HIPAA Privacy Program Guidance:
Human Subjects Research and HIPAA
Page 1 of 5
HPP Use Only:
HIPAA Privacy Program
v. 2016
PURPOSE
To provide guidance about permissible uses and disclosures of Protected Health Information
(PHI) for research purposes (see 45 CFR § 164.512(i)).
REVIEW/REVISIONS
02/2016
REFERENCES AND RELATED FORMS
HIPAA Privacy Program Guidance (Definitions)
Human Subjects Protection Program: http://rgw.arizona.edu/compliance/human-subjects-protection-program
GENERAL INFORMATION ABOUT HIPAA AND RESEARCH
HIPAA permits the access, disclosure and use of Protected Health Information (PHI) from a HIPAA
Covered Entity for research purposes by the following six methods:
1. The signed authorization of the patient whose individually identifiable PHI is sought;
2. Waiver by an IRB or a Privacy Board of all or part of the authorization requirement for use
of individually identifiable PHI;
3. A Data Use Agreement for research use of a Limited Data Set (see definition below);
4. Review of PHI solely in preparation for research, without collecting the PHI for research
use;
5. Complete de-identification of the PHI; or
6. Use of PHI solely of decedents.
SIX METHODS FOR USING OR DISCLOSING PHI FOR RESEARCH
1. Research Use or Disclosure of PHI with Authorization (may include any and all individual
identifiers)
As a general rule, a researcher must obtain a signed Authorization from all
participants in research prior to the internal use or external disclosure of PHI for
any research related purpose that is not otherwise permitted or required under
HIPAA.
The IRB, HIPAA Privacy Program, and/or Covered Entity will provide an
Authorization template that complies with HIPAA requirements.
Special note: An Authorization is always required for access, disclosure or use of
psychotherapy notes.
2. Research Use or Disclosure of PHI with Waiver of Authorization by IRB (may include any
and all individual identifiers approved by the IRB in its waiver)
In some circumstances, Authorizations for research use of PHI may be waived by
the IRB, provided the following three criteria are satisfied and documented
(generally in addition to satisfaction of waiver of informed consent requirements
pursuant to 45 CFR 46.116):
o The use or disclosure of PHI involves no more than a minimal risk to the
privacy of individuals, based on HIPAA-prescribed criteria;
o The research could not practicably be conducted without the waiver; and
o The research could not practicably be conducted without access to and
use of the PHI.
A request for Waiver of Authorization must be completed by the researcher and
submitted to the IRB for prior review and approval.
Uses or Disclosures of PHI made pursuant to a Waiver are subject to the HIPAA
Minimum Necessary rules.
Since a researcher cannot practicably obtain a potential research participant’s
authorization for review of PHI in advance of contacting the potential participant,
the IRB may issue a limited waiver of authorization permitting specified access
and use of PHI solely for prescreening and recruitment contact pursuant to an
approved protocol.
Physicians and other health care professionals who have a direct treatment
relationship with an individual may review that individual’s PHI for eligibility with
respect to a research protocol and may initiate a discussion with the individual
about potential participation as a research subject in a protocol relevant to the
treatment relationship. This scenario does not require an Authorization or a
Waiver of Authorization.
Individuals responding to an advertisement or otherwise initiating contact and
indicating interest in participating in a research study may be given an explanation
of the study (including, but not limited to, the name of the principal investigator
and description of the study) without Authorization or Waiver of Authorization;
however, either their Authorization or a Waiver of Authorization is required to
review their PHI in health care records to determine potential eligibility.
3. Research Use of a Limited Data Set
A researcher may use or disclose a Limited Data Set for research without an
Authorization or IRB Waiver of Authorization. A limited data set as defined in
HIPAA is described below. Although even a Limited Data Set is nearly de-identified,
this limited amount of PHI consisting of certain geographic data and
dates may be adequate for a broader array of research studies than completely
De-Identified data.
A Limited Data Set contains PHI that is nearly de-identified. A Limited Data Set
may NOT include any of the direct identifiers listed under the HIPAA definition of
De-Identified health information (see HIPAA Privacy Program Form Q) EXCEPT the
following:
o State, county, city, town, census tract, precinct, zip code or any other
geocodes above the level that would identify an individual household;
and/or
o All elements of dates directly related to an individual, including birth date,
admission date, discharge date, dates of health care procedures or other
services, and date of death.
The Limited Data Set must exclude ALL OTHER direct identifiers listed in HIPAA
Privacy Program Form Q:
(http://rgw.arizona.edu/sites/researchgateway/files/q_is_it_phi.pdf).
A Limited Data Set may be used or disclosed only if there is a Data Use Agreement
between the entity providing the data and the recipient of the limited data set. A
researcher should contact the HIPAA Privacy Program if he/she needs or receives
a Data Use Agreement for a Limited Data Set.
A researcher may find the need to access full PHI in order to abstract from that a
Limited Data Set for research use. Because this abstraction activity requires
access to PHI, a researcher may ONLY engage in this abstraction activity under the
following circumstances:
o The researcher must have an IRB waiver of authorization; or
o In addition to a Data Use Agreement, the researcher must enter into a
Business Associate Agreement with the Covered Entity to create the
Limited Data Set on the covered entity’s behalf for the researcher’s use.
IMPORTANT: Contact the HIPAA Privacy Program for assistance in this
situation.
4. Access to PHI solely for Preparation for Research
Researchers may access PHI in the records of Covered Entities without an
Authorization or IRB Waiver of Authorization for the purposes of development of
a research protocol or assessment of feasibility of a research protocol, provided
that the researcher documents to the satisfaction of the Covered Entity’s PHI data
custodian (e.g. the medical records manager) that all the following criteria are
satisfied (typically via an attestation form provided by the Covered Entity to be
signed by the individual researcher):
o The use or disclosure of PHI is solely to prepare or assess feasibility of a
research protocol;
o The researcher shall not record individually identifiable PHI or remove PHI
from the records reviewed (for example, researcher may review
identifiable PHI but may only record aggregate data or individual data that
does not include any individual identifiers);
o The PHI sought is necessary for the purposes of the research; and
o The researcher shall not contact or recruit patients under this provision.
5. Use or Disclosure of Completely “De-Identified” Health Information
The HIPAA definition of completely De-Identified PHI is not the same as what
many researchers have been accustomed to consider “anonymized” data. The
completely De-Identified form of data defined in HIPAA may not be adequate for
many research studies. An advantage is that it presents no risk of privacy violation
and therefore requires relatively little documentation for research access or use
and is not subject to any restrictions on downstream use and disclosure.
Individual health information that conforms to the HIPAA definition of “de-identified”
is exempt from HIPAA and may be used or disclosed for research
purposes without an Authorization or Waiver of Authorization or Data Use
Agreement.
6. Use and Disclosure of Decedent’s Individually Identifiable PHI Without Authorization
Researchers may use and disclose a decedent’s individually identifiable PHI for
research without an Authorization or IRB Waiver, provided that the researcher
documents that all the following criteria are satisfied:
o The use will be solely for research on the PHI of a decedent;
o The researcher has documentation of the death of the individual about
whom information is being sought; and
o The PHI sought is necessary for the purposes of the research.
The researcher will provide documentation to the data custodian that all of the
above criteria are satisfied in accordance with the data management registration
process.
Uses or Disclosures of a decedent’s PHI for research purposes are subject to the
HIPAA Minimum Necessary rules.