University of Minnesota
Institutional Review Board
http://www.research.umn.edu/irb
612-626-5654

Frequently Asked Questions about HIPAA & Research

When is health-related information considered PHI?

Health-related information is considered PHI if any of the following is true:

  1. the researcher obtains it directly from a provider, health plan, health clearinghouse or employer (other than records relating solely to employment status);
  2. the records were created by any of the entities in "1" and the researcher obtains the records from an intermediate source which is NOT a school record or an employer record related solely to employment status; OR
  3. the researcher obtains it directly from the study subject in the course of providing treatment to the subject.

Health-related information is not considered PHI if the researcher obtains it from:

  1. student records maintained by a school;
  2. employee records maintained by an employer related to employment status; OR
  3. the research subject directly, if the research does NOT involve treatment.

Am I required to get a signed Authorization Form at the time I get the signed consent form?

It is not required to get the HIPAA Authorization at the time of consent, but it is the most practical time.

Are any health records exempted from the definition of PHI?

The following records ARE EXEMPTED from the definition of PHI even though they may contain health-related information:

  1. student records maintained by an educational institution
  2. employment records maintained by an employer related to employment status.

Studies that use these kinds of records are not subject to HIPAA. However, existing IRB rules on informed consent and confidentiality still apply.

When is data “de-identified”?

Data is considered de-identified under HIPAA when none of the following elements are present:

  1. Name
  2. All geographic subdivisions smaller than a state (street address, city, county, precinct). Note: zip codes or equivalents must be removed, but the first 3 digits can be retained if the geographic unit to which the zip code applies contains more than 20,000 people
  3. All elements of dates (except year) directly related to the individual (date of birth, admission date, discharge date, date of death)
  4. All ages over 89 or dates indicating such an age
  5. Telephone number
  6. Fax number
  7. Email address
  8. Social Security Number
  9. Medical Record Number
  10. Health Plan Number
  11. Account Numbers
  12. Certificate or license numbers
  13. Vehicle identification/serial numbers, including license plate numbers
  14. Device identification/serial numbers
  15. Universal Resource Locators (URLs)
  16. Internet Protocol addresses (IPs)
  17. Biometric Identifiers
  18. Full face photographs and comparable images
  19. Any other unique identifying number, characteristic or code

What identifiers must be removed from a limited-data set?

  1. Names
  2. Postal address information other than town/city, state and zip.
  3. Telephone number
  4. Fax number
  5. Email address
  6. Social security number
  7. Medical record number
  8. Health plan number
  9. Account numbers
  10. Certificate or license numbers
  11. Vehicle identification/serial numbers, including license plate numbers
  12. Device identification/serial numbers
  13. Universal resource locators (URL)
  14. Internet protocol (IP) addresses
  15. Biometric identifiers, including finger and voice prints
  16. Full face photographs and comparable images

Is a HIPAA Authorization the same as the consent form?

No. An Authorization differs from an informed consent in that an Authorization focuses on the privacy risks and states how, why, and to whom the PHI will be used and/or disclosed for research. An informed consent, on the other hand, provides research subjects with a description of how the confidentiality of records will be protected, among other things.

How do I qualify for a waiver of authorization?

(Approvals for waivers or alterations will be rare and in most cases researchers are advised to use an Authorization Form with their subjects to use/disclose PHI. IRB approval is required for this Authorization Form - similar to consent forms.)

The following criteria must be met to qualify for a waiver:

The use or disclosure of protected health information involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

  • An adequate plan to protect the identifiers from improper use and disclosure;
  • An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
  • Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
  • The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;
  • The research could not practicably be conducted without the alteration or waiver; and
  • The research could not practicably be conducted without access to and use of the protected health information.

The IRB maintains the authority to make the final decision if a study meets the aforementioned criteria. Use Appendix H to apply for a waiver or alteration of authorization and include it with your application form submission to the IRB.

Do minors need to sign a separate HIPAA authorization?

Yes. The minor's parent or legal guardian must sign a HIPAA authorization on the minor's behalf. You can use the same HIPAA authorization for minors that you would use for adults. HIPAA does NOT have an added assent requirement for minors.

Do subjects receive a copy of the Authorization Form as they do a consent form?

Yes, but subjects must receive a signed copy of the authorization.

Can authorization be revoked by the subject?

Yes, a subject can revoke his/her authorization at any time in writing. Data already collected under the authorization can be used to a limited extent if necessary to preserve the integrity of the research.

How do I obtain valid authorization from non-English speakers?

HIPAA Authorization from non-English speaking subjects must be valid and meaningful. If a translated HIPAA Authorization will not be created, researchers must use a qualified translator to verbally translate the HIPAA Authorization and facilitate the informed consent process. The subject, the interpreter, and a witness (e.g. researcher) must sign the English language HIPAA Authorization form.

Contact the UMN Privacy Office for guidance if a non-UMN Translator will be used: 612-624-7447 or privacy@umn.edu.

In addition, please be aware that the Minnesota Department of Health has established a statewide roster of spoken language health interpreters. The Roster can be accessed via the following web address: http://www.health.state.mn.us/divs/pqc/hci/index.html

What happens to research studies underway or initiated before April 14, 2003?

For studies using IRB-approved consent forms: These studies may continue to collect and use data from subjects enrolled prior to April 14, 2003 without any new documentation requirements. However, studies that will continue to enroll subjects after this date must request approval to collect and use this data. See Instructions for existing IRB-approved studies for details about what to submit to the IRB.

For studies not using consent forms: If the study will enroll or reenroll subjects (have subject contact) on or after April 14, 2003, see these instructions about what is required to be submitted to the IRB before that date. If the study will not enroll or reenroll subjects on or after April 14, 2003, the study may continue without any additional documentation to the IRB.

How does HIPAA define research?

HIPAA defines research as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.”

This definition is identical to the one used in 45 CFR 46.

What about reviews preparatory to research?

Reviews preparatory to research and research involving the PHI of decedents are two instances that do not require subject authorization.

In addition, for activities involved in preparing for research, covered entities may use or disclose PHI to a researcher without an individual’s Authorization, a waiver or an alteration, or a data use agreement. The covered entity must obtain from a researcher representations that:

  1. the use or disclosure is requested solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research,
  2. the PHI will not be removed from the covered entity in the course of review, and
  3. the PHI for which use or access is requested is necessary for the research.

The covered entity may permit the researcher to make these representations in written or oral form.

A researcher who is an employee or a member of the covered entity’s workforce could use protected health information to contact prospective research subjects, i.e. study recruitment.

What does a researcher have to do to assure compliance with the new requirements?

If planning to use PHI, fill out Appendix H as part of the IRB application submission. In Appendix H, request to use or disclose PHI by means of one of the four following options:

  1. Use of a Subject Authorization Form (use of our Authorization Template Form is recommended)
  2. An alteration of the Authorization Form
  3. A Waiver of Authorization
  4. Use of a Data-Use Agreement

Once approved, the Subject Authorization Form must be signed by the subject or their authorized representative.

More Information

HIPAA-related IRB Forms & Templates

Authorization Form Template

Customize this template and use it in conjunction with a consent form during the consent process with potential subjects. It must be signed and dated by the subject or the subject's authorized representative as a consent form would be. Uses and disclosures of PHI must be described in this document to receive IRB approval.

Please submit your customized authorization form for IRB approval along with your IRB application.

Authorization Form Template (2012)

Authorization Form Template - Non-English Speakers (2012)


Authorization Form Template for Recruitment Databases

Complete and submit this form to the IRB with an application to establish a recruitment registry, assuring the IRB that data used in your research is authorized.

Authorization Form Template for Recruitment


De-Identification Certification Form

Complete and submit this form to the IRB to assure the IRB that data used in your research is de-identified (see When is data "de-identified"?).

This form is required when applying for an Exemption of IRB Review for studies that will use de-identified data. This form is to be used in conjunction with the IRB's Exempt Screening Application form.

De-Identification Certification Form


Data-Use Agreement Template

Customize this template as an agreement, signed by the researcher, for how they will use/disclose the PHI provided to them by a covered entity.

Data-Use Agreement Template


Authorization Form to Establish a Database for Future Research

Customize this template and use it in conjunction with a consent form during the consent process with potential subjects. It must be signed and dated by the subject or the subject's authorized representative as a consent form would be. Uses and disclosures of PHI must be described in this document to receive IRB approval.

Please submit your customized authorization form for IRB approval along with your IRB application.

Authorization Form to Establish a Database for Future Research Template