtain PHI for use in your research.

3. Exempt Research

All research using PHI is subject to the Privacy Rule, even research determined to be exempt under the Common Rule governing the protections for human subjects in research. Privacy Rule regulations apply to exempt research using PHI just as they do to any other research. Frequently, exempt research will satisfy Privacy Rule requirements for a waiver of authorization.

4. Chart Review

Privacy Rule regulations apply to chart review (medical records research) just as they do to any other research use of PHI. Frequently, chart review will satisfy Privacy Rule requirements for a waiver of authorization if it also satisfies the requirements for a waiver of informed consent under the Common Rule.

FAQS

For additional FAQs about HIPAA, see HIPAA Overview.

How is “research” defined by the Privacy Rule?

Who qualifies as a “researcher”?

When does the Privacy Rule apply to me as a researcher?

What is “individually identifiable health information”?

Does HIPAA apply to my research even if I am not a health care provider?

How does HIPAA affect a research study that also involves health care treatment?

What is the relationship between HIPAA and the “Common Rule” for the protection of human subjects?

What are the HIPAA requirements for using or disclosing PHI in research?

Can I disclose PHI as part of my research?

Is PHI ever created within the course of conducting research?

When is individually identifiable health information created within a research study not PHI?

Does HIPAA regulate how PHI created in the course of a research study is handled?

Can I use Box or Electronic Laboratory Notebook (ELN) to store my data set containing PHI?

What is a research authorization?

How is an authorization form different than an informed consent form?

How do I obtain an authorization to use and/or disclose PHI in my research?

What if the human research participant revokes the authorization?

What is a waiver of authorization?

How is a waiver of authorization different than a waiver of informed consent?

How do I obtain a waiver of authorization to use PHI in my research?

How does HIPAA apply to the recruitment of study participants?

May I use e-mail to communicate with research subjects?

What is a de-identified data set?

What are the requirements for obtaining and using a de-identified data set for my research?

My data set is coded. Does this qualify as “de-identified”?

If a data set identifies the site from which the data has been disclosed, does the geographic location of the site constitute an identifier?

What is a limited data set?

What are the requirements for using a limited data set?

How do I obtain a limited data set for use in my research?

Can a business associate agreement be used to obtain PHI from a covered entity for research purposes?

What uses of PHI are permitted under HIPAA in a review preparatory to research?

How does HIPAA apply to research using the PHI of decedents?

Can subjects authorize the use of their PHI for future, unspecified research (such as for collection and storage in a data base)?

Does HIPAA permit me to share data with other researchers not part of my study team?

How do I report a breach or other concern related to HIPAA?


How is “research” defined by the Privacy Rule?
Research has the same definition in the Privacy Rule as it does in the Common Rule. Research means a systematic investigation, including research development, testing, and evaluation, designed to contribute to generalizable knowledge.

Who qualifies as a “researcher”?
UW-Madison employees, trainees, or students who conduct research involving human subjects. Researchers include investigators, research staff, postdocs, fellows, residents, graduate students, undergraduate students and others who collaborate in UW-Madison human subjects research, including employees of the University of Wisconsin Hospital and Clinics Authority and the University of Wisconsin Medical Foundation.

When does the Privacy Rule apply to me as a researcher?
The Privacy Rule applies if you collect individually identifiable health information directly from subjects or from medical records or other databases, and either (1) you are a researcher with an appointment within the UW-Madison Health Care Component (UW HCC) or the UW Affiliated Covered Entity (UW ACE), or (2) you are a researcher with an appointment outside of the UW HCC or UW ACE but you are collaborating on a research study in which the principal investigator is within the UW HCC or UW ACE.

What is “individually identifiable health information”?
Individually identifiable health information is a subset of health information, including demographic information, that (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for the provision of health care to an individual; and (3) identifies the individual, or for which there is a reasonable basis to believe the information can be used to identify the individual.

Does HIPAA apply to my research even if I am not a health care provider?
Yes, if as part of your research you are seeking to use individually identifiable health information from records in the custody of a “covered entity” (most health care providers, health plans, and health care clearinghouses), then HIPAA applies to your access to and use of that data whether or not you are a health care provider.

How does HIPAA affect a research study that also involves health care treatment?
HIPAA requires that research study subjects who will receive health care as part of the study authorize the use of their PHI in that research — or that a privacy board or Institutional Review Board (IRB) waive the authorization requirement — regardless of the consent for treatment. Additionally, any research-generated PHI that may be applied to treatment decisions is subject to HIPAA’s medical record requirements.

What is the relationship between HIPAA and the Common Rule for the protection of human subjects?
While the Common Rule addresses issues related to consent of subjects to participate in research, HIPAA addresses issues related to the subjects’ authorization to have their health information used or disclosed as part of a research study, and how that health information must be protected. The consent and authorization form may be combined. While the Common Rule and HIPAA have some similarities, such as the definition of research, there are many differences as well. For example, HIPAA does not contain the same exemptions from IRB review as the Common Rule.

What are the HIPAA requirements for using or disclosing PHI in research?
HIPAA regulates how covered entities may share PHI with researchers who are part of the covered entity, or how they may disclose PHI to researchers who are not part of the covered entity. HIPAA permits a covered entity to share PHI with, or disclose PHI to, researchers only through the following six options:

  1. Review of PHI solely in preparation for research, without collecting or using the PHI for research – commonly called “preparatory to research” activities (HIPAA requires the researcher to make certain attestations to the covered entity about the use).
  2. A signed patient authorization is obtained from the individual whose PHI is sought for research.
  3. Waiver by an IRB of the authorization requirement for use of individually identifiable PHI for research.
  4. Complete de-identification of the data.
  5. Conversion of the PHI to a limited data set (HIPAA requires the researcher to enter into a data use agreement).
  6. Use of PHI solely of decedents (HIPAA requires the researcher to make certain attestations to the covered entity about the use).

Can I disclose PHI as part of my research?
“Disclosure” of PHI under the Privacy Rule means that you are sharing PHI outside of the UW-Madison Health Care Component (UW HCC) or outside of the UW Affiliated Covered Entity (UW ACE). A disclosure of PHI for research may only occur if you have authorization to do so from the subject. UW-Madison IRBs do not approve requests to disclose PHI under a waiver of authorization. Alternatively, you may disclose a de-identified data set or, with a data use agreement in place, you may disclose a limited data set.

Is PHI ever created within the course of conducting research?
Yes. When a health care activity is performed within the research study itself, any clinical information about the subject that is generated within the research is PHI and is subject to all the HIPAA regulations that apply to PHI. For example, clinical information generated within a research study may be simultaneously entered into the electronic health record of an individual patient and into the research data set intended to produce generalizable knowledge. The research use of the PHI and protection of the privacy and security of the research data set must be in accord with the terms and conditions of the IRB approval, the informed consent and the authorization, relevant institutional policies on data privacy and security, and applicable HIPAA privacy and security regulations.

When is individually identifiable health information that is created within a research study not PHI?
When the principal investigator is not part of the UW-Madison Health Care Component (UW HCC) or the UW Affiliated Covered Entity (UW ACE), the study does not involve health care treatment by a health care provider, and the health information created within the study is not expected to be shared by the researchers with the subject’s health care provider or placed in the subject’s electronic health record. For example, if researchers solely within the Department of Kinesiology conduct an exercise study that collects personal health data directly from the research participant and includes some health screening testing (blood pressure measurements, etc.), this data is not health information that is protected by HIPAA.

Does HIPAA regulate how PHI created in the course of a research study is handled?
Yes, when clinical treatment is performed in the course of a research study (e.g. a therapeutic trial studying the safety and efficacy of a new cancer drug), the information must be handled in accord with the appropriate medical practices regarding entry of the individual’s treatment data into the medical record. The research use of the information must be authorized in the HIPAA authorization and informed consent documents that the research participant signs. These documents should specify how PHI created in the course of a research study will be treated, for example:

  • how PHI will be used in the research study,
  • whether any of the data will be entered into the medical record, and
  • whether the information will be shared with any health plan for payment purposes for any activities included within the study participation.

Can I use Box or Electronic Laboratory Notebook (ELN) to store my data set containing PHI?
At present, only the School of Medicine and Public Health has been approved by the Chief Information Security Officer to use Box to store data or other information containing PHI. Certain mandatory access configurations and processes are required. The SMPH Security Coordinator is responsible for overseeing the implementation of the required controls. If you are within SMPH and would like to use Box to store PHI, contact the SMPH Security Coordinator for assistance.

UW-Madison has not yet approved the use of ELN for storage of PHI. UW-Madison data security experts are working with multiple groups, including the Division of Information Technology (DoIT) staff and the HIPAA Privacy and Security Operations Committee to finalize methods to allow use of Box more broadly on campus and ELN for some PHI under certain controlled setups in the near future. Please contact your HIPAA Security Coordinator for additional information.

What is a research authorization?
An authorization is a document signed by an individual that gives the individual’s explicit permission to obtain her/his specified PHI from a health care provider(s), or to generate PHI as part of the study, and use it for a specified purpose other than the individual’s health care, such as for research. HIPAA is specific about the elements that must be included in a valid authorization document. See Proposal Guidance, above, for more information.

How is an authorization form different than an informed consent form?
An authorization is a HIPAA required document that defines only the terms and conditions of permission to use or disclose specified PHI for a specified research project. Except for authorizations to use psychotherapy notes in research, which must always be stand alone documents, an authorization can be combined with the informed consent document.

How do I obtain an authorization to use and/or disclose PHI in my research?
Apply to the appropriate IRB for approval of an authorization form to use in the informed consent process in your research project. You can find template authorization forms, above. When you have an IRB approved form of authorization for use in your research study, you are able to include the discussion and execution of this form in the informed consent process with each human research participant. Covered entities may want a copy of this authorization (or a waiver of authorization — see below) when you request access to the research participant’s individually identifiable health information in their records.

What if the human research participant revokes the authorization?
If the authorization is revoked, the researcher generally cannot continue to collect PHI on the participant for use in the research study; however, the researcher can continue to use the PHI already obtained before the revocation to the extent necessary to preserve the integrity of the research study. FDA regulations do not permit destruction of study data based on a subject’s revocation of their authorization.

What is a waiver of authorization?
When obtaining subject authorization is “impracticable,” the IRB may approve a waiver of authorization for a researcher to use protected health information. The purposes of the research must be described in a waiver application and the IRB must determine that the researcher has satisfied all Privacy Rule requirements for the waiver.

How is a waiver of authorization different than a waiver of informed consent?
The waiver of authorization is based solely on an assessment of the privacy risks in the proposed research use of individually identifiable PHI, whereas the waiver of informed consent is based on an assessment of risks to participation in the study itself.

How do I obtain a waiver of authorization to use PHI in my research?
Apply to the appropriate IRB for approval of a waiver of the authorization requirement. This is similar to a request for waiver of the informed consent requirement. If you are applying for a waiver, please refer to the additional Guidelines for Waiver of Authorization or Altered Authorization for an explanation of what information will be needed by the IRB to grant a request for a waiver of authorization. When the IRB has approved a waiver of authorization, it will issue an approval document. Covered entities may want a copy of this waiver of authorization (or an authorization — see above) when you request access to the research participant’s individually identifiable health information in their records.

How does HIPAA apply to the recruitment of study participants?
Under HIPAA, a covered entity may provide individually identifiable health information to researchers within its own workforce to allow those researchers to contact potential subjects for the purpose of obtaining their authorization to use their health information in the research. UW-Madison IRBs require that the first contact with potential subjects come from someone the subject would recognize as having valid access to their health information.

May I use e-mail to communicate with research subjects?
E-mail should not be considered a secure, confidential means of communication with subjects. As such, it should generally not be used to communicate, to subjects or from subjects, information that contains or is likely to contain PHI. For example, a recruitment e-mail sent to recipients based on non-health related information (e.g. “you are receiving this e-mail because you are a female over the age of 45”) would usually be permissible, but a recruitment e-mail sent to participants that discloses a medical condition (e.g. “you are receiving this e-mail because you have rheumatoid arthritis”) would not be permissible. Similarly, it would generally not be permissible to ask subjects to reply to a series of questions about their health via e-mail. There are often other, more secure, means of communication available. If e-mail must be used, subjects must first agree to e-mail communication by signing a written consent form in which they are informed of the security risks associated with e-mail. See Policy 8.6 E-mail Communications Involving Protected Health Information for more information. Additionally, you must describe the use of e-mail, and specifically what information is expected to be e-mailed, in your protocol and obtain IRB approval before e-mail may be used as a method of communication.

What is a de-identified data set?
A de-identified data set is PHI from which the following identifiers of the individual, or of relatives, employers, or household members of the individual, have been removed:

  • Names;
  • All geographic subdivisions smaller than a State;
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints;
  • Full face photographic images and any comparable images; and
  • Any other unique identifying number, characteristic, or code.

In addition, the covered entity may not consider the information de-identified if it has actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

What are the requirements for obtaining and using a de-identified data set for my research?
De-identified data sets do not contain any individually identifiable health information. Neither authorization nor waiver of authorization, nor a data use agreement is required by HIPAA for a researcher to use and/or disclose de-identified data for research purposes.

My data set is coded. Does this qualify as “de-identified”?
If you have the key to the code, your data set is not de-identified. If an individual(s) within the covered entity maintains the key to the code but you do not have access to the code and will never have access to the code, then your data set is de-identified as to you.

If a data set identifies the site from which the data has been disclosed, does the geographic location of the site constitute an identifier?
No. The de-identified information does not lose its de-identification status simply by virtue of identification of the disclosing site. This is true as long as one other HIPAA caveat is met: the disclosing covered entity does not have actual knowledge that the de-identified information could be used alone or in combination with other information available to others outside the covered entity to identify an individual who is the subject of the information.

What is a limited data set?
In contrast to a de-identified data set, a limited data set can contain dates related to the individual (birth date, death date, etc.) and dates of services as well as geographic information at the level of town or city, State and zip code. A limited data set is PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

  • Names;
  • Postal address information, other than town or city, State, and zip code;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints; and
  • Full face photographic images and any comparable images.
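The two lists above (the identifiers a de-identified data set must strip, and the shorter list of direct identifiers a limited data set must exclude) describe the same record-level transformation at two levels of strictness: a limited data set keeps full dates and town/city, state and zip code, whereas Safe Harbor de-identification reduces geography to the state, dates to the year, and folds any age over 89 (and the birth year that would reveal it) into a single "90 or older" category. The Python below is an added illustration written for this page, not code from UW-Madison or from any project the page describes; the sample record and its field names are constructed and assumed, and the "actual knowledge" test described above is left as a human determination because no filter can make it.

```python
"""Limited data set vs. Safe Harbor de-identification of one record.

Added example; field names and the sample record are assumptions, not the
page's own data. Not real patient data.
"""
from datetime import date

# Constructed sample record (assumed field names).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "street": "123 Main St",
    "city": "Madison",
    "state": "WI",
    "zip": "53706",
    "birth_date": "1930-04-15",
    "admission_date": "2023-11-02",
    "mrn": "MRN-0001234",
    "phone": "608-555-0100",
    "email": "jane@example.org",
    "diagnosis": "rheumatoid arthritis",
    "systolic_bp": 128,
}

# Direct identifiers removed from BOTH a limited data set and a de-identified
# set (names, street-level address, phone/fax, e-mail, SSN, MRN, plan and
# account numbers, licenses, vehicle/device ids, URLs, IPs, biometrics, photos).
DIRECT_IDENTIFIERS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "face_image",
}

# Geography below state level: a limited data set may keep town/city, state
# and zip; Safe Harbor de-identification keeps only the state.
SUB_STATE_GEOGRAPHY = {"city", "zip"}

# Dates directly related to the individual: kept in full in a limited data
# set, reduced to the year alone in a de-identified set.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

AGE_CUTOFF = 89  # ages over 89, and years indicating them, become "90 or older"


def _age_on(birth: date, as_of: date) -> int:
    """Whole years of age on the as_of date."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def to_limited_data_set(record: dict) -> dict:
    """Limited data set: drop the direct identifiers, keep dates and city/state/zip."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def de_identify(record: dict, as_of: str) -> dict:
    """Safe Harbor cut: the limited-data-set cut plus geography, date and age
    reductions. as_of is the ISO date on which age is evaluated."""
    cutoff_date = date.fromisoformat(as_of)
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEOGRAPHY:
            continue
        if key in DATE_FIELDS:
            d = date.fromisoformat(value)
            if key == "birth_date":
                age = _age_on(d, cutoff_date)
                if age > AGE_CUTOFF:
                    # The birth year alone would reveal an age over 89, so it is
                    # dropped too and the age is aggregated into one bucket.
                    out["age"] = "90 or older"
                else:
                    out["birth_year"] = d.year
                    out["age"] = age
            else:
                out[key.replace("_date", "_year")] = d.year  # year only
            continue
        out[key] = value  # clinical content (diagnosis, vitals) is kept
    return out


if __name__ == "__main__":
    print(to_limited_data_set(SAMPLE_RECORD))
    print(de_identify(SAMPLE_RECORD, as_of="2024-01-01"))
```

Note that both functions remove fields by name only; a free-text field such as a clinical note can still carry a name or a date inside it, and the "actual knowledge" caveat is exactly what the field-level rule cannot check.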

What are the requirements for using a limited data set?
A covered entity may use or disclose a limited data set from its records containing PHI for research use without either authorization or waiver of authorization if the researcher executes a data use agreement that binds the limited data set recipient to use or disclose the limited data set only for limited, specified purposes. The data use agreement must establish who is permitted to use or receive the limited data set and must pledge all recipients both to use appropriate safeguards to protect the data from unauthorized disclosure and not to attempt to identify or contact the individuals whose PHI is contained in the data.

How do I obtain a limited data set for use in my research?
You can find UW-Madison’s template Data Use Agreement, as well as other information about the use of a limited data set in the forms section, above.

Can a business associate agreement be used to obtain PHI from a covered entity for research purposes?
Generally, no. A business associate is an individual that performs on behalf of the covered entity or assists the covered entity in performing certain business related activities, such as claims processing, billing, benefit management or quality improvement. A researcher is generally not performing a business related activity on behalf of the covered entity when conducting research. However, a business associate agreement may be used when the researcher, who is not a member of the covered entity’s workforce, contracts with the covered entity to access the covered entity’s PHI for the purpose of creating a limited data set or a de-identified data set for his or her research.

What uses of PHI are permitted under HIPAA in a review preparatory to research?
The “review preparatory to research” is an option that allows review (but not research use) of individually identifiable PHI by researchers and does not require authorization or waiver of authorization. A covered entity may allow researchers to review PHI in the covered entity’s records in preparation for research but may not permit researchers to collect any of the PHI for actual research use. For example, the researcher may be permitted to review PHI for the development of research questions; to determine whether a study is feasible (in terms of available number and eligibility of potential subjects); or to develop inclusion and exclusion criteria. However, the researcher may not transcribe information from the records for inclusion in research data. Researchers must complete UW-Madison’s Use of PHI in Activities Preparatory to Research Certification prior to engaging in preparatory to research activities.

How does HIPAA apply to research using the PHI of decedents?
Research using the individually identifiable PHI of decedents requires neither authorization nor waiver of authorization nor a data use agreement. However, researchers must complete UW-Madison’s Certification for Research on the Protected Health Information of Decedents prior to engaging in such research activities.

Can subjects authorize the use of their PHI for future, unspecified research (such as for collection and storage in a data base)?
HIPAA requires that an authorization include a description of each purpose of the requested use or disclosure. An authorization may include use for future research so long as the authorization describes that use in such a manner that it would be reasonable for the subject to expect his or her PHI to be used or disclosed for such future research. In cases where the authorization does not address future research, an IRB waiver of authorization may be the most appropriate and practical HIPAA-compliant approach.

Does HIPAA permit me to share data with other researchers not part of my study team?
PHI in research data may only be shared with other researchers in accord with the agreement for acquiring the PHI; i.e. only in accord with the terms of the authorization or waiver of authorization or data use agreement. Research data that includes PHI may be shared, disclosed or transferred among the investigators named in the authorization, waiver of authorization or data use agreement. Sharing or disclosing or transferring the data outside of that circle requires IRB review and approval of the proposed research study for which the data would be shared. In the event that the original investigators wish to share research data that includes PHI with another colleague not originally identified as part of the research team within the existing approved study, contact the IRB for review of a change in the approved protocol.

How do I report a suspected breach or other concern related to HIPAA?
If the personally identifiable health information in any way involves information technology (e.g. lost or stolen portable device, compromised server, etc.) you must immediately contact the DoIT Help Desk at 608-264-HELP (4357). For any suspected breach of personally identifiable health information, you must contact the UW-Madison HIPAA Privacy Officer, whose contact information is on the left side of this page. You should also file an Unanticipated Problem Report form with the IRB that reviewed your protocol.

Accounting

The Privacy Rule grants to a patient a right to request and receive an accounting for some “disclosures” of protected health information (“PHI”), including disclosures made in connection with certain research projects. An accounting is a record of each disclosure of each patient’s PHI. A right to an accounting only applies to disclosures of PHI, not to uses of PHI. Patients have a right to an accounting only of those disclosures made by researchers in connection with protocols conducted with a waiver of authorization. An accounting of disclosures is not required when a patient authorization is obtained.

Affiliated Covered Entity

UW-Madison is also one of three entities that have agreed to form an affiliated covered entity (“ACE”). These three entities have agreed to provide consistent protection of patient/subject/participant rights.
The ACE includes:

  • University Hospitals and Clinics (UWHC)
  • University of Wisconsin Medical Foundation (UWMF)
  • A subset of the UW-Madison Health Care Component (HCC)

The subset of the HCC in the ACE is comprised of the School of Medicine and Public Health (clinical departments only), the School of Nursing, the School of Pharmacy (clinical units only), the Waisman Center (clinical units only), and the Athletic Department (athletic trainers and health information systems only).

Authorization

A research authorization is a document signed and dated by a subject/participant that satisfies the requirements of the Privacy Rule (e.g., includes required elements) and grants permission for the researcher to use and disclose the subject/participant’s protected health information to perform a research protocol.

Altered Authorization

An altered authorization is a form of waiver of authorization, in which an IRB permits a researcher to omit some of the required elements of an authorization.

Covered Entity

A covered entity, i.e., an entity to which the Privacy Rule applies, includes a health care provider (person or entity) that provides, bills for, or is paid for health care and transmits health information electronically.

Data Use Agreement

A data use agreement (“DUA”) is an agreement required by the Privacy Rule between a covered entity and a person or entity that receives a limited data set. The DUA must state that the recipient will use or disclose the information in the limited data set only for specific limited purposes.

De-identified Information

Information that does not allow an individual to be identified because specified identifiers have been removed. De-identification can be achieved in one of two ways:

  1. Remove the 18 specific identifiers listed in the Privacy Rule and determine there is no other information that may identify the individual. The identifiers are:
    • Names
    • Geographic subdivisions smaller than a State
    • All elements of dates (except year) related to an individual, including dates of admission, discharge, birth and death; for individuals over 89 years old, the year of birth must not be used either
    • Telephone numbers
    • FAX numbers
    • Electronic mail addresses
    • Social security numbers
    • Medical record numbers
    • Health plan beneficiary numbers
    • Account numbers
    • Certificate/license numbers
    • Vehicle identifiers and serial numbers including license plates
    • Device identifiers and serial numbers
    • Web URLs
    • Internet protocol addresses
    • Biometric identifiers (including finger and voice prints)
    • Full face photos and comparable images
    • Any unique identifying number, characteristic or code
  2. Obtain an opinion from a qualified statistical expert that the risk of identifying an individual is very small under the circumstances; the methods and justification for the opinion should be documented.

Disclosure of Protected Health Information

A “disclosure” of PHI is the sharing of that PHI outside of a covered entity. The sharing of PHI outside of the health care component or affiliated covered entity is a disclosure. In general, a disclosure of PHI requires an accounting at the request of the individual who is the subject of the PHI, unless that individual gave permission for the disclosure by signing a valid authorization.

Health Care Component

The covered units of UW-Madison (which include all the employees of those units and certain researchers outside those units participating in research projects of the covered unit as described below) are called the health care component or HCC. Currently the HCC includes the following units:

  • School of Medicine and Public Health (clinical departments only)
  • School of Pharmacy (clinical units only)
  • School of Nursing
  • University Health Services
  • Wisconsin State Laboratory of Hygiene
  • Athletic Department (athletic trainers and health information systems only)
  • Waisman Center (clinical units only)

The following are UW-Madison’s Internal Business Associate Units:

  • Accounting Services
  • Office of Legal Affairs
  • SMPH Risk Management
  • Internal Audit
  • HIPAA Privacy and Security Officer
  • HIPAA Privacy and Security Coordinators
  • Health sciences school’s senior administrators and support staff
  • Office of Clinical Trials
  • Health Sciences Institutional Review Board (members and staff)
  • Minimal Risk Institutional Review Board (members and staff)
  • Other individuals or departments may become an internal business associate for limited projects.

Researchers who have appointments in units outside the HCC and who conduct research involving protected health information in collaboration with researchers within the HCC are considered within the HCC for the purposes of that collaborative research. For example, scientists in the basic science departments of the Medical School or in the Waisman Center who collaborate with scientists or clinical faculty in the Medical School’s clinical departments are considered within the HCC for the purpose of the collaborative research.

Health Care Operations

Any of the following activities of the covered entity, to the extent that the activities are related to those functions the performance of which makes the covered entity a health plan, health care provider, or health care clearinghouse:

  • Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment.
  • Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.
  • Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs.
  • Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies.
  • Business management and general administrative activities of the entity, including, but not limited to:
    • Management activities relating to implementation of and compliance with the requirements of the Privacy Rule.
    • Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that PHI is not disclosed to such policy holder, plan sponsor, or customer.
    • Resolution of internal grievances.
    • Creating de-identified health information or a limited data set and fundraising for the benefit of the covered entity.

Health Care Provider

A person or organization that furnishes, bills, or is paid for health care in the normal course of business.

Hybrid Entity

UW-Madison is a special type of covered entity, called a “hybrid entity,” which means that for the purposes of implementing the Privacy Rule, UW-Madison has both HIPAA-covered and non-HIPAA-covered units.

Limited Data Set

Protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

  • Name;
  • Postal address information, other than town or city, State, and zip code;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints; and
  • Full face photographic images and any comparable images.

Preparatory to Research Activities

The Privacy Rule regulates some of the typical activities done before submitting a protocol to an IRB for review. These activities are designated as “preparatory to research” in the Privacy Rule and are defined as the:

  1. Development of research questions;
  2. Determination of study feasibility (in terms of the available number and eligibility of potential study participants);
  3. Development of eligibility (inclusion and exclusion) criteria; and
  4. Determination of eligibility for study participation of individual potential subjects.

The recruitment of subjects or participants is not a preparatory to research activity. A recruitment plan is part of a research protocol and requires IRB approval before contact or other information about subjects/participants may be collected. Recruitment is a research activity.

Protected Health Information

The Privacy Rule protects “individually identifiable health information,” referred to as protected health information or PHI. The Privacy Rule defines PHI to include information that:

  • Is created or received by a “covered entity,” including a health care provider, and
  • Relates to the past, present, or future physical or mental health, or condition of an individual; or
  • Relates to payment for an individual’s health care; or
  • Relates to the provision of health care in the past, present, or future; and
  • Identifies an individual or could be used for identifying an individual.

Psychotherapy Notes

Psychotherapy Notes are notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.

Psychotherapy Notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

Research

A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.

Use of Protected Health Information

A “use” of PHI is any sharing of that PHI within a covered entity. The sharing of PHI within the health care component (HCC) or within the affiliated covered entity (ACE) is a use. Uses of PHI, unlike disclosures, do not require an accounting at the request of the individual who is the subject of the PHI.

Waiver of Authorization

When obtaining subject/participant authorization is “impracticable,” the IRB may approve a waiver of authorization for a researcher to use and disclose PHI. The purposes of the research must be described in a waiver application and the IRB must determine that the researcher has satisfied all Privacy Rule requirements for the waiver.