The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that has several provisions affecting research that involves health-related data from human research participants. The HIPAA Privacy Rule establishes for the first time a set of requirements for protecting the confidentiality of person-identifiable data arising as a result of health care services, and includes the requirement that authorization (i.e., consent) be obtained in most cases before this type of data is used for research purposes. The Privacy Rule also requires that research plans for use of this type of data undergo review and approval by an Institutional Review Board (IRB) or Privacy Board.  At UCSD, the Human Research Protections Program is the focal point for compliance with the research provisions of HIPAA.

Provided here are links to help investigators to understand what HIPAA is, to determine whether their research is subject to HIPAA regulations, and if it is, to assist in complying with HIPAA requirements:

Frequently Asked Questions about HIPAA Research

FAQs about HIPAA and Research

Tutorial/Assessment program on Research Aspects of HIPAA

Test your knowledge of the Research aspects of HIPAA. After completing the tutorial, you receive a personalized training certificate.

Criteria for Waiver of Authorization (see item 12, Informed Consent, page 7)

Waiver authorization for studies proposing to do medical records review or use of existing tissue and data that is person-identifiable.

HIPAA Fact Sheet of De-identification

More HIPAA information regarding anonymization of health information.

What is and is not PHI in a research setting

A white paper from the University of California systemwide Task Force on HIPAA.

Sample HIPAA Authorization Forms

These forms are designed to accompany the informed consent document if the project uses Protected Health Information (PHI). Researcher should keep this form in the project's research records along with the signed consent, and give a copy to the participant.

• UCSD HIPAA authorization form - English
• UCSD HIPAA authorization form - Spanish
• UCSD Health System HIPAA authorization form

Privacy practices referenced by the HIPAA authorization language.

UCSD Notice of Privacy Practices - English

UCSD Notice of Privacy Practices - Spanish

UCSD Revocation of Authorization to use HIPAA PHI

These include both English and Spanish versions

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule

NIH publication in PDF format that covers basic HIPAA concepts relevant to research.

California Office of HIPAA implementation

Information on California-specific aspects of HIPAA

Text of the HIPAA Privacy Rule

HIPAA Privacy rules on the federal DHHS website

Text of the California Confidentiality of Medical Information Act (CMIA)

California law that is "more restrictive" than HIPAA and adds additional requirements, such as requiring that authorization for use of personally identifiable information be separately signed.

US Office of Civil Rights (OCR) HIPAA Website

includes OCR Guidance on Research aspects of HIPAA Privacy Rule