Skip to main content
Compliance Program

Compliance Program

Research Quick Reference

When Does HIPAA Apply?

If any of the following are true, then HIPAA applies to the study:

  1. Information is obtained from a covered entity, or
  2. The study involves the provision of health care in a covered entity, or
  3. The study involves the provision of health care, and a health insurer or billing agency is contacted for billing or eligibility determination.

What is a covered entity? Health insurers, billing clearinghouses, and most health care providers are covered. "Health care providers" includes hospitals, physicians, pharmacies, and clinics. The only health care providers not covered are those that do not contact or bill health insurers.

If HIPAA applies, the following is required.

Studies Started Before 4/14/2003

Study with consent form

If subject enrolled prior to 4/14/2003, continue as is. For subjects enrolled on or after 4/14/2003, obtain HIPAA authorization as well as consent, file copy in chart. At next IRB renewal, will need to submit HIPAA authorization as part of renewal.

Study with IRB waiver of informed consent

Continue study as is. At next IRB renewal, will need to submit documentation for waiver of HIPAA authorization. The IRB has a form for the waiver.

Study with IRB exemption

Cannot collect new patient information on or after 4/14/2003 without new approval from IRB. There are three different ways to obtain approval:

  1. Document that you are obtaining de-identified data (use IRB form).
  2. Obtain a data use agreement (contact the privacy officer, Anna Orlowski anna.orlowski@ucdmc.ucdavis.edu (916) 734-8808, for details).
  3. Document compliance with requirements for waiver of authorization (use IRB form).

Send this information into IRB for review and approval. After approval, study may continue.

Decedent research, no identifiers linked to living persons

Contact Privacy Officer for approval (on-line form).

Collecting data or reviewing charts in preparation for research

This can no longer be done without approval. Contact privacy officer (on-line form).

Studies Started On or After 4/14/2003

Study with consent form

Include HIPAA authorization as part of consent form in IRB application. Usually will also apply for waiver of authorization for recruitment phase of study. Follow IRB instructions.

Study with IRB waiver of informed consent

Include documentation for waiver of HIPAA authorization in IRB application. Follow IRB instructions.

Study with IRB exemption

Decide which category best fits: de-identified data, data use agreement, or waiver of authorization. For de-identified data or waiver of authorization, fill out IRB form and include in application. For data use agreement, contact the privacy officer, Anna Orlowski anna.orlowski@ucdmc.ucdavis.edu (916) 734-8808, to obtain agreement, include copy in IRB application.

Decedent research, no identifiers linked to living persons

Contact privacy officer for approval (on-line form).

Collecting data or reviewing charts in preparation for research

Contact privacy officer for approval (on-line form).

Common Questions

What is a HIPAA authorization? This is an authorization to release health information to the investigator. It is similar to our regular consents for release of information. The IRB will supply instructions on how to prepare this form.

What is required for decedent research? In order to access PHI for decedent research, the investigator must send a request to the privacy officer with the following:

  • A statement that the access is solely for the research of the PHI of decedents.
  • A list of the elements of PHI that are necessary for the work.

The privacy officer may request proof of death.

What is required for work preparatory to research? In order to access PHI for work preparatory to research, the investigator must send a request to the privacy officer with the following:

  • A statement that the work is solely to review PHI to prepare a research protocol or for similar purposes preparatory to research.
  • A statement that no PHI will be removed from the entity holding it.
  • A list of the elements of PHI that are necessary for the work.

What is a data use agreement? What is "de-identified"? Contact the privacy officer for details (Anna Orlowski anna.orlowski@ucdmc.ucdavis.edu (916) 734-8808) or look at the Compliance Web site section on HIPAA: http://compliance.ucdmc.ucdavis.edu/guidance/privacy/ .