HIPAA Privacy Rule Information
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that has
several provisions affecting research that involves health-related data from human research
participants. The HIPAA Privacy Rule establishes for the first time a set of requirements for
protecting the confidentiality of person-identifiable data arising as a result of health care
services, and includes the requirement that authorization (i.e., consent) be obtained in most cases
before this type of data is used for research purposes. The Privacy Rule also requires that research
plans for use of this type of data undergo review and approval by an Institutional Review Board (IRB)
or Privacy Board. At UCSD, the Human Research Protections Program is the focal point for
compliance with the research provisions of HIPAA.
Provided here are links to help investigators to understand what HIPAA is, to determine whether their
research is subject to HIPAA regulations, and if it is,
to assist in complying with HIPAA requirements:
-
Frequently Asked Questions about HIPAA Research
-
FAQs about HIPAA and Research
-
Tutorial/Assessment program on Research Aspects of HIPAA
-
Test your knowledge of the Research aspects of HIPAA. After completing the tutorial, you receive a
personalized training certificate.
-
Criteria for Waiver of Authorization (see item 12, Informed Consent, page 7)
-
Waiver authorization for studies proposing to do medical records review or use of existing tissue
and data that is person-identifiable.
-
HIPAA Fact Sheet of De-identification
-
More HIPAA information regarding anonymization of health information.
-
What is and is not PHI in a research setting
-
A white paper from the University of California systemwide Task Force on HIPAA.
-
Sample HIPAA Authorization Forms
-
These forms are designed to accompany the informed consent document if the project uses Protected
Health Information (PHI). Researcher should keep this form in the project's research records along
with the signed consent, and give a copy to the participant.
-
Privacy practices referenced by the HIPAA authorization language.
-
UCSD Notice of Privacy Practices - English
-
UCSD Notice of Privacy Practices - Spanish
-
UCSD Revocation of Authorization to use HIPAA PHI
-
These include both English and Spanish versions
-
Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule
-
NIH publication in PDF format that covers basic HIPAA concepts relevant to research.
-
California Office of HIPAA implementation
-
Information on California-specific aspects of HIPAA
-
Text of the HIPAA Privacy Rule
-
HIPAA Privacy rules on the federal DHHS website
-
Text of the California Confidentiality of Medical Information Act (CMIA)
-
California law that is "more restrictive" than HIPAA and adds additional requirements, such as
requiring that authorization for use of personally identifiable information be separately signed.
-
US Office of Civil Rights (OCR) HIPAA Website
includes OCR Guidance on
Research aspects of HIPAA Privacy Rule