Obtaining human research data under HIPAA

Obtaining human research data under HIPAA is a complicated process that we have tried to summarize with this representation of a decision tree. If you have any issues understanding the illustration of the process or the text alternative version, please contact Research Integrity & Security for assistance.

Flowchart: Obtaining Human Research Data Under HIPAA

Question 1: Will your study access, create, use, and/or disclose protected health information?
No. HIPAA and associated requirements do not apply. Submit protocol directly to the IRB.
Yes. See Question 2.

Question 2: Will it contain any of the 18 HIPAA-defined personal identifiers?
No. HIPAA and associated requirements do not apply. Submit protocol directly to the IRB.
Yes. These data are PHI and protected by HIPAA. See Question 3.

Question 3: Is this a review preparatory to research?
Yes. See Question 4.
No. See Question 6.

Question 4: Does it involve 50 or fewer participants?
Yes. See Question 5.
No. See Question 6.

Question 5: Will PHI leave the premises?
Yes. Obtain IRB approval. See Question 8.
No. Request a waiver of authorization and informed consent from the IRB. Obtain IRB approval. See Question 8.

Question 6: Is there minimal risk of PHI disclosure?
Yes.

  1. Request a waiver of authorization and informed consent from the IRB.
  2. Obtain IRB approval. See Question 8.

No. See Question 7.

Question 7: Will you use only service dates or 3-digit ZIP codes?
No. Obtain IRB approval. See Question 8.
Yes.

  1. Prepare a Data Use Agreement and request a Limited Dataset.
  2. Obtain IRB approval. See Question 8.

Question 8: Is this decedent research?
Yes.

  1. Present proof of dates of death to the IRB.
  2. Request PHI from entity providing the PHI. Obtain Data Use Agreement or Business Associates Agreement.
  3. Proceed with research.

No.

  1. Obtain written HIPAA authorization from patients/participants.
  2. Request PHI from entity providing the PHI. Obtain Data Use Agreement or Business Associates Agreement.
  3. Proceed with research.