If research will involve the use of Protected Health Information (PHI), criteria under the Health Insurance Portability and Accountability Act (HIPAA) may apply, and the researcher will need to address how their research meets HIPAA requirements in the research submission.
HIPAA Covered Entities
UO researchers planning to work with HIPAA-covered entities (e.g., hospitals, medical centers, or other universities) may need to comply with use and disclosure requirements under HIPAA for use of protected health information in their research. University administration has designated certain centers and departments as meeting criteria to be covered by HIPAA regulatory requirements. Researchers working at or obtaining data from HIPAA-covered components of the University of Oregon will have to comply with HIPAA use and disclosure requirements if their research involves protected health information.
For more information on HIPAA and the covered components at the University of Oregon, please visit the University of Oregon Privacy Office website or contact Mary Kay Fullenkamp, Privacy Officer, at 541-346-2513.
Protected Health Information
Protected Health Information (PHI) includes any individually identifiable health information transmitted or maintained in any form or medium (e.g., electronic, paper, oral) by a covered entity or its business associate.
Individually Identifiable Health Information
Individually identifiable health information is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual, and
- that identifies the individual, or
- for which there is a reasonable basis to believe it can be used to identify the individual.
When personally identifiable information is used in conjunction with an individual's physical/mental health or condition, health care, or payment for that health care, it becomes Protected Health Information (PHI). Below we have included a list of the 18 HIPAA identifiers.
18 HIPAA Identifiers
- Names
- All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
- Telephone numbers
- Fax Numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code that could uniquely identify the individual
If data contain any of these identifiers, or parts of the identifier (e.g., initials), the data are identifiable. To be considered “de-identified”, ALL of the 18 HIPAA Identifiers must be removed from the data set. For more information about how to de-identify the data according to the HIPAA privacy rule, refer to this HHS Guidance.
De-Identified Health Information
Researchers should note that there are no restrictions under HIPAA for the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. HIPAA provides only two ways to de-identify information, either:
- a formal determination by a qualified statistician; or
- the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers, which is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
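The identifier-removal method above (the 18 identifiers list and the rule that ALL of them must be removed, with ages over 89 aggregated and dates reduced to the year) can be expressed as a redaction step over a record. The following is an added example, not part of this page or of any UO form; the field names and the sample record are constructed for illustration.

```python
from datetime import date

# Keys that carry the page's direct identifiers: names, geography below the
# state level, phone/fax/email, SSN, MRN, plan and account numbers, licenses,
# vehicle and device serials, URLs, IP addresses, biometrics, face images.
# The key names themselves are assumptions for this example.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "zip_code", "phone", "fax",
    "email", "ssn", "medical_record_number", "health_plan_id", "account_number",
    "license_number", "license_plate", "device_serial", "url", "ip_address",
    "fingerprint_template", "face_photo",
}
# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}
AGE_CAP = 89  # any age over 89 is aggregated into a single "90 or older" bucket


def safe_harbor(record: dict) -> dict:
    """Return a copy of `record` with the 18 identifier classes removed."""
    out = {}
    over_89 = record.get("age", 0) > AGE_CAP
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # drop the identifier outright
        if key in DATE_FIELDS:
            # A birth year for someone over 89 is itself "indicative of such age".
            if not (over_89 and key == "birth_date"):
                out[key + "_year"] = value.year
            continue
        if key == "age":
            out[key] = "90 or older" if over_89 else value
            continue
        out[key] = value
    return out


def residual_identifiers(record: dict) -> set:
    """Fields that still make a record identifiable; empty after redaction."""
    return {k for k in record if k in DIRECT_IDENTIFIERS or k in DATE_FIELDS}


# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Example", "zip_code": "97403", "phone": "541-555-0100",
    "email": "jane@example.test", "medical_record_number": "MRN-000001",
    "ip_address": "192.0.2.10", "birth_date": date(1931, 3, 14),
    "admission_date": date(2023, 7, 2), "age": 92, "diagnosis_code": "E11.9",
    "state": "OR",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE))  # state and diagnosis survive; identifiers do not
```

Note that this covers only the identifier-removal route; the statistician-determination route has no mechanical check, and free-text fields would still need their own review for embedded identifiers.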
Researchers who require access to individually identifiable health information must either have each participant whose PHI is being gathered sign a HIPAA Authorization form or request that the IRB/HIPAA Privacy Board waive the authorization requirement.
HIPAA Authorization
Researchers requesting HIPAA Authorization can either include language in their regular informed consent form or include a separate authorization form during the consent process. In either scenario, the HIPAA Authorization must be written in plain language and include six core elements and three required statements.
Authorization Core Elements
- A specific and meaningful description of the PHI to be used.
- The name(s) or specific identification of the person(s) or class of person(s) who will make the disclosure.
- The name(s) or specific identification of the person(s) or class of person(s) who will use the PHI or to whom the covered entity will make the disclosure.
- Description of each specific purpose of the requested disclosure. Once researchers have obtained PHI, it may not be used for any purposes except those described in the Authorization. Authorizations are study-specific and may not be used for future unspecified research.
- Authorization expiration date or event. Researchers may use the terms "end of the research study" or "none" if the PHI is collected for research.
- The individual's signature and the date the Authorization is signed.
Authorization Required Statements
- A statement of the individual's right to revoke the Authorization at any time in writing and a description of how to revoke the Authorization.
- A notice of the covered entity's ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the Authorization, including research-related treatment, and, if applicable, the consequences of refusing to sign the Authorization.
  - NOTE: In most research at the UO, this statement should simply indicate that refusing to sign the Authorization will not affect the subject's medical care and will result only in the subject being excluded from the research.
- A statement explaining that the researcher receiving the data could potentially re-disclose the PHI and that the HIPAA Privacy Rule does not apply to the re-disclosure.
Form Template
Research Compliance Services has developed a HIPAA Authorization Form template for researchers to use. As with all templates, researchers may alter the format or wording of the document as long as the elements required by law remain.
HIPAA Waiver
Researchers requesting either a partial or total waiver of HIPAA Authorization must demonstrate that their research meets the following criteria:
- The use or disclosure involves no more than a minimal risk to the privacy of individuals, based on at least the presence of:
  - an adequate plan presented to the IRB or Privacy Board to protect PHI identifiers from improper use and disclosure;
  - an adequate plan to destroy those identifiers at the earliest opportunity, consistent with the research, absent a health or research justification for retaining the identifiers or if retention is otherwise required by law; and
  - adequate written assurances that the PHI will not be reused or disclosed to any other person or entity except (a) as required by law, (b) for authorized oversight of the research study, or (c) for other research for which the use or disclosure of the PHI is permitted by the Privacy Rule;
- The research could not practicably be conducted without the requested waiver or alteration; and
- The research could not practicably be conducted without access to and use of the PHI.
Finally, HIPAA provides for several exceptions to the Authorization/Waiver requirement for the use of protected health information, including activities “preparatory to research,” research solely on decedents, “limited data sets,” and where research permissions are allowable by the transition provisions of the Privacy Rule. Please note that specific criteria need to be met under HIPAA for these exceptions to apply. Please contact Research Compliance Services for more information.
More information
For more information about HIPAA and research, please visit the NIH HIPAA information page.
When researchers are planning to conduct a study where HIPAA will apply, please include Appendix D in your study materials. See our Applications, Forms and Guidance webpage for the most up to date versions of all forms and appendices.