The HIPAA Privacy Rule & Human Subjects Research – Overview


The HIPAA Privacy Rule (the “Privacy Rule”) may impose requirements in addition to the federal human subjects protection regulations that apply to all human subjects research.

The purpose of this overview is to clarify concepts and apply them to commonly seen human subjects research activities and studies. Specifically, the sections below highlight some of the main provisions of the Privacy Rule as they relate to human subjects research.

A series of questions and answers explains the scope of the Privacy Rule and the difference between an Authorization, a Waiver of HIPAA Authorization and an Alteration of HIPAA Authorization. In addition, several sections explain how to address the Privacy Rule in recruitment activities and when using specimens for research studies. Examples of research activities and the appropriate HIPAA forms are included in some of those sections.


Section A- Questions related to the Privacy Rule and Human Subjects Research


The Privacy Rule regulates the way certain organizations, called covered entities under the Rule, handle protected health information (PHI). Since UConn Health is a covered entity, investigators conducting research with UConn Health PHI need to address HIPAA.


Question: How do I know if I need to address the Privacy Rule in my research study?

Answer: The Privacy Rule affects research and researchers when either:

Research creates or generates PHI, or research requires access to and/or use of PHI.

If your study involves the use of PHI you must address the Privacy Rule within your application for approval. PHI means individually identifiable health information transmitted or maintained in any form (electronic means, on paper, or through oral communication) that relates to the past, present or future physical or mental health or condition of an individual. Health information is not considered PHI if it has been de-identified in accordance with the Privacy Rule (i.e., by expert analysis or by removing all identifiers specified in the Privacy Rule of the individual or of relatives, employers, or household members of the individual).

Examples of research studies for which the HIPAA regulations apply are:

  • Studies using individually identifiable health information that is generated as part of a health care service.
  • Studies gathering individually identifiable health information that is entered into a medical record.
  • Studies gathering individually identifiable health information that is used to make treatment decisions.
  • Retrospective or Prospective research studies involving the review of medical records.
  • Research studies involving surveys, questionnaires or focus groups, which obtain PHI from patients receiving treatment.


Question: When does the Privacy Rule not apply to research?

Answer: Research studies that do not use, disclose or create PHI are not subject to HIPAA regulations.

Examples of studies that are not subject to HIPAA:

  • Studies that use tests that do not go into the medical record because they are part of a basic research study and the results will not be disclosed to the subject.
  • Studies that review de-identified health information.
  • Studies that obtain data from records open to the public.
  • Interview, focus group, and survey studies that collect information that is not considered health information (e.g., opinions, beliefs, wants/preferences, etc.).


Question: What is the difference between HIPAA “Authorization” and Informed Consent?

Answer: An informed consent is the individual’s voluntary permission to participate in the research. The requirement to obtain the legally effective informed consent of individuals before involving them in research is one of the central protections provided for under the HHS regulations at 45 CFR part 46 (also known as the Common Rule). The Common Rule’s focus is on protecting the safety of the individuals, their privacy, and confidentiality. To do so, the investigators need to include in the consent forms the applicable elements/information described in the Main Consent Form Checklist.doc.

The Privacy Rule, a different regulation, focuses on protecting the privacy and security of PHI. The Privacy Rule generally requires subjects to give written Authorization before a covered entity may use or disclose patients’ PHI for research. A signed HIPAA Authorization represents an individual’s agreement to the use and disclosure of the individual’s PHI for the specified research purpose.

An authorization must contain several required elements and statements, including but not limited to a description of the PHI to be used and disclosed, the person(s) authorized to make the use or disclosure, the person(s) to whom the researcher may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed.


Section B- Questions related to Waiver of HIPAA Authorization and Alteration of HIPAA Authorization


The IRB may approve a HIPAA authorization process that omits or alters some or all of the elements of a valid written authorization, or may waive the requirement for written HIPAA authorization altogether, if the IRB finds and documents that the use of the subjects’ PHI meets the criteria for a waiver.

In granting an alteration or waiver of HIPAA authorization, the IRB must determine that the alteration or waiver, in whole or in part, satisfies each of the following criteria:

  • The use or disclosure of PHI involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
      • an adequate plan to protect the identifiers from improper use and disclosure;
      • an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
      • adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted (i.e., under the HIPAA regulations).
  • The research could not practicably be conducted without the waiver or alteration; and
  • The research could not practicably be conducted without access to or use of the PHI.


Question: What is the difference between a partial and complete Waiver of HIPAA Authorization?

Answer: A waiver of HIPAA authorization is a determination that is made by the IRB. An IRB can waive in full or in part the individual authorization required by the Privacy Rule to use and disclose PHI for research purposes.

Example of a research study for which the IRB may grant a complete waiver of the Authorization:

  • A research study limited to a retrospective review of medical records (HIPAA Waiver for the entire study).

Example of a research study for which the IRB may grant a partial waiver of the Authorization:

  • A research study collecting information during telephone screening (HIPAA Waiver for a portion of the study).

To request a waiver of HIPAA authorization the investigator must complete pages 1 and 2 of the HIPAA Request for Alteration or Waiver of Authorization.doc form and submit this document to the IRB for review and approval prior to using and/or disclosing PHI.


Question: Is it possible to get a HIPAA waiver to screen patient charts without having each patient first sign an Authorization form?

Answer: Yes. The Privacy Rule allows certain activities regarding screening, recruiting or determining eligibility (e.g., chart reviews for determining eligibility) to occur without obtaining a HIPAA authorization.

The investigator must submit a HIPAA Request for Alteration or Waiver of Authorization.doc. The waiver must be granted by the IRB before charts are screened.


Question: What is a HIPAA Alteration of the Required Elements and/or Statements?

Answer: A HIPAA Alteration of the Required Elements and/or Statements is a regulatory determination that is made by the IRB. An IRB can approve omitting (waiving) or changing (altering) in part the individual authorization required by the Privacy Rule to use and disclose PHI for research purposes.


When investigators are planning to obtain an individual’s authorization to access their information, and they need to either remove (waive) or change (alter) some of the core elements or statements of an authorization, they must complete and submit Appendix A. Appendix A is on the fourth page of the HIPAA Request for Alteration or Waiver of Authorization.doc form. The IRB must approve this request prior to the use and/or disclosure of PHI.


Example of an alteration of the authorization:

  • An authorization from which the element that describes each purpose of the requested use or disclosure is removed (waived), because disclosing the purpose of the study would affect the results of the study.


Examples of studies withholding information about the study purpose and/or reason for procedures, in order to prevent biasing the results:

  • Subjects are asked to take a quiz for research but they are not told that the research question involves how background noise affects their ability to concentrate.
  • To further understanding of how representations of same sex couples depicted in commercials influence consumer behavior, subjects are exposed to advertisements featuring gay couples and straight couples while their heart rate, facial muscle movement, and sweat responses are recorded. Subjects are informed that their reactions to the commercials are being studied, but not that the researchers are examining whether the sexual orientation of characters in commercials influences them.

To request to alter the HIPAA authorization, the investigator needs to submit a HIPAA Request for Alteration or Waiver of Authorization.doc and Appendix A.


Example of a research study that requires waiving documentation/signature of the authorization:

  • Research on sensitive topics, such as domestic violence or illegal activities, where the only link between a subject and the study is their signature on the authorization, and there is a risk of breach of confidentiality.

To request a waiver of the participant’s signature on the HIPAA authorization, the investigator needs to submit a HIPAA Request for Alteration or Waiver of Authorization.doc and Appendix A.


Section C- Questions Related to IRB Review and the Privacy Rule when Using Specimens for Research


Because the federal definition of human subjects research extends to people who are sources of biological specimens and identifiable private information, research with these materials often requires review and approval by the IRB. The level of IRB review is based on the level of risk the study poses.

The risks of research with specimens potentially include one or both of the following:

  • The risk of harm from procedures used to obtain specimens, and/or
  • The risk associated with the loss of privacy and confidentiality due to personally identifiable information that may be associated with specimens.

Common questions involving research using human specimens are summarized below.


Question:  What type of IRB review is required for a research project using existing specimens? What HIPAA form do I need to submit?

Answer: It depends on whether the existing specimens are identifiable. Existing specimens are specimens that were collected for clinical purposes or for research studies other than the proposed research study.

If the existing specimens are not identifiable, and if the investigator will make no effort to re-identify the specimens, the specimens do not meet the definition of a human subject and IRB review would not be required.

On the other hand, if the specimens are identifiable, or efforts will be made to re-identify the samples, IRB review is required.

Research that only involves the use of existing identifiable specimens may qualify for exemption if one of the following is true:

  • The specimens are publicly available.
  • Information is recorded in such a manner that the identity of the human subject cannot readily be ascertained directly or through identifiers linked to the subjects, the investigator does not contact the subjects, and the investigator will not re-identify subjects. In this case, the research may qualify for exempt status under Category 4.ii.

To address HIPAA, submit a HIPAA Certification of De-Identification.doc.

On the other hand, research involving previously collected specimens that have identifiers associated with them most likely qualifies for expedited review under Category 5. Use of specimen-associated identifiers must be restricted and privacy protection measures must be in place.

To address HIPAA, submit a HIPAA Request for Alteration or Waiver of Authorization.doc.


Question:  What type of IRB review is required for a research project using specimens that will be collected for research purposes by noninvasive means? What HIPAA form do I need to submit?

Answer: Research that involves the collection of specimens for research purposes by noninvasive means may qualify for expedited review under Category 3.

Examples of these noninvasive collections of specimens are:

  1. Hair and nail clippings in a non-disfiguring manner
  2. Deciduous teeth at time of exfoliation or if routine patient care indicates a need for extraction
  3. Permanent teeth if routine patient care indicates a need for extraction
  4. Excreta and external secretions (including sweat)
  5. Uncannulated saliva collected either in an unstimulated fashion or stimulated by chewing gum base or wax or by applying a dilute citric solution to the tongue
  6. Placenta removed at delivery
  7. Amniotic fluid obtained at the time of rupture of the membrane prior to or during labor
  8. Supra- and subgingival dental plaque and calculus, provided the collection procedure is not more invasive than routine prophylactic scaling of the teeth and the process is accomplished in accordance with accepted prophylactic techniques
  9. Mucosal and skin cells collected by buccal scraping or swab, skin swab, or mouth washings
  10. Sputum collected after saline mist nebulization


You will need to submit a HIPAA Authorization to Use and Disclose PHI for Research Purposes.doc.

Question:  What type of IRB review is required for a research project using specimens collected for research purposes by invasive means? What HIPAA form do I need to submit?

Answer: Research that involves the collection of specimens for research purposes by invasive means, or using procedures that pose greater than minimal risk to participants, must undergo full committee review by the IRB.

Examples of these invasive collections of specimens are:

  • Collection of specimens through a skin biopsy
  • Collection of specimens through a bronchoscopy, amniocentesis or colonoscopy


You will need to submit a HIPAA Authorization to Use and Disclose PHI for Research Purposes.doc.

Question: My research study involves collecting sputum and lung aspirates from clinical procedures involving chronic smokers that are otherwise going to be thrown away. The specimens will be provided by the pathology department without identifiers. The pathologist will not be involved in the research. Do I have to get IRB review? If so, what HIPAA form do I need to submit?

Answer: You do not need to submit an application for IRB review, nor do you need to submit a HIPAA form. Your research is considered secondary research that is not human subjects research because: (a) the specimens were originally collected for clinical care and not specifically for the purpose of the investigator’s current research, (b) the specimens do not come with individually identifiable information, and (c) there is no interaction or intervention done specifically for the research.


Section D- Questions related to the Privacy Rule & Recruitment Activities


The IRB may approve a research proposal in which an investigator will obtain information for the purpose of screening, recruitment or determining the eligibility of prospective subjects without the prospective subject’s HIPAA authorization; however, the following conditions must be met:

  • The investigator will obtain information related to screening, recruiting or determining eligibility through oral or written communication with the prospective subject.
  • The investigator will obtain identifiable information or identifiable biospecimens for screening, recruiting or determining eligibility by accessing records or stored identifiable biospecimens.
  • In order to access records or specimens for such purposes, there must be an established relationship between the investigator and the individuals whose records/specimens will be reviewed. The investigator may delegate the review to designated UConn Health research staff.


Question: At what point in recruitment may we gather information about a potential participant (e.g., if a potential participant calls our office after seeing a flyer, may we screen that person and ask them about their history, or do we need the person to complete a written HIPAA Authorization prior to screening)?

Answer: If the IRB has approved your recruitment plan, including a partial waiver of Authorization to permit you to collect PHI for screening without written Authorization, you may take the person’s contact and screening information. Investigators must also submit to the IRB a phone script using the Sample Phone Script for Screening Prior to Consent.doc. The IRB must approve the script prior to collecting information from potential participants over the phone.

The potential participant should know that, in order to evaluate whether he or she is a candidate for the research, the researcher will need to share the caller’s information, and the caller may need to share information, with a limited number of others who staff the study. If the person is deemed qualified for the study, then he/she will be asked to come in to sign an informed consent and a HIPAA Authorization. To protect the privacy of the potential participant, all the information they provide will be kept only if he/she qualifies to proceed and decides to participate in the study.


Section E- Questions Related to HIPAA Identifiers and Coded Data/Specimens


Question: HIPAA specifies 18 identifiers that must be removed to “de-identify” health information. Is any one of these identifiers, all by itself, PHI?

Answer: Not necessarily. PHI is information, including demographic information, which relates to (i) the individual’s past, present, or future physical or mental health or condition; (ii) the provision of health care to the individual; or (iii) the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. If the only identifier you have is a DOB and that DOB is not linked to any other health information and could not be sourced to a provider (e.g., UConn Health), the DOB alone would not be PHI. However, if the DOB is coupled with other information, such as “a patient at UConn Health” or “was one of 15 enrollees in a particular study,” this combination would be PHI.


Question: What do coded information or coded specimens mean?

Answer: The Office for Human Research Protections (OHRP) has defined coded as:

  • identifying information (such as name or social security number) that would enable the investigator to readily ascertain the identity of the individual to whom the private information or specimens pertain has been replaced with a number, letter, symbol, or combination thereof (i.e., the code); and
  • a key to decipher the code exists, enabling linkage of the identifying information to the private information or specimens.

OHRP considers the term investigator to include anyone involved in conducting the research. OHRP does not consider the act of solely providing coded private information or specimens (for example, by a tissue repository) to constitute involvement in the conduct of the research. Note that if the individuals who provide coded information or specimens collaborate on other activities related to the conduct of this research with the investigators who receive such information or specimens, then OHRP would consider such additional activities to constitute involvement in the conduct of the research.

Examples of such additional activities include, but are not limited to:

(1) The study, interpretation, or analysis of the data resulting from the coded information or specimens; and

(2) Authorship of presentations or manuscripts related to the research.


Question: Is coded information identifiable?

Answer: The Privacy Rule considers coded information to be de-identified if the 18 specific identifiers of the individual or of relatives, employers, or household members of the individual, listed below, are coded and the person cannot reasonably be identified.

However, that code needs to be assigned by someone other than the investigator.  The code cannot be derived from any identifiable piece of information or combination of pieces of identifiable information.  The key to the code cannot be accessible to the investigator or research personnel using the de-identified data.

  • Names;
  • Address (including street address, city, county, zip code). The initial three digits of a zip code may be used if, according to the current publicly available data from the Bureau of Census: 1) the area formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and 2) the initial three digits of a zip code for a region containing 20,000 or fewer people is changed to 000;
  • All elements of dates (except year) for dates directly related to an individual (birth date, admission date, discharge date, date of death), and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social Security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers (bank, retirement, credit card, etc.);
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints;
  • Full face photographic images and comparable images; and
  • Any other unique identifying number, characteristic or code.
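As an added example (not part of this overview or of any UConn Health form), the following Python applies the identifier-removal rules listed above, including the three-digit zip code, date and over-89 age rules, to a constructed patient record, and shows the coding model from the previous answer: a random study code not derived from any identifier, with the key held apart from the investigator. The set of low-population zip prefixes and the reference date are assumptions; the rule itself requires current Census data.

```python
"""Added example, not part of the UConn Health overview: a Safe Harbor-style
de-identification pass and an honest-broker coding step for a constructed
patient record, following the identifier list and the zip/date/age rules
quoted above.  ASSUMPTIONS: the low-population zip prefixes are a made-up
sample (the rule requires current Census data) and the reference date is
fixed so the age arithmetic is reproducible."""
import re
import secrets
from datetime import date

# Direct identifiers from the page's list: removed outright, never transformed.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
# CONSTRUCTED sample of 3-digit zip prefixes covering 20,000 or fewer people.
LOW_POPULATION_PREFIXES = frozenset({"036", "059"})
REFERENCE_DATE = date(2024, 1, 1)  # assumed "as of" date for age calculation

def deidentify_zip(zipcode, low_population=LOW_POPULATION_PREFIXES):
    """Keep the first three digits unless that area is too small, then 000."""
    prefix = re.sub(r"\D", "", zipcode)[:3]
    return "000" if len(prefix) < 3 or prefix in low_population else prefix

def age_on(birth_date, as_of):
    """Completed years between birth_date and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - (0 if had_birthday else 1)

def deidentify_record(record, as_of=REFERENCE_DATE,
                      low_population=LOW_POPULATION_PREFIXES):
    """Return a Safe Harbor view of record (a dict of field -> value)."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # e.g. name, MRN, SSN, e-mail, IP
        if field == "zip":
            out["zip3"] = deidentify_zip(value, low_population)
        elif field.endswith("_date"):     # dates tied to the individual: year only
            out[field[:-5] + "_year"] = value.year
        else:
            out[field] = value
    if "birth_date" in record:
        age = age_on(record["birth_date"], as_of)
        if age > 89:                      # ages over 89 collapse to one bucket,
            out.pop("birth_year", None)   # and the birth year that reveals them goes too
            out["age"] = "90+"
        else:
            out["age"] = age
    return out

def code_record(record, key_store):
    """Honest-broker coding: a random code not derived from any identifier;
    the code -> MRN key stays in key_store, which the investigator never gets."""
    code = secrets.token_hex(4)
    key_store[code] = record["mrn"]
    coded = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    coded["study_code"] = code
    return coded

# Constructed sample records (fictitious values).
SAMPLE_ELDERLY = {"name": "Jane Sample", "mrn": "MRN-000123", "ssn": "000-00-0000",
                  "zip": "06030-1234", "birth_date": date(1930, 6, 15),
                  "admission_date": date(2023, 3, 2), "diagnosis": "COPD"}
SAMPLE_ADULT = {"name": "John Sample", "mrn": "MRN-000456", "zip": "03601",
                "birth_date": date(1980, 2, 29), "diagnosis": "asthma"}

if __name__ == "__main__":
    print(deidentify_record(SAMPLE_ELDERLY))   # zip3 060, age 90+, no birth year
    print(deidentify_record(SAMPLE_ADULT))     # zip3 000, birth_year 1980, age 43
```

Note that `deidentify_record` only covers the structured fields it is given; free-text notes need a separate review for the same identifiers.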



  • HIPAA Privacy Rule and Its Impacts on Research (nih.gov)
  • 2011-014.0.pdf – Health Insurance Portability and Accountability Act (HIPAA) in Research