University of Delaware

HIPAA and Research with Human Subjects

In the context of research, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule establishes the conditions under which protected health information (PHI) may be used or disclosed by covered entities for research purposes. The Privacy Rule protects the privacy of individually identifiable health information, while at the same time ensuring that researchers continue to have access to medical information necessary to conduct research.











How the Rule Works

Under HIPAA, researchers may obtain, create, use, disclose and/or otherwise access PHI for research purposes through one of the following methods:

By obtaining individual authorization: An Authorization is an individual's written permission or consent to use his or her PHI for research purposes. HIPAA requires that an Authorization be written in plain language and contain certain “core” elements. Research authorizations may be combined with an informed consent form or set forth in a separate Authorization document. See forms and templates in IRBNet for further guidance on what to include in a HIPAA Authorization for research.

By obtaining IRB waiver or alteration of the authorization requirement: The following three criteria must be satisfied for an IRB or Privacy Board to approve a waiver of authorization under the Privacy Rule:

  1. The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

    • an adequate plan to protect the identifiers from improper use and disclosure;
    • an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
    • adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as permitted by this subpart;

  2. The research could not practicably be conducted without the waiver or alteration; and

  3. The research could not practicably be conducted without access to and use of the protected health information.

By using de-identified information: Health information that has been “de-identified” in a manner required by HIPAA is not considered PHI and may be used or disclosed for research purposes without individual authorization. De-identification can be done by removal of all 18 elements that could be used to identify an individual and/or the individual’s relatives as described in the Privacy Rule. Alternatively, de-identification may be established by the use of statistical methods.

By using limited data sets with a data use agreement: A limited data set is described as health information that excludes certain, listed direct identifiers but that may include city; state; ZIP Code; elements of date; and other numbers, characteristics, or codes not listed as direct identifiers. It is the responsibility of the researcher and the party releasing the PHI to have in place and maintain a copy of a data use agreement that meets HIPAA requirements.

By using only decedents' information, with certain assurances

By using PHI for purposes preparatory to research, with certain assurances and with no removal of any PHI from the covered entity (physically or electronically)

Questions

For questions please contact the UD IRB Office by email: hsrb-research@udel.edu or by phone: (302) 831-2137.