This section of the Investigator Manual details HIPAA requirements, including: the HIPAA authorization document, remote authorization, preparatory to research activities, partial and full waivers of authorization, altered authorizations, data use agreements, accounting for disclosures, and enrolling participants with limited English proficiency.


HIPAA Authorization Document

HRP-502-TEMPLATE CONSENT DOCUMENT includes language to add to your consent form if your study is subject to HIPAA. You are encouraged to use a combined consent and authorization form. In the event you need a separate authorization form, refer to the Templates page.

The consent/authorization document should be uploaded to the application in Word format, as this allows for reviewer edits and comments to be easily placed in the document.

Note that all required elements and statements found in HRP-330-WORKSHEET: HIPAA Authorization must be included in your authorization form, absent an IRB approved altered authorization or waiver of authorization.

Studies that meet the requirements for an exemption and that collect and analyze identifiable health information may still be subject to HIPAA and may require an authorization, an IRB waiver of authorization or a data use agreement.

Remote Authorization

For studies subject to HIPAA regulations in which electronic protected health information (e-PHI) is being accessed, collected, or used during a remote consent process, please refer to the Office of Compliance webpage on Approved Tools for Exchanging and Storing PHI for information on which platforms may be used for your remote consent/authorization process.

For additional information on obtaining consent/authorization remotely, see Remote Consent Process.

Preparatory to Research Activities

The “preparatory to research” provisions of HIPAA permit researchers to access PHI, without patient authorization, for some limited activities to plan research, as follows:

  • The development of research questions;
  • The determination of study feasibility (in terms of the available number and eligibility of potential study participants);
  • The development of eligibility criteria (inclusion and exclusion); and
  • The determination of eligibility for study participation for specific individuals.

Researchers who are employees of the HIPAA covered institution or members of its workforce for purposes of research may also use PHI as a preparatory to research activity to contact potential participants for recruitment.

  • E.g., members of the UW/UW Health Affiliated Covered Entity may use PHI from Health Link to recruit participants as a preparatory to research activity.

No PHI may leave the covered institution.

Researchers who are not employees of the HIPAA covered institution or its workforce for research purposes – even if on the medical staff for clinical care purposes – should request a partial waiver of authorization from the IRB to use PHI for recruitment. See Partial and Full Waivers of Authorization and Accounting for Disclosures in this manual for more information.

All researchers must complete the Preparatory to Research Certification as part of their annual HIPAA training.

See Conducting VA Research for special requirements on the use of preparatory to research activities at the VA.

Partial and Full Waivers of Authorization

Partial waivers of authorization should be requested from the IRB when you will not obtain authorization from some subjects or for some uses of their PHI. Examples include:

  • In one arm of your study, you will obtain authorization from participants with whom you are interacting; however, for another arm of your study, you will use only retrospective medical records from a different group of participants and will not interact with any of the participants in that arm.
  • You will access PHI from a HIPAA covered institution outside of UW/UW Health prior to obtaining authorization in order to contact participants to recruit them to your study. This is true even if you are on the medical staff for purposes of providing clinical care of that other HIPAA covered institution. See Accounting for Disclosures in this manual for more information.

Note, however, that healthcare providers may talk to their own patients about enrolling in potentially therapeutic studies without prior authorization or a partial waiver.

Full waivers of authorization should be requested from the IRB when you will not obtain authorization from any subjects. Examples include:

  • A study using only retrospective medical records where you will not interact with any participants.

Researchers are prompted to request partial or full waivers of authorization through the ARROW application.

Altered Authorization

An altered authorization means that individuals are asked for permission to collect, use, or disclose their PHI, but some required elements or statements of the authorization are not included. See HRP-330-WORKSHEET: HIPAA Authorization for a list of required elements and statements. The altered authorization may be written, but briefer in nature, or may be an oral authorization process, depending on context. Examples of when an altered authorization may be appropriate include:

  • You are collecting health information as part of a telephone screen and obtaining written, signed authorization would not be practicable.
  • When the only risk in the research is breach of confidentiality and the research as designed, to reduce risks in relation to anticipated benefits, would not be practicable if the consent/authorization form included participants’ signatures.
  • When a patient’s clinician requests permission to share only name and contact information with a study team so that the study team can contact the patient about a research opportunity.**
  • When a patient is in a clinic visit and someone from the healthcare team asks whether the patient is interested in meeting with a member of the research team at the visit.**
  • When using the short form consent for individuals with limited English proficiency to request an oral HIPAA authorization process (except no altered authorization is needed when using the stand-alone HIPAA Authorization that has been translated to Spanish). See: Authorization & Participants with Limited English Proficiency.

** Note that researchers who are employees of the HIPAA covered institution or members of its workforce for purposes of research may access and use PHI as a preparatory to research activity to contact potential participants for recruitment. In this case, no altered authorization is required. See the Clinical Recruitment Guidelines for more information.

If you are using a remote consent/authorization process in non-FDA regulated research as described in Remote Consent Processes and participants will type their name on a signature line, you do not need to request an altered authorization.

Because individuals are giving their permission for access to or use of the PHI, no accounting for disclosures is required.

Data Use Agreements

A data use agreement (DUA) allows researchers to access a limited data set for research purposes without subject authorization. The terms of a DUA are specified in HIPAA and include:

  • Establishing the permitted uses and disclosures (as allowed under HIPAA);
  • Using appropriate safeguards to secure the data;
  • Reporting inappropriate uses or disclosures to the covered entity; and
  • Not attempting to re-identify individuals who are the subjects of the data.

Researchers are prompted within ARROW to complete the Internal Data Use Agreement when UW employees are receiving a limited data set from within UW-Madison or UW Health for their own use; the limited data set will not be shared outside the UW-Madison HCC. A completed Internal DUA should be uploaded to ARROW.

A Data Transfer and Use Agreement is needed for receipt or disclosure of a limited data set from/to an institution outside of UW-Madison or UW Health. When disclosing a limited data set, the DUA template should be uploaded to ARROW to confirm an acceptable template will be used; a signed copy does not need to be included in ARROW. When receiving a limited data set from outside the UW-Madison HCC, the data provider determines whether a DUA is necessary. If a limited data set is not covered by a DUA, it’s appropriate to request a waiver of authorization instead.

UW-Madison has Master DUAs with UW Health, including UW Health Northern Illinois (formerly called SwedishAmerican), and Access Community Health Centers. UW-Madison also has a System Access Agreement with UnityPoint Health – Meriter. More information on who may access data and for what purposes under these agreements is available here: UW Health; Access Community Health Centers; UnityPoint Health – Meriter.

Accounting for Disclosures

An “accounting” is a log of certain disclosures of full PHI that must be made available to a patient upon request; it includes information about each disclosure such as the date it occurred, the name of the recipient, a description of the PHI, and the purpose.

A “disclosure” means the PHI left the institution that is covered by HIPAA (e.g., the hospital, clinic, health system). But it can also mean that a person who is not an employee of the institution viewed or accessed the PHI, even on the institution’s premises.

An accounting for disclosures is required when:

  • Identifiable patient health information is accessed for research purposes; AND
  • Access is without patient authorization (i.e., under an IRB partial or full waiver of authorization); AND
  • You are accessing PHI from UW-Madison’s Health Care Component (HCC) while employed outside the HCC, or from UW Health while employed outside of the Affiliated Covered Entity (ACE); OR
  • You are accessing PHI from other healthcare entities where you are not employed or workforce for research purposes – even if you are on the medical staff for clinical care purposes – such as from UnityPoint Health-Meriter or Access Community Health Centers (ACHC).

See this Accounting for Disclosures Guidance for more information and to access the link to account for disclosures. Note that if you obtained data through the UW Clinical Research Data Services (CRDS), CRDS will account for you when an accounting is required.

Authorization & Participants with Limited English Proficiency

Subjects who have limited English proficiency should be presented with an authorization in a language understandable to them that includes all required elements and statements for use and/or disclosure of their PHI. Persons with limited English proficiency are individuals who do not speak English as their primary language and/or who have a limited ability to read, speak, write, or understand English.

For research involving targeted populations that have limited English proficiency, the use of a written translation of the approved long form consent/authorization document is required. The translated consent/authorization must be approved by the IRB.

If the IRB approves the use of a short form consent, researchers should use the Spanish translation of the stand-alone HIPAA Authorization for Spanish speakers. For all other languages, request an altered authorization to permit an oral presentation of the HIPAA authorization elements, without signed authorization from the subject or their LAR. Researchers should provide a written summary of what will be discussed. See Enrolling Participants with Limited English Proficiency for more information.

HIPAA & International Research

For existing data that includes identifiable health information (like medical records data), once the identifiable health information is transferred to the HCC, the data should be protected the same as PHI gathered in the U.S. It should be stored in a HIPAA compliant manner.

For prospective data and/or specimen collection, the consent form should include HIPAA authorization language when UW researchers are involved in collection and will transfer the PHI to the UW.

UW Personnel Outside the HCC

If someone outside the HCC is receiving fully identifiable information from a covered entity, there needs to be a legal mechanism for them to obtain the data. For fully identifiable data, those legal mechanisms are:

  1. Authorization
    • If consent/authorization was obtained under a previous study or repository and included consent/authorization for future uses, then an IRB waiver isn’t required.
  2. Waiver of authorization
    • The covered entity providing the PHI can, but does not have to, rely on our waiver of authorization for the sharing. To grant a waiver, there must be an adequate plan to protect the identifiers from improper use and disclosure. If the researchers are outside the HCC, this type of security review likely has not been done. Before the IRB issues a waiver of authorization in this case, there should be some evidence that the researcher can properly protect the data, which may include having a Cybersecurity review. Researchers should confirm that they will undergo the Cybersecurity review and not collect or store data until they have done so; IRB review and certification/approval may proceed, however.

Addressing HIPAA in ARROW

The following options are available for addressing HIPAA requirements in ARROW; each entry states when it is appropriate.

  • Obtain HIPAA Authorization: Study teams should choose this option if they will be obtaining written HIPAA authorization. See HRP-330.
  • Request for Waiver of Authorization: Study teams should choose this option if they wish to request a full waiver of authorization for the entire study. An example of when this is appropriate is a study that involves only review of medical records. See HRP-441.
  • Request for Altered Authorization: Study teams should choose this option if they will obtain HIPAA authorization, but do not want to include all required elements or will obtain authorization in some way other than via a written signature. An example of this is obtaining authorization verbally over the phone. See HRP-441.
  • Request for Partial Waiver of Authorization: Study teams should choose this option if they wish to request a full waiver of authorization for part of the study. An example of when this is appropriate is a study that involves a retrospective chart review of patients who are lost to follow-up in addition to prospective patient recruitment. A partial waiver of authorization would be requested for the retrospective subjects only, and written HIPAA authorization would be obtained for the prospective subjects. See HRP-441.
  • Data Use Agreement for Limited Dataset: Study teams should choose this option under the following conditions:
    1) if they will share a limited data set outside UW-Madison without obtaining subject authorization,
    2) if they will receive (e.g., from SMPH Informatics) or record a limited data set for use within UW-Madison, but without obtaining subject authorization (Note: If identifiers will be retained beyond the creation of a limited data set, a waiver of authorization is also needed), or
    3) if they will receive a limited data set from outside UW-Madison under a DUA.
  • Create a De-identified Dataset: Study teams should choose this option if they will access subject PHI but will not record any HIPAA identifiers or link study data to identifiers via a study ID code.
  • Certification for Use of Decedent PHI: Study teams should choose this option if data will be limited to decedents. A completed copy of the certification should be uploaded to ARROW.