The Health Insurance Portability and Accountability Act (HIPAA) establishes the conditions under which Protected Health Information (PHI) may be used or disclosed for research purposes. HIPAA protects the privacy of individually identifiable health information while ensuring that researchers continue to have access to the medical information necessary to conduct research. To ensure compliance with HIPAA, the Institutional Review Board (IRB) must first determine whether the information is individually identifiable.

  • Names
  • SSN
  • Telephone or Fax Numbers
  • Medical Record Numbers
  • Web URLs or IP Addresses
  • Email
  • Account Numbers
  • Device Identifiers and Serial Numbers
  • Health Plan Beneficiary Numbers
  • Certificate/License Numbers
  • Biometric Identifiers, Including Finger and Voice Prints
  • Full Face Photos or Comparable Images
  • Geographic Subdivisions
  • Vehicle Identifiers and Serial Numbers Including License Plates
  • Any Unique Identifying Number, Characteristic, or Code
  • The Researcher Knows that the Information that is Collected Could be Used Alone or in Combination with other Information to Identify Someone
  • All Elements of Date (Except Year) Related to an Individual, Including Dates of Admission, Discharge, Birth, and Death; for Persons >89 y.o., the Year of Birth Cannot be Used

If you DID identify items above, and your protocol application contains a written consent form, you are required to address issues 1-6 below in the consent form.  Your responses should reside under a new heading in the consent form entitled “Authorization To Share Personal Health Information In Research” and include the following:

  1. Address what identifiable health information will be used and for what purposes.
  2. Provide a description of any information that will be disclosed to others and, if
    applicable, a list of who will disclose the information and to whom it will be
    disclosed.
  3. Provide an expiration date for the disclosure.  Please note: the expiration date is for
    the use of the PHI by the researcher.  After that date, the researcher may no
    longer access the data.  The expiration date may be “none.”
  4. Include a statement that the authorization can be revoked, in writing, by the research
    subject.  Indicate that such written document must be provided to you, the
    principal investigator, who will confirm in writing to the subject that the
    authorization to use their PHI has been revoked per their request.  Copies of
    all such documentation must be provided to the IRB.
  5. Provide a statement that disclosed information may be re-disclosed and no longer
    protected.  If the recipient of the disclosure has agreed to restrict its use of
    the data, a summary of the additional protections must be included.
  6. Provide a statement that if the individual does not provide an authorization, s/he
    cannot participate in the research.

If you DID identify items above, and your protocol application does NOT include a written consent form, address questions 1-5 below.  Submit your response to the IRB along with your protocol application forms. The IRB will assess whether a Waiver of Authorization (notification to the research subjects that you are using their PHI is not required) is appropriate. If appropriate, the IRB will issue you the Waiver of Authorization document along with the other IRB approval forms at the time of IRB approval of the study.

  1. Please provide details of why the research could not practicably be conducted without
    access to and use of the PHI.
  2. Do you have an adequate plan to protect identifiers from improper use and
    disclosure?  Please provide details.
  3. Do you have an adequate plan to destroy all identifiers at the earliest opportunity
    consistent with the conduct of the research?  Please explain if there is a
    research or health justification for retaining identifiers or if retention of
    identifiers is otherwise required by law.
  4. Please provide written assurances that the PHI will not be reused or disclosed to any
    other person or entity, except as required by law or for authorized oversight of
    the research project.
  5. Provide an expiration date for the disclosures.  Please note: the expiration date is for
    the use of the PHI by the researcher.  After that date, the researcher may no
    longer access the data.  The expiration date may be “none.”