HIPAA Overview for Researchers


The purpose of this overview is to provide additional HIPAA training specifically relating to the use and disclosure of Protected Health Information (“PHI“) by individuals conducting research.

You must follow the Privacy Rule’s research provisions if you: (i) are a researcher in UWM’s Covered Departments, or (ii) are a researcher outside UWM’s Covered Departments who: (a) uses medical records from a Covered Department for research purposes, (b) uses PHI from an entity other than UWM for research purposes, or (c) uses PHI from databases that contain PHI derived from medical records for research purposes. Throughout this overview, UWM’s Covered Departments and other non-UWM HIPAA covered health care entities (e.g. a hospital) will be referred to collectively as “HIPAA Entities.” A list of UWM’s Covered Departments can be found at: UWM HIPAA Policies and Procedures: Section B.

If you are a researcher outside of a HIPAA Entity and are conducting research involving PHI in collaboration with researchers in a HIPAA Entity, depending on the entity’s policies and procedures, you may be considered part of the HIPAA Entity for purposes of that collaborative research.

If you are a researcher in a department or unit outside of a HIPAA Entity and are gathering health information in your laboratory, directly from healthy subjects (such as by questionnaires or testing), and you are not part of a collaborative project with researchers in a HIPAA Entity using PHI, you are not subject to the Privacy Rule for purposes of your research, except to the extent you obtain health information from a medical record.

As a researcher, the Privacy Rule will affect you in two major ways: (1) how you use PHI for research or for “preparatory to research activities” (discussed below) and (2) how you handle PHI created as part of clinical research. You should note that the Privacy Rule requirements are in addition to the federal human subject protection regulations, which are currently applied to all human subject research by a given entity’s Institutional Review Board (the “IRB”) (such regulations are hereinafter referred to as the “Common Rule” and are codified at 45 C.F.R. part 46).

The below discussion will serve to highlight some of the main provisions of the Privacy Rule as they relate to research and also to answer questions as to what impact, if any, the rule will have on certain research activities.

A. What constitutes PHI?

The Privacy Rule defines three categories of PHI: identifiable information (to which the Privacy Rule applies); de-identified information (to which the rule does not apply); and a limited data set (a category to which limited parts of the Privacy Rule apply).

(1) Identifiable Protected Health Information: PHI is health information that is created or maintained by a HIPAA Entity and contains any of the 18 elements listed in the Privacy Rule as personal identifiers, or any information about which you have actual knowledge that could be used alone or in combination with other information to identify an individual. The 18 elements are listed in item (2) below.

(2) De-Identified Health Information: PHI is de-identified, and not subject to protection under the Privacy Rule, if all of the following direct and indirect identifiers are removed:

  • Name;
  • Geographic subdivisions smaller than a state (e.g. county, town or city, street address and zip code);
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and dates indicative of age over 89 (ages may be aggregated into a single category of age 90 or older);
  • Phone numbers;
  • Fax numbers;
  • Social security number;
  • Medical record number;
  • Health plan beneficiary number;
  • Account number;
  • Certificate/license number;
  • Vehicle identifier and serial number;
  • Device identifiers and serial numbers;
  • URLs;
  • Internet protocol addresses;
  • Biometric identifiers (e.g. fingerprints);
  • Full face photographic and any comparable images;
  • Any other unique identifying number, characteristic, or code; and
  • Any other information about which you have actual knowledge that could be used alone or in combination with other information to identify the individual.

PHI is also considered de-identified, and not subject to the Privacy Rule, if a qualified statistical expert opinion is obtained stating that the risk of identifying the person(s) is very small under the circumstances. The methods used and justification for the opinion must be documented.

(3) Limited Data Set: A limited data set is one that excludes 15 of the 18 above-listed personal identifiers, but allows inclusion of dates (e.g. date of birth, admission and discharge dates) and some geographic information — city, state and zip code, but not street address.

A limited data set may only be utilized for purposes related to research, health care operations and public health. Many Privacy Rule requirements do not apply to limited data sets used internally or disclosed outside of a HIPAA Entity. For example, “disclosures” of a limited data set outside a HIPAA Entity do not have to be accounted for. However, before obtaining a limited data set, the recipient of the set, including researchers in a HIPAA Entity, must agree to a “Data Use Agreement.” UWM’s recommended Data Use Agreement can be found at: UWM HIPAA Policies and Procedures: Data Use Agreement. This agreement specifies what information is needed, and limits the manner in which the researcher can use and disclose PHI.

A HIPAA Entity may create the limited data set and provide it to a third party, in which case a Data Use Agreement is necessary. A HIPAA Entity may also provide the PHI to a third party, such as a researcher, to create the limited data set — this third party may be the party who in turn will use the limited data set. In this scenario, the HIPAA Entity must execute a Business Associate Agreement with the researcher as the researcher is creating the limited data set on behalf of the HIPAA Entity. The researcher must also sign a Data Use Agreement to use the data set once it is compiled.
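The two release tiers described above, as an added example that is not part of the original overview or UWM’s own tooling: `limited_data_set()` strips the direct identifiers but keeps dates and city/state/zip (so the result is still PHI and needs a Data Use Agreement), while `safe_harbor()` removes every listed identifier, reduces dates to the year, aggregates ages over 89 and keeps no geography finer than state. The record field names and the sample values are constructed for the example.

```python
"""Limited data set vs. Safe Harbor de-identification (Section A tiers).
Added example with a constructed record; not UWM's code or forms."""
from __future__ import annotations

import re
from datetime import date

# Field names of the constructed record that fall into the Privacy Rule's
# identifier categories. The names themselves are assumptions for this example.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "ssn", "mrn", "health_plan_id", "account_no",
    "license_no", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "photo", "other_unique_code",
}
GEO_SMALLER_THAN_STATE = {"street", "city", "zip"}   # the state itself may stay
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
FREE_TEXT_FIELDS = {"notes"}

# Identifier-shaped tokens that leak into narrative fields. The "actual
# knowledge" clause means these must go even though they are not columns.
FREE_TEXT_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL": re.compile(r"https?://\S+"),
}


def redact_free_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier-shaped tokens and report which kinds were found."""
    found = []
    for label, pat in FREE_TEXT_PATTERNS.items():
        if pat.search(text):
            found.append(label)
            text = pat.sub(f"[REDACTED-{label}]", text)
    return text, found


def _scrub_direct(rec: dict) -> dict:
    """Drop the direct-identifier columns and scrub the free-text fields."""
    out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
    for f in out.keys() & FREE_TEXT_FIELDS:
        out[f], _ = redact_free_text(out[f])
    return out


def limited_data_set(rec: dict) -> dict:
    """Tier (3): keep dates and city/state/zip, drop the street address.
    The result is still PHI and may be released only under a Data Use Agreement."""
    out = _scrub_direct(rec)
    out.pop("street", None)
    return out


def _age_on(dob: date, ref: date) -> int:
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def safe_harbor(rec: dict, ref: date) -> dict:
    """Tier (2): geography no finer than state, dates reduced to the year,
    ages over 89 aggregated (and a birth year that would reveal them dropped)."""
    out = {k: v for k, v in _scrub_direct(rec).items()
           if k not in GEO_SMALLER_THAN_STATE}
    for f in out.keys() & DATE_FIELDS:
        if isinstance(out[f], date):
            out[f] = out[f].year          # all date elements except the year go
    if isinstance(rec.get("dob"), date):
        age = _age_on(rec["dob"], ref)
        if age > 89:
            out["age"] = "90 or older"
            out.pop("dob", None)         # birth year alone would indicate age > 89
        else:
            out["age"] = age
    return out


# Constructed sample record (fictional values).
SAMPLE = {
    "name": "Jane Doe", "street": "123 Main St", "city": "Milwaukee",
    "state": "WI", "zip": "53201", "dob": date(1931, 5, 2),
    "admit_date": date(2022, 3, 14), "discharge_date": date(2022, 3, 20),
    "phone": "414-555-0100", "ssn": "123-45-6789", "mrn": "MRN-0042",
    "diagnosis": "J45.40",
    "notes": "Patient asked for a callback at 414-555-0100.",
}

if __name__ == "__main__":
    print("limited data set:", limited_data_set(SAMPLE))
    print("safe harbor:     ", safe_harbor(SAMPLE, date(2023, 1, 1)))
```

Note that the free-text scan is a safety net, not a substitute for the statistical-expert route described above: a narrative field can identify someone without containing any of these token shapes.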

B. Can I use PHI for research purposes?

In order to use PHI for research purposes, a researcher must obtain either a signed Authorization Form that complies with the Privacy Rule (see Question C below) or a Waiver of Authorization approved by the IRB (see Question D below) before using the PHI. This rule applies regardless of how, where and by whom the PHI is recorded, stored or maintained.

A researcher may use PHI without an authorization or waiver for certain limited activities, called “preparatory to research activities”, if the researcher, before such use, makes certain required representations to the HIPAA Entity providing the PHI about the use of the PHI (including that the PHI will not be removed from the premises of the HIPAA Entity). These representations can be found in UWM’s suggested Preparatory to Research Activities Certification. The following is a list of activities considered to be “preparatory to research activities”:

  • Development of a research question (preparation of a grant or protocol);
  • Development of eligibility (inclusion and exclusion) criteria;
  • The determination of study feasibility (in terms of the available number and eligibility of potential study participants); and
  • The determination of eligibility for study participation of individual potential subjects.

Researchers may not use their own databases containing PHI, or other databases containing PHI, for “preparatory to research activities” until they have made the required certifications.

[Note that although the federal Department of Health and Human Services (Office of Civil Rights) has opined that recruitment of subjects for a protocol or contacting potential subjects is a “preparatory to research activity” under the Privacy Rule, under the Common Rule, IRBs at most research universities, including UWM, usually require a protocol to be approved by the IRB before any potential subjects are contacted.]

C. What is a research subject or research participant “authorization”?

An authorization is a document signed and dated by the participant which meets the requirements of the Privacy Rule and grants permission for the researcher to use and disclose the participant’s PHI to perform a research protocol (the “Authorization Form”). Use of an Authorization Form is the preferred method under the Privacy Rule for a researcher to obtain permission to use the PHI for research purposes. The Authorization Form must include all of the elements contained in UWM’s recommended Authorization Form. The same elements may be incorporated into an Informed Consent Form (see Question E).

The recommended Authorization Form contains the elements listed below, as well as the date, and the participant’s (or an authorized representative’s) signature. If these requirements are not met, or the form is not signed and dated, the authorization is invalid and the researcher cannot use the participant’s PHI.

The authorization must contain the following:

  • A description of the PHI needed to conduct the study: This description should be as specific as possible but should also be broad enough to cover any PHI needed throughout the course of the entire study. If your description does not include certain information that you later need, you will have to obtain another authorization to use that information. If your research involves the use of psychotherapy notes in addition to other PHI, you should obtain specific authorization for the use of psychotherapy notes;
  • The name or other specific identification of the person(s), class(es) of persons, or entity who will provide PHI to the persons requesting it: This will typically include the custodian of the medical record or the custodian or creator of the database containing PHI;
  • The name or other specific identification of the person(s), or class(es) of persons, who will be receiving (using and/or disclosing) the PHI: This will typically include everyone involved in the conduct of the study who will use PHI or receive disclosed PHI;
  • A description of the purpose of the study;
  • An expiration date or an expiration event: “end of the research study” or “none” are acceptable;
  • A statement that the individual has the right to revoke the authorization at any time provided it is done in writing;
  • A statement about the consequences to the subject of refusal to sign the authorization form: For a clinical research protocol, the authorization needs to state that the subject/participant is unable to participate in the protocol if he/she is unwilling to sign the authorization. For all research protocols, a statement should be made that non-research-related treatment, payment, or other services or benefits will not be affected by the potential subject’s refusal to enroll;
  • A statement indicating that the participant agrees that access to his/her PHI during the study may be suspended but will be reinstated upon completion of the research; and
  • A statement about the potential for any PHI obtained by the researcher under the authorization to lose its protection under the Privacy Rule after disclosure to persons or entities who are not also covered by the Privacy Rule.

D. What is an IRB “Waiver of Authorization”?

A Waiver of Authorization may be granted to the researcher by the IRB when it is impracticable to obtain subject/participant authorization to use and disclose PHI for the research purposes outlined in the waiver. A waiver can be granted after the IRB is satisfied that the researcher meets the Privacy Rule requirements for obtaining a waiver. These requirements include the following:

  • The use or disclosure of PHI does not involve more than a minimal risk to an individual’s privacy based on, at least, the presence of the following elements:
    1. an adequate plan to protect identifiers from improper use and disclosure;
    2. an adequate plan to destroy identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
    3. adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by the Privacy Rule;
  • The proposed research could not practicably be conducted without the waiver or alteration; and
  • The research could not practicably be conducted without access to and use of the PHI.

A Waiver of Authorization does not allow a researcher to access all of a subject’s PHI; rather it only allows researchers access to the minimum amount of PHI necessary to satisfy their research objectives. Researchers will need to justify to the IRB what PHI they will need.

E. Can the Informed Consent Form be combined with an Authorization Form?

Yes; however, UWM’s IRB prefers that researchers obtain a separate Authorization Form (required by the Privacy Rule) and Informed Consent Form (required by the Common Rule) from each participant. These forms may only be combined with permission from UWM’s IRB.

F. How do I obtain a Waiver of Consent and/or a Waiver of Authorization for new protocols?

Separate applications for a Waiver of Consent under the Common Rule and a Waiver of Authorization under the Privacy Rule should be submitted to the IRB. The Common Rule Waiver of Consent may be requested on the new protocol application form. Researchers seeking a Privacy Rule Waiver of Authorization (including a partial waiver of authorization or altered authorization) may do so by using the Waiver of Authorization Form.

The IRB must make an independent determination that each set of criteria for waiver is met.

* Note that UWM’s Covered Departments are not required to accept a Waiver of Authorization granted by an IRB that is not affiliated with it.

G. Does the Minimum Necessary Requirement Apply to Use and Disclosure of PHI in the research setting?

The minimum necessary requirement of the Privacy Rule requires that individuals limit access to PHI, and use and disclosure of PHI, to the minimum amount of information necessary to perform their job and/or accomplish their intended purpose. Until additional guidance is issued by the Secretary of Health and Human Services, a Limited Data Set should be used if practicable to accomplish the intended purpose of the use or disclosure. A Limited Data Set is PHI that does not contain certain direct patient identifiers. If use of a Limited Data Set is not practicable, the minimum necessary rule can be relied upon.

The minimum necessary requirement does not apply if an Authorization Form has been obtained permitting the use or disclosure of PHI for research purposes. For all other uses and disclosures, including for preparatory to research activities, pursuant to a Waiver of Authorization, or for research involving the deceased, only the minimum amount of PHI necessary may be disclosed.

H. Is coded information identifiable?

The Privacy Rule considers coded information to be de-identified if the 18 specific elements listed above are coded and the person cannot reasonably be identified. However, the means to re-identify the data (the code key or link) is itself considered identifiable and therefore PHI.

I. How can I use existing PHI from a HIPAA Entity to perform a research protocol or re-analyze PHI for an existing protocol?

First you need to determine if the desired information is identifiable. If it is not, the Privacy Rule does not apply. If the information contains any of the 18 identifiers listed above, the Privacy Rule applies and you may access the information for research protocol performance purposes, or reanalysis of data under the protocol, only if you obtain:

  • A signed Authorization Form from each subject/participant meeting the requirements of the Privacy Rule (see Question C); or
  • A Waiver of Authorization from the IRB (see Question D); or
  • A limited data set prepared by the custodian of the medical record, by the custodian of the database containing the PHI, or by a business associate or other researcher who maintains the database. In order to obtain a limited data set, you need to first sign a Data Use Agreement which meets the requirements of the Privacy Rule (see Question A).

Most research involving the review of medical records will require an IRB Waiver of Authorization under the Privacy Rule, unless the subject numbers are small and an Authorization Form for use of the PHI can be obtained directly from the subjects.

Researchers also must comply with requirements under the Common Rule.

J. How does the Privacy Rule affect IRB submissions for clinical trials?

The Principal Investigator (PI) will continue to submit an application under the Common Rule for approval of the protocol and subject/participant research consent form (the “Informed Consent Form”).

The investigator must submit an Authorization Form, or incorporate the elements of the Authorization Form in the Informed Consent Form, for IRB approval under the Privacy Rule for the subjects to grant permission for use of their PHI during performance of the protocol.

Any amendments to the Authorization Form requested by the IRB at continuing review will be effective for subjects enrolled after the continuing review.

K. How does the Privacy Rule affect clinical trial recruitment?

Privacy Rule protections should be addressed for any human subject recruited, regardless of the method of recruitment. Under the Privacy Rule, subject recruitment is considered a “preparatory to research activity.” As such, both researchers in the HIPAA Entity and third party researchers can review PHI to identify prospective candidates, provided however, that they do not remove PHI from the premises of the HIPAA Entity.

After identifying potential candidates for further study, the Privacy Rule permits members of a HIPAA Entity to contact these potential candidates, either on behalf of the HIPAA Entity or on behalf of the third party researcher. The HIPAA Entity may not, however, provide contact information on the potential research candidates to a third party researcher without obtaining an Authorization Form or a Waiver of Authorization.

The Common Rule must also be taken into consideration. IRBs at research universities, including UWM, do not typically permit recruitment of subjects without previous IRB approval of protocol.

L. How are databases containing PHI affected by the Privacy Rule?

The Privacy Rule affects the use of databases containing PHI that are used for research purposes. All research uses of PHI are subject to the Privacy Rule, even if the research is determined to be exempt under the Common Rule. The Privacy Rule regulations apply to the use of databases containing PHI just as they do to any other research using PHI.

The custodian of a database containing PHI that is used in preparatory to research activities will require a copy of a signed preparatory to research certification before permitting use of the PHI. Databases containing PHI may not be used for the purposes of performing a research protocol, or re-analysis of data under a protocol, unless the researcher has obtained a signed Authorization Form from the subject or the researcher has obtained a Waiver of Authorization from the relevant IRB. This rule applies even to the use of PHI in databases created by researchers with health information from their own patients/subjects/clients. This rule does not apply to databases created prior to April 14, 2003.

M. How does the Rule affect protocols approved by the IRB prior to 4/14/03 and after 4/14/03?

For all protocols, a researcher should continue to follow all applicable Common Rule requirements.

  1. For protocols approved prior to April 14, 2003 that will not enroll new subjects on or after April 14, 2003, no additional action is necessary for compliance with the Privacy Rule.
  2. For protocols approved prior to April 14, 2003 that will enroll new subjects on or after April 14, 2003, the researcher should use an Authorization Form and submit a copy of this form to the IRB at the time of continuing review.
  3. For all protocols approved on or after April 14, 2003, a researcher should either:
    • Submit the Authorization Form together with the application for review of the protocol to the IRB; or
    • Submit an application for a Waiver of Authorization.

N. Is PHI of a decedent protected by the Privacy Rule?

With limited exceptions, the Privacy Rule requires researchers to obtain written authorizations from research subjects before using the subjects’ PHI in the course of that research. One of those exceptions is for the use of decedents’ PHI after filing an appropriate certification.

If you wish to use the PHI of subjects you know to be deceased, you may use the Privacy Rule exception by making a certification. The certification is appropriate when: (1) the PHI sought via the certification is only that of decedents, (2) you can document the death of each individual if asked to do so, and (3) the PHI is necessary to the research purposes.

You may make a certification for research on the PHI of decedents when all subjects in your protocol, or in a distinct part of that protocol, are deceased. Stated another way, the certification is appropriate when your research is specifically directed at the use of PHI of decedents.

Before you will be permitted to use PHI of decedents for research purposes, you must certify to the HIPAA Entity that (1) and (3) above are true. You will likely be required to sign a certification form and file it with an appropriate party at the HIPAA Entity. UWM requires that individuals conducting research with one of its Covered Departments file a certification with their Privacy Officer and the IRB for each protocol involving research directed at the use of known decedents’ PHI. UWM’s recommended form can be found at UWM HIPAA Policies and Procedures: Certification for Research on the PHI of Decedents.

If your research protocol involves the use of PHI of both living and non-living subjects, but no distinct part of your protocol is directed at the use of decedents’ PHI, you should not use this process, but rather should obtain a signed Authorization Form, or seek a Waiver of Authorization, before using the PHI. It is not necessary to file a certification to continue using PHI of a research subject who dies during the course of your research, as you will have obtained an Authorization, or Waiver of Authorization, for the subject while living that will allow you to continue using that PHI.

O. What rights does the Privacy Rule provide to research subjects/participants with respect to their PHI?

The Privacy Rule provides patients with the right to request alternative communications, look at and obtain copies of their medical and billing records, ask for changes to these records, receive a list of certain disclosures, request restrictions on how their information is used and disclosed, and receive a notice of privacy practices. For more information on individuals’ rights under the Privacy Rule see UWM’s Policies and Procedures.

P. How will investigators be affected by the patient/ subject/ participant’s privacy right to request and receive an accounting for “disclosures” of PHI?

The Privacy Rule grants to a patient a right to request and receive an accounting for some “disclosures” of PHI, including disclosures made in connection with certain research projects. An accounting is a record of each disclosure of each patient’s PHI. A right to an accounting only applies to disclosures of PHI, not to uses of PHI. Patients have a right to an accounting only of those disclosures made by researchers in connection with protocols conducted with a Waiver of Authorization. An accounting of disclosures is not required when a patient authorization is obtained.

You do NOT have to account for disclosures during the research study if:

  1. Disclosure was made pursuant to a patient authorization; or
  2. You are disclosing a limited data set; or
  3. You are disclosing de-identified information; or
  4. Your study has been determined by the IRB to be exempt under the Common Rule, because the existing information you are recording cannot be identified, directly or through identifiers linked to subjects [45 C.F.R. § 46.101(b)(4)].

You MUST account for disclosures if:

You make disclosures in connection with a protocol for which the IRB approved a Waiver of Authorization.

The Privacy Rule requires you to record the following information:

  1. The name of each patient involved in the research whose PHI is disclosed;
  2. The name and address, if possible, of the person or entity to whom the PHI is disclosed;
  3. The date of disclosure;
  4. A brief description of the PHI disclosed; and
  5. A brief statement of the purpose of the disclosure or a copy of the request for the disclosure.

If multiple disclosures of PHI occur to the same person or entity for the same purpose, after the first disclosure, simply record the frequency of the disclosures and the date of the last disclosure.

See Disclosures Log for UWM’s recommended form.
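The accounting rules in this question, as an added example that is not UWM’s Disclosures Log form: a disclosure is logged only when the study rests on a Waiver of Authorization, each entry carries the five required fields, and repeat disclosures to the same recipient for the same purpose collapse into a frequency and last date rather than separate entries. The basis labels and the sample disclosures are constructed for the example.

```python
"""Accounting of disclosures under Section P. Added example with constructed
entries; not UWM's own Disclosures Log form or software."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Legal bases for a study's disclosures (labels are assumptions for this example).
ACCOUNTABLE_BASIS = "waiver_of_authorization"
EXEMPT_BASES = {"authorization", "limited_data_set", "de_identified",
                "common_rule_exempt"}


def accounting_required(basis: str) -> bool:
    """Only disclosures made under an IRB Waiver of Authorization are accountable."""
    if basis == ACCOUNTABLE_BASIS:
        return True
    if basis in EXEMPT_BASES:
        return False
    raise ValueError(f"unknown basis: {basis!r}")


@dataclass
class Entry:
    """One accounting entry: the five required fields, plus the aggregation
    fields used once the same recipient receives PHI again for the same purpose."""
    patient: str
    recipient: str          # name and, if possible, address
    first_date: date
    description: str        # brief description of the PHI disclosed
    purpose: str            # purpose, or a reference to the disclosure request
    count: int = 1
    last_date: date | None = None   # filled only for repeat disclosures


class DisclosureLog:
    def __init__(self, basis: str) -> None:
        self.basis = basis
        self._entries: dict[tuple[str, str, str], Entry] = {}

    def record(self, patient: str, recipient: str, when: str,
               description: str, purpose: str) -> Entry | None:
        """Log a disclosure dated `when` (ISO yyyy-mm-dd). Returns None when the
        study's basis exempts it from accounting."""
        if not accounting_required(self.basis):
            return None
        day = date.fromisoformat(when)
        key = (patient, recipient, purpose)
        entry = self._entries.get(key)
        if entry is None:
            entry = Entry(patient, recipient, day, description, purpose)
            self._entries[key] = entry
        else:
            # Same recipient, same purpose: bump the frequency and keep the
            # latest date; entries may arrive out of order, so take the max.
            entry.count += 1
            entry.last_date = max(entry.last_date or entry.first_date, day)
        return entry

    def for_patient(self, patient: str) -> list[Entry]:
        """What this patient would receive if they requested an accounting."""
        return [e for e in self._entries.values() if e.patient == patient]


if __name__ == "__main__":
    log = DisclosureLog(ACCOUNTABLE_BASIS)   # constructed sample disclosures
    log.record("P-001", "Reference Lab, 1 Lab Way", "2023-04-01",
               "specimen results", "protocol 17 analysis")
    log.record("P-001", "Reference Lab, 1 Lab Way", "2023-06-15",
               "specimen results", "protocol 17 analysis")
    for e in log.for_patient("P-001"):
        print(e)
```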

Q. Does the Privacy Rule give a research subject/ participant the right to access all of their research information?

No. But the Privacy Rule says that a subject/participant can access any PHI maintained in a Designated Record Set (DRS) (that is, medical and billing records and any other records used to make decisions about individuals).

A researcher may delay access to PHI in the Designated Record Set until the end of the study, provided the subject/participant agreed to the planned delay in their signed Authorization Form.

Once research data is transferred to a third party outside of a HIPAA Entity, patients no longer have a right of access to this information. They would, however, have rights in the PHI from which the research data was derived after any restrictions on access have expired.

R. How may a research subject/ participant amend his/ her PHI?

A research subject/participant only has the right to amend PHI in research records if those records are part of the Designated Record Set. Requests for an amendment should be referred to the relevant Privacy Officer or the HIPAA Entity providing the PHI.

S. What Security Measures Must I Take to Protect Electronic PHI?

If you are a researcher in a Covered Department, your Department should have procedures in place for you to follow to safeguard electronic protected health information (“EPHI”) and prevent access to such confidential information by unauthorized persons. If you are a researcher outside of one of UWM’s Covered Departments, care should also be taken to ensure that your research participants’ EPHI is protected. What follows is a list of minimum security measures researchers should consider when working with EPHI. For additional information on how to protect EPHI see UWM’s HIPAA Security Guidelines.

  • All access to EPHI must be password protected. This includes devices such as laptops, PDAs, databases and other data sources.
  • Ensure any computers storing or transmitting EPHI meet a minimum standard of security. This includes:
    1. Up-to-date anti-virus and anti-spyware software
    2. Fully up-to-date operating system software
    3. Software or hardware firewall
    4. Minimizing the number of operating system accounts and use of strong passwords.
  • Ensure a password protected screensaver or other time-out mechanism is configured on your computer.
  • Never transmit EPHI or passwords in plain text.
  • Ensure stored EPHI cannot be accessed by unauthorized third parties. Isolate this data and consider encryption.
  • Pay particular attention to EPHI on portable devices and media such as laptops, CDs and USB “thumb” drives, as they are particularly vulnerable to theft and loss. Limit their use and encrypt if mobile device or media use is necessary.
  • Get professional help securing devices that will store or transmit EPHI. Do not trust the security on home and personally owned devices.
  • Ensure that EPHI is properly removed from media before reuse or disposal. A product designed for this purpose should be used to fully remove sensitive data. Simple deletion or formatting is not sufficient.
  • Check computer logs regularly to ensure there has not been unauthorized access to your EPHI.
  • For full details on HIPAA Technical Security Guidelines, please see Security Guidelines.

T. How Do HIPAA’s Breach Notification Requirements Impact My Research?

A key change under the HITECH Act of 2009 is that breaches of PHI are now covered by rules detailing how such a breach must be addressed.

A researcher using PHI in research who suspects that there has been an impermissible acquisition, access, use or disclosure of PHI in a manner not permitted under HIPAA should immediately report the circumstances of the suspected breach to a Privacy Officer for the HIPAA Entity, who can help in determining and following appropriate processes in response to that information.


A.   Dr. Smith wants to conduct a 10-year family genetic study on 5 families with a total of 20 subjects. She will collect medical records data from the medical records at Milwaukee Hospital and remove all identifiers at the end of the study. She says this makes the work exempt under the Privacy Rule since the data will be de-identified. Milwaukee Hospital, the HIPAA Entity, says it must either do the de-identification, or it will provide Dr. Smith the PHI after she provides signed Authorization Forms to access and use the PHI. Who is correct?

Answer: The HIPAA Entity must ensure the privacy protection of the PHI, so since Dr. Smith will need to have PHI for this study, she will need a signed Authorization Form from each subject. An IRB Waiver of Authorization probably would not be granted by an IRB because of the small number of subjects, unless, because of other circumstances, obtaining authorization to use the PHI was impracticable.

B.   Dr. Jones keeps in his own computer a file of every prostate surgery he has ever done (200 patients) including follow up. He has now developed a new surgical technique and wants to compare it to his prior cases to show it has fewer side effects and plans to publish the results. What procedures must be followed under the Privacy Rule before he can do this new study with the data in his computer file?

Answer: Dr. Jones needs either Authorization Forms from each subject or IRB approval of a Waiver of Authorization under the Privacy Rule to use his file for this research project.

C.   Professor Social Scientist wants to study the frequency of hospital admissions of children with acute asthma from 1960-1980. Her protocol says she plans to review all medical records of pediatric admissions to Milwaukee Children’s Hospital for asthma. She has been advised by Milwaukee Hospital that there are likely 200 patients in that period which fit her protocol requirements. She requests an IRB Waiver of Consent under the Common Rule and submits her protocol for IRB approval. She will also submit a Waiver of Authorization Form to both her university IRB and the hospital IRB. Is this a good circumstance for obtaining a Waiver of Authorization under the Privacy Rule from the IRBs?

Answer: This is a likely circumstance for seeking a Waiver of Authorization from the IRB since so much time has passed since the time period for which she wishes to collect data and the numbers of pediatric patients is large; obtaining Authorization Forms for each subject is likely to be found impracticable.

D.   A third year medical student presents teaching rounds at a hospital where she is doing a clerkship rotation on 20 current patients with aspergillus.

1. Does she need patient authorization for this presentation under the Privacy Rule?

Answer: No, training of future health care professionals is part of the hospital’s health care operations and she is doing this as part of her training.

2. Does she need IRB approval for this presentation?

Answer: No, on these facts alone it is teaching.

3. What if she decides to publish an article out of this presentation?

Answer: Her decision to publish probably converts this to a research use of the information and requires IRB approval. The journal may also require her to state whether she had IRB approval for the study.

4. If she writes an article, does she need patient/subject authorization (and thus IRB approval of the Authorization) under the Privacy Rule, as well as Common Rule approval by the IRB?

Answer: Yes.

5. Could a Waiver of Authorization for her use of subject PHI be approved by the IRB?

Answer: Not likely, because these are current patients from whom she likely can obtain an Authorization.

6. If it is possible for her to de-identify the PHI herself before publishing the article, does she still need IRB Privacy Rule approval and subject authorization?

Answer: Yes, she does because she is using the PHI herself in the research before doing the de-identification of the information.

E.   Dr. Johnson, an HIV specialist, wants to review treatment of HIV in the early 1990s versus today. He proposes a chart review of 100 records from the early 1990s at the hospital where he practices and a comparison to the next 100 cases seen. He will follow all living subjects for 5 years. Thus, this is both a retrospective and a prospective project. What should the IRB require?

Answer: He will need both Common Rule and Privacy Rule approval for this study. Under the Privacy Rule, he probably can obtain a Waiver of Authorization for the retrospective part of the study. He will need signed Authorizations as well as Informed Research Consents from the subjects for the prospective part of the study.

F.   Prof. Johnson is a faculty member in UWM’s Psychology Department. He wants to use client records in the Psychology Clinic for a human subjects research study. Is he subject to the Privacy Rule requirements in addition to the federal human subjects protection regulations (Common Rule)?

Answer: Yes, he is subject to Privacy Rule requirements in addition to Common Rule requirements.

G.   Prof. Wright is a faculty member in UWM’s Psychology Department. He is planning a new protocol to submit to the IRB in which he will bring healthy adult subjects into his laboratory, collect personal health information and collect other data from them by auditory and sense testing which he performs in the laboratory. He does not plan to collect information from these subjects’ medical records. Is he subject to the Privacy Rule requirements in addition to the Common Rule requirements?

Answer: He should continue to follow the usual requirements under the federal human subjects protection regulations (Common Rule). However, under these specific facts, he is not required to follow the Privacy Rule requirements. On these facts, he is not part of UWM’s Covered Departments (only the Psychology Clinic is in UWM’s Covered Departments), and he is collecting health data directly from participants and will not use their medical records. However, if he decides to collaborate with a professor in one of UWM’s Covered Departments or another HIPAA Entity on this protocol and use PHI on these participants, or to collect medical record information on these healthy participants for the study, Prof. Wright would then be subject to Privacy Rule requirements, as well as the Common Rule.


If you have any questions on the above or about the privacy and security regulations in general, please contact your Privacy Officer or UWM’s Office of Legal Affairs.

1 This document is modeled on, and certain sections are drawn directly from, University of Wisconsin – Madison’s HIPAA training materials. We would like to thank the University of Wisconsin – Madison (in particular, Rebecca Hutton) for allowing us the use of its materials.
2 Sharing PHI within a HIPAA Entity is a “use.” Sharing PHI outside of a HIPAA Entity is a “disclosure” which needs to be accounted for to the patient, subject, or participant who requests such accounting, unless the subject or participant granted permission in an authorization for such disclosure.
3 Please see “University of Wisconsin-Milwaukee HIPAA Policies and Procedures: Section J-2, Definition of ‘Limited Data Set’” for a list of all excluded identifiers.
© Board of Regents of the University of Wisconsin System on behalf of the University of Wisconsin -Milwaukee, 2012.