Obtaining human research data under HIPAA
Obtaining human research data under HIPAA is a complicated process that we have tried to summarize with this representation of a decision tree. If you have any issues understanding the illustration of the process or the text alternate version please contact Research Integrity & Security for assistance.
View a text alternative for the infographic.
Question 1: Will your study access, create, use, and/or disclose protected health information?
No. HIPAA and associated requirements do not apply. Submit protocol directly to the IRB.
Yes. See Question 2.
Question 2: Will it contain any of the 18 HIPAA-defined personal identifiers?
No. HIPAA and associated requirements do not apply. Submit protocol directly to the IRB.
Yes. These data are PHI and protected by HIPAA. See Question 3.
Question 3: Is this a review preparatory to research?
Yes. See Question 4.
No. See Question 6.
Question 4: Does it involve 50 or fewer participants?
Yes. See Question 5.
No. See Question 6.
Question 5: Will PHI leave the premises?
Yes. Obtain IRB approval. See Question 8.
No. Request a waiver of authorization and informed consent from the IRB. Obtain IRB approval. See Question 8.
Question 6: Is there minimal risk of PHI disclosure?
Yes.
- Request a waiver of authorization and informed consent from the IRB.
- Obtain IRB approval. See Question 8.
No. See Question 7.
Question 7: Will you use only service dates or 3-digit ZIP codes?
No. Obtain IRB Approval. See Question 8.
Yes.
- Prepare a Data Use Agreement and request a Limited Dataset.
- Obtain IRB approval. See Question 8.
Question 8: Is this decedent research?
Yes.
- Present proof of dates of death to the IRB.
- Request PHI from entity providing the PHI. Obtain Data Use Agreement or Business Associates Agreement.
- Proceed with research.
No.
- Obtain written HIPAA authorization from patients/participants.
- Request PHI from entity providing the PHI. Obtain Data Use Agreement or Business Associates Agreement.
- Proceed with research.