UW Directories | Calendar | Map | MyUW
UW logo
Skip to Main
Human Subjects Division (HSD)


HIPAA and Research

The UW Institutional Review Board (IRB) serves as the “Privacy Board” required by HIPAA to review research that uses protected health information (PHI).  The UW IRB has the authority to:

  • Approve the use of PHI in research.
  • Approve a waiver or an alteration of the Authorization requirement.

The UW Medicine Compliance Office oversees the UW’s overall compliance with HIPAA, including HIPAA training.

When researchers will use PHI in their research, they need to either:

  1. Obtain Authorization:
    Use the HIPAA Authorization Template.  Researchers modify this template to create a HIPAA Authorization form that subjects sign to give the researcher permission to obtain and use their protected health information (PHI) for research purposes.
  2. Request a Waiver of Authorization:
    Use the Waiver Request: HIPAA Authorization form. Researchers complete this form to request permission to access, obtain, use or disclose a research subject’s protected health information (PHI) for research purposes, without obtaining the subject’s specific authorization.

Related Questions And Answers

  • What are the requirements for authorization when researchers wish to access patient information?

    The HIPAA regulations use the term \"authorization\" to describe the process through which a patient allows researchers to access protected health information (PHI). The information must include:

    • a description of the information to be used for research purposes;
    • who may use or disclose the information;
    • who may receive the information;
    • purpose of the use or disclosure;
    • expiration date or event (if the information will be kept indefinitely, the authorization states that there is no expiration date);
    • individual\'s signature and date;
    • right to revoke authorization;
    • right to refuse to sign authorization (if this happens, the individual may be excluded from the research and any treatment associated with the research);
    • if relevant, that the research subject\'s access rights are to be suspended while the clinical trial is in progress, and that the right to access PHI will be reinstated at the conclusion of the clinical trial.

    Blanket authorizations for research to be conducted in the future are not permitted. Each new use requires a specific authorization.

  • What is HIPAA?

    HIPAA is an acronym for the Health Insurance Portability and Accountability Act, passed by Congress in 1996. The purpose of the Act was to increase the ease with which people could transfer their health care information from one insurer or provider to the next. Congress, as part of HIPAA, required the development of privacy regulations to protect the confidentiality of individually identifiable health care information. The final (HIPAA) privacy rule was issued on August 14, 2002. As of April 14, 2003, The University of Washington is in compliance with the Privacy Rule.

  • What is PHI?

    Protected Health Information is any information pertaining to:

    • the past, present, or future physical or mental health or condition of an individual;
    • the provision of health care to an individual; or
    • the past, present, or future payment for the provision of health care to an individual.

    PHI may be information that is recorded electronically, on paper, or orally. PHI may concern living people or dead people (referred to in the law as "decedents"). PHI does NOT include de-identified information or biological tissue with no accompanying information, such as an accession number or code number that may be linked to an identifier.

  • What is needed to request a "Waiver of HIPAA Authorization?"

    The UW IRB Committees use specific criteria in reviewing requests for a waiver of HIPAA authorization for research. In completing the Human Subjects Review Application (UW 13-11), researchers should explain how:

    • The use or disclosure of protected health information involves no more than minimal risk to the privacy, safety, and welfare of the individual;
    • The research could not practicably be conducted without the waiver or alteration;
    • The research could not practicably be conducted without access to the protected health information;
    • There is an adequate plan to protect the identifiers from improper use or disclosure;
    • There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
    • There are adequate written assurances that the protected health information will not be re-used or disclosed to a third party except as required by law, for authorized oversight of the research, or as permitted by an authorization signed by the research subject

    In requesting this waiver, researchers should also provide the following information:

    • Detailed information about the types of protected health information that will be used, including how it will be used, who will have access to it, and when it will be destroyed;
    • What risks are posed by the use of the data, and how they have been minimized
    • The justification for access to the data and why they are necessary to conduct the research.
  • What kind of research and researchers are affected by the HIPAA regulations?

    Any kind of research conducted under the auspices of the UW and UW Medicine that creates or uses protected health information is subject to the HIPAA regulations. This includes such research activities as clinical trials, chart reviews, epidemiological studies, behavioral, and social science studies, as well as basic science research activities. It includes research that involves the provision of treatment as well as research that provides neither treatment nor diagnosis.

    All researchers, whether or not they are directly connected with UW Medicine, who wish to conduct research involving protected health information must complete HIPAA training before they will be allowed to have access to individually identifiable health information in any form.

More …