Office of Responsible Research Practices
The Ohio State University

HIPAA and Human Subjects Research

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its regulations, including the Privacy Rule and the Security Rule, as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act, govern the way certain health information is collected, maintained, used, and disclosed. The Privacy Rule establishes a set of safeguards on certain types of health information known as protected health information, or PHI. The Privacy Rule was created to provide a national minimum level of protection for PHI.

Forms and Instructions

Translated Authorization Forms

Authorization to use or disclose PHI for research must be obtained in a language understandable to the participant. Investigators must complete all sections and are responsible for the accuracy of the forms. (Translations were made possible courtesy of the Ohio State University Comprehensive Cancer Center.)



What is a Covered Entity?

The Privacy Rule applies only to covered entities, including:

  • health insurers
  • health care clearinghouses
  • health care providers who electronically transmit information for certain types of transactions such as billing and eligibility verification

The Privacy Rule allows covered entities to designate themselves as “hybrid entities” with selected parts subject to the requirements of the Privacy Rule. The Ohio State University is a hybrid entity. The “covered components” of the university include the health system and other university areas performing HIPAA-covered functions, as illustrated in the HIPAA hybrid entity diagram. Report a privacy concern.

What is PHI?

Protected health information (PHI) is health information that is individually identifiable and created or held by a covered entity or a covered component of a hybrid entity. Health information includes past, present, and future health information (mental and physical) about:

  • health history or condition of an individual
  • provision of care to an individual
  • payment for an individual’s care

Health information is individually identifiable when it identifies an individual or there is a reasonable basis to believe the information can be used to identify an individual.

Limited Data Sets

A limited data set is a special category of PHI that has all of the following identifiers removed:

  1. name
  2. postal address information other than town/city, state, and five-digit zip code
  3. telephone number
  4. fax number
  5. email address
  6. social security number
  7. medical record number
  8. health plan number
  9. account numbers
  10. certificate or license numbers
  11. vehicle identification/serial numbers, including license plate numbers
  12. device identification/serial numbers
  13. universal resource locators (URLs)
  14. internet protocol (IP) addresses
  15. biometric identifiers, including finger and voice prints
  16. full face photographs and comparable images

Under the Privacy Rule, use or disclosure of limited data sets for research purposes requires a “Data Use Agreement” unless researchers obtain HIPAA research authorization from participants or a waiver of authorization from an IRB/Privacy Board, as described below. Report a privacy concern.

De-Identified Data

De-identified data are not subject to the requirements of the Privacy Rule because they are not individually identifiable. There are two ways to de-identify data:

Safe Harbor Method – in which all of the following elements are removed from a data set:

  1. name
  2. all geographic subdivisions smaller than a state (street address, city, county, precinct). Note: the zip code or equivalent must be removed, but the first 3 digits may be retained if the geographic unit to which those digits apply contains more than 20,000 people
  3. for dates directly related to the individual, all elements of dates, except year (date of birth, admission date, discharge date, date of death)
  4. all ages over 89 or dates indicating such an age
  5. telephone number
  6. fax number
  7. email address
  8. social security number
  9. medical record number
  10. health plan number
  11. account numbers
  12. certificate or license numbers
  13. vehicle identification/serial numbers, including license plate numbers
  14. device identification/serial numbers
  15. universal resource locators (URLs)
  16. internet protocol (IP) addresses
  17. biometric identifiers, including finger and voice prints
  18. full face photographs and comparable images
  19. any other unique identifying number, characteristic, or code

Note: Item 19 is known as the “catch-all” provision and is intended to include items that are not otherwise specified but could make a data set identifiable.

Statistical Method – in which certification is provided by “a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable so that there is a ‘very small’ risk that the information could be used by the recipient to identify the individual who is the subject of the information, alone or in combination with other reasonably available information.” For more information see the NIH guidance Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule.
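The Safe Harbor method applied to a single record, as an added example (this is not code from the Office of Responsible Research Practices). Field names, the sample record and the set of populous three-digit ZIP prefixes are constructed for illustration; the catch-all item 19 is handled by allow-listing the fields that may survive rather than deny-listing known identifiers.

```python
from datetime import date

# Fields a study may keep unchanged. Item 19 (the catch-all) is handled by
# allow-listing: anything not named here or handled below is dropped, which
# also covers items 1-2 and 5-18 (name, MRN, email, IP, photos, ...).
KEEP_AS_IS = {"diagnosis", "lab_result", "sex", "state"}
# Item 3: dates directly related to the individual keep only the year.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "date_of_death"}


def safe_harbor(record, populous_zip3, as_of_year):
    """Return a new dict holding only the Safe Harbor view of `record`.

    populous_zip3: ZIP3 prefixes whose area exceeds 20,000 people (assumed
    to come from census data; a constructed stand-in is used below).
    """
    out = {}
    for key, value in record.items():
        if key in KEEP_AS_IS:
            out[key] = value
        elif key == "zip":
            # Item 2: keep the first three digits only for populous areas,
            # otherwise replace them with 000.
            prefix = str(value)[:3]
            out["zip3"] = prefix if prefix in populous_zip3 else "000"
        elif key in DATE_FIELDS:
            out[key + "_year"] = value.year
        # every other field is an identifier or unknown: dropped

    # Item 4: ages over 89, and date elements that imply such an age,
    # collapse into the single category "90+".
    age = record.get("age")
    if age is None and "dob_year" in out:
        age = as_of_year - out["dob_year"]
    if age is not None:
        if age > 89:
            out["age"] = "90+"
            out.pop("dob_year", None)  # birth year alone would reveal the age
        else:
            out["age"] = age
    return out


# Constructed sample, not a real patient record.
SAMPLE = {
    "name": "J. Doe", "mrn": "000123", "email": "jdoe@example.com",
    "street": "1 Main St", "city": "Columbus", "state": "OH", "zip": "43210",
    "dob": date(1930, 5, 4), "admission_date": date(2012, 3, 16),
    "diagnosis": "I10", "ip_address": "192.0.2.1", "note": "free text",
}
POPULOUS_ZIP3 = {"432"}  # constructed stand-in for a census-derived set
```

A limited data set differs only in that the sub-state geography down to town/city and five-digit zip code, and the full dates, are allowed to remain.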

When Does the Privacy Rule Apply to Research?

The HIPAA Privacy Rule affects research and researchers when either:

  • Research creates or generates PHI, or
  • Research requires access to and/or use of PHI.

What is a Privacy Board?

A Privacy Board is a committee established to review requests for a waiver or alteration of the Authorization requirement for uses and disclosures of PHI in a particular research study. A Privacy Board may waive or alter all or part of the Authorization requirements. Under the Privacy Rule, an IRB may serve as a Privacy Board.

At The Ohio State University, the Privacy Board reviews requests for waivers or alterations of Authorization in exempt research. The IRBs serve as the Privacy Board for non-exempt research.

How Can Researchers Use PHI and Comply with HIPAA Requirements?

Researchers accessing or using PHI can obtain:

  • authorization
  • waiver or partial waiver of authorization
  • alteration of authorization

Authorization

Although similar to informed consent, Authorization focuses on privacy risks and the use or disclosure of PHI. An Authorization must state how, why, and to whom the PHI will be used and/or disclosed for research purposes. An Authorization may not need an expiration date; consult state and/or local law. However, a research participant has the right to revoke (in writing) his/her Authorization at any time. The participant or the participant’s authorized representative must be given a signed copy of the Authorization, and researchers must keep a signed copy of each participant’s Authorization for six years.

HIPAA Research Authorization Form (updated 03/16/2012)

Waiver or Partial Waiver of Authorization

The requirement to obtain Authorization may be waived if all of the following criteria are met:

  • use or disclosure of PHI involves no more than minimal risk to the privacy of individuals, based on:
    • an adequate plan to protect the identifiers from improper use and disclosure
    • an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research (unless a health or research justification for retaining the identifiers exists or retention is required by law)
    • adequate written assurances that the PHI will not be reused or disclosed to any other person or entity (except as required by law for authorized oversight of the research) or for other research for which use/disclosure of PHI would be permitted
  • waiver will not adversely affect the privacy rights and the welfare of the individuals
  • the research could not practicably be conducted without the waiver
  • the research could not practicably be conducted without access to and use of the PHI

Authorization may be waived for all, or only some uses of PHI for a particular study. At Ohio State, a “partial waiver” permits the use of PHI for recruitment purposes only, to allow identification and, as appropriate, contact of potential participants to determine their interest in study participation.

Alteration of Authorization

The requirement to obtain Authorization for use of PHI may also be “altered” for a specific study. An alteration allows a change in certain Authorization requirements, while still requiring authorization for the use of PHI. Examples include making an exception to the required language in an authorization or to the requirement to obtain a signed Authorization. To be granted, an alteration must meet the same criteria as a waiver or partial waiver.

Reviews Preparatory to Research

The Privacy Rule also permits certain activities involving use or disclosure of PHI without Authorization. The “preparatory to research” provision permits researchers to use PHI for limited purposes, such as a feasibility assessment (e.g., whether a sufficient population exists to conduct research). However, the Privacy Rule does not permit the researcher to remove PHI. To comply with both the Privacy Rule and human subjects protection regulations, Ohio State researchers are permitted to review PHI, but identifiers may not be recorded, and researchers may not use the preparatory to research provision to identify or recruit specific individuals for a study.

To conduct a review preparatory to research, a researcher must provide all of the following representations:

  • The use or disclosure is requested solely to review PHI as necessary to develop a research protocol or for similar purposes preparatory to research
  • PHI will not be removed in the course of review
  • The PHI for which use or access is requested is necessary for the research.

Research Involving PHI About Decedents

The Privacy Rule provides protections to living and deceased individuals.

To use decedents’ PHI for research purposes, a researcher must provide all of the following:

  • Representation that the use or disclosure is solely for research involving the PHI of decedents (i.e., not also the living relatives of decedents)
  • Representation that the PHI is necessary for the research
  • Documentation (at the request of the covered entity holding the PHI) of the death of the individuals whose PHI is sought.

Note: If the participant population contains both living and deceased individuals, the requirements for Authorization (or waiver or alteration) apply.