Human Subjects Division (HSD)


Important HIPAA Information

Feb 9, 2010 at 3:44pm

As mentioned in previous newsletters, the ARRA federal stimulus legislation included many revisions and additions to the HIPAA regulations that govern the use of healthcare records. The changes include significant increases in the procedures and penalties associated with unauthorized access to healthcare records.

HSD has recently become aware that researchers may not realize that the following scenarios are considered "unauthorized access" and therefore constitute noncompliance with the HIPAA regulations and the IRB approval for a study:

  • Accessing more health care records than proposed in your IRB application. 

Example: You state in your IRB application that you will review data from 500 medical records, but in fact you review 504 medical records.

  • Accessing health care records after the expiration date on the HIPAA Authorization form signed by subjects.
  • Accessing and recording data for health care provided outside of the time window described in your IRB application.

Example: You state in your IRB application that you are accessing and recording all cholesterol results from tests performed on subjects between January 1, 2003 and December 31, 2008, but you also record results for tests performed in 2009.

The new HIPAA regulations require UW Medicine to notify all individuals whose healthcare records have been subject to unauthorized access, regardless of the number of individuals.

There are also public reporting requirements (which may include informing the local media) and, as warranted, financial penalties associated with unauthorized access.

Please consult with any of the following if you have any questions or concerns: