
[F1.0600] Health Insurance Portability and Accountability Act (HIPAA) (Instructions for ALL IRB Applications)

The Health Insurance Portability and Accountability Act (HIPAA) is a complex regulation that affects many researchers at the University of Kentucky (UK). HIPAA is designed to protect the use and disclosure of individually identifiable health information, also known as Protected Health Information (PHI).

You may need IRB approval to create, access, store, use, or disclose PHI if you are employed outside the Covered Entity (CE) and obtaining PHI from a UK CE department, or you are employed by a UK CE department and collecting PHI from subjects.

  • If HIPAA Authorization is required for your research, you must use the UK Informed Consent/HIPAA Combined Template as a guide to develop your consent/authorization document; the template can be found under "All Templates" in the APPLICATION LINKS menu on the left in your E-IRB application.

Note: If you are obtaining PHI from another institution, you must use that institution's HIPAA forms and comply with its HIPAA requirements.

*You must understand that you could face criminal and/or civil liabilities for non-compliance.

This webpage contains information to help you comply with these regulations. This information is subject to change as the regulations continue to be interpreted and policies are developed; please check back often.

*If you are a UK Medical Center employee, please access UKMC's intranet for policies on the release of Protected Health Information (PHI) for research purposes.

Definitions

  • Protected Health Information (PHI): Any of the 18 HIPAA-recognized identifiers in combination with health information transmitted or maintained in any form (electronic, paper, or oral) that relates to the past, present, or future physical or mental health or conditions of an individual.
  • Covered Entity (CE): Any department (or, in some cases, institution) that provides services meeting the definition of a health care provider, health plan, or health care clearinghouse. An entity, or its covered departments or colleges, that is regulated by HIPAA is called a Covered Entity (CE).
  • De-identified Information: Health information that cannot be linked to an individual.
  • Patient Authorization: A document signed by the subject that gives the researcher permission to use/disclose PHI collected during the research study for defined purposes. 
  • Waiver of Authorization: A request to forgo the authorization requirement based on the fact that the disclosure of PHI is a minimal risk to the subject and the research cannot practically be done without access to/use of PHI.
  • Limited Data Set: A limited data set is PHI in which the identifiers are limited to the following elements: city, state, zip code, and dates of birth, death, or service.
  • Preparatory Work for Research: Review of PHI for the purpose of designing a research study or identifying potential subjects.
  • Decedent Research: Research where PHI is collected from a subject(s) who is deceased before the initiation of the study.

18 HIPAA-recognized Identifiers

  1. Names;
  2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes;
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death;
  4. Telephone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images;
  18. Any other unique identifying number, characteristic, or code.

Does HIPAA apply to my research?

Answer these questions or use the roadmap below so you don't get lost in the regs!

  1. Does your research protocol involve creating, accessing, using, storing, or disclosing PHI?
    1. Yes, go to question two (2).
    2. No, STOP. Your research does not fall under HIPAA, but you must follow federal/state privacy laws and IRB requirements when dealing with patient/subject information.
  2. Is your department listed as a University of Kentucky Covered Entity?
    1. Yes, complete the following steps. You must comply with all of UK’s regulations for creating, accessing, storing, and disclosing PHI.
    2. No, if you are accessing PHI from UK Medical Records or any other source of PHI within the CE, complete the HIPAA Application Form. You must comply with the UK’s HIPAA requirements for accessing PHI. Once PHI is removed from the CE, you must follow federal/state privacy laws and IRB requirements. If you are accessing PHI from another source, contact the Research Privacy Specialist to determine if HIPAA applies to your study.

HIPAA Roadmap

Decision Tree illustrating when HIPAA applies to human research

*HIPAA recognized identifiers; for questions about this or limited data sets (LDS), contact ORI's Privacy Team.

**If you plan to send or receive any data outside of UK, please contact Ali Yankey in the Office of UK Innovate for assistance with a DUA/MTA.

***CE is an entity regulated by HIPAA

Which HIPAA form should be completed, if any? Where do you request/submit HIPAA documents?

De-identified Information

HIPAA lists 18 specific identifiers that must be removed for data to qualify as de-identified. The following may still be recorded: the initial three digits of the zip code if the population of that area is greater than 20K, age if less than 90, gender, and ethnicity.

  • If you are de-identifying protected health information (PHI) for your study and your department is a Covered Entity, complete the de-identification certification form and take it to Medical Records to obtain PHI. Make a copy of the de-identification form and submit it with your IRB application.
  • If you are de-identifying PHI for your study and your department is NOT in a Covered Entity, complete the de-identification certification form and submit a Business Associate Agreement (BAA) to Medical Records to obtain PHI. Make a copy of the de-identification form and submit it with your IRB application.
  • Contact: Erin McMahon, Associate General Counsel, (859) 323-1161 for assistance with BAAs.

Patient Authorization

An authorization should be signed by subjects when informed consent is obtained or when subjects are re-consented. If HIPAA Authorization is required for your research, you must use the Informed Consent/HIPAA Combined Template as a guide to develop your consent/authorization document and submit it with your IRB application.

  • For a copy of the template, see the IRB application, or contact the Research Privacy Specialist.
  • Take the IRB-approved authorization form signed by the subject to Medical Records to obtain PHI.

HIPAA Authorization Regulations [D19.0000]

According to HIPAA requirements outlined in 45 CFR 164.508, researchers should obtain written authorization from subjects before using or collecting protected health information (PHI) whenever possible. Authorization should be obtained in writing from prospective subjects. 

Under HIPAA, the following core elements and statements must be included in the authorization document. 

  • A description that identifies the individually identifiable protected health information to be used/disclosed in a specific and meaningful fashion (e.g., list the types of data to be collected from the medical record);
  • The name of the person(s) or class of persons to whom the covered entity may make the requested use or disclosure (i.e., researchers must list all of the entities that might have access to the study’s PHI such as ORI/IRB, University of Kentucky/Hospital representatives, sponsors, Food and Drug Administration, data safety and monitoring board or any others given authority by law);
  • A description for each purpose of the requested use or disclosure (e.g., list reasons why the PHI is collected, such as to be able to conduct the research and to ensure that the research meets legal, institutional, or accreditation requirements; list the purpose of the research);
  • An expiration date or an expiration event that relates to the use or disclosure (i.e., length of time researchers plan to maintain the data). The statement “end of research study”, “none”, or similar language is sufficient;
  • A description of how the individual may revoke the authorization and the exceptions to the revocation; or a copy of the Privacy Notice, which explains how to revoke the authorization and the exceptions to the revocation (i.e., HIPAA gives subjects the legal right to revoke authorization. The subjects must be told how they can withdraw. Any request for revocation must be in writing. Also, the subjects should be told that if they do revoke, they can no longer participate in research and that researchers may use the PHI already obtained to maintain the integrity of the data.);
  • A statement that a subject’s treatment, payment, or enrollment in any health plan or their eligibility for benefits will not be affected if they refuse to sign the authorization;
  • A statement that the subject may not participate in a research study if they refuse to sign the authorization;
  • An explanation that information disclosed pursuant to the authorization may no longer be protected when re-disclosed by the recipient (i.e., if the researchers disclose the information collected to a third party, then the HIPAA protections may no longer be in place);
  • A signature of the individual and date. If a personal representative signs the authorization, a description of the representative’s authority must be provided.
  • Optional item: Under HIPAA, subjects have the right to access their PHI. In research, this right can be suspended while the research is in progress. However, subjects must be told in the authorization that this right has been suspended, and the conditions of the suspension must be listed. The subjects should also be informed that their right to access the PHI will be reinstated at the conclusion of the research study.
  • The authorization must be written in plain language;
  • The subject must be given a copy of the signed authorization.

Waiver of Authorization

"Form K": Request for Waiver of HIPAA Authorization Form


Guidance for Requesting and Completing the HIPAA Waiver of Authorization Form [D20.0000]

A waiver of authorization is a request to forgo the authorization requirements because the disclosure of protected health information (PHI) for research purposes is minimal risk to the subject and the research cannot practically be done without access to/use of the PHI. The investigator must develop a written plan to protect the subject’s protected health information.

Examples that would require a waiver of authorization:

  1. Researchers in the Covered Entity (CE) would require a waiver of authorization to remove PHI from the CE (i.e., sharing PHI with the sponsor) for the purpose of identifying subjects for a research study. The waiver would only be granted if:
    1. The investigator is submitting a screening log with PHI to a sponsor to identify potential subjects for a study; and
    2. The investigator has not obtained informed consent/authorization from the subject; and/or
    3. The screening log, which contains PHI, is disclosed to monitors or other agencies during the study.
  2. Retrospective medical record reviews would require a waiver of authorization since it would be impractical to obtain authorization from the subjects.
  3. Researchers not in the Covered Entity (CE) would require a waiver of authorization to remove PHI from the CE. The waiver would only be granted if:
    1. The investigator is removing PHI from the Covered Entity; and
    2. The investigator has not obtained informed consent/authorization from the subject.

The following identifiers can be recorded and removed from the CE without requesting a waiver of authorization:

  • Initial three digits of the zip code if the population is greater than 20K
  • Age if it is less than 90,
  • Gender, and
  • Ethnicity.
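The retention rules above (and in the De-identified Information section) can be applied mechanically to a record before it leaves the CE. The following Python helper is an added example, not code from the UK IRB page; the record field names, the sample record and the 3-digit ZIP population table are constructed assumptions (real area populations come from Census data).

```python
"""Safe Harbor de-identification following the retention rules stated on this page.
Added example; field names, sample record and ZIP population table are constructed."""
import re
from datetime import date

# Constructed sample table: population of each 3-digit ZIP area. The page allows the
# first three digits to be kept only when that area's population exceeds 20K.
ZIP3_POPULATION = {"405": 350_000, "413": 12_000}

# Direct identifiers the page lists (names, contact details, record and account
# numbers, device/vehicle ids, URLs, IPs, biometrics, photos) are dropped outright.
DROP_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
# Dates directly related to the individual keep only the year.
DATE_FIELDS = {"admission_date", "discharge_date", "date_of_death"}

# Identifier patterns that commonly leak through free-text fields such as notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}


def generalize_zip(zip_code):
    """Keep the 3-digit prefix only if its area has more than 20K people, else '000'."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def generalize_age(dob, as_of):
    """Return the age in years, aggregating 90 and over into a single '90+' bucket."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else age


def scrub_text(text):
    """Redact identifier patterns in free text; return (clean_text, pattern_names_found)."""
    found = []
    for name, pattern in FREE_TEXT_PATTERNS.items():
        text, hits = pattern.subn("[REDACTED]", text)
        if hits:
            found.append(name)
    return text, found


def deidentify(record, as_of):
    """Return a new record containing only what the page says may be retained."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            out["age"] = generalize_age(value, as_of)
        elif field in DATE_FIELDS:
            out[field + "_year"] = value.year
        elif isinstance(value, str):
            out[field], _ = scrub_text(value)  # gender, ethnicity, clinical notes
        else:
            out[field] = value  # numeric clinical variables such as BMI
    return out


# Constructed sample record (not real patient data).
AS_OF = date(2024, 1, 10)
SAMPLE_RECORD = {
    "name": "Jane Doe", "mrn": "000123", "zip": "40536",
    "dob": date(1930, 6, 15), "admission_date": date(2023, 3, 2),
    "gender": "F", "ethnicity": "Hispanic", "bmi": 27.4,
    "note": "Call 859-555-0100 before discharge",
}
YOUNG_DOB = date(1990, 2, 1)

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, AS_OF))
```

The free-text scrub is a safety net for notes fields; it does not replace reviewing the variable list on Form K, since identifier 18 (any other unique code) cannot be caught by pattern matching.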

Sample Form K: HIPAA Waiver of Authorization [F1.0700]

An IRB-approved HIPAA Waiver of Authorization form allows researchers to access and use specific PHI for research purposes without patient authorization under certain conditions. See the following notes on completing a request for such information. Use of "N/A" or responses left blank is considered invalid and will not be approved by the IRB.

  1. The use or disclosure of Protected Health Information (PHI) involves no more than a minimal risk to the privacy of individuals. Explain why.
    Instructions: Explain why your research is minimal risk to the privacy of subjects and why the waiver will not adversely affect their rights and welfare. Include details regarding the use of certain safeguards, such as coding information, using crosswalk tables, and obtaining the minimum amount of PHI necessary.

    Example: We will be performing a retrospective chart review to determine patient eligibility. There will be no intervention or interaction with participants, and we will be observing the minimal amount of PHI necessary to determine if a patient meets our inclusion criteria. We will store identifiers separately - our team will code information and utilize a crosswalk table. 
  2. Include a detailed list of the PHI to be collected and a list of the source(s) of the PHI.
    Instructions: 
    • List all sources used to collect PHI (ex. medical records).
    • List all PHI being collected. It is permissible to reference a standalone data collection tool in the response if it is easier than listing each variable in the space provided. Refrain from listing "health and medical history," etc., or other non-specific language. Information should be consistent with what is listed in the E-IRB protocol 'Research Description' section.

      Example 1: See the attached data collection sheet (insert file name) for the full list of variables. PHI will be obtained by reviewing the patient's electronic medical records.

      Example 2: The sources of PHI for this study include the UK's electronic medical records and the UK ER's database. We will collect the following list of variables from these sources: Name, medical record number, date of birth, height, weight, BMI, smoking status, date of ER discharge, and medications prescribed upon ER discharge.
  3. Describe the plan to protect PHI.
    Instructions: List your plans to protect PHI in all forms (physical and electronic). Laptops and flash drives must be encrypted if used as part of the research. University-issued software that is HIPAA compliant (such as OneDrive and REDCap) is considered an acceptable storage option for PHI. Personal drives such as Google Drive are not considered appropriate for storage of PHI.

    Example: All electronic data will be accessed and stored on encrypted, password protected university desktop/PC computers/laptops and university issued, HIPAA compliant software located within the Medicine Department. A physical copy of the crosswalk table will only be accessible to the study PI and kept in a locked cabinet in the PI's office. No one other than approved study personnel will have access to the PHI.
  4. Indicate where PHI will be stored.
    Instructions: List your plans to protect PHI in all forms (physical and electronic). Laptops and flash drives must be encrypted if used as part of the research. University-issued software that is HIPAA compliant (such as OneDrive and REDCap) is considered an acceptable storage option for PHI. Personal drives such as Google Drive are not considered appropriate for storage of PHI.

    Example: All electronic data will be accessed and stored on encrypted, password protected university desktop/PC computers/laptops and university issued, HIPAA compliant software located within the Medicine Department. A physical copy of the crosswalk table will only be accessible to the study PI and kept in a locked cabinet in the PI's office. No one other than approved study personnel will have access to the PHI.
  5. Who will have access to the PHI? (Note: researchers must list all of the entities that are able to access the study’s PHI, such as the Office of Research Integrity/Institutional Review Board, UK/Hospital representatives, sponsors, the FDA, data safety monitoring boards, and any others given authority by law.)
    Instructions: ORI/IRB, IRB-approved study personnel, and sponsors (if applicable/will access PHI) must all be listed in this response.

    Example 1: IRB approved study personnel and the Office of Research Integrity/Institutional Review Board will have access to the PHI.

    Example 2: IRB approved study personnel, ORI/IRB, FDA, and Drug Corporation (sponsor of this study) will have access to the PHI.
  6. All PHI collected during the study will be destroyed at the earliest opportunity consistent with the conduct of research, which is: (explain below). Alternatively, PHI collected during the study will not be destroyed because: (explain below).
    Instructions: UK's data retention policies stipulate that IRB-related research data should be retained for a minimum of 6 years post study closure, but PHI can be destroyed earlier. Please stipulate when PHI will be destroyed, if applicable, or explain why it will not be destroyed.

    Example: PHI collected as part of this study will be destroyed six years following closure of the study.
  7. Please describe the procedure used to destroy PHI collected during the study (electronic, paper, audio/video, photography, other).
    Instructions: PHI destruction should take place according to UK policy. Detail the process that will be used for any electronic and/or physical PHI that will be created as part of the project. Information should be consistent with what is detailed in the E-IRB protocol.

    Example: PHI will be destroyed pursuant to UK policies.
  8. The research could not practicably be conducted without the waiver because (explain below).
    Instructions: Explain why your research cannot be accomplished without this waiver. If doing retrospective data collection, explain why it is impracticable to obtain consent from participants. If doing prospective data collection, address why consent cannot be obtained.

    Note: Retrospective refers to PHI that exists at the time of IRB protocol submission (at initial review). Prospective refers to PHI that will be collected in the future/does not exist at the date of IRB submission.

    Example: This project involves a retrospective review of the charts of patients who previously received treatment from the UK HealthCare Medicine Department per standard of care. There is no direct intervention involved in this study, and it is not practicable to track down these patients to obtain consent because many of them may be deceased or may have already transferred their care elsewhere. Additionally, given the large enrollment target, it is not practicable to contact this number of individuals. Excluding these individuals from our study would not allow for a representative sample of the target population.
  9. The research could not practicably be conducted without access to and use of the PHI because (explain).
    Instructions: Please note this question is similar to but not the same as question 8. Explain why the research objective cannot be completed without access to the PHI.

    Example 1: The research could not practicably be conducted without access to PHI because this information is needed to link existing clinical data to determine if there was improvement among patients treated with drug X in the ER. Since the required information is contained within patients’ medical records, there is no alternative source to capture this comprehensive clinical and outcome data.

    Example 2: Our study is targeting a specific population and we need access to the PHI to determine which patients meet the eligibility criteria so we can approach those patients for inclusion in our study at their next clinic appointment.
  10. The HIPAA regulation requires reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Please note that researchers are also accountable for any PHI released under a waiver. Explain why the PHI obtained for this study is the minimum information needed to meet the research objectives.
    Instructions: Explain why the variables listed on this form (in question 2) are the minimum necessary to accomplish the intended purpose of the study, in compliance with the HIPAA minimum necessary standard.

    Example: The PHI listed in #2 (above) is the minimum necessary to accomplish the intended purpose of the study.

The information listed in the waiver application is accurate, and all research staff will comply with the HIPAA regulations and the waiver criteria. I assure that PHI obtained as part of this research will not be reused or disclosed to any person or entity other than those listed on this form, except as required by law. If at any time I want to reuse this information for other purposes or disclose the information to other individuals or entities, I will seek approval from the IRB.

Investigator's Name: Print or type PI's name

Date: Insert date

Principal Investigator Signature: The PI of the study will need to wet-ink sign/date and scan, or use an authenticated electronic signature

E-IRB Submission Instructions

  • Attach a PDF copy of the completed form to the E-IRB protocol as an attachment with the "Waiver of Authorization" document type selected. 
  • Once approved, the IRB will issue a HIPAA Waiver of Authorization approval letter. Take this letter to Medical Records to obtain PHI.
  • After approval, any changes to this form will need to be submitted as an MR; the form will need to be resigned/dated, and a clean and highlighted "tracked changes" version should be attached to the E-IRB protocol.

Note (for clinical trials only): If you plan to review PHI to identify subjects for recruitment purposes and your sponsor requires you to give them a screening log with PHI (and you have not obtained informed consent or authorization), submit a waiver of authorization form with your application. The waiver of authorization will cover recruitment purposes only.

Limited Data Set

  • If your department is listed in the Covered Entity, a Data Use Agreement must be completed and submitted to Medical Records to obtain PHI.
  • If your department is NOT listed in the Covered Entity, a Data Use Agreement and a BAA must be completed and submitted to Medical Records to obtain PHI.
  • Contact: Erin McMahon, Associate General Counsel, (859) 323-1161 for assistance.

Preparatory Work for Research

Please go to Medical Records and complete their HIPAA Research Form to obtain PHI.

Decedent Research

Please go to Medical Records and complete their HIPAA Research Form to obtain PHI.

Is my research covered by HIPAA?

HIPAA applies to you if your college or department uses Protected Health Information (PHI) in connection with certain covered transactions. Legal counsel, with guidance from Deans and other UK leaders, has determined which colleges and departments engage in covered transactions and thus are covered by HIPAA.

An entity, or its covered departments or colleges, that is regulated by HIPAA, is called a Covered Entity (CE).

Because of its size and the range of its activities, the University of Kentucky (UK) is designated as a hybrid entity, which means that some departments/colleges are regulated by HIPAA and others are not.

The University of Kentucky is a “covered entity.”

What makes the University of Kentucky a “covered entity?” The University of Kentucky is comprised of several groups that make it a “covered entity,” including the University of Kentucky Chandler Medical Center, medical benefit plans, human research, dental clinics, student health services, and athletics, among others.

  • If you are employed in a UK Covered Entity component and create, access, or share Protected Health Information, HIPAA applies to your research.
  • If, in your research, you collect Protected Health Information from a UK Covered Entity and your department/college is deemed outside of the Covered Entity, HIPAA applies to your access of the Protected Health Information.

Researchers not in the Covered Entity may need an authorization form:

  1. to access PHI for their study; or,
  2. if they are conducting part of their study in the Covered Entity.

To find out whether HIPAA covers your department/college, assistance with determining whether you are employed in a UK Covered Entity, or for more information, contact the Research Privacy Specialist.

UK Covered Entities

Note: Abbreviated list. There may be others not listed; please contact the Research Privacy Specialist for assistance.

  • Entire College of Dentistry
  • All Hospital Areas
  • All Ky Clinic Operations
  • College of Health Sciences
    • Business Office
    • Communication Disorders
    • Physician Assistant Studies
  • College of Medicine
    • Clinical Affairs
      • Anesthesiology (Pain Mgmt Center)
      • Diagnostic Radiology
      • Emergency Medicine
      • Family Practice
      • Internal Medicine
      • Neurology
      • OB/GYN
      • Ophthalmology
      • Pathology and Lab Medicine
      • Pediatrics (UK's Children's Hospital)
      • Physical Medicine and Rehabilitation
      • Psychiatry
      • Radiation Medicine
      • Surgery
      • Orthopedics/Sports Medicine Center
    • Department
      • Dean's Office
      • Chief of Staff
    • Multidisciplinary Centers
      • Business Operations
      • Clinic Operation
      • Center for Minimally Invasive Surgery
      • Diagnostic Clinic (Neurology)
      • Gamma Knife Center
      • Gill Heart Center
      • KY Center for Rural Health Family Practice Clinic
      • Kentucky Neurosciences Institute
      • (Lucille Parker) Markey Cancer Center Clinical Activities
      • Rural Health Center Hazard
      • Transplant Center
      • Public Health
      • Preventive Medicine
  • College of Pharmacy
    • Drug Information Services
  • UK Campus
    • College of Social Work: CATS Clinic
    • Human Resource Services: Benefits
    • Human Resource Services: Employee Relations
    • Human Resource Services: The Plan/UKHMO-UKDC
    • Internal Audit
    • Legal Counsel
    • Office of Controller: Accounts Payable
    • Office of Controller: Benefits Financial Counseling
    • Public Relations

Not in the Covered Entity

Business Associate Agreements

A Business Associate Agreement (BAA) applies when:

  • You (or your department) are not in the Covered Entity, and you are either de-identifying information or creating a limited data set.
  • You have an outside person/entity that performs a service on behalf of the health care provider (including a researcher) or the health care institution, during which individually identifiable health information is created, used, or disclosed.

    The IRB does not consider research collaborators to be business associates unless they sign a contract to perform certain duties/functions that involve the use and/or disclosure of PHI.

Contacts

HIPAA Patient Rights or Accounting of Disclosure

Sarah Hines, UK's Healthcare Privacy Officer, (859) 323-1184

HIPAA Agreements

(Such as Data Use Agreements or Business Associate Agreements)

Erin McMahon, Associate General Counsel, (859) 323-1161