The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its regulations, including the Privacy Rule and the Security Rule, as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act, govern the way certain health information is collected, maintained, used, and disclosed. The Privacy Rule establishes a set of safeguards on certain types of health information known as protected health information, or PHI. HIPAA is designed to protect individuals' privacy and to inform patients and research subjects how their health information is used and disclosed. See the list of 18 PHI identifiers (PDF).

HIPAA requires specified language in the informed consent for the collection, use, and/or disclosure of PHI for research. See the HIPAA Authorization template. To comply with HIPAA requirements, this additional language should be added to the Confidentiality section of the Informed Consent form.

HIPAA Forms And Compliance Procedures

HIPAA Certifications

Reviews Preparatory to Research

Certain activities involving the use/disclosure of PHI are permitted without Authorization. The “preparatory to research” provision allows researchers to use PHI for limited purposes, such as a feasibility assessment (e.g., whether a sufficient population exists to conduct research). However, the Privacy Rule does not permit the researcher to remove PHI. To comply with the HIPAA Privacy Rule and human subjects regulations, researchers are permitted to review PHI, but identifiers may not be recorded. To conduct a review preparatory to research, a researcher must CERTIFY all of the following representations:

  • The use or disclosure is requested solely to review PHI as necessary to develop a research protocol or for similar purposes preparatory to research
  • PHI will not be removed in the course of review
  • The PHI for which use or access is requested is necessary for the research


Research Involving Deceased Individuals

The Privacy Rule provides protections to living and deceased individuals. To use decedents’ PHI for research purposes, a researcher must CERTIFY all of the following:

  • Representation that the use or disclosure is solely for research involving the PHI of decedents (e.g., and not also the living relatives of decedents)
  • Representation that the PHI is necessary for the research
  • Documentation (at the request of the covered entity holding the PHI) of the death of the individuals whose PHI is sought.

Note: If the participant population contains both living and deceased individuals, the requirements for Authorization (or waiver or alteration) apply.


De-Identification Certification



Faculty, fellows, staff, and students participating in human subjects research involving Protected Health Information (PHI) are required to complete the HIPAA Research tutorial. Training must be completed before participating in human subjects research involving PHI.


HIPAA: Research FAQs:

What about research data that has already been collected?

According to HIPAA, such data is grandfathered in.

How will HIPAA impact human subjects who are already enrolled in a research study?

Subjects who enrolled prior to April 14, 2003 will not be required to re-consent. Investigators may continue to collect and use data gathered from these subjects, and no new documentation is required.

What are the HIPAA standards for human subjects research?

There are four ways to perform HIPAA compliant research. They are:

  1. Obtain subject Authorization
  2. Obtain a waiver of authorization from the IRB
  3. Use of de-identified information
  4. Use of limited data set

What about reviews preparatory to research?

Investigators may review PHI without subject authorization to prepare a research protocol or for similar purposes preparatory to research. Also, research on decedents' information involving PHI does not require subject authorization. However, both activities must be approved by the IRB.

What are the new research documents required by HIPAA?

HIPAA compliant research documents include:

  1. Authorization (HIPAA language template form - to be inserted in the consent form)
  2. Waiver of Authorization
  3. Data use agreement

These forms will be posted as they become available and can also be obtained through the IRB.

What about releasing data outside of the USA Health System?

Intentional releases of research data outside USA must be made clear in the research study documents submitted for IRB approval. Such releases should be described within the authorization portion of the informed consent. Upon IRB approval, such releases are permitted. Disclosures for studies involving de-identified information or a limited data set are also permitted.

For additional information, please contact the Office of Research Compliance and Assurance at (251) 460-6625 or email dlayton@southalabama.edu