HIPAA & Human Subjects Research

Implementation of HIPAA and the Privacy Rule by UCR


The Health Insurance Portability and Accountability Act (HIPAA) defines the scope of Protected Health Information, known as “PHI.” HIPAA sets standards to protect patients from inappropriate disclosures of their PHI through the “Privacy Rule.” HIPAA also sets standards for the creation, storage, and transmission of electronic PHI through the “Security Rule.” Together, the Privacy Rule and the Security Rule protect patients against unauthorized uses and disclosures of PHI that may cause harm to their insurability, employability, reputation, and/or their privacy rights.

What is PHI (Protected Health Information)?

All forms of health information that are associated with any of the 18 identifiers specifically defined by HIPAA and are maintained by a covered entity are considered PHI subject to HIPAA regulations. PHI is information created or received by a covered entity relating to:

  • The past, present or future physical or mental health or condition of a patient
  • Payment for the provision of healthcare to a patient that is transmitted or maintained in any form or medium
  • Identifiers that can identify a patient, or for which there is a reasonable basis to believe the information can be used to identify a patient

To access this information as part of research, authorization or written permission is normally required. The following conditions dictate when PHI may be utilized for Research Purposes:

  1. When the PI obtains an individual’s HIPAA authorization for use of their PHI
  2. When the PI obtains a waiver of HIPAA authorization from the IRB for use of PHI
  3. As part of a Limited Data Set & Data Use Agreement
  4. When PHI has been De-identified prior to being obtained and utilized
  5. As part of activities that are considered to be ‘preparatory to research’
  6. Research on the Deceased

HIPAA regulations apply when the health information is:
  • Derived from a medical record
  • Added to the hospital or clinical medical record
  • Created or collected as part of health care
  • Used to make health care decisions

HIPAA regulations do not apply when the health information is:
  • Obtained only from the subject, including through interviews and questionnaires
  • Obtained from a foreign country or countries only
  • Obtained from records open to the public

How to use PHI under each of these categories, before engaging in research with PHI

  • When Researchers Need to Apply to the IRB (Institutional Review Board)

    Most studies involving human participants will require application to the UCR IRB at IRB@ucr.edu. Researchers planning to use PHI held by an outside institution are also required to submit an application to the IRB for review and must also follow the HIPAA requirements of the institution(s) holding those records (e.g., Riverside University Health Systems, Riverside Community Hospital, Saint Bernadine’s Medical Center, etc.). Research is subject to HIPAA privacy requirements when it is conducted together with the provision of health care information or services.

    Examples include research involving the review of medical records, or research (such as surveys) that obtains PHI from patients receiving treatment. If an IRB application is determined not to meet federal requirements for “Human Subjects Research,” but still involves the use, disclosure or creation of any PHI, this guidance still applies. The IRB will request that you submit the appropriate HIPAA forms to the UCR School of Medicine’s Health Sciences Compliance office for guidance on a case-by-case basis.

  • Obtaining an Individual’s HIPAA Authorization

    The Principal Investigator (PI) or their designee can obtain authorization from individual participants, or their representatives, to use their PHI for research purposes. This form, along with the Informed Consent Form, can be approved for use by the UCR IRB. A single Authorization form covering the use of PHI for multiple study activities may be used, so long as the authorization is fully vetted by an accredited IRB and contains the same level of information found in the UCR IRB forms.

    Because UCR researchers may be working with non-affiliated hospitals and clinics, such non-affiliated institutions may also require use of their version of the HIPAA authorization form to access their medical records. The authorization form originates from the covered entity that owns the PHI. If a covered entity does not have their own authorization form, UCR researchers must still utilize the UCR HIPAA Research Authorization form when obtaining informed consent for research that involves PHI.

    Both the UCR HIPAA Authorization Form and the UCR Informed Consent Guide can be found on our forms webpage.

  • Obtaining a Waiver of a HIPAA Authorization

    A PI can request a waiver of individual participants’ HIPAA authorization as part of their IRB application. There are several important components that go into requesting a waiver. The UCR IRB has the jurisdiction to request changes to, or deny, a HIPAA waiver form if the required components are insufficient to ensure human subjects protections.

    Both the HIPAA Waiver Form and the IRB application form can be found on our forms webpage.

  • Use of a Limited Data Set

    The covered entity and PI can also agree to use a Limited Data Set for research purposes so long as a Data Use Agreement has been executed between both parties. In these cases, with the establishment of an appropriate data use agreement (i.e., meets HIPAA requirements, including limiting further use or disclosure of PHI) between the holder of the PHI and the researcher, a limited data set may be used or disclosed for research purposes without obtaining either an Authorization or Waiver. A Limited Data Set is PHI that excludes the following direct Identifiers of the individual or of relatives, employers, or household members of the individual:

    1. Names;
    2. Postal address information, other than town or city, State, and zip code;
    3. Telephone numbers, fax numbers, electronic mail addresses;
    4. Social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers (including license plate numbers);
    5. Device identifiers and serial numbers;
    6. Web Universal Resource Locators (URLs), Internet Protocol (IP) address numbers;
    7. Biometric identifiers, including finger and voice prints; and
    8. Full face photographic images and any comparable images.

    For more information about Data Use Agreements, please visit the Material Transfer Agreements website; an MTA officer can assist you with this process.
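As an added example (not part of this UCR guidance), a small Python check that screens a dataset against the eight direct-identifier categories above before it is shared under a Data Use Agreement; the field names, value patterns and sample rows are constructed assumptions. It also illustrates the later point on this page that a vital-signs dataset becomes PHI once a medical record number travels with it.

```python
import re

# Field names in the eight direct-identifier categories listed above. Column
# names are constructed for this example; map a real schema onto them.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "fingerprint", "voiceprint",
    "face_photo",
}
# Fields a Limited Data Set may keep: town/city, state, zip, dates, vitals.
PERMITTED_FIELDS = {"city", "state", "zip", "admit_date", "heart_rate", "age"}
# Value patterns that catch a direct identifier (categories 3, 4, 6 above)
# hiding in an innocuously named free-text column.
VALUE_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "phone": re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$"),
    "ip_address": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "url": re.compile(r"^https?://", re.IGNORECASE),
}

def find_direct_identifiers(record):
    """Return {field: reason} for each field that disqualifies the record from
    being a Limited Data Set; an empty dict means the record qualifies."""
    findings = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            findings[field] = "direct identifier field"
        elif field not in PERMITTED_FIELDS and isinstance(value, str):
            for kind, pattern in VALUE_PATTERNS.items():
                if pattern.match(value):
                    findings[field] = f"value looks like {kind}"
                    break
    return findings

def strip_direct_identifiers(record):
    """Drop the flagged fields; zip, dates and vitals stay in the record."""
    flagged = find_direct_identifiers(record)
    return {f: v for f, v in record.items() if f not in flagged}

# Constructed sample rows, not real patients. Row one is a vital-signs record
# that is PHI because an MRN and a phone number travel with it.
SAMPLE_RECORDS = [
    {"mrn": "MRN-00042", "city": "Riverside", "state": "CA", "zip": "92521",
     "admit_date": "2023-04-02", "heart_rate": 72, "contact": "555-867-5309"},
    {"city": "Riverside", "state": "CA", "zip": "92521",
     "admit_date": "2023-04-03", "heart_rate": 88},
]
```

A clean result from this check does not replace the Data Use Agreement or the covered entity's own review; it only catches the obvious direct identifiers before release.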

  • Use of De-Identified PHI

    De-identified health information is a record in which identifying information has been removed to render the health information not subject to HIPAA’s Privacy Rule. Researchers may use or disclose de-identified health information, without restriction, since it is not PHI and thus is not protected by the Privacy Rule.

    However, in order to be used as part of a research study this information must be de-identified prior to it being obtained by the researcher. This is typically done by the covered entity before being released for use. The covered entity seeking to release health information to researchers must determine that the information has been de-identified using either of the following methods:

    1. By removing all 18 identifiers that could be used to identify the individual or the individual's relatives, employers, or household members, or
    2. By using statistical methods to establish de-identification, which requires the use of a qualified expert.

  • Activities that are “Preparatory to Research”

    For activities involved in preparing for research, PHI may be used or disclosed to a researcher without an individual’s authorization, a waiver or an alteration of authorization, or a data use agreement. However, this type of access must be requested prior to the actual review or use as part of the IRB application. As part of the IRB application, the UCR IRB must obtain representations from the researcher that:

    1. The use or disclosure is requested solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research,
    2. The PHI will not be removed from the covered entity in the course of review,
    3. The PHI for which use or access is requested is necessary for the research, and
    4. Researchers may not use this information to contact potential study participants.

    The preparatory to research provision permits covered entities to use or disclose protected health information for purposes preparatory to research, such as to aid study recruitment. However, this does not permit the researcher to remove protected health information from the covered entity’s site. As such, a researcher who is an employee or a member of the covered entity’s workforce could use protected health information to contact prospective research subjects.

    This preparatory to research provision would allow such a researcher to identify prospective research participants for purposes of seeking their authorization to use or disclose protected health information for a research study. In addition, this rule permits a covered entity to disclose protected health information to the individual who is the subject of the information.

  • Research on Decedents

    California law requires local IRBs to review research using State of California-produced death data files containing personal identifying information. State of California-produced death data files which require IRB review include:

    • All files that can be linked to other death files using the certificate number (e.g., Death Address Files, Multiple Cause of Death Files); and
    • All files that are provided with personal identifiers (e.g., Death Statistical Master Files, Merged Death Files, Fetal Death Statistical Master Files).

    Access to State of California-produced death data files that include personal identifying information also requires review by the State of California Committee for the Protection of Human Subjects (CPHS). Researchers apply for CPHS review when ordering the data from the State of California.

    Research involving State of California-produced death data files that do not contain personal identifying information does not need to be reviewed by the IRB.

    As part of the research plan, PIs should contact the Office of Research Integrity directly at IRB@ucr.edu as an IRB application may be required. The State of California requires that researchers have a "valid scientific interest" in order for the IRB to approve such a study.

  • Additional HIPAA Resources

    • Investigators, research staff, coordinators and administrators who need to know HIPAA research procedures are requested to take the UCR HIPAA Training. You will need to register in order to complete the tutorial.
    • Additional helpful information regarding HIPAA can be found on the UCSD Human Subjects Protection Website. The Online Tutorial Assessment on Research Aspects of HIPAA was developed by the UC San Diego Human Subjects Protection Program, is completely optional, and has been made available to the UC research community.
      • This tutorial has been targeted to research investigators - just fill in the requested information to begin. At the end of the session, you will be able to download a certificate of completion to attach to your UCR IRB application.
    • SOM researchers: In addition to the information provided here, SOM researchers should also be familiar with the UCR Health Sciences Compliance Program as it applies to the practice of medicine as a whole.
    • See the UCOP Policy on Research Use of Protected Health Information for important information on how HIPAA can apply to a research project.
    • For more information about HIPAA requirements as they pertain to review of three or fewer case studies, please review the HIPAA & Case Report Guidance.

Data that is not subject to HIPAA Regulations and is not PHI

Some research studies do not use, disclose or create PHI and are not subject to HIPAA regulations.

For example, some studies use individually identifiable health information that includes personal identifiers such as name, date of birth or address. However, it is not considered to be PHI because the data is not:

  1. Obtained or generated as part of a health care service (treatment, payment, operations, medical records)
  2. Entered into a medical record, or
  3. Used to make treatment decisions

Examples of studies that use only research-generated health information and are not subject to HIPAA:

  • Studies that obtain data from subjects during interviews or surveys, and the investigators do not review or alter the subjects' health records or make treatment decisions as part of the research.
  • Studies that obtain data from records open to the public or existing research records.
  • Studies that use tests that do not go into the medical record because they are part of a basic research study and the results will not be disclosed to the subject.

Also, health information by itself, without the 18 identifiers, is not considered to be PHI. For example, a dataset of vital signs by itself does not constitute PHI. However, if the vital signs dataset includes medical record numbers, then the entire dataset must be protected since it contains an identifier.

Data that is not subject to HIPAA is still regulated by other human subjects protection regulations and may also be subject to other privacy regulations (e.g., the Family Educational Rights and Privacy Act (FERPA) or California's Confidentiality of Medical Information Act (CMIA)).