Privacy Practices and HIPAA


Privacy practices govern the receipt, use and storage of personal and confidential information in research. Because the use of personal and confidential information is common in both biomedical and behavioral research, confidentiality is a major concern. Currently, most research involving human subjects operates under the Common Rule (45 CFR Part 46, Subpart A) and/or the Food and Drug Administration’s (FDA) human subject protection regulations (21 CFR Parts 50 and 56). However, studies that involve the use of protected health information (PHI) from medical records need to be conducted in compliance with the Health Insurance Portability and Accountability Act (HIPAA), also known as “The Privacy Rule”.

Federal statute(s) require(s) without exception that the confidentiality of personally identifiable information be maintained throughout the research and thereafter. In proposing a research study, the Principal Investigator shall consider the nature, probability, and magnitude of harms that would be likely to result from a disclosure of collected information outside the research. The PI shall also evaluate the effectiveness of the proposed anonymizing techniques, coding systems, encryption methods, storage facilities, access limitations, and other relevant factors in determining the adequacy of confidentiality protections. See the Data Management Security web page for more information on how to protect human subject data.

It is a requirement that the IRB application and consent documentation (if applicable, according to submission category) describe the extent to which confidentiality of records identifying the subject(s) will be maintained (or not maintained). Where deemed necessary, the PI shall obtain a certificate of confidentiality which protects against the compulsory release of individually identifiable research information.

HIPAA Policies

Use of Protected Health Information for Research Purposes
Obtaining Authorization or Waiver of Authorization to Conduct Research
Certification for Research Using Decedent Protected Health Information
Certification of Review Preparatory to Research
Use of Limited Data Sets and Data Use Agreements
Disclosures of De-Identified Health Information


Certification for Research on Decedents’ Only PHI Form
Certification of Review Preparatory to Research Form
HIPAA Authorization Form Templates

HIPAA Privacy Rule FAQs

Individually identifiable health information is health information, including demographic information, that is collected from an individual by a covered entity or employer; that relates to the past, present, or future physical or mental health condition of an individual, the provision of healthcare to an individual, or the past, present, or future payment for healthcare to an individual; and that identifies the individual, or where it is reasonable to believe the information can be used to identify the individual.

PHI is individually identifiable health information that is transmitted or maintained by a covered entity in any form or medium.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and represents efforts by the Federal government to standardize and provide safeguards for the electronic transmission of health information of US citizens, including research subjects.

Covered entities are healthcare providers, health plans, and healthcare clearinghouses, which electronically transmit health information. HIPAA regulations only apply to uses and disclosures of protected health information by covered entities.

Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time ensuring that investigators continue to have access to medical information necessary to conduct vital research. The Privacy Rule establishes the conditions under which PHI may be used or disclosed for research purposes. The Privacy Rule defines the means by which individuals will be informed of uses and disclosures of their medical information for research purposes, and their rights to access information about them held by covered entities.

A covered entity may de-identify PHI (remove the 18 identifiers), using either the statistical or the “Safe Harbor” method, in order to provide data to an investigator without being subject to policies and procedures that limit the use and disclosure of protected health information as required by HIPAA Privacy regulations. The Privacy Rule outlines the process for use and disclosure of PHI for research by obtaining an individual authorization or without individual authorization under

A Privacy Rule Authorization is an individual’s signed permission to allow a covered entity to use or disclose the individual’s protected health information (PHI) that is described in the Authorization for the purpose(s) and to the recipient(s) stated in the Authorization. In contrast, an informed consent document is an individual’s agreement to participate in the research study and includes a description of the study, anticipated risks and/or benefits, and how the confidentiality of records will be protected, among other things. An Authorization can be combined with an informed consent document or other permission to participate in research. If a covered entity obtains or receives a valid Authorization for its use or disclosure of PHI for research, it may use or disclose the PHI for the research, but the use or disclosure must be consistent with the Authorization.

Access the FIU IRB HIPAA Authorization Form templates

In some situations, the IRB can waive the requirement that research subjects sign an Authorization Form. A Waiver of Authorization does not mean your research is exempt from HIPAA’s privacy regulations. It only means you do not need signed authorization from each research subject.

To qualify for Waiver of Authorization, investigators should indicate the following in their IRB Approval Form:

  • That the research use of the health information does not represent more than a minimal risk to privacy;
  • That the research could not be done without the requested health information;
  • That it would not be practical to obtain signed authorizations from the research subjects;
  • That the specific elements of health information that are requested are not more than the minimum necessary to accomplish the goals of the study.

The 18 identifiers that must be removed for PHI to be considered de-identified under the “Safe Harbor” method are:

  • Names;
  • All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  • Phone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social Security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints;
  • Full face photographic images and any comparable images; and
  • Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
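As an added illustration (not part of the FIU page or its forms), the following Python routine applies the Safe Harbor rules listed above to a constructed record: direct identifiers are dropped, the ZIP code is reduced to its three-digit prefix (or 000 for a restricted prefix), dates are reduced to the year, and ages over 89 collapse into a single 90+ category with the birth year removed. The restricted-prefix set and the field names are assumptions made for the example.

```python
import re
from datetime import date

# Illustrative (constructed) set of three-digit ZIP prefixes covering 20,000 or
# fewer people; the real set must come from current Census Bureau data.
RESTRICTED_ZIP3 = {"036", "059"}
# Direct identifiers from the Safe Harbor list that are dropped outright.
DROP_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
               "account", "license", "vin", "device_id", "url", "ip",
               "biometric", "photo"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

def safe_harbor_zip(zip_code):
    """Keep only the first three digits, or '000' for a restricted prefix."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix

def age_on(dob, as_of):
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))

def safe_harbor_record(record, as_of):
    """Return a de-identified copy of record; as_of is the reference date for age."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif field in DATE_FIELDS:
            out[field + "_year"] = value.year  # every other date element is removed
        else:
            out[field] = value
    if "dob" in record:
        age = age_on(record["dob"], as_of)
        if age > 89:
            # ages over 89 collapse into one category; the birth year would reveal it
            out["age"] = "90+"
            out.pop("dob_year", None)
        else:
            out["age"] = age
    return out

# Constructed sample record (not real patient data)
SAMPLE = {"name": "Jane Doe", "mrn": "MRN-0001", "zip": "03601-1234",
          "dob": date(1930, 5, 1), "admit_date": date(2023, 11, 2),
          "diagnosis_code": "I10"}
DEIDENTIFIED = safe_harbor_record(SAMPLE, as_of=date(2024, 1, 15))
```

Note that Safe Harbor removes listed identifiers only; a re-identification check of the remaining fields (here the diagnosis code and admission year) is still the investigator's responsibility.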

A limited dataset is a limited set of identifiable information in which most of the HIPAA identifiers for the individual, the individual’s relatives, employers and household members have been removed. The only allowable health information identifiers are:

  • 5 digit zip code (the 4 digit extension is not allowed)
  • dates of birth, death, admission, discharge
  • all geographic subdivisions other than street address

The advantages of using a limited dataset include that the disclosures are not subject to HIPAA accounting requirements and that an individual’s authorization does not need to be obtained. However, the covered entity (the provider of the data) will require the recipient of the data to sign a Data Use Agreement giving assurances that the information will be protected.

Note: The use of a limited dataset will not require IRB approval, since OHRP does not consider that a limited data set meets the definition of a “human subject”.

Yes, researchers accessing protected health information (PHI) will be required to complete the CITI Health Information Privacy and Security (HIPS) Training in addition to the standard CITI IRB Human Subject Training.

U.S. Federal laws do not apply to studies conducted in foreign countries. The standard methods of protecting confidentiality and privacy in research with human subjects still apply, and you should have these in place. However, HIPAA may apply if identifiable protected health information will be brought back to the US for analysis.

Investigators are required by HHS regulations to keep signed informed consent forms for at least 3 years after the completion of the study. Investigators are required to keep signed HIPAA Authorization Forms for at least 6 years from the date of creation or the date when it last was in effect, whichever is later.