Research FAQs - UW-Madison HIPAA

For additional FAQs about HIPAA, see HIPAA Overview.

How is “research” defined by the Privacy Rule?

Who qualifies as a “researcher”?

When does the Privacy Rule apply to me as a researcher?

What is “individually identifiable health information”?

Does HIPAA apply to my research even if I am not a health care provider?

How does HIPAA affect a research study that also involves health care treatment?

What is the relationship between HIPAA and the “Common Rule” for the protection of human subjects?

What are the HIPAA requirements for using or disclosing PHI in research?

Can I disclose PHI as part of my research?

Is PHI ever created within the course of conducting research?

When is individually identifiable health information created within a research study not PHI?

Does HIPAA regulate how PHI created in the course of a research study is handled?

Can I use Box or Electronic Laboratory Notebook (ELN) to store my data set containing PHI?

What is a research authorization?

How is an authorization form different than an informed consent form?

How do I obtain an authorization to use and/or disclose PHI in my research?

What if the human research participant revokes the authorization?

What is a waiver of authorization?

How is a waiver of authorization different than a waiver of informed consent?

How do I obtain a waiver of authorization to use PHI in my research?

How does HIPAA apply to the recruitment of study participants?

May I use e-mail to communicate with research subjects?

What is a de-identified data set?

What are the requirements for obtaining and using a de-identified data set for my research?

My data set is coded. Does this qualify as “de-identified”?

If a data set identifies the site from which the data has been disclosed, does the geographic location of the site constitute an identifier?

What is a limited data set?

What are the requirements for using a limited data set?

How do I obtain a limited data set for use in my research?

Can a business associate agreement be used to obtain PHI from a covered entity for research purposes?

What uses of PHI are permitted under HIPAA in a review preparatory to research?

How does HIPAA apply to research using the PHI of decedents?

Can subjects authorize the use of their PHI for future, unspecified research (such as for collection and storage in a data base)?

Does HIPAA permit me to share data with other researchers not part of my study team?

How do I report a breach or other concern related to HIPAA?

---

How is “research” defined by the Privacy Rule?
Research has the same definition in the Privacy Rule as it does in the Common Rule. Research means a systematic investigation, including research development, testing, and evaluation, designed to contribute to generalizable knowledge.

Top

Who qualifies as a “researcher”?
UW-Madison employees, trainees, or students who conduct research involving human subjects. Researchers include investigators, research staff, postdocs, fellows, residents, graduate students, undergraduate students and others who collaborate in UW-Madison human subjects research, including employees of the University of Wisconsin Hospital and Clinics Authority and the University of Wisconsin Medical Foundation.

Top

When does the Privacy Rule apply to me as a researcher?
The Privacy Rule applies if: (1) you are a researcher with an appointment within the UW-Madison Health Care Component (UW HCC) or the UW Affiliated Covered Entity (ACE); or (2) you are a researcher with an appointment outside of the UW HCC or UW ACE but you are collaborating on a research study in which the principal investigator is within the UW HCC or UW ACE; and (3) you collect individually identifiable health information directly from subjects or from medical records or other databases.

Top

What is “individually identifiable health information”?
Individually identifiable health information is information that is a subset of health information, including demographics, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; (2) relates to the past, present, or future physical or mental health or condition of individual; the provision of health care to an individual; or payment for the provision of health care to an individual; and (3) that identifies an individual or where there is a reasonable basis to believe the information can be used to identify an individual.

Top

Does HIPAA apply to my research even if I am not a health care provider?
Yes, if as part of your research you are seeking to use individually identifiable health information from records in the custody of a “covered entity” (most health care providers, health plans, and health care clearinghouses), then HIPAA applies to your access to and use of that data whether or not you are a health care provider.

Top

How does HIPAA affect a research study that also involves health care treatment?
HIPAA requires that research study subjects who will receive health care as part of the study authorize the use of their PHI in that research — or that a privacy board or Institutional Review Board (IRB) waive the authorization requirement — regardless of the consent for treatment. Additionally, any research-generated PHI that may be applied to treatment decisions is subject to HIPAA’s medical record requirements.

Top

What is the relationship between HIPAA and the Common Rule for the protection of human subjects?
While the Common Rule addresses issues related to consent of subjects to participate in research, HIPAA addresses issues related to the subjects’ authorization to have their health information used or disclosed as part of a research study, and how that health information must be protected. The consent and authorization form may be combined. While the Common Rule and HIPAA have some similarities, such as the definition of research, there are many differences as well. For example, HIPAA does not contain the same exemptions from IRB review as the Common Rule.

Top

What are the HIPAA requirements for using or disclosing PHI in research?
HIPAA regulates how covered entities may share PHI with researchers who are part of the covered entity, or how they may disclose PHI to researchers who are not part of the covered entity. HIPAA permits a covered entity to share PHI with, or disclose PHI to, researchers only through the following six options:

1. Review of PHI solely in preparation for research, without collecting or using the PHI for research – commonly called “preparatory to research” activities (HIPAA requires the researcher to make certain attestations to the covered entity about the use).
2. A signed patient authorization is obtained from the individual whose PHI is sought for research.
3. Waiver by an IRB of the authorization requirement for use of individually identifiable PHI for research.
4. Complete de-identification of the data.
5. Conversion of the PHI to a limited data set (HIPAA requires the researcher to enter into a data use agreement).
6. Use of PHI solely of decedents (HIPAA requires the researcher to make certain attestations to the covered entity about the use).

Top

Can I disclose PHI as part of my research?
“Disclosure” of PHI under the Privacy Rule means that you are sharing PHI outside of the UW-Madison Health Care Component (UW HCC) or outside of the UW Affiliated Covered Entity (UW ACE). A disclosure of PHI for research may only occur if you have authorization to do so from the subject. UW-Madison IRBs do not approve requests to disclose PHI under a waiver of authorization. Alternatively, you may disclose a de-identified data set or, with a data use agreement in place, you may disclose a limited data set.

Top

Is PHI ever created within the course of conducting research?
Yes. When a health care activity is performed within the research study itself, any clinical information about the subject that is generated within the research is PHI and is subject to all the HIPAA regulations that apply to PHI. For example, clinical information generated within a research study may be simultaneously entered into the electronic health record of an individual patient and into the research data set intended to produce generalizable knowledge. The research use of the PHI and protection of the privacy and security of the research data set must be in accord with the terms and conditions of the IRB approval, the informed consent and the authorization, relevant institutional policies on data privacy and security, and applicable HIPAA privacy and security regulations.

Top
When is individually identifiable health information that is created within a research study not PHI?
When the principal investigator is not part of the UW-Madison Health Care Component (UW HCC) or the UW Affiliated Covered Entity (UW ACE), the study does not involve health care treatment by a health care provider, and the health information created within the study is not expected to be shared by the researchers with the subject’s health care provider or placed in the subject’s electronic health record. For example, if researchers solely within the Department of Kinesiology conduct an exercise study that collects personal health data directly from the research participant and includes some health screening testing (blood pressure measurements, etc.), this data is not health information that is protected by HIPAA.

Top

Does HIPAA regulate how PHI created in the course of a research study is handled?
Yes, when clinical treatment is performed in the course of a research study (e.g. a therapeutic trial studying the safety and efficacy of a new cancer drug), the information must be handled in accord with the appropriate medical practices regarding entry of the individual’s treatment data into the medical record. The research use of the information must be authorized in the HIPAA authorization and informed consent documents that the research participant signs. These documents should specify how PHI created in the course of a research study will be treated, for example:

• how PHI will be used in the research study,
• whether any of the data will be entered into the medical record, and
• whether the information will be shared with any health plan for payment purposes for any activities included within the study participation.

Top

Can I use Box or Electronic Laboratory Notebook (ELN) to store my data set containing PHI?
At present, only the School of Medicine and Public Health has been approved by the Chief Information Security Officer to use Box to store data or other information containing PHI. Certain mandatory access configurations and processes are required. The SMPH Security Coordinator is responsible for overseeing the implementation of the required controls. If you are within SMPH and would like to use Box to store PHI, SMPH Security Coordinator for assistance.

UW-Madison has not yet approved the use of ELN for storage of PHI. UW-Madison data security experts are working with multiple groups, including the Division of Information Technology (DoIT) staff and the HIPAA Privacy and Security Operations Committee to finalize methods to allow use of Box more broadly on campus and ELN for some PHI under certain controlled setups in the near future. Please contact your HIPAA Security Coordinator for additional information.

Top

What is a research authorization?
An authorization is a document signed by an individual that gives the individual’s explicit permission to obtain her/his specified PHI from a health care provider(s), or to generate PHI as part of the study, and use it for a specified purpose other than the individual’s health care, such as for research. HIPAA is specific about the elements that must be included in a valid authorization document. See Proposal Guidance, above, for more information.

Top

How is an authorization form different than an informed consent form?
An authorization is a HIPAA required document that defines only the terms and conditions of permission to use or disclose specified PHI for a specified research project. Except for authorizations to use psychotherapy notes in research, which must always be stand alone documents, an authorization can be combined with the informed consent document.

Top

How do I obtain an authorization to use and/or disclose PHI in my research?
Apply to the appropriate IRB for approval of an authorization form to use in the informed consent process in your research project. You can find template authorization forms, above. When you have an IRB approved form of authorization for use in your research study, you are able to include the discussion and execution of this form in the informed consent process with each human research participant. Covered entities may want a copy of this authorization (or a waiver of authorization — see below) when you request access to the research participant’s individually identifiable health information in their records.

Top

What if the human research participant revokes the authorization?
If the authorization is revoked, the researcher generally cannot continue to collect PHI on the participant for use in the research study; however, the researcher can continue to use the PHI already obtained before the revocation to the extent necessary to preserve the integrity of the research study. FDA regulations do not permit destruction of study data based on a subject’s revocation of their authorization.

Top

What is a waiver of authorization?
When obtaining subject authorization is “impracticable,” the IRB may approve a waiver of authorization for a researcher to use protected health information. The purposes of the research must be described in a waiver application and the IRB must determine that the researcher has satisfied all Privacy Rule requirements for the waiver.

Top

How is a waiver of authorization different than a waiver of informed consent?
The waiver of authorization is based solely on an assessment of the privacy risks in the proposed research use of individually identifiable PHI, whereas the waiver of informed consent is based on an assessment of risks to participation in the study itself.

Top

How do I obtain a waiver of authorization to use PHI in my research?
Apply to the appropriate IRB for approval of a waiver of the authorization requirement. This is similar to a request for waiver of the informed consent requirement. If you are applying for a waiver, please refer to the additional Guidelines for Waiver of Authorization or Altered Authorization for an explanation of what information will be needed by the IRB to grant a request for a waiver of authorization. When the IRB has approved a waiver of authorization, it will issue an approval document. Covered entities may want a copy of this waiver of authorization (or an authorization — see above) when you request access to the research participant’s individually identifiable health information in their records.

Top

How does HIPAA apply to the recruitment of study participants?
Under HIPAA, a covered entity may provide individually identifiable health information to researchers within its own workforce to allow those researchers to contact potential subjects for the purpose of obtaining their authorization to use their health information in the research. UW-Madison IRBs require that the first contact with potential subjects come from someone the subject would recognize as having valid access to their health information.

Top

May I use e-mail to communicate with research subjects?
E-mail should not be considered a secure, confidential means of communication with subjects. As such, it should generally not be used to communicate, to subjects or from subjects, information that contains or is likely to contain PHI. For example, a recruitment e-mail sent to recipients based on non-health related information (e.g. “you are receiving this email because you are a female over the age of 45”) would usually be permissible but a recruitment e-mail sent to participates that discloses a medical condition (e.g. “you are receiving this e-mail because you have rheumatoid arthritis”) would not be permissible. Similarly, it would generally not be permissible to request subjects to reply to a series of questions about their health via e-mail. There are often other, more secure, means of communication available. If e-mail must be used, subjects must first agree to e-mail communication by signing a written consent form in which they are informed of the security risks associated with email. See Policy 8.6 E-mail Communications Involving Protected Health Information for more information. Additionally, you must describe the use of e-mail, and specifically what information is expected to be e-mailed, in your protocol and obtain IRB approval before e-mail may be used as a method of communication.

Top

What is a de-identified data set?
A de-identified data set is PHI from which the following identifiers of the individual or of relatives, employers, or household members of the individual, have been removed:

• Names;
• All geographic subdivisions smaller than a State;
• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
• Telephone numbers;
• Fax numbers;
• Electronic mail addresses;
• Social security numbers;
• Medical record numbers;
• Health plan beneficiary numbers;
• Account numbers;
• Certificate/license numbers;
• Vehicle identifiers and serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web Universal Resource Locators (URLs);
• Internet Protocol (IP) address numbers;
• Biometric identifiers, including finger and voice prints;
• Full face photographic images and any comparable images; and
• Any other unique identifying number, characteristic, or code; and
• The covered entity may not consider the information de-identified if it has actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

Top

What are the requirements for obtaining and using a de-identified data set for my research?
De-identified data sets do not contain any individually identifiable health information. Neither authorization nor waiver of authorization, nor a data use agreement is required by HIPAA for a researcher to use and/or disclose de-identified data for research purposes.

Top

My data set is coded. Does this qualify as “de-identified”?
If you have the key to the code, your data set is not de-identified. If an individual(s) within the covered entity maintains the key to the code but you do not have access to the code and will never have access to the code, then your data set is de-identified as to you.

Top

If a data set identifies the site from which the data has been disclosed, does the geographic location of the site constitute an identifier?
No. The de-identified information does not lose its de-identification status simply by virtue of identification of the disclosing site. This is true as long as one other HIPAA caveat is met: the disclosing covered entity does not have actual knowledge that the de-identified information could be used alone or in combination with other information available to others outside the covered entity to identify an individual who is the subject of the information.

Top

What is a limited data set?
In contrast to a de-identified data set, a limited data set can contain dates related to the individual (birth date, death date, etc.) and dates of services as well as geographic information at the level of town or city, State and zip code. A limited data set is PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

• Names;
• Postal address information, other than town or city, State, and zip code;
• Telephone numbers;
• Fax numbers;
• Electronic mail addresses;
• Social security numbers;
• Medical record numbers;
• Health plan beneficiary numbers;
• Account numbers;
• Certificate/license numbers;
• Vehicle identifiers and serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web Universal Resource Locators (URLs);
• Internet Protocol (IP) address numbers;
• Biometric identifiers, including finger and voice prints; an
  Full face photographic images and any comparable images.

Top

What are the requirements for using a limited data set?
A covered entity may use or disclose a limited data set from its records containing PHI for research use without either authorization or waiver of authorization if the researcher executes a data use agreement that binds the limited data set recipient to use or disclose the limited data set only for limited, specified purposes. The data use agreement must establish who is permitted to use or receive the limited data set and must pledge all recipients both to use appropriate safeguards to protect the data from unauthorized disclosure and not to attempt to identify or contact the individuals whose PHI is contained in the data.

Top

How do I obtain a limited data set for use in my research?
You can find UW-Madison’s template Data Use Agreement, as well as other information about the use of a limited data set in the forms section, above.

Top

Can a business associate agreement be used to obtain PHI from a covered entity for research purposes?
Generally, no. A business associate is an individual that performs on behalf of the covered entity or assists the covered entity in performing certain business related activities, such as claims processing, billing, benefit management or quality improvement. A researcher is generally not performing a business related activity on behalf of the covered entity when conducting research. However, a business associate agreement may be used when the researcher, who is not a member of the covered entity’s workforce, contracts with the covered entity to access the covered entity’s PHI for the purpose of creating a limited data set or a deidentified data set for his or her research.

Top

What uses of PHI are permitted under HIPAA in a review preparatory to research?
The “review preparatory to research” is an option that allows review (but not research use) of individually identifiable PHI by researchers and does not require authorization or waiver of authorization. A covered entity may allow researchers to review PHI in the covered entity’s records in preparation for research but may not permit researchers to collect any of the PHI for actual research use. For example, the researcher may be permitted to review PHI for the development of research questions; to determine whether a study is feasible (in terms of available number and eligibility of potential subjects); or to develop inclusion and exclusion criteria. However, the researcher may not transcribe information from the records for inclusion in research data. Researchers must complete UW-Madison’s Use of PHI in Activities Preparatory to Research Certification prior to engaging in preparatory to research activities.

Top

How does HIPAA apply to research using the PHI of decedents?
Research using the individually identifiable PHI of decedents requires neither authorization nor waiver of authorization nor a data use agreement. However, researchers must complete UW-Madison’s Certification for Research on the Protected Health Information of Decedents prior to engaging in such research activities.

Top

Can subjects authorize the use of their PHI for future, unspecified research (such as for collection and storage in a data base)?
HIPAA requires that an authorization include a description of each purpose of the requested use or disclosure. An authorization may include use for future research so long as the authorization adequately describes the use in such a manner that it would be reasonable for the subject to expect that his or her PHI to be used or disclosed for such future research. In cases where the authorization does not address future research, an IRB waiver of authorization may be the most appropriate and practical HIPAA-compliant approach.

Top

Does HIPAA permit me to share data with other researchers not part of my study team?
PHI in research data may only be shared with other researchers in accord with the agreement for acquiring the PHI; i.e. only in accord with the terms of the authorization or waiver of authorization or data use agreement. Research data that includes PHI may be shared, disclosed or transferred among the investigators named in the authorization, waiver of authorization or data use agreement. Sharing or disclosing or transferring the data outside of that circle requires IRB review and approval of the proposed research study for which the data would be shared. In the event that the original investigators wish to share research data that includes PHI with another colleague not originally identified as part of the research team within the existing approved study, contact the IRB for review of a change in the approved protocol.

Top

How do I report a suspected breach or other concern related to HIPAA?
If the personally identifiable health information in any way involves information technology (e.g. lost or stolen portable device, compromised server, etc.) you must immediately contact the DoIT Help Desk at 608-264-HELP (4357). For any suspected breach of personally identifiable health information, you must contact the UW-Madison HIPAA Privacy Officer, whose contact information is on the left side of this page. You should also file an Unanticpated Problem Report form with the IRB that reviewed your protocol.

Top