HIPAA and human subjects research

Conducted under the University's Human Subjects Protection Program



The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted by the U.S. Congress to regulate the protection of private health information for individuals. HIPAA’s Privacy Rule establishes the conditions under which a covered entity can provide faculty, staff and clinicians (hereafter referred to as the researcher) access to and use of protected health information (PHI) when necessary to conduct research. The Privacy Rule applies only to PHI held or maintained by a covered entity, its business associate, and anyone “downstream” of a business associate (e.g., a subcontractor who maintains PHI) acting for the covered entity.

When Do Researchers Need to Apply to the University of Nevada, Reno IRB?

If a study conducted by a University or Affiliate researcher will involve access, use, disclosure or creation of PHI, she/he/they must submit an application to the University IRB for review and approval. Researchers planning to use PHI held by an outside institution (non-University PHI) are also required to submit an application to the IRB for review, but must follow the HIPAA requirements of the institution(s) holding those records.

Important Concepts

What is a Covered Entity?

A covered entity is a health plan, a health care clearinghouse, or a health care provider who electronically transmits health information in connection with a transaction for which the US Department of Health and Human Services (HHS) has adopted a standard (e.g., transactions concerning billing and payment for services or insurance coverage). A covered entity can be an institution, organization, or individual.

Is the University of Nevada, Reno a Covered Entity?

The Regents of the Nevada System of Higher Education (NSHE) have elected to designate the system, including the University of Nevada, Reno, a “hybrid entity” under HIPAA, which means the University has both covered and non-covered functions. Most HIPAA regulations only apply to covered functions. Units within the University’s health care component are the University of Nevada School of Medicine (UNSOM), which includes Campus Pharmacy – Reno, Department of Psychiatry and Behavioral Sciences, Department of Speech Pathology and Audiology, Family Medicine Center, Internal Medicine and Multispecialty Clinic, Mojave Adult, Child and Family Services, Patient-Centered Family Medicine Center, Pediatric Center, and the Wellness and Weight Management Center.

Additional covered entities at the University include the University of Nevada Student Health Center, the University of Nevada Psychological Services Center, and the Behavioral Health Patient Care Center.

Additionally, to the extent that other campus units perform services for these covered components (e.g., storage of PHI, legal, audit, accounting, information technology, Institutional Review Boards, etc.), they are part of the health care component and must comply with the Privacy Rule. Disclosures of PHI by these covered functions to the rest of the University are regulated by the Privacy Rule and treated like disclosures to entities outside the University.

Are University Human Research Protection Program Affiliated Sites Covered Entities?

For purposes of compliance with HIPAA, Renown Health, Saint Mary’s Regional Health Center, and the VA Sierra Health Care System are also covered entities which must comply with HIPAA requirements.

When is Research at the University or Affiliated Sites Subject to HIPAA Privacy Requirements?

Research is subject to HIPAA privacy requirements when it is conducted alone or in conjunction with the provision of health care services by individuals who are part of a covered entity or component.

For example, an optometrist who conducts a clinical trial with experimental contact lenses in the course of providing routine care to patients would be subject to the HIPAA Privacy Rule and would produce Protected Health Information (PHI) as part of the study.

What is PHI?

Protected Health Information (PHI) is individually identifiable health information (see the list of Personal Identifiers under HIPAA) transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates. The Privacy Rule protects the PHI of both living and deceased individuals.

See the Research Integrity Policy Manual Definitions for definitions of “Protected Health Information,” “Research Health Information,” and “De-Identified PHI.”

Under the Privacy Rule, the definition of PHI excludes individually identifiable health information that is maintained in education records covered by the US Family Educational Rights and Privacy Act (FERPA).

What is De-identified Health Information?

De-identified health information is a record in which identifying information has been removed to render the health information not subject to HIPAA’s Privacy Rule. Researchers may use or disclose de-identified health information, without restriction, since it is not PHI and thus is not protected by the Privacy Rule.

Covered entities seeking to release health information to researchers must determine that the information has been de-identified using either of the following methods: (1) by removing all 18 elements that could be used to identify the individual or the individual's relatives, employers, or household members (see the list of Personal Identifiers under HIPAA), or (2) by using statistical methods to establish de-identification.

How Can PHI Be Accessed for Research?

  1. Obtaining Subject Permission through an Authorization Form
  2. Obtaining an IRB Waiver or Alteration of Authorization
  3. Using a Limited Data Set with a Data Use Agreement
  4. Using PHI for Activities Preparatory to Research
  5. Use or Disclosure of Decedents’ PHI

Authorization Form

An Authorization Form is a form through which a research subject’s signed permission is obtained to allow a covered entity to use and disclose his/her PHI for research purposes. In the case of minors, a signed Authorization Form is obtained from the minor’s parent or legal guardian.

Obtaining HIPAA Authorization is required in addition to obtaining informed consent to participate in research. An Authorization Form focuses on privacy risks and states how, why, and to whom the PHI will be used and/or disclosed for research. This Authorization pertains to a specific research study.

The subject must be given a copy of the signed form to keep for his/her records. Also, the researcher must retain the signed form for six (6) years from the date of creation or the date it was last in effect, whichever is later.

Researchers can find a copy of the University's HRPP HIPAA Authorization Form in the forms library of the online IRB protocol submission system, IRBNet.

HIPAA Waiver or Alteration of Authorization

A Waiver or Alteration of Authorization can be requested when researchers are unable to use de-identified health information and the research could not practicably be conducted if research participants’ authorization were required.

For research uses and disclosures of the University's PHI, the IRB may approve a waiver or an alteration of the Authorization requirement in whole or in part. A complete waiver is when the IRB determines that no Authorization is required for use or disclosure of PHI for a particular research project. A partial waiver of Authorization occurs when the IRB determines that a covered entity does not need Authorization for certain PHI uses and disclosures for research purposes, such as disclosing PHI for research recruitment purposes. An Alteration of Authorization occurs when the IRB is asked to waive one or more required elements of informed consent. For example, if the purpose of the study will not be disclosed to participants in order to avoid bias, this is an alteration because disclosure of the "purpose" is a required element of participant authorization. The IRB may also approve a request to alter or waive the requirements for Authorization under the condition that some PHI be removed from the proposed use or disclosure.

All of the following criteria must be met for the IRB approval of a waiver or alteration of Authorization requirements for use or disclosure of University patient data:

  1. The use or disclosure of the PHI involves no more than minimal risk to the privacy of individuals based on the presence of, at minimum, the following elements:
    1. An adequate plan to protect health information identifiers from improper use and disclosure;
    2. An adequate plan to destroy identifiers at the earliest opportunity consistent with conduct of the research (absent a health or research justification for retaining them or a legal requirement to do so); and
    3. Adequate written assurances that the PHI will not be reused or disclosed to (shared with) any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of the PHI would be permitted under the Privacy Rule.
  2. The research could not practicably be conducted without the waiver or alteration.
  3. The research could not practicably be conducted without access to and use of the PHI.

If a researcher has used or disclosed PHI for research with the IRB approval of a waiver or alteration of Authorization, documentation of that approval must be retained by the researcher for six (6) years from the date of its creation or the date it was last in effect, whichever is later.

Researchers can find a copy of the University's HRPP HIPAA Waiver of Authorization Form in the forms library of the online IRB protocol submission system, IRBNet.

Limited Data Set with a Data Use Agreement

With the establishment of an appropriate data use agreement (i.e., meets HIPAA requirements, including limiting further use or disclosure of PHI) between the holder of the PHI and the researcher, a limited data set may be used or disclosed for research purposes without obtaining either an individual's Authorization or a waiver or an alteration of Authorization.

A Limited Data Set refers to PHI that excludes the following 18 categories of direct identifiers under HIPAA. Inclusion of any of the following 18 variables means the health information is individually identifiable.

  • Names
  • Geographic subdivisions smaller than a state (e.g., street address, city, county, etc.)
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • Biometric identifiers, including finger or voice prints
  • Full face photographic images and any comparable images
  • Internet Protocol address numbers
  • Any other unique identifying number, characteristic, or code

The above identifiers must be removed from health information about the individual and the individual's relatives, employers, or household members if the data are to qualify as a limited data set.
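The following is an added example, not material from the University's HRPP page or its forms: a Python routine that applies the first de-identification method described above (removal of the listed identifier categories) to a structured record. It drops the fields that carry a listed identifier, keeps only the year of any date, aggregates ages over 89 into a single 90-or-older category (the page lists such ages among the elements to remove; the federal Safe Harbor rule permits this single aggregate category), keeps geography only at state level, and redacts identifier-like tokens that have leaked into free text. Field names, regular expressions, and every value in the sample record are constructed for the example.

```python
"""Safe Harbor-style de-identification of a constructed patient record.

Added example (not from the University's HRPP page): drops the listed direct
identifier fields, keeps only the year of dates, aggregates ages over 89, keeps
geography at state level, and redacts identifier-like tokens in free text.
"""
import re
from datetime import date

# Structured fields that carry one of the 18 listed identifier categories;
# these are dropped outright. Field names are assumptions for the sample.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "zip",        # geography below state
    "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_no", "license_no", "vehicle_id", "device_serial",
    "url", "ip", "biometric", "photo",
}

# Date fields are reduced to the year, the only date element that is kept.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Heuristic patterns for identifiers that leak into narrative text. The list
# cannot be exhaustive (the last category is "any other unique identifying
# number, characteristic, or code"), so hits are reported, not silently dropped.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def generalize_date(value):
    """Keep only the year of a date (datetime.date or ISO 'YYYY-MM-DD' string)."""
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def generalize_age(age):
    """Ages over 89 collapse into the single '90+' category."""
    return "90+" if age > 89 else age


def redact_free_text(text):
    """Replace identifier-like tokens with labelled placeholders.

    Returns the redacted text and the kinds of identifier that were found.
    """
    found = []
    for kind, pattern in FREE_TEXT_PATTERNS.items():
        text, count = pattern.subn(f"[{kind.upper()}]", text)
        if count:
            found.append(kind)
    return text, found


def deidentify(record):
    """Return (de-identified record, findings) for one structured record.

    findings lists (field, [kinds]) for every free-text field that needed
    redaction, so a reviewer can see where identifiers were leaking.
    """
    clean, findings = {}, []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # removed entirely
        if field in DATE_FIELDS:
            clean[field.replace("_date", "_year")] = generalize_date(value)
        elif field == "age":
            clean[field] = generalize_age(value)
        elif isinstance(value, str):
            redacted, kinds = redact_free_text(value)
            if kinds:
                findings.append((field, kinds))
            clean[field] = redacted
        else:
            clean[field] = value
    return clean, findings


def remaining_direct_identifiers(record):
    """Fields of a record that still fall in a dropped identifier category."""
    return sorted(set(record) & DIRECT_IDENTIFIER_FIELDS)


# Constructed sample record; every value here is invented for the example.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "street": "12 Example St",
    "city": "Reno",
    "state": "NV",
    "birth_date": date(1931, 4, 12),
    "admission_date": "2023-06-03",
    "age": 92,
    "diagnosis_code": "E11.9",
    "clinical_note": ("Follow-up call to 775-555-0100; patient prefers "
                      "email jq@example.invalid. Seen 2023-06-03."),
}

if __name__ == "__main__":
    cleaned, notes = deidentify(SAMPLE_RECORD)
    for key, val in cleaned.items():
        print(f"{key}: {val}")
    print("free-text redactions:", notes)
    print("direct identifiers left:", remaining_direct_identifiers(cleaned))
```

The structured part is mechanical; the hard part is narrative text, which is why the routine returns findings instead of silently passing a record that contained a phone number or e-mail address. The regular expressions are a heuristic, not a guarantee, which is also why the second method on the page (statistical or expert determination) exists for data that cannot be cleaned field by field.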

Activities Preparatory to Research

For activities involved in preparing for research, covered entities may disclose PHI to a researcher without an individual's Authorization, a waiver or an alteration of Authorization, or a data use agreement. However, the covered entity must obtain from the researcher the following written or oral representations:

  1. The use or disclosure is requested solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research.
  2. The PHI will not be removed from the covered entity in the course of review.
  3. The PHI for which use or access is requested is necessary for the research.

Decedents’ PHI

The Privacy Rule protects the PHI of deceased individuals. Research that uses or discloses decedent PHI must comply with applicable HIPAA regulations. (Note that HIPAA protections cease for PHI of individuals deceased for more than 50 years.) Authorization from the personal representative or next of kin, a waiver or alteration of the Authorization, and/or a data use agreement are not required by HIPAA in order to use decedent PHI.

Use of decedent health information does not require IRB review and approval if it has been de-identified before receipt by the researchers or does not meet the definition of PHI, as described in the sections above. However, if the study involves the researchers having direct access to decedent medical records or PHI, even if identifiers will not be recorded by the researchers, an application must be submitted for IRB review and approval.

Before releasing decedent PHI, the covered entity must obtain the following information from the researcher:

  1. The researcher provides oral or written representations that the use and disclosure is sought solely for research on the PHI of decedents.
  2. The researcher provides oral or written representations that the PHI for which use or disclosure is sought is necessary for the research purposes.
  3. The researcher provides documentation of the death of the individuals whose PHI is sought by the researchers.


HIPAA Training

Researchers who plan to use PHI are subject to the requirements of HIPAA and must complete the HIPAA Research Training before their IRB protocol will be approved.

Additional Information

For additional information on research and HIPAA, please visit the links below and/or contact Research Integrity & Security.