The Health Insurance Portability and Accountability Act (HIPAA) specifically addresses how protected health information (PHI) can be utilized for research purposes. HIPAA provides that PHI may be used for research as follows:

  • With a HIPAA authorization signed by the participant or his/her legal representative;
  • With a waiver of authorization from the IRB or UCD Health Privacy Board;
  • With a limited data set and a data use agreement;
  • If the data is fully de-identified;
  • For preparatory to research purposes; or
  • For research on decedent data.

In order to use or disclose a patient’s protected health information (PHI) for research purposes, a covered entity (UCD Health) is generally required to obtain a written authorization or a waiver of the authorization from the Institutional Review Board (IRB) or the UCD Health Privacy Board that meets the requirements of the regulations [45 CFR 164.512(i)]. To access the HIPAA Authorization for research form, go to: http://research.ucdavis.edu/policiescompliance/irb-admin/researchers/irb-forms/

A covered entity (UCD Health) may allow researchers, whether or not affiliated with UCD Health, to review PHI without written authorization for preparatory purposes (e.g., to determine the feasibility of a research study). To be eligible for access to this information, the researcher must certify that:

  • Access to PHI is solely to prepare a research protocol;
  • The PHI for which use or access is sought is necessary for the research purpose;
  • No PHI will be removed or retained; and
  • No potential research subject will be contacted as part of the preparatory to research process.

A researcher seeking to access PHI for preparatory purposes must first obtain consent from the Chief Compliance and Privacy Officer via submission of the Preparatory to Research Application form.

The HIPAA Rule protects individually identifiable health information about a decedent for 50 years following the date of death of the individual. UCD Health may use or disclose PHI to the researcher, if the researcher provides that:

  • Access to PHI is solely for research of the PHI on Decedents;
  • The PHI for which use or access is sought is necessary for the research purpose;
  • Only PHI of Decedents, not of living persons, will be accessed and reviewed; and
  • No PHI will be removed or retained.

A researcher seeking access to PHI for decedent research must first obtain consent from the Chief Compliance and Privacy Officer via submission of the Research on PHI of Decedents Application form.

The Privacy Rule requires covered entities (UCD Health) to record the disclosure/access or use of patient information without a patient’s authorization in certain situations. Three such situations related to research where we must account for the use of patient information without the patient’s consent are:

  • Research conducted pursuant to a waiver of authorization (commonly known as Form R and W at UCD Health), approved by the IRB;
  • PHI accessed under preparatory to research; and
  • PHI accessed under decedent research.

There are two methods to account for disclosure:

The Privacy Rule affects the conduct of clinical research by controlling how researchers gain access to much of the information needed to perform clinical studies. The Security Rule covers electronic protected health information (ePHI) that a covered entity or business associate creates, receives, maintains or transmits. The Security Rule includes administrative, physical and technical safeguards to protect ePHI.

See HIPAA Security Program for additional information: http://intranet.ucdmc.ucdavis.edu/hipaasecurity/index.htm