How is “research” defined by the Privacy Rule?
Research has the same definition in the Privacy Rule as it does in the Common Rule. Research means a systematic investigation, including research development, testing, and evaluation, designed to contribute to generalizable knowledge.
Who qualifies as a “researcher”?
UW-Madison employees, trainees, or students who conduct research involving human subjects. Researchers include investigators, research staff, postdocs, fellows, residents, graduate students, undergraduate students and others who collaborate in UW-Madison human subjects research, including employees of the University of Wisconsin Hospital and Clinics Authority and the University of Wisconsin Medical Foundation.
When does the Privacy Rule apply to me as a researcher?
The Privacy Rule applies if: (1) you are a researcher with an appointment within the UW-Madison Health Care Component (UW HCC) or the UW Affiliated Covered Entity (ACE); or (2) you are a researcher with an appointment outside of the UW HCC or UW ACE but you are collaborating on a research study in which the principal investigator is within the UW HCC or UW ACE; and (3) you collect individually identifiable health information directly from subjects or from medical records or other databases.
What is “individually identifiable health information”?
Individually identifiable health information is information that is a subset of health information, including demographics, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or payment for the provision of health care to an individual; and (3) identifies an individual, or provides a reasonable basis to believe the information can be used to identify an individual.
Does HIPAA apply to my research even if I am not a health care provider?
Yes, if as part of your research you are seeking to use individually identifiable health information from records in the custody of a “covered entity” (most health care providers, health plans, and health care clearinghouses), then HIPAA applies to your access to and use of that data whether or not you are a health care provider.
How does HIPAA affect a research study that also involves health care treatment?
HIPAA requires that research study subjects who will receive health care as part of the study authorize the use of their PHI in that research — or that a privacy board or Institutional Review Board (IRB) waive the authorization requirement — regardless of the consent for treatment. Additionally, any research-generated PHI that may be applied to treatment decisions is subject to HIPAA’s medical record requirements.
What is the relationship between HIPAA and the Common Rule for the protection of human subjects?
While the Common Rule addresses issues related to consent of subjects to participate in research, HIPAA addresses issues related to the subjects’ authorization to have their health information used or disclosed as part of a research study, and how that health information must be protected. The consent and authorization form may be combined. While the Common Rule and HIPAA have some similarities, such as the definition of research, there are many differences as well. For example, HIPAA does not contain the same exemptions from IRB review as the Common Rule.
What are the HIPAA requirements for using or disclosing PHI in research?
HIPAA regulates how covered entities may share PHI with researchers who are part of the covered entity, or how they may disclose PHI to researchers who are not part of the covered entity. HIPAA permits a covered entity to share PHI with, or disclose PHI to, researchers only through the following six options:
- Review of PHI solely in preparation for research, without collecting or using the PHI for research – commonly called “preparatory to research” activities (HIPAA requires the researcher to make certain attestations to the covered entity about the use).
- A signed patient authorization is obtained from the individual whose PHI is sought for research.
- Waiver by an IRB of the authorization requirement for use of individually identifiable PHI for research.
- Complete de-identification of the data.
- Conversion of the PHI to a limited data set (HIPAA requires the researcher to enter into a data use agreement).
- Use of PHI solely of decedents (HIPAA requires the researcher to make certain attestations to the covered entity about the use).
Can I disclose PHI as part of my research?
“Disclosure” of PHI under the Privacy Rule means that you are sharing PHI outside of the UW-Madison Health Care Component (UW HCC) or outside of the UW Affiliated Covered Entity (ACE). A disclosure of PHI for research may only occur if you have authorization to do so from the subject. UW-Madison IRBs do not approve requests to disclose PHI under a waiver of authorization. Alternatively, you may disclose a de-identified data set or, with a data use agreement in place, you may disclose a limited data set.
Is PHI ever created within the course of conducting research?
Yes. When a health care activity is performed within the research study itself, any clinical information about the subject that is generated within the research is PHI and is subject to all the HIPAA regulations that apply to PHI. For example, clinical information generated within a research study may be simultaneously entered into the electronic health record of an individual patient and into the research data set intended to produce generalizable knowledge. The research use of the PHI and protection of the privacy and security of the research data set must be in accord with the terms and conditions of the IRB approval, the informed consent and the authorization, relevant institutional policies on data privacy and security, and applicable HIPAA privacy and security regulations.
When is individually identifiable health information that is created within a research study not PHI?
When the principal investigator is not part of the UW-Madison Health Care Component (UW HCC) or the UW Affiliated Covered Entity (ACE), the study does not involve health care treatment by a health care provider, and the health information created within the study is not expected to be shared by the researchers with the subject’s health care provider or placed in the subject’s electronic health record. For example, if researchers solely within the Department of Kinesiology conduct an exercise study that collects personal health data directly from the research participant and includes some health screening testing (blood pressure measurements, etc.), this data is not health information that is protected by HIPAA.
Does HIPAA regulate how PHI created in the course of a research study is handled?
Yes, when clinical treatment is performed in the course of a research study (e.g. a therapeutic trial studying the safety and efficacy of a new cancer drug), the information must be handled in accord with the appropriate medical practices regarding entry of the individual’s treatment data into the medical record. The research use of the information must be authorized in the HIPAA authorization and informed consent documents that the research participant signs. These documents should specify how PHI created in the course of a research study will be treated, for example:
- how PHI will be used in the research study,
- whether any of the data will be entered into the medical record, and
- whether the information will be shared with any health plan for payment purposes for any activities included within the study participation.
Can I use Box or other campus services to store my data set containing PHI?
Please consult the Approved Tools list to determine which campus services are available to use with PHI. Contact your HIPAA Security Coordinator for any follow up questions.
What is a research authorization?
An authorization is a document signed by an individual that gives the individual’s explicit permission to obtain her/his specified PHI from one or more health care providers, or to generate PHI as part of the study, and to use it for a specified purpose other than the individual’s health care, such as research. HIPAA is specific about the elements that must be included in a valid authorization document. See the For Researchers page for more information.
How is an authorization form different than an informed consent form?
An authorization is a HIPAA-required document that defines only the terms and conditions of permission to use or disclose specified PHI for a specified research project. Except for authorizations to use psychotherapy notes in research, which must always be stand-alone documents, an authorization can be combined with the informed consent document.
How do I obtain an authorization to use and/or disclose PHI in my research?
Apply to the appropriate IRB for approval of an authorization form to use in the informed consent process in your research project. You can find template authorization forms on the For Researchers page. When you have an IRB approved form of authorization for use in your research study, you are able to include the discussion and execution of this form in the informed consent process with each human research participant. Covered entities may want a copy of this authorization (or a waiver of authorization — see below) when you request access to the research participant’s individually identifiable health information in their records.
What if the human research participant revokes the authorization?
If the authorization is revoked, the researcher generally cannot continue to collect PHI on the participant for use in the research study; however, the researcher can continue to use the PHI already obtained before the revocation to the extent necessary to preserve the integrity of the research study. FDA regulations do not permit destruction of study data based on a subject’s revocation of their authorization.
What is a waiver of authorization?
When obtaining subject authorization is “impracticable,” the IRB may approve a waiver of authorization for a researcher to use protected health information. The purposes of the research must be described in a waiver application and the IRB must determine that the researcher has satisfied all Privacy Rule requirements for the waiver.
How is a waiver of authorization different than a waiver of informed consent?
The waiver of authorization is based solely on an assessment of the privacy risks in the proposed research use of individually identifiable PHI, whereas the waiver of informed consent is based on an assessment of risks to participation in the study itself.
How do I obtain a waiver of authorization to use PHI in my research?
Apply to the appropriate IRB for approval of a waiver of the authorization requirement. This is similar to a request for waiver of the informed consent requirement. If you are applying for a waiver, please refer to the additional Guidelines for Waiver of Authorization or Altered Authorization for an explanation of what information will be needed by the IRB to grant a request for a waiver of authorization. When the IRB has approved a waiver of authorization, it will issue an approval document. Covered entities may want a copy of this waiver of authorization (or an authorization — see above) when you request access to the research participant’s individually identifiable health information in their records.
How does HIPAA apply to the recruitment of study participants?
Under HIPAA, a covered entity may provide individually identifiable health information to researchers within its own workforce to allow those researchers to contact potential subjects for the purpose of obtaining their authorization to use their health information in the research. UW-Madison IRBs require that the first contact with potential subjects come from someone the subject would recognize as having valid access to their health information.
May I use email to communicate with research subjects?
Email should not be considered a secure, confidential means of communication with subjects. As such, it should generally not be used to communicate, to subjects or from subjects, information that contains or is likely to contain PHI. For example, a recruitment email sent to recipients based on non-health related information (e.g. “you are receiving this email because you are a female over the age of 45”) would usually be permissible, but a recruitment email sent to participants that discloses a medical condition (e.g. “you are receiving this email because you have rheumatoid arthritis”) would not be permissible. Similarly, it would generally not be permissible to ask subjects to reply to a series of questions about their health via email. There are often other, more secure, means of communication available. If email must be used, subjects must first agree to email communication by signing a written consent form in which they are informed of the security risks associated with email. See Policy 8.6 (UW-129) Email Communications Involving Protected Health Information for more information. Additionally, you must describe the use of email, and specifically what information is expected to be emailed, in your protocol and obtain IRB approval before email may be used as a method of communication.
What is a de-identified data set?
A de-identified data set is PHI from which the following identifiers of the individual or of relatives, employers, or household members of the individual, have been removed:
- Names;
- All geographic subdivisions smaller than a State;
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code;
and the covered entity does not have actual knowledge that the information could be used, alone or in combination with other information, to identify an individual who is a subject of the information. If it has such knowledge, the covered entity may not consider the information de-identified.
What are the requirements for obtaining and using a de-identified data set for my research?
De-identified data sets do not contain any individually identifiable health information. Neither authorization nor waiver of authorization, nor a data use agreement is required by HIPAA for a researcher to use and/or disclose de-identified data for research purposes.
My data set is coded. Does this qualify as “de-identified”?
If you have the key to the code, your data set is not de-identified. If an individual(s) within the covered entity maintains the key to the code but you do not have access to the code and will never have access to the code, then your data set is de-identified as to you.
If a data set identifies the site from which the data has been disclosed, does the geographic location of the site constitute an identifier?
No. The de-identified information does not lose its de-identification status simply by virtue of identification of the disclosing site. This is true as long as one other HIPAA caveat is met: the disclosing covered entity does not have actual knowledge that the de-identified information could be used alone or in combination with other information available to others outside the covered entity to identify an individual who is the subject of the information.
What is a limited data set?
In contrast to a de-identified data set, a limited data set can contain dates related to the individual (birth date, death date, etc.) and dates of services as well as geographic information at the level of town or city, State and zip code. A limited data set is PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
- Names;
- Postal address information, other than town or city, State, and zip code;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints; and
- Full face photographic images and any comparable images.
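The following is a worked illustration, added here and not part of the UW-Madison FAQ, of how the de-identified data set list above and the limited data set list differ when applied to one record: the field names, the sample records and the reference date are this example's own constructed assumptions, and the structural check it ends with cannot stand in for the “actual knowledge” condition.

```python
from datetime import date

# Direct identifiers that both lists on this page require be removed.
# Field names are this example's own naming, not a HIPAA vocabulary.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "face_photo",
}
# Safe Harbor also strips geography below State and all date elements but
# the year; a limited data set keeps town/city, State, zip and full dates.
SUB_STATE_GEO = {"street", "city", "zip"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
AGE_CAP = 89  # ages over 89 collapse into the single category "90 or older"

def age_on(birth: date, as_of: date) -> int:
    """Whole years elapsed between birth and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)

def limited_data_set(record: dict) -> dict:
    """Drop direct identifiers and street address only; the result is still
    PHI and may be disclosed only under a data use agreement."""
    return {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS and k != "street"}

def safe_harbor_deidentify(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor list: drop direct identifiers and sub-State
    geography, keep only the year of each date, and cap age at 89."""
    age = record.get("age")
    if age is None and isinstance(record.get("birth_date"), date):
        age = age_on(record["birth_date"], as_of)
    over_cap = age is not None and age > AGE_CAP
    out = {}
    for k, v in record.items():
        if k in DIRECT_IDENTIFIERS or k in SUB_STATE_GEO:
            continue
        if k in DATE_FIELDS and isinstance(v, date):
            # A birth year alone reveals an age over 89, so drop it as well.
            if not (k == "birth_date" and over_cap):
                out[k] = v.year
        elif k == "age":
            out[k] = "90 or older" if over_cap else v
        else:
            out[k] = v
    return out

def remaining_identifiers(record: dict) -> list:
    """Fields that still violate the Safe Harbor list. Structural check only:
    it cannot detect the 'actual knowledge' condition, under which even a
    list-clean record is not de-identified."""
    bad = []
    for k, v in record.items():
        if k in DIRECT_IDENTIFIERS or k in SUB_STATE_GEO:
            bad.append(k)
        elif k in DATE_FIELDS and isinstance(v, date):
            bad.append(k)
        elif k == "age" and isinstance(v, int) and v > AGE_CAP:
            bad.append(k)
    return sorted(bad)

# Constructed sample records and reference date (not real patient data).
AS_OF = date(2024, 1, 1)
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-000000", "email": "jane@example.org",
    "street": "1 Example St", "city": "Madison", "state": "WI", "zip": "53706",
    "birth_date": date(1931, 5, 2), "admission_date": date(2023, 11, 14),
    "age": 92, "diagnosis": "rheumatoid arthritis", "ip_address": "192.0.2.10",
}
YOUNG = {"birth_date": date(1978, 3, 9), "city": "Madison", "state": "WI",
         "diagnosis": "constructed"}
```

Running `remaining_identifiers` over `limited_data_set(SAMPLE)` still reports the dates, age and sub-State geography, which is exactly why that data set needs a data use agreement while the Safe Harbor output does not.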
What are the requirements for using a limited data set?
A covered entity may use or disclose a limited data set from its records containing PHI for research use without either authorization or waiver of authorization if the researcher executes a data use agreement that binds the limited data set recipient to use or disclose the limited data set only for limited, specified purposes. The data use agreement must establish who is permitted to use or receive the limited data set and must pledge all recipients both to use appropriate safeguards to protect the data from unauthorized disclosure and not to attempt to identify or contact the individuals whose PHI is contained in the data.
How do I obtain a limited data set for use in my research?
You can find UW-Madison’s template Data Use Agreement, as well as other information about the use of a limited data set on the For Researchers page.
Can a business associate agreement be used to obtain PHI from a covered entity for research purposes?
Generally, no. A business associate is an individual that performs on behalf of the covered entity, or assists the covered entity in performing, certain business-related activities, such as claims processing, billing, benefit management or quality improvement. A researcher is generally not performing a business-related activity on behalf of the covered entity when conducting research. However, a business associate agreement may be used when the researcher, who is not a member of the covered entity’s workforce, contracts with the covered entity to access the covered entity’s PHI for the purpose of creating a limited data set or a de-identified data set for his or her research.
What uses of PHI are permitted under HIPAA in a review preparatory to research?
The “review preparatory to research” is an option that allows review (but not research use) of individually identifiable PHI by researchers and does not require authorization or waiver of authorization. A covered entity may allow researchers to review PHI in the covered entity’s records in preparation for research but may not permit researchers to collect any of the PHI for actual research use. For example, the researcher may be permitted to review PHI for the development of research questions; to determine whether a study is feasible (in terms of available number and eligibility of potential subjects); or to develop inclusion and exclusion criteria. However, the researcher may not transcribe information from the records for inclusion in research data. Researchers must complete UW-Madison’s Use of PHI in Activities Preparatory to Research Certification prior to engaging in preparatory to research activities.
How does HIPAA apply to research using the PHI of decedents?
Research using the individually identifiable PHI of decedents requires neither authorization nor waiver of authorization nor a data use agreement. However, researchers must complete UW-Madison’s Certification for Research on the Protected Health Information of Decedents prior to engaging in such research activities.
Can subjects authorize the use of their PHI for future, unspecified research (such as for collection and storage in a data base)?
HIPAA requires that an authorization include a description of each purpose of the requested use or disclosure. An authorization may include use for future research so long as the authorization describes that use adequately enough that it would be reasonable for the subject to expect his or her PHI to be used or disclosed for such future research. In cases where the authorization does not address future research, an IRB waiver of authorization may be the most appropriate and practical HIPAA-compliant approach.
Does HIPAA permit me to share data with other researchers not part of my study team?
PHI in research data may only be shared with other researchers in accord with the agreement for acquiring the PHI; i.e. only in accord with the terms of the authorization or waiver of authorization or data use agreement. Research data that includes PHI may be shared, disclosed or transferred among the investigators named in the authorization, waiver of authorization or data use agreement. Sharing or disclosing or transferring the data outside of that circle requires IRB review and approval of the proposed research study for which the data would be shared. In the event that the original investigators wish to share research data that includes PHI with another colleague not originally identified as part of the research team within the existing approved study, contact the IRB for review of a change in the approved protocol.
How do I report a suspected breach or other concern related to HIPAA?
If the personally identifiable health information in any way involves information technology (e.g. lost or stolen portable device, compromised server, etc.) you must immediately contact the DoIT Help Desk at 608-264-HELP (4357). For any suspected breach of personally identifiable health information, you must contact the UW-Madison HIPAA Privacy Officer, whose contact information is on the right side of this page. You should also file an Unanticipated Problem Report form with the IRB that reviewed your protocol.