This section of the Investigator Manual details HIPAA requirements, including: the HIPAA authorization document, remote authorization, preparatory to research activities, partial and full waivers of authorization, altered authorizations, data use agreements, accounting for disclosures, and enrolling participants with limited English proficiency.


HIPAA Authorization Document

HRP-502-TEMPLATE CONSENT DOCUMENT includes language to add to your consent form if your study is subject to HIPAA. You are encouraged to use a combined consent and authorization form. In the event you need a separate authorization form, refer to the Templates page.

The consent/authorization document should be uploaded to the application in Word format, as this allows for reviewer edits and comments to be easily placed in the document.

Note that all required elements and statements found in HRP-330-WORKSHEET: HIPAA Authorization must be included in your authorization form, absent an IRB approved altered authorization or waiver of authorization.

Studies that meet the requirements for an exemption and that collect and analyze identifiable health information may still be subject to HIPAA and may require an authorization, an IRB waiver of authorization or a data use agreement.

Remote Authorization

For studies subject to HIPAA regulations in which electronic protected health information (e-PHI) is being accessed, collected, or used during a remote consent process, please refer to the Office of Compliance webpage on Approved Tools for Exchanging and Storing PHI for information on which platforms may be used for your remote consent/authorization process.

For additional information on obtaining consent/authorization remotely, see Remote Consent Process.

Preparatory to Research Activities

The “preparatory to research” provisions of HIPAA permit researchers to access PHI, without patient authorization, for some limited activities to plan research, as follows:

  • The development of research questions;
  • The determination of study feasibility (in terms of the available number and eligibility of potential study participants);
  • The development of eligibility criteria (inclusion and exclusion); and
  • The determination of eligibility for study participation for specific individuals.

Researchers who are employees of the HIPAA covered institution or members of its workforce for purposes of research may also use PHI as a preparatory to research activity to contact potential participants for recruitment.

  • E.g., members of the UW/UW Health Affiliated Covered Entity may use PHI from Health Link to recruit participants as a preparatory to research activity.

No PHI may leave the covered institution.

Researchers who are not employees of the HIPAA covered institution or its workforce for research purposes – even if on the medical staff for clinical care purposes – should request a partial waiver of authorization from the IRB to use PHI for recruitment. See Partial and Full Waivers of Authorization and Accounting for Disclosures in this manual for more information.

All researchers must complete the Preparatory to Research Certification as part of their annual HIPAA training.

See Conducting VA Research for special requirements on the use of preparatory to research activities at the VA.

Partial and Full Waivers of Authorization

Partial waivers of authorization should be requested from the IRB when you will not obtain authorization from some subjects or for some uses of their PHI. Examples include:

  • In one arm of your study, you will obtain authorization from participants with whom you are interacting; however, for another arm of your study, you will use only retrospective medical records from a different group of participants and will not interact with any of the participants in that arm.
  • You will access PHI from a HIPAA covered institution outside of UW/UW Health prior to obtaining authorization in order to contact participants to recruit them to your study. This is true even if you are on the medical staff of that other HIPAA covered institution for purposes of providing clinical care. See Accounting for Disclosures in this manual for more information.

Note, however, that healthcare providers may talk to their own patients about enrolling in potentially therapeutic studies without prior authorization or a partial waiver.

Full waivers of authorization should be requested from the IRB when you will not obtain authorization from any subjects. Examples include:

  • A study using only retrospective medical records where you will not interact with any participants.

Researchers are prompted to request partial or full waivers of authorization through the Arrow application.

Altered Authorization

An altered authorization means that individuals are asked for permission to collect, use, or disclose their PHI, but some required elements or statements of the authorization are not included. See HRP-330-WORKSHEET: HIPAA Authorization for a list of required elements and statements. The altered authorization may be written, but briefer in nature, or may be an oral authorization process, depending on context. Examples of when an altered authorization may be appropriate include:

  • You are collecting health information as part of a telephone screen and obtaining written, signed authorization would not be practicable.
  • When the only risk in the research is breach of confidentiality and the research as designed, to reduce risks in relation to anticipated benefits, would not be practicable if the consent/authorization form included participants’ signatures.
  • When a patient’s clinician requests permission to share only name and contact information with a study team so that the study team can contact the patient about a research opportunity.**
  • When a patient is in a clinic visit and someone from the healthcare team asks whether the patient is interested in meeting with a member of the research team at the visit.**
  • When using the short form consent for individuals with limited English proficiency to request an oral HIPAA authorization process (except no altered authorization is needed when using the stand-alone HIPAA Authorization that has been translated to Spanish). See: Authorization & Participants with Limited English Proficiency.

** Note that researchers who are employees of the HIPAA covered institution or members of its workforce for purposes of research may access and use PHI as a preparatory to research activity to contact potential participants for recruitment. In this case, no altered authorization is required. See the Clinical Recruitment Guidelines for more information.

If you are using a remote consent/authorization process in non-FDA regulated research as described in Remote Consent Processes and participants will type their name on a signature line, you do not need to request an altered authorization.

Because individuals are giving their permission for access to or use of the PHI, no accounting for disclosures is required.

Data Use Agreements

A data use agreement (DUA) allows researchers to access a limited data set for research purposes without subject authorization. The terms of a DUA are specified in HIPAA and include:

  • Establishing the permitted uses and disclosures (as allowed under HIPAA);
  • Using appropriate safeguards to secure the data;
  • Reporting inappropriate uses or disclosures to the covered entity; and
  • Not attempting to re-identify individuals who are the subjects of the data.

Researchers are directed within Arrow to the Internal Data Use Agreement for those UW employees receiving a limited data set from within UW-Madison or UW Health, or to the Data Transfer and Use Agreement for receipt or disclosure of a limited data set from/to an institution outside of UW-Madison or UW Health.

UW-Madison has Master DUAs with UW Health, including UW Health Northern Illinois (formerly called SwedishAmerican), and Access Community Health Centers. UW-Madison also has a System Access Agreement with UnityPoint Health – Meriter. More information on who may access data and for what purposes under these agreements is available here: UW Health; Access Community Health Centers; UnityPoint Health – Meriter.

Accounting for Disclosures

An “accounting” is a log of certain disclosures of full PHI that must be made available to a patient upon request. It includes information about each disclosure, such as the date it occurred, the name of the recipient, a description of the PHI, and the purpose.

A “disclosure” means the PHI left the institution that is covered by HIPAA (e.g., the hospital, clinic, health system). But it can also mean that a person who is not an employee of the institution viewed or accessed the PHI, even on the institution’s premises.

An accounting for disclosures is required when:

  • Identifiable patient health information is accessed for research purposes; AND
  • Access is without patient authorization (i.e., under an IRB partial or full waiver of authorization); AND
  • You are accessing PHI from UW-Madison’s Health Care Component (HCC) and you are employed outside the HCC or from UW Health and you are employed outside of the Affiliated Covered Entity (ACE); OR
  • You are accessing PHI from other healthcare entities where you are not an employee or a member of the workforce for research purposes – even if you are on the medical staff for clinical care purposes – such as from UnityPoint Health-Meriter or Access Community Health Centers (ACHC).

See this Accounting for Disclosures Guidance for more information and to access the link to account for disclosures. Note that if you obtained data through the UW Clinical Research Data Services (CRDS), CRDS will account for you when an accounting is required.

Authorization & Participants with Limited English Proficiency

Subjects who have limited English proficiency should be presented with an authorization in a language understandable to them that includes all required elements and statements for use and/or disclosure of their PHI. Persons with limited English proficiency are individuals who do not speak English as their primary language and/or who have a limited ability to read, speak, write, or understand English.

For research involving targeted populations that have limited English proficiency, the use of a written translation of the approved long form consent/authorization document is required. The translated consent/authorization must be approved by the IRB.

If the IRB approves the use of a short form consent, researchers should either use the Spanish translation of the stand-alone HIPAA Authorization for Spanish speakers or, for all other languages, request an altered authorization to permit an oral presentation of the HIPAA authorization elements, without signed authorization from the subject or their LAR. Researchers should provide a written summary of what will be discussed. See Enrolling Participants with Limited English Proficiency for more information.