Compliance Program

Research Privacy and Security

Applications and Forms

  • Research preparation application — To obtain permission to review PHI in preparation for a research project. Do not use if you intend to use the data for publication (Staff Only)
  • Decedent research application — To obtain permission to use PHI for decedent research when no identifiers are linked to living persons (Staff Only)
  • Research authorization — Standard authorization for release of information for research. Download and customize for your project

The primary laws and regulations that cover research privacy and security are found in the Health Insurance Portability and Accountability Act (“HIPAA”) and the HITECH provisions dealing with data breaches. The final HIPAA Omnibus Rule was published in January 2013; for research-related issues, it essentially modified the rule related to authorizations to use and disclose protected health information (“PHI”).

HIPAA Authorization Requirement

In order to use or disclose a patient’s protected health information (PHI) for research purposes, a covered entity (UCDHS) is generally required to obtain a written authorization, or a waiver of the authorization from an IRB or the UCDHS Privacy Board, that meets the requirements of the regulations [45 CFR 164.512(i)]. To access the HIPAA Authorization for research form, go to:

HIPAA provides that PHI may be used for research purposes:

(a) With an authorization signed by the participant or his/her legal representative; or
(b) With a waiver of authorization from an IRB or the UCDHS Privacy Board; or
(c) With a limited data set and a data use agreement; or
(d) If the data is fully de-identified; or
(e) If the data is on a decedent.

Preparatory to Research

A covered entity (UCDHS) may allow researchers, whether or not affiliated with UCDHS, to review PHI without written authorization from affected individuals if the researchers certify that:
(1) the use or disclosure is sought solely to review PHI as necessary to prepare a research protocol,
(2) no PHI will be removed, and
(3) the PHI for which use or access is sought is necessary for research purposes.

If you are seeking access to PHI to determine whether a protocol is feasible, go to the Applications and Forms section and fill out the application online.

Access to PHI on Decedent Information

The HIPAA Rule protects individually identifiable health information about a decedent for 50 years following the date of death of the individual. UCDHS may use or disclose PHI to the researcher if the researcher provides:
(1) a representation that the use or disclosure sought is solely for research on the PHI of decedents,
(2) documentation, at the Privacy Officer’s request, of the death certificate, and
(3) a representation that the PHI for which use or disclosure is sought is necessary for research purposes.

Accounting of Disclosures

The Privacy Rule requires covered entities (UCDHS) to maintain records of certain disclosures made without patient authorization, including disclosures for public health purposes and for research conducted pursuant to a waiver of authorization, reviews preparatory to research, and research on decedents’ information. UCDHS must provide information about those disclosures upon request of the patient.
Required disclosures shall be documented as follows:

1. All disclosures can be documented by accessing the Tracking and Disclosure database.
a. The database can be accessed directly at: or by typing “disclose” into the UCDMC intranet web browser.

2. Disclosures for research purposes without authorization pursuant to IV.A.2 above may also be documented in the Quick Disclosure Activity located in the patient’s EHR.
a. To access the Quick Disclosure Activity section in the EHR:
i. Go to Hospital Chart or Chart;
ii. Click on “More Activities” and choose Quick Disclosure;
iii. Fill out the appropriate fields as follows:
iv. Quick Disclosure opens. Fill out the appropriate fields.
v. Purpose Field: Type Research and choose the appropriate purpose
vi. Info Requested: Click “Third Party” and type “UCD” in requester field then press enter.

HIPAA Security Rule

The Privacy Rule affects the conduct of clinical research by controlling how researchers gain access to much of the information needed to perform clinical studies. The Security Rule covers electronic protected health information (ePHI) that a covered entity or business associate creates, receives, maintains or transmits. The Security Rule includes administrative, physical and technical safeguards to protect ePHI.