For additional FAQs about HIPAA, see HIPAA Overview.
How is “research” defined by the Privacy Rule?
Who qualifies as a “researcher”?
When does the Privacy Rule apply to me as a researcher?
What is “individually identifiable health information”?
Does HIPAA apply to my research even if I am not a health care provider?
How does HIPAA affect a research study that also involves health care treatment?
What is the relationship between HIPAA and the “Common Rule” for the protection of human subjects?
What are the HIPAA requirements for using or disclosing PHI in research?
Can I disclose PHI as part of my research?
Is PHI ever created within the course of conducting research?
When is individually identifiable health information created within a research study not PHI?
Does HIPAA regulate how PHI created in the course of a research study is handled?
Can I use Box or Electronic Laboratory Notebook (ELN) to store my data set containing PHI?
What is a research authorization?
How is an authorization form different than an informed consent form?
How do I obtain an authorization to use and/or disclose PHI in my research?
What if the human research participant revokes the authorization?
What is a waiver of authorization?
How is a waiver of authorization different than a waiver of informed consent?
How do I obtain a waiver of authorization to use PHI in my research?
How does HIPAA apply to the recruitment of study participants?
May I use e-mail to communicate with research subjects?
What is a de-identified data set?
What are the requirements for obtaining and using a de-identified data set for my research?
My data set is coded. Does this qualify as “de-identified”?
What are the requirements for using a limited data set?
How do I obtain a limited data set for use in my research?
What uses of PHI are permitted under HIPAA in a review preparatory to research?
How does HIPAA apply to research using the PHI of decedents?
Does HIPAA permit me to share data with other researchers not part of my study team?
How do I report a breach or other concern related to HIPAA?
How is “research” defined by the Privacy Rule?
Research has the same definition in the Privacy Rule as it does in the Common Rule. Research means a systematic investigation, including research development, testing, and evaluation, designed to contribute to generalizable knowledge.
Who qualifies as a “researcher”?
UW-Madison employees, trainees, or students who conduct research involving human subjects. Researchers include investigators, research staff, postdocs, fellows, residents, graduate students, undergraduate students and others who collaborate in UW-Madison human subjects research, including employees of the University of Wisconsin Hospital and Clinics Authority and the University of Wisconsin Medical Foundation.
When does the Privacy Rule apply to me as a researcher?
The Privacy Rule applies if: (1) you are a researcher with an appointment within the UW-Madison Health Care Component (UW HCC) or the UW Affiliated Covered Entity (ACE); or (2) you are a researcher with an appointment outside of the UW HCC or UW ACE but you are collaborating on a research study in which the principal investigator is within the UW HCC or UW ACE; and (3) you collect individually identifiable health information directly from subjects or from medical records or other databases.
What is “individually identifiable health information”?
Individually identifiable health information is information that is a subset of health information, including demographics, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or payment for the provision of health care to an individual; and (3) that identifies an individual or where there is a reasonable basis to believe the information can be used to identify an individual.
Does HIPAA apply to my research even if I am not a health care provider?
Yes, if as part of your research you are seeking to use individually identifiable health information from records in the custody of a “covered entity” (most health care providers, health plans, and health care clearinghouses), then HIPAA applies to your access to and use of that data whether or not you are a health care provider.
How does HIPAA affect a research study that also involves health care treatment?
HIPAA requires that research study subjects who will receive health care as part of the study authorize the use of their PHI in that research — or that a privacy board or Institutional Review Board (IRB) waive the authorization requirement — regardless of the consent for treatment. Additionally, any research-generated PHI that may be applied to treatment decisions is subject to HIPAA’s medical record requirements.
What is the relationship between HIPAA and the Common Rule for the protection of human subjects?
While the Common Rule addresses issues related to consent of subjects to participate in research, HIPAA addresses issues related to the subjects’ authorization to have their health information used or disclosed as part of a research study, and how that health information must be protected. The consent and authorization form may be combined. While the Common Rule and HIPAA have some similarities, such as the definition of research, there are many differences as well. For example, HIPAA does not contain the same exemptions from IRB review as the Common Rule.
What are the HIPAA requirements for using or disclosing PHI in research?
HIPAA regulates how covered entities may share PHI with researchers who are part of the covered entity, or how they may disclose PHI to researchers who are not part of the covered entity. HIPAA permits a covered entity to share PHI with, or disclose PHI to, researchers only through the following six options:
- Review of PHI solely in preparation for research, without collecting or using the PHI for research – commonly called “preparatory to research” activities (HIPAA requires the researcher to make certain attestations to the covered entity about the use).
- A signed patient authorization is obtained from the individual whose PHI is sought for research.
- Waiver by an IRB of the authorization requirement for use of individually identifiable PHI for research.
- Complete de-identification of the data.
- Conversion of the PHI to a limited data set (HIPAA requires the researcher to enter into a data use agreement).
- Use of PHI solely of decedents (HIPAA requires the researcher to make certain attestations to the covered entity about the use).
Can I disclose PHI as part of my research?
“Disclosure” of PHI under the Privacy Rule means that you are sharing PHI outside of the UW-Madison Health Care Component (UW HCC) or outside of the UW Affiliated Covered Entity (UW ACE). A disclosure of PHI for research may only occur if you have authorization to do so from the subject. UW-Madison IRBs do not approve requests to disclose PHI under a waiver of authorization. Alternatively, you may disclose a de-identified data set or, with a data use agreement in place, you may disclose a limited data set.
Is PHI ever created within the course of conducting research?
Yes. When a health care activity is performed within the research study itself, any clinical information about the subject that is generated within the research is PHI and is subject to all the HIPAA regulations that apply to PHI. For example, clinical information generated within a research study may be simultaneously entered into the electronic health record of an individual patient and into the research data set intended to produce generalizable knowledge. The research use of the PHI and protection of the privacy and security of the research data set must be in accord with the terms and conditions of the IRB approval, the informed consent and the authorization, relevant institutional policies on data privacy and security, and applicable HIPAA privacy and security regulations.
When is individually identifiable health information that is created within a research study not PHI?
When the principal investigator is not part of the UW-Madison Health Care Component (UW HCC) or the UW Affiliated Covered Entity (UW ACE), the study does not involve health care treatment by a health care provider, and the health information created within the study is not expected to be shared by the researchers with the subject’s health care provider or placed in the subject’s electronic health record. For example, if researchers solely within the Department of Kinesiology conduct an exercise study that collects personal health data directly from the research participant and includes some health screening testing (blood pressure measurements, etc.), this data is not health information that is protected by HIPAA.
Does HIPAA regulate how PHI created in the course of a research study is handled?
Yes, when clinical treatment is performed in the course of a research study (e.g. a therapeutic trial studying the safety and efficacy of a new cancer drug), the information must be handled in accord with the appropriate medical practices regarding entry of the individual’s treatment data into the medical record. The research use of the information must be authorized in the HIPAA authorization and informed consent documents that the research participant signs. These documents should specify how PHI created in the course of a research study will be treated, for example:
- how PHI will be used in the research study,
- whether any of the data will be entered into the medical record, and
- whether the information will be shared with any health plan for payment purposes for any activities included within the study participation.
Can I use Box or Electronic Laboratory Notebook (ELN) to store my data set containing PHI?
At present, only the School of Medicine and Public Health has been approved by the Chief Information Security Officer to use Box to store data or other information containing PHI. Certain mandatory access configurations and processes are required. The SMPH Security Coordinator is responsible for overseeing the implementation of the required controls. If you are within SMPH and would like to use Box to store PHI, contact the SMPH Security Coordinator for assistance.
UW-Madison has not yet approved the use of ELN for storage of PHI. UW-Madison data security experts are working with multiple groups, including the Division of Information Technology (DoIT) staff and the HIPAA Privacy and Security Operations Committee to finalize methods to allow use of Box more broadly on campus and ELN for some PHI under certain controlled setups in the near future. Please contact your HIPAA Security Coordinator for additional information.
What is a research authorization?
An authorization is a document signed by an individual that gives the individual’s explicit permission to obtain her/his specified PHI from a health care provider(s), or to generate PHI as part of the study, and use it for a specified purpose other than the individual’s health care, such as for research. HIPAA is specific about the elements that must be included in a valid authorization document. See Proposal Guidance, above, for more information.
How is an authorization form different than an informed consent form?
An authorization is a HIPAA required document that defines only the terms and conditions of permission to use or disclose specified PHI for a specified research project. Except for authorizations to use psychotherapy notes in research, which must always be stand alone documents, an authorization can be combined with the informed consent document.
How do I obtain an authorization to use and/or disclose PHI in my research?
Apply to the appropriate IRB for approval of an authorization form to use in the informed consent process in your research project. You can find template authorization forms, above. When you have an IRB approved form of authorization for use in your research study, you are able to include the discussion and execution of this form in the informed consent process with each human research participant. Covered entities may want a copy of this authorization (or a waiver of authorization — see below) when you request access to the research participant’s individually identifiable health information in their records.
What if the human research participant revokes the authorization?
If the authorization is revoked, the researcher generally cannot continue to collect PHI on the participant for use in the research study; however, the researcher can continue to use the PHI already obtained before the revocation to the extent necessary to preserve the integrity of the research study. FDA regulations do not permit destruction of study data based on a subject’s revocation of their authorization.
What is a waiver of authorization?
When obtaining subject authorization is “impracticable,” the IRB may approve a waiver of authorization for a researcher to use protected health information. The purposes of the research must be described in a waiver application and the IRB must determine that the researcher has satisfied all Privacy Rule requirements for the waiver.
How is a waiver of authorization different than a waiver of informed consent?
The waiver of authorization is based solely on an assessment of the privacy risks in the proposed research use of individually identifiable PHI, whereas the waiver of informed consent is based on an assessment of risks to participation in the study itself.
How do I obtain a waiver of authorization to use PHI in my research?
Apply to the appropriate IRB for approval of a waiver of the authorization requirement. This is similar to a request for waiver of the informed consent requirement. If you are applying for a waiver, please refer to the additional Guidelines for Waiver of Authorization or Altered Authorization for an explanation of what information will be needed by the IRB to grant a request for a waiver of authorization. When the IRB has approved a waiver of authorization, it will issue an approval document. Covered entities may want a copy of this waiver of authorization (or an authorization — see above) when you request access to the research participant’s individually identifiable health information in their records.
How does HIPAA apply to the recruitment of study participants?
Under HIPAA, a covered entity may provide individually identifiable health information to researchers within its own workforce to allow those researchers to contact potential subjects for the purpose of obtaining their authorization to use their health information in the research. UW-Madison IRBs require that the first contact with potential subjects come from someone the subject would recognize as having valid access to their health information.
May I use e-mail to communicate with research subjects?
E-mail should not be considered a secure, confidential means of communication with subjects. As such, it should generally not be used to communicate, to subjects or from subjects, information that contains or is likely to contain PHI. For example, a recruitment e-mail sent to recipients based on non-health related information (e.g. “you are receiving this email because you are a female over the age of 45”) would usually be permissible but a recruitment e-mail sent to participants that discloses a medical condition (e.g. “you are receiving this e-mail because you have rheumatoid arthritis”) would not be permissible. Similarly, it would generally not be permissible to request subjects to reply to a series of questions about their health via e-mail. There are often other, more secure, means of communication available. If e-mail must be used, subjects must first agree to e-mail communication by signing a written consent form in which they are informed of the security risks associated with email. See Policy 8.6 E-mail Communications Involving Protected Health Information for more information. Additionally, you must describe the use of e-mail, and specifically what information is expected to be e-mailed, in your protocol and obtain IRB approval before e-mail may be used as a method of communication.
What is a de-identified data set?
A de-identified data set is PHI from which the following identifiers of the individual or of relatives, employers, or household members of the individual, have been removed:
- Names;
- All geographic subdivisions smaller than a State;
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code; and
- The covered entity may not consider the information de-identified if it has actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
What are the requirements for obtaining and using a de-identified data set for my research?
De-identified data sets do not contain any individually identifiable health information. Neither authorization nor waiver of authorization, nor a data use agreement is required by HIPAA for a researcher to use and/or disclose de-identified data for research purposes.
My data set is coded. Does this qualify as “de-identified”?
If you have the key to the code, your data set is not de-identified. If an individual(s) within the covered entity maintains the key to the code but you do not have access to the code and will never have access to the code, then your data set is de-identified as to you.
If a data set identifies the site from which the data has been disclosed, does the geographic location of the site constitute an identifier?
No. The de-identified information does not lose its de-identification status simply by virtue of identification of the disclosing site. This is true as long as one other HIPAA caveat is met: the disclosing covered entity does not have actual knowledge that the de-identified information could be used alone or in combination with other information available to others outside the covered entity to identify an individual who is the subject of the information.
What is a limited data set?
In contrast to a de-identified data set, a limited data set can contain dates related to the individual (birth date, death date, etc.) and dates of services as well as geographic information at the level of town or city, State and zip code. A limited data set is PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
- Names;
- Postal address information, other than town or city, State, and zip code;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints; and
- Full face photographic images and any comparable images.
What are the requirements for using a limited data set?
A covered entity may use or disclose a limited data set from its records containing PHI for research use without either authorization or waiver of authorization if the researcher executes a data use agreement that binds the limited data set recipient to use or disclose the limited data set only for limited, specified purposes. The data use agreement must establish who is permitted to use or receive the limited data set and must pledge all recipients both to use appropriate safeguards to protect the data from unauthorized disclosure and not to attempt to identify or contact the individuals whose PHI is contained in the data.
How do I obtain a limited data set for use in my research?
You can find UW-Madison’s template Data Use Agreement, as well as other information about the use of a limited data set in the forms section, above.
Can a business associate agreement be used to obtain PHI from a covered entity for research purposes?
Generally, no. A business associate is an individual that performs on behalf of the covered entity or assists the covered entity in performing certain business related activities, such as claims processing, billing, benefit management or quality improvement. A researcher is generally not performing a business related activity on behalf of the covered entity when conducting research. However, a business associate agreement may be used when the researcher, who is not a member of the covered entity’s workforce, contracts with the covered entity to access the covered entity’s PHI for the purpose of creating a limited data set or a de-identified data set for his or her research.
What uses of PHI are permitted under HIPAA in a review preparatory to research?
The “review preparatory to research” is an option that allows review (but not research use) of individually identifiable PHI by researchers and does not require authorization or waiver of authorization. A covered entity may allow researchers to review PHI in the covered entity’s records in preparation for research but may not permit researchers to collect any of the PHI for actual research use. For example, the researcher may be permitted to review PHI for the development of research questions; to determine whether a study is feasible (in terms of available number and eligibility of potential subjects); or to develop inclusion and exclusion criteria. However, the researcher may not transcribe information from the records for inclusion in research data. Researchers must complete UW-Madison’s Use of PHI in Activities Preparatory to Research Certification prior to engaging in preparatory to research activities.
How does HIPAA apply to research using the PHI of decedents?
Research using the individually identifiable PHI of decedents requires neither authorization nor waiver of authorization nor a data use agreement. However, researchers must complete UW-Madison’s Certification for Research on the Protected Health Information of Decedents prior to engaging in such research activities.
Can subjects authorize the use of their PHI for future, unspecified research (such as for collection and storage in a data base)?
HIPAA requires that an authorization include a description of each purpose of the requested use or disclosure. An authorization may include use for future research so long as the authorization adequately describes the use in such a manner that it would be reasonable for the subject to expect that his or her PHI would be used or disclosed for such future research. In cases where the authorization does not address future research, an IRB waiver of authorization may be the most appropriate and practical HIPAA-compliant approach.
Does HIPAA permit me to share data with other researchers not part of my study team?
PHI in research data may only be shared with other researchers in accord with the agreement for acquiring the PHI; i.e. only in accord with the terms of the authorization or waiver of authorization or data use agreement. Research data that includes PHI may be shared, disclosed or transferred among the investigators named in the authorization, waiver of authorization or data use agreement. Sharing or disclosing or transferring the data outside of that circle requires IRB review and approval of the proposed research study for which the data would be shared. In the event that the original investigators wish to share research data that includes PHI with another colleague not originally identified as part of the research team within the existing approved study, contact the IRB for review of a change in the approved protocol.
How do I report a suspected breach or other concern related to HIPAA?
If the personally identifiable health information in any way involves information technology (e.g. lost or stolen portable device, compromised server, etc.) you must immediately contact the DoIT Help Desk at 608-264-HELP (4357). For any suspected breach of personally identifiable health information, you must contact the UW-Madison HIPAA Privacy Officer, whose contact information is on the left side of this page. You should also file an Unanticipated Problem Report form with the IRB that reviewed your protocol.
ACCOUNTING
The Privacy Rule grants to a patient a right to request and receive an accounting for some “disclosures” of protected health information (“PHI”), including disclosures made in connection with certain research projects. An accounting is a record of each disclosure of each patient’s PHI. A right to an accounting only applies to disclosures of PHI, not to uses of PHI. Patients have a right to an accounting only of those disclosures made by researchers in connection with protocols conducted with a waiver of authorization. An accounting of disclosures is not required when a patient authorization is obtained.
AFFILIATED COVERED ENTITY
UW-Madison is also one of three entities that have agreed to form an affiliated covered entity (“ACE”). These three entities have agreed to provide consistent protection of patient/subject/participant rights.
The ACE includes:
- University Hospitals and Clinics (UWHC)
- University of Wisconsin Medical Foundation (UWMF)
- A subset of the UW-Madison Health Care Component (HCC)
- The subset of the HCC in the ACE is comprised of the School of Medicine and Public Health (clinical departments only), the School of Nursing, the School of Pharmacy (clinical units only), the Waisman Center (clinical units only), the Athletic Department (athletic trainers and health information systems only).
AUTHORIZATION
A research authorization is a document signed and dated by a subject/participant that satisfies the requirements of the Privacy Rule (e.g., includes required elements) and grants permission for the researcher to use and disclose the subject/participant’s protected health information to perform a research protocol.
ALTERED AUTHORIZATION
An altered authorization is a form of waiver of authorization, in which an IRB permits a researcher to omit some of the required elements of an authorization.
COVERED ENTITY
A covered entity, i.e., an entity to which the Privacy Rule applies, includes a health care provider (person or entity) that provides, bills for, or is paid for health care and transmits health information electronically.
DATA USE AGREEMENT
A data use agreement (“DUA”) is an agreement required by the Privacy Rule between a covered entity and a person or entity that receives a limited data set. The DUA must state that the recipient will use or disclose the information in the limited data set only for specific limited purposes.
DE-IDENTIFIED INFORMATION
Information that does not allow an individual to be identified because specified identifiers have been removed. De-identification can be achieved by one of two ways:
- Remove the 18 specific identifiers listed in the Privacy Rule and determine there is no other information that may identify the individual. The identifiers are:
  - Names
  - Geographic subdivisions smaller than a State
  - All elements of dates (except year) related to an individual (including dates of admission, discharge, birth, death and, for individuals over 89 years old, the year of birth must not be used)
  - Telephone numbers
  - FAX numbers
  - Electronic mail addresses
  - Social security numbers
  - Medical record numbers
  - Health plan beneficiary numbers
  - Account numbers
  - Certificate/license numbers
  - Vehicle identifiers and serial numbers including license plates
  - Device identifiers and serial numbers
  - Web URLs
  - Internet protocol addresses
  - Biometric identifiers (including finger and voice prints)
  - Full face photos and comparable images
  - Any unique identifying number, characteristic or code
- Obtain an opinion from a qualified statistical expert that the risk of identifying an individual is very small under the circumstances; the methods and justification for the opinion should be documented.
DISCLOSURE OF PROTECTED HEALTH INFORMATION
A “disclosure” of PHI is the sharing of that PHI outside of a covered entity. The sharing of PHI outside of the health care component or affiliated covered entity is a disclosure. In general, a disclosure of PHI requires an accounting at the request of the individual who is the subject of the PHI, unless that individual gave permission for the disclosure by signing a valid authorization.
HEALTH CARE COMPONENT
The covered units of UW-Madison (which include all the employees of those units and certain researchers outside those units participating in research projects of the covered unit as described below) are called the health care component or HCC. Currently the HCC includes the following units:
- School of Medicine and Public Health (clinical departments only)
- School of Pharmacy (clinical units only)
- School of Nursing
- University Health Services
- Wisconsin State Laboratory of Hygiene
- Athletic Department (athletic trainers and health information systems only)
- Waisman Center (clinical units only)
The following are UW-Madison’s Internal Business Associate Units:
- Accounting Services
- Office of Legal Affairs
- SMPH Risk Management
- Internal Audit
- HIPAA Privacy and Security Officer
- HIPAA Privacy and Security Coordinators
- Health sciences school’s senior administrators and support staff
- Office of Clinical Trials
- Health Sciences Institutional Review Board (members and staff)
- Minimal Risk Institutional Review Board (members and staff)
- Other individuals or departments may become an internal business associate for limited projects.
Researchers who have appointments in units outside the HCC and who conduct research involving protected health information in collaboration with researchers within the HCC are considered within the HCC for the purposes of that collaborative research. For example, scientists in the basic science departments of the Medical School or in the Waisman Center who collaborate with scientists or clinical faculty in the Medical School’s clinical departments are considered within the HCC for the purpose of the collaborative research.
HEALTH CARE OPERATIONS
Any of the following activities of the covered entity to the extent that the activities are related to those functions, the performance of which, makes the covered entity a health plan, health care provider, or health care clearinghouse:
- Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment.
- Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.
- Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs.
- Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies.
- Business management and general administrative activities of the entity, including, but not limited to:
- Management activities relating to implementation of and compliance with the requirements of the Privacy Rule.
- Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that PHI is not disclosed to such policy holder, plan sponsor, or customer.
- Resolution of internal grievances.
- Creating de-identified health information or a limited data set and fundraising for the benefit of the covered entity.
HEALTH CARE PROVIDER
A person or organization that furnishes, bills, or is paid for health care in the normal course of business.
HYBRID ENTITY
UW-Madison is a special type of covered entity, called a “hybrid entity,” which means that for the purposes of implementing the Privacy Rule, UW-Madison has both HIPAA-covered and non-HIPAA-covered units.
LIMITED DATA SET
Protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
- Name;
- Postal address information, other than town or city, State, and zip code;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints; and
- Full face photographic images and any comparable images.
PREPARATORY TO RESEARCH ACTIVITIES
The Privacy Rule regulates some of the typical activities done before submitting a protocol to an IRB for review. These activities are designated as “preparatory to research” in the Privacy Rule and are defined as the:
- Development of research questions;
- Determination of study feasibility (in terms of the available number and eligibility of potential study participants);
- Development of eligibility (inclusion and exclusion) criteria; and
- Determination of eligibility for study participation of individual potential subjects.
The recruitment of subjects or participants is not a preparatory to research activity. A recruitment plan is part of a research protocol and requires IRB approval before contact or other information about subjects/participants may be collected. Recruitment is a research activity.
PROTECTED HEALTH INFORMATION
The Privacy Rule protects “individually identifiable health information,” referred to as protected health information or PHI. The Privacy Rule defines PHI to include information that:
Is created or received by a “covered entity,” including a health care provider, and
- Relates to the past, present, or future physical or mental health, or condition of an individual; or
- Relates to payment for an individual’s health care; or
- Relates to the provision of health care in the past, present, or future; and
- Identifies an individual or could be used for identifying an individual.
PSYCHOTHERAPY NOTES
Psychotherapy Notes are notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.
Psychotherapy Notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
RESEARCH
A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
USE OF PROTECTED HEALTH INFORMATION
A “use” of PHI is any sharing of that PHI within a covered entity. The sharing of PHI within the health care component (HCC) or within the affiliated covered entity (ACE) is a use. Uses, unlike disclosures, of PHI do not require an accounting at the request of the individual who is the subject of the PHI.
WAIVER OF AUTHORIZATION
When obtaining subject/participant authorization is “impracticable,” the IRB may approve a waiver of authorization for a researcher to use and disclose PHI. The purposes of the research must be described in a waiver application and the IRB must determine that the researcher has satisfied all Privacy Rule requirements for the waiver.