Protected Health Information (HIPAA)

HIPAA and Human Subject Research

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains provisions to protect the confidentiality and security of personally identifiable information that arises in the course of providing health care. The intention of HIPAA is to protect patients from inappropriate disclosures of Protected Health Information (PHI) that can cause harm to a person's insurability, employability, etc. In order to understand how HIPAA affects research, there are a few important terms that are defined by the law.

  • A covered entity is the organization that has to comply with HIPAA. The University of California is a Hybrid Covered Entity because, in addition to providing health care at its medical facilities, it also has other organizational activities such as education and research.
  • The HIPAA Privacy Rule governs PHI, which is defined as information that can be linked to a particular person (i.e., is person-identifiable) and that arises in the course of providing a health care service.

When PHI is communicated inside of a covered entity, this is called a use of the information. When PHI is communicated to another person or organization that is not part of the covered entity, this is called a disclosure. HIPAA allows both use and disclosure of PHI for research purposes, but such uses and disclosures have to follow HIPAA guidance and have to be part of a research plan that is reviewed and approved by an Institutional Review Board (IRB).

When the research protocol requires creation, use or disclosure of PHI, researchers must indicate whether subjects will sign a written HIPAA research authorization for release of PHI for research (formally titled the “UC Permission to Use Personal Health Information for Research” form) or whether a waiver of authorization will be requested from the IRB. In addition, if a study involves PHI, all members of the research protocol team engaged in human subject research must complete the HIPAA Research tutorial.

There are 18 PHI identifiers as follows:

  1. Name
  2. Telephone Number(s)
  3. Social Security Number
  4. Account Number(s)
  5. Device Identifiers or Serial Numbers
  6. Finger or Voice Prints
  7. Address (all geographic subdivisions smaller than state, including street address, city, county, ZIP code)
  8. FAX Number
  9. Medical Record Number
  10. Certificate/License Number(s)
  11. Web URL
  12. Photographic Images
  13. All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
  14. Email Address(es)
  15. Health Plan Beneficiary Number
  16. Any Vehicle or Other Device Serial Number
  17. Internet Protocol (IP) Address Numbers
  18. Any other characteristic that could uniquely identify the individual
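As an added illustration (not a UCI or University of California tool), the following Python applies the identifier list above to a structured chart-review record before it leaves the covered entity: direct-identifier fields are dropped, dates are reduced to the year, ages over 89 are collapsed to a single category, geography below state level is removed, and free-text fields are scrubbed and then re-checked for residual patterns. The field names, the sample record and the regular expressions are assumptions for the example; the regexes are deliberately simple and are not an exhaustive detector for all 18 identifier types.

```python
import re
from datetime import date

# Constructed sample record (not real patient data), shaped like a chart-review export.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0012345",
    "dob": "1931-04-17",
    "admit_date": "2023-09-02",
    "zip": "92697",
    "state": "CA",
    "age": 92,
    "diagnosis": "Type 2 diabetes",
    "notes": "Pt reachable at jane@example.org or 949-555-0100; portal 10.0.0.12",
}

# Assumed field names that map directly onto enumerated identifiers; these are removed outright.
# "state" is kept because only geography smaller than a state is an identifier.
DIRECT_IDENTIFIER_FIELDS = {"name", "mrn", "ssn", "phone", "fax", "email", "zip", "city",
                            "street", "account_no", "plan_id", "device_serial", "url"}
# Date fields keep the year only; age over 89 is aggregated into one category.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Illustrative patterns for identifiers that tend to hide in free text (not exhaustive).
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}

def safe_harbor(record):
    """Return a copy of the record with the enumerated identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                      # drop the field entirely
        if key in DATE_FIELDS:
            out[key] = str(date.fromisoformat(value).year)  # keep only the year
        elif key == "age":
            out[key] = "90+" if value > 89 else value     # no exact age over 89
        elif isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                value = pattern.sub(f"[{label} removed]", value)
            out[key] = value
        else:
            out[key] = value
    return out

def residual_identifiers(record):
    """Pre-release check: list (field, pattern) pairs that still match in any text field."""
    return [(k, label) for k, v in record.items() if isinstance(v, str)
            for label, pattern in FREE_TEXT_PATTERNS.items() if pattern.search(v)]
```

An empty result from `residual_identifiers` on the scrubbed record is a necessary check, not proof of de-identification; item 18 (any other uniquely identifying characteristic) still requires human review.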

The Privacy Rule and Research

As noted above, HIPAA affects only that research which uses, creates, or discloses PHI. Researchers have legitimate needs to use, access, and disclose PHI to carry out a wide range of health research studies. The Privacy Rule protects PHI while providing ways for researchers to access and use PHI when necessary to conduct research. In general, there are two types of human research that would involve PHI:

  • Studies involving review of existing medical records as a source of research information. Retrospective studies, such as chart reviews, often do this. Sometimes prospective studies do it also, for example, when they contact a participant's physician to obtain or verify some aspect of the participant's health history.
  • Studies that create new medical information because a health care service is being performed as part of the research, such as testing of a new way of diagnosing a health condition or a new drug or device for treating a health condition. Virtually all sponsored clinical trials that submit data to the U.S. Food and Drug Administration (FDA) will involve PHI.

The IRB's Role

The IRB acts as a Privacy Board (required by HIPAA) to review the use/disclosure of PHI and to determine whether the subjects should sign an authorization (an addendum to the consent to participate in research) or whether a waiver of authorization (roughly analogous to a Waiver of Consent under the Common Rule) may be granted.

When the IRB determines that subjects should sign a HIPAA research authorization in order to use or disclose PHI for research, subjects are to sign the UC HIPAA research authorization as a part of the informed consent process for participation in the study.

Requesting a Waiver of HIPAA Authorization

Although it is always preferred to obtain permission/authorization to use an individual's PHI, HIPAA permits research using PHI without obtaining authorization. This is referred to as a waiver of HIPAA research authorization, which is granted by the UCI IRB.

In order to waive HIPAA Authorization, the IRB must determine that the study meets all of the following criteria:

  • The use or disclosure of PHI involves no more than minimal risk
  • Granting of the waiver will not adversely affect privacy rights and welfare of the individuals whose records will be used
  • The project could not practicably be conducted without a waiver
  • The project could not practicably be conducted without use of PHI
  • The privacy risks are reasonable relative to the anticipated benefits of research
  • An adequate plan to protect identifiers from improper use and disclosure is included in the research proposal
  • An adequate plan to destroy the identifiers at the earliest opportunity, or justification for retaining identifiers, is included in the research proposal
  • The project plan includes written assurances that PHI will not be re-used or disclosed for other purposes
  • Whenever appropriate, the subjects will be provided with additional pertinent information after participation

Clinical Activities as Research: When IRB Review, Consent, Research HIPAA and California Bill of Rights Apply

The University of California, Office of the President has advised when IRB Review, Consent, Research HIPAA and the California Bill of Rights apply to clinical activities that are treated as research. The following table illustrates this advisory and practice at UCI.

                                  Expanded Access   Humanitarian Use   Right to Try
  IRB Review                      Yes               Yes                Yes
  Consent Required                Yes               Yes                Yes
  California Bill of Rights[1]    Yes               No                 Yes
  HIPAA Research Authorization    Yes               No[2]              No[3]

Please contact HRP Staff for any questions.

[1] REQUIRED FOR “medical experiments.” HSC 24174

[2] REQUIRED IF IRB has access to PHI (unusual at UCI)

[3] REQUIRED IF non-UCI covered components will access protected health information (PHI)


Authorization: Under HIPAA, the granting of rights to access PHI. Authorization is required by HIPAA for disclosures or uses other than for Treatment Payment Operations (TPO), which are covered in the Notice of Privacy Practices. Treatment cannot be conditioned on granting of an authorization. An authorization is a specific, detailed document requesting patient-subject permission for the use of covered PHI.

Covered Entity: A covered entity is a health plan, a health care clearinghouse, or a health care provider transmitting health information, and is, therefore, subject to the HIPAA regulations.

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of PHI outside the entity holding the information. Disclosure of PHI requires a specific authorization under HIPAA except if disclosure is related to the provision of TPO (Treatment, Payment, Operations) of the entity responsible for the PHI or under a limited set of other circumstances, such as public health purposes.

Health Information: Any information, whether oral or recorded in any form or medium, that:

  • Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Hybrid Entity: A single legal covered entity with health care and non-health care functions, where the former are covered functions but are not its primary functions. The University of California is a hybrid entity.

Individually Identifiable Health Information is any information created, used, or received by a health care provider that relates to:

  • The past, present, or future physical or mental health or condition of an individual,
  • The provision of health care to an individual, or
  • The past, present, or future payment for the provision of health care to an individual with respect to which there is a reasonable basis to believe the information can be used to identify the individual. The collection of individually-identifiable health information for research constitutes human subjects research.

Minimum Necessary Standard: The least information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request of PHI.

Notice of Privacy Practices: The HIPAA Privacy Rule gives individuals a fundamental right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and distribute a notice that provides clear explanations of these rights and practices. The Notice of Privacy Practices is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and to exercise their rights.

Personal Health Information is used on the University of California HIPAA Authorization form in order to (1) capture the meaning of both protected health information (HIPAA term) and medical information (California Health & Safety Code: California Confidentiality of Medical Information term), (2) communicate to the research subject that information is "personal", and (3) convey information at an eighth-grade reading level.

Research Health Information (RHI) is defined as data used in research that would be personally identifiable but is not considered PHI and is therefore not subject to the HIPAA Privacy and Security Rules. The key distinction between RHI and PHI is that PHI is associated with or derived from a health care service event, i.e., the provision of care or payment for care. RHI is covered by other state and federal laws for privacy and confidentiality of research health information.

Protected Health Information (PHI) is defined as any individually identifiable health information collected or created as a consequence of the provision of health care by a covered entity, in any form, including verbal communications. PHI is information that can be linked to a particular person and that is created, used, or disclosed in the course of providing a health care service (i.e., diagnosis or treatment).