The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that governs, among other things, the transmission of health care financial or administrative information between two parties. The HIPAA Privacy Rule establishes for the first time a set of requirements for protecting the confidentiality of person identifiable data arising as a result of health care services, and includes the requirement that Authorization be obtained in most situations before this type of data can be used for research purposes. HIPAA is designed to protect people's privacy and to make certain patients and research subjects understand how their health information is used and disclosed. See the Protected Health Information (PHI) list (pdf file) for individual identifiers. Research studies for use of this type of data will require review and approval by the IRB. The HIPAA Privacy Rule becomes effective April 14, 2003.
HIPAA requires language in the written informed consent for the use and disclosure of PHI for research. This may be accomplished by inserting HIPAA privacy authorization language directly into your primary informed consent form. The proper format for the confidentiality section of the consent form, as modified to incorporate the authorization language, is provided in the Revised Template: For the Confidentiality Section (pdf file). In order to comply with HIPAA requirements, additional language should be added to the Confidentiality Section of the Informed Consent form. See the HIPAA Authorization template.
HIPAA Forms and Compliance Procedures
- HIPAA Subject Authorization
- Waiver of Subject Authorization
- Limited Data Use Agreement
- Revocation of Authorization to Release PHI
- Research Database Registration Form
(Guidance: Databases containing protected health information (PHI) used for research purposes are affected by the HIPAA Privacy Rule. The Privacy Rule regulations cover the use of databases containing PHI just as they apply to any other research using PHI. The Research Database Form documents compliance with requirements outlined in the HIPAA Privacy and Security Rule.)
- USA HIPAA Privacy Compliance Plan for Research
- Reviews Preparatory to Research
- Research Involving Deceased Individuals
- De-Identification Certification
Faculty, fellows, staff, and students participating in human subjects research involving Protected Health Information (PHI) are required to complete the HIPAA Research tutorial. Training must be completed before participating in human subjects research involving PHI.
HIPAA has the following important implications for you as a researcher:
- Anytime you look at, use or create PHI for research, this is considered a disclosure for research purposes.
- The Institutional Review Board (IRB) will be working with investigators and study coordinators who wish to obtain PHI under the following two conditions (where appropriate):
1. To obtain prior written Authorization from the subject
2. To obtain a waiver of Authorization
- Protecting Personal Health Information in Research
- HHS Publication
- Office for Civil Rights - HIPAA
- Privacy Rule - Regulation Text
- NIH HIPAA Privacy Rule - Educational Materials
- HIPAA and Research Requirements videotape, USA Office of Research Compliance and Assurance. Contact Ms. Layton at 460-6625 if you wish to borrow a copy.
HIPAA: Research FAQs:
What about research data that has already been collected?
According to HIPAA, such data is grandfathered in.
How will HIPAA impact human subjects who are already enrolled in a research study?
Subjects that have enrolled prior to April 14, 2003 will not be required to re-consent. Investigators may continue to collect and use data gathered from these subjects and no new documentation is required.
What are the HIPAA standards for human subjects research?
There are four ways to perform HIPAA compliant research. They are:
1. Obtain subject Authorization
2. Obtain a waiver of authorization from the IRB
3. Use of de-identified information
4. Use of limited data set
What about reviews preparatory to research?
Investigators may review PHI without subject authorization to prepare a research protocol or for similar purposes preparatory to research. Also, research on decedents' information involving PHI does not require subject authorization. However, both activities must be approved by the IRB.
What are the new research documents required by HIPAA?
HIPAA compliant research documents include:
1. Authorization (HIPAA language template form - to be inserted in the consent form)
2. Waiver of Authorization
3. Data use agreement
These forms will be posted as they become available and can also be obtained through the IRB.
What about releasing data outside of the USA Health System?
Intentional releases of research data outside USA must be made clear in the research study documents submitted for IRB approval. Such releases should be described within the authorization portion of the informed consent. Upon IRB approval, such releases are permitted. Disclosures for studies involving de-identified information or a limited data set are also permitted.
For additional information, please contact the Office of Research Compliance and Assurance at 460-6625 or email firstname.lastname@example.org