- What is protected health information?
- The Privacy Rule under HIPAA defines Protected Health Information (PHI) as individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records. "Identifiable" refers to any health information or data that allows the possibility of individual identification.
- When does health information become protected health information?
- The Privacy Rule defines Health Information as any information, whether oral or recorded in any form or medium, that:
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
- What do I do if my research falls under HIPAA?
- Researchers at the KU-Lawrence campus must complete an Application to the Human Subjects Committee as well as develop a consent form for all projects which involve obtaining medical information.
- My research project involves the use of health information. What criteria must my project meet to be approved?
- In order for a researcher to conduct research using health information, one of the following conditions must be met:
- Permission must be granted by the research subject, through a written privacy authorization form. This approach will be the one most often used to protect subjects and allow researchers to obtain information needed. A sample consent form may be found in the Instructions for Submitting Applications to the Human Subjects Committee.
- The information must be completely de-identified and no longer subject to protection by state or federal law. See §164.514: Other requirements relating to uses and disclosures of protected health information.
- The information must be compiled in a "limited data set" and a data use agreement must be executed. Click here for a sample data use agreement.
- The activity must be "preparatory to research." See §164.512: Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required of the Final Privacy Rule.
- A waiver of individual authorization must be obtained from an IRB or Privacy Board. Click here for "Research Use/Disclosure Without Authorization" for information about waiver of individual authorization.
- The researcher must be accessing information solely on decedents. The researcher must state, in writing or orally, that the use or disclosure being sought is solely for research on the PHI of decedents and that the PHI being sought is necessary for the research, and must provide, at the request of the covered entity, documentation of the death of the individuals about whom information is being sought. The HSCL will require a written statement in such cases, and will not review such research as long as there is no link to living individuals. See "Research Use/Disclosure Without Authorization."
- I want to re-analyze some existing data. How does the Privacy Rule affect this?
- If you are re-analyzing Protected Health Information data to answer a new research question, this is considered to be a new project. A new HSCL Application and Consent Form must be completed and reviewed by the HSCL.
- What is the standard HIPAA form I have to submit with my HSCL application if I will be working with Protected Health Information (PHI)?
- You must complete the Statement on Use of Protected Health Information (PHI). This form will guide you as to the other required HIPAA form(s) you must submit depending on the type of PHI you wish to collect for your research.
- My research involves a Business Associate Agreement. What forms do I need to complete and submit to HSCL?
- The Confidentiality and Security Agreement
- The Principal Investigator Project Risk Management Checklist and Certification
Please note: The Confidentiality and Security Agreement and Project Risk Management Checklist and Certification form must be kept on file at HSCL. The other HIPAA security forms available on the HSCL website are created for you (as the PI for the project), as you are required to maintain this information in your own records to comply with HIPAA's Confidentiality & Security requirements associated with Business Associate Agreements. These forms are:
- Authorization of access to Information Systems
- Termination of access check list
- Disposal or return of Confidential Data
Questions? Please contact:
David Hann
785-864-7429 | dhann@ku.edu
Coordinator | Human Subjects Committee of Lawrence (HSCL)
— or —
Mary Denning
785-864-7385 | mdenning@ku.edu
Associate Coordinator | Human Subjects Committee of Lawrence (HSCL)