UCSD Human Research Protections Program

HIPAA Privacy Rule Information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that has several provisions affecting research that involves health-related data from human research participants. The HIPAA Privacy Rule establishes for the first time a set of requirements for protecting the confidentiality of person-identifiable data arising as a result of health care services, and includes the requirement that authorization (i.e., consent) be obtained in most cases before this type of data is used for research purposes. The Privacy Rule also requires that research plans for use of this type of data undergo review and approval by an Institutional Review Board (IRB) or Privacy Board.  At UCSD, the Human Research Protections Program is the focal point for compliance with the research provisions of HIPAA.

Provided here are links to help investigators to understand what HIPAA is, to determine whether their research is subject to HIPAA regulations, and if it is, to assist in complying with HIPAA requirements:

Frequently Asked Questions about HIPAA Research
FAQs about HIPAA and Research
Tutorial/Assessment program on Research Aspects of HIPAA
Test your knowledge of the Research aspects of HIPAA. After completing the tutorial, you receive a personalized training certificate.
Criteria for Waiver of Authorization (see item 12, Informed Consent, page 7)
Waiver authorization for studies proposing to do medical records review or use of existing tissue and data that is person-identifiable.
HIPAA Fact Sheet of De-identification
More HIPAA information regarding anonymization of health information.
What is and is not PHI in a research setting
A white paper from the University of California systemwide Task Force on HIPAA.
Sample HIPAA Authorization Forms
These forms are designed to accompany the informed consent document if the project uses Protected Health Information (PHI). Researcher should keep this form in the project's research records along with the signed consent, and give a copy to the participant.
Privacy practices referenced by the HIPAA authorization language.
UCSD Notice of Privacy Practices - English
UCSD Notice of Privacy Practices - Spanish
UCSD Revocation of Authorization to use HIPAA PHI
These include both English and Spanish versions
Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule
NIH publication in PDF format that covers basic HIPAA concepts relevant to research.
California Office of HIPAA implementation
Information on California-specific aspects of HIPAA
Text of the HIPAA Privacy Rule
HIPAA Privacy rules on the federal DHHS website
Text of the California Confidentiality of Medical Information Act (CMIA)
California law that is "more restrictive" than HIPAA and adds additional requirements, such as requiring that authorization for use of personally identifiable information be separately signed.
US Office of Civil Rights (OCR) HIPAA Website
includes OCR Guidance on Research aspects of HIPAA Privacy Rule


Contact the Human Research Protections Program Office