University of Vermont

Human Subjects Research - Institutional Review Boards - IRBs

HIPAA Frequently Asked Questions

1. What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a broad federal law, only part of which is intended to protect the privacy of health care information. It is divided into three parts: portability, accountability, and administrative simplification. There are several sets of HIPAA regulations. The most important regulations for research are the privacy regulations, often called the Privacy Rule. The intent of the HIPAA Privacy Rule is to protect the privacy of individuals' health care information. The Privacy Rule creates a federal "floor" of protection so that every person in this country has at least the same basic rights and protections, though some may have additional rights depending on state law.

2. What is the Privacy Rule?
The Privacy Rule is only one set of the HIPAA regulations. It establishes the conditions under which protected health information (or "PHI") may be used or disclosed by covered entities for any purpose, including research. It defines the means by which individuals/human research subjects can be informed of how their health information will be used or disclosed, and it gives individuals a number of rights with regard to their health information.

  • Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information while at the same time ensuring that researchers continue to have access to the medical information necessary to conduct vital research.
  • The Privacy Rule is similar to existing human subject protection regulations (the Common Rule, 45 CFR 46, and FDA regulations) but has some unique features.
  • Researchers will still be able to access health information for research purposes; however, they must now be aware of the requirements of the Privacy Rule.

3. What is "protected health information (PHI)"?
Generally, PHI is any identifiable information (including demographic information), whether in oral, electronic or written form, related to a person's past, present or future:

  • physical or mental health or condition; or
  • delivery of or payment for healthcare services.

4. What does "identifiable" mean?
"Identifiable" includes the obvious personal information such as name, Social Security number, telephone number, address and medical record number. But it also includes any data element that could reasonably be expected to identify an individual, such as zip code or date of birth. There are 18 data elements defined as identifiers in the Privacy Rule:

  • Names
  • All geographic subdivisions smaller than the state
  • All elements of dates smaller than a year (e.g. birth date, admission, discharge, death, etc.)
  • Phone numbers
  • Fax numbers
  • E-mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Any other account numbers
  • Certificate/license numbers
  • Vehicle identifiers
  • Device identification numbers
  • Web URLs
  • Internet IP address numbers
  • Biometric identifiers (fingerprints, voice prints, retina scans, etc.)
  • Full face photographs or comparable images
  • Any other unique number, characteristic or code
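A de-identification filter built around that list of 18 identifier categories, added here as an example (not UVM's or the IRB's code): the field names, the allowed study variables and the sample record are constructed assumptions. It takes an allow-list stance: a key that is not explicitly classified is dropped rather than passed through, and free-text fields are pattern-scrubbed for the identifier types that tend to hide in narrative notes.

```python
import re
from datetime import date

# Constructed field names mapped onto the FAQ's identifier categories (assumption).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account_no",
    "license_no", "vehicle_id", "device_id", "url", "ip", "biometric", "photo",
}
SUB_STATE_GEOGRAPHY = {"street", "city", "county", "zip"}  # only the state survives
ALLOWED = {"state", "sex", "diagnosis", "hba1c"}  # study variables judged non-identifying
# Identifier types from the list that tend to hide inside free-text fields.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # Social Security number
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),   # phone / fax number
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),           # e-mail address
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),       # IP address
    re.compile(r"https?://\S+"),                      # web URL
]

def scrub_text(text):
    """Redact identifier patterns in free text; a human should still review the result."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text

def deidentify(record):
    """Copy of record with the listed identifiers removed or generalized. Keys that
    are not explicitly classified are dropped, so a new upstream column cannot leak."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEOGRAPHY:
            continue
        if key.endswith("_date"):  # date elements smaller than a year: keep the year
            out[key] = str(value.year) if isinstance(value, date) else str(value)[:4]
        elif key == "notes":
            out[key] = scrub_text(value)
        elif key in ALLOWED:
            out[key] = value
    return out

# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Example", "mrn": "000123", "ssn": "123-45-6789",
    "street": "1 Main St", "city": "Burlington", "state": "VT", "zip": "05405",
    "birth_date": date(1970, 3, 14), "admission_date": "2014-11-07",
    "sex": "F", "diagnosis": "E11.9", "hba1c": 7.2,
    "notes": "Call 802-555-0100 or jane@example.org re: follow-up",
    "portal_login_ip": "192.0.2.10",  # unclassified key: dropped by the allow list
}
```

Regex scrubbing of narrative text is a safety net, not a guarantee; the IRB and UVM Medical Center still decide what counts as de-identified for a given project.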

5. What is a "covered entity"?
A covered entity is any of the following: (1) any healthcare provider who transmits health information electronically in connection with one of the transactions covered by the Privacy Rule; (2) any health plan (e.g. a health insurer or group health plan); and (3) any health care clearinghouse (e.g. a billing company).

6. Will the Privacy Rule prevent or inhibit clinical research?
The Privacy Rule will not prevent clinical research. Unfortunately, only time will tell whether the requirements of the Privacy Rule will inhibit research. The Privacy Rule allows for the creation, use and/or disclosure of PHI in the conduct of research with either authorization of the individual or with waiver of the authorization requirement by an Institutional Review Board.

7. What is an authorization?
An authorization is a document recording a patient's permission to use and disclose PHI for a specific research study. The Privacy Rule requires either an authorization or a waiver of authorization by an IRB for the use and disclosure of identifiable health information for research.

8. Is there a difference between informed consent and authorization?
Yes. Under the Privacy Rule, a patient's authorization allows for the use and disclosure (or release) of PHI for research purposes. In contrast, an individual's informed consent is a consent to participate in the research study as a whole, not simply a consent for the research use or disclosure of PHI. For this reason, there are important differences between the Privacy Rule's requirements for individual authorization and the Common Rule's and FDA's requirements for informed consent. We will comply with all three sets of regulations, as applicable to our research activities.

9. Will researchers need to get both an authorization and informed consent from research subjects?
Yes, unless the IRB approves a waiver of the authorization and consent requirements (see more below). An authorization is a customized document that gives Covered Entities permission to use specified PHI for specified purposes or to disclose PHI to a third party (a corporate sponsor, for example). An authorization is detailed and specific. It covers only the uses and disclosures and only the PHI stipulated in the authorization, and it also states the purpose for which the information may be used or disclosed. The authorization can be added to any existing or new informed consent document; however, it should be a separate document (an addendum to the informed consent) so that in instances where a release of information is necessary, the addendum can be easily detached (thus preventing study details from being compromised).

10. Does that mean that researchers will need to be very specific about the kinds of information being collected in a study?
Yes. An authorization must be very specific about the PHI being collected, used or accessed.

11. Now that the Privacy Rule has imposed new criteria for approving waivers, will the IRB still grant waivers and what will the process be?
The Privacy Rule requires that specific criteria be met for the approval of a waiver of the authorization requirement. Several of these criteria are closely modeled on the Common Rule's criteria for the waiver of informed consent and for the approval of a research study. The IRB will use its best judgment to assess both the Privacy and Common Rules criteria and will continue to rely on investigators to supply the information requested so that it can determine when waivers are appropriate.

12. If granted a waiver by the IRB, can investigators collect any information they think is relevant in a medical record review?
No. The Privacy Rule and common sense dictate that only the minimum information necessary be collected. Investigators will need to supply the IRB with a detailed listing of all data elements to be collected. Where appropriate, the IRB may ask for a rationale for the collection of specific information that may not appear to be in keeping with the protocol.

13. Do investigators need to keep a list or log of all disclosures of PHI?
The Privacy Rule gives individuals the right to request a list of disclosures of their PHI made over the last 6 years (starting April 14, 2003). This right does not apply to disclosures of PHI made with the individual's authorization. However, it does apply to disclosures of PHI made pursuant to a waiver of the authorization requirement. That means that researchers who have been granted a waiver after 4/14/03 will need to keep track of any disclosures of PHI made pursuant to that waiver, during the research project. Remember that disclosure refers to sharing of information outside of the covered entity.

14. Do I need a waiver of authorization if I use only de-identified information for my research project?
No. The Privacy Rule does not apply to de-identified information. However, you will still need to apply to the IRB for approval of the research and a waiver of consent under the Common Rule. Also, arrangements will have to be made with UVM Medical Center regarding the de-identification of PHI.

15. How can I review medical records of patients with a particular disease to identify and recruit participants for my research study?
Apply for a waiver of authorization to screen participants.

16. What do investigators need to do to review medical records of patients who have died?
While the Common Rule does not apply to decedents (and thus there is no informed consent or waiver of consent requirement), the Privacy Rule does apply. Specifically, the Privacy Rule requires researchers to provide written assurance that they will protect the privacy of decedents' identifiable health information. Accordingly, UVM and UVM Medical Center will require that all research involving the PHI of living subjects as well as decedents be submitted to and approved by the IRB. It is important to remember that the Privacy Rule does not distinguish between living and deceased subjects in terms of the requirement for tracking disclosures pursuant to a waiver of authorization. Therefore, the investigator will be required to track disclosures of decedents' PHI.

17. What should I do if I have an existing research database that contains lots of patient information?
We are currently in the process of developing new guidelines for databases and registries. We will be collecting information about existing repositories and implementing a process for review and approval. The new procedures will include guidelines for developing databases and registries, maintaining them, and procedures for ensuring proper release of data from them. The first step will be an inventory process for determining what databases and registries are currently in existence and all researchers will be receiving a survey to complete in the near future.

18. Do my obligations to report serious adverse events or data required by state laws change under HIPAA?

19. What must I do if a subject revokes authorization to use their PHI for research purposes?
Send the participant notification in writing that his/her request has been received. Also, track all revocations because this number will need to be reported to the IRB at the time of continuing review. Revocation letter language is pending.

20. How do I track the research authorizations from each participant and his/her wishes regarding the use of their PHI for research?
Authorizations, in addition to the consent forms, should be kept in the research file. If they are separated for a request for PHI, they need to be returned and replaced in the research file. Any requests for revocation of authorization should also be kept with the consent form in the research file.

21. Can I expect audits or inspections for HIPAA compliance?
Yes, the Federal government could audit. During a normal monitoring visit, the IRB Compliance Specialist will review certain aspects of HIPAA compliance. Because there are monetary fines for non-compliance, additional UVM Medical Center internal audits to monitor compliance will also take place.

22. My research collaborator is at another university; will I be able to share research data with him/her?
Yes. He/she is part of your research team, and as long as this is so designated in the authorization, PHI may be shared with the collaborator. There may be other options, such as use of a Limited Data Set/Data Use Agreement.

23. I am performing clinical research that involves treatment. What steps do I need to take to deal with both the clinical and research issues?
Either an authorization or a waiver of authorization by an IRB will cover all aspects of the research study. However, it is important to note that in most clinical trials, authorization will be required, at least as it concerns enrollment in a study. It is important that your clinical consent for each participant contains a copy of your research authorization or waiver to identify the participant as a research participant as well as a clinical subject. All participants undergoing clinical treatment must be offered the Notice of Privacy Practices prior to collection of PHI.

24. How does the Certificate of Confidentiality relate to the HIPAA changes?
HIPAA does not affect the protections provided by a Certificate of Confidentiality. An authorization or waiver of authorization would still be required for those studies under a Certificate of Confidentiality.

Last modified November 07 2014 04:22 PM

© 2018 The University of Vermont - Burlington, VT 05405 - (802) 656-3131