This section of the Investigator Manual details HIPAA requirements, including: the HIPAA authorization document, remote authorization, preparatory to research activities, partial and full waivers of authorization, altered authorizations, data use agreements, accounting for disclosures, and enrolling participants with limited English proficiency.
Preparatory to Research Activities
The “preparatory to research” provisions of HIPAA permit researchers to access PHI, without patient authorization, for some limited activities to plan research, as follows:
- The development of research questions;
- The determination of study feasibility (in terms of the available number and eligibility of potential study participants);
- The development of eligibility criteria (inclusion and exclusion); and
- The determination of eligibility for study participation for specific individuals.
Researchers who are employees of the HIPAA covered institution or members of its workforce for purposes of research may also use PHI as a preparatory to research activity to contact potential participants for recruitment.
- E.g., members of the UW/UW Health Affiliated Covered Entity may use PHI from Health Link to recruit participants as a preparatory to research activity.
No PHI may leave the covered institution.
Researchers who are not employees of the HIPAA covered institution or its workforce for research purposes – even if on the medical staff for clinical care purposes – should request a partial waiver of authorization from the IRB to use PHI for recruitment. See Partial and Full Waivers of Authorization and Accounting for Disclosures in this manual for more information.
All researchers must complete the Preparatory to Research Certification as part of their annual HIPAA training.
See Conducting VA Research for special requirements on the use of preparatory to research activities at the VA.
Data Use Agreements
A data use agreement (DUA) allows researchers to access a limited data set for research purposes without subject authorization. The terms of a DUA are specified in HIPAA and include:
- Establishing the permitted uses and disclosures (as allowed under HIPAA);
- Using appropriate safeguards to secure the data;
- Reporting inappropriate uses or disclosures to the covered entity; and
- Not attempting to re-identify individuals who are the subjects of the data.
Researchers are prompted within Arrow to the Internal Data Use Agreement for those UW employees receiving a limited data set from within UW-Madison or UW Health, or to the Data Transfer and Use Agreement for receipt or disclosure of a limited data set from/to an institution outside of UW-Madison or UW Health.
UW-Madison has Master DUAs with UW Health, including UW Health Northern Illinois (formerly called SwedishAmerican), and Access Community Health Centers. UW-Madison also has a System Access Agreement with UnityPoint Health – Meriter. More information on who may access data and for what purposes under these agreements is available here: UW Health; Access Community Health Centers; UnityPoint Health – Meriter.
Accounting for Disclosures
An “accounting” is a log of certain disclosures of full PHI that must be made available to a patient upon request that includes information about the disclosure like the date it occurred, the name of the recipient, a description of the PHI and the purpose.
A “disclosure” means the PHI left the institution that is covered by HIPAA (e.g., the hospital, clinic, health system). But it can also mean that a person who is not an employee of the institution viewed or accessed the PHI, even on the institution’s premises.
An accounting for disclosures is required when:
- Identifiable patient health information is accessed for research purposes; AND
- Access is without patient authorization (i.e., under an IRB partial or full waiver of authorization); AND
- You are accessing PHI from UW-Madison’s Health Care Component (HCC) and you are employed outside the HCC or from UW Health and you are employed outside of the Affiliated Covered Entity (ACE); OR
- You are accessing PHI from other healthcare entities where you are not employed or workforce for research purposes – even if you are on the medical staff for clinical care purposes – such as from UnityPoint Health-Meriter or Access Community Health Centers (ACHC).
See this Accounting for Disclosures Guidance for more information and to access the link to account for disclosures. Note that if you obtained data through the UW Clinical Research Data Services (CRDS), CRDS will account for you when an accounting is required.