Office for Protection of Human Subjects

How to Comply with HIPAA When Conducting Research

If research involves the use of protected health information (PHI), the researcher may need to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA governs the use and disclusure of "protected health information" by "HIPAA-covered entities." In order to access this information, researchers must have each subject whose PHI is being gathered sign a HIPAA Authorization or HIPAA Release form. The regular informed consent form must include a statement referencing the HIPAA Authorization form. For example, the informed consent form could say "In order to do this research, you must also authorize us to access and use some of your personal health infomation by reviewing and signing the attached authorization form."

HIPAA Authorizations must be written in plain language and must include 6 core elements and three required statements.

Authorization Core Elements:

A specific and meaningful description of the PHI to be used.
The name(s) or specific identification of the person(s) or class of person(s) who will make the disclosure.
The name(s) or specific identification of the person(s) or class of person(s) who will use the PHI or to whom the covered entity will make the disclosure.
Description of each specific purpose of the requested disclosure. Once researchers have obtained PHI, it may not be used for any purposes except those described in the Authorization. Authorizations are study-specific and may not be used for future unspecified research.
Authorization expiration date or event. Researchers may use the terms "end of the research study" or "none" if the PHI is collected for research.
The individual's signature and the date the Authorization is signed.

Authorization Required Statements:

A statement of the individual's right to revoke the Authorization at any time in writing and a description of how to revoke the Authorization.
A notice of the covered entity's ability or inability to condition treatment, payment, enrollment, or eligiblility for benefits on the Authorization, including research-related treatment, and, if applicable, the consequences of refusing to sign the Authorization. NOTE: In most research at the UO, this statement should simply indicate that refusing to sign the Authorization will not affect the subject's medical care and will result only in the subject being excluded from the research.
A statement explaining that the researcher receiving the data could potentially re-disclose the PHI and that the HIPAA Privacy Rule does not apply to the re-disclosure.

OPHS has developed a HIPAA Authorization Form template for researchers to use. As with all templates, researchers may alter the format or wording of the document as long as the elements required by law remain.

For more information about HIPAA and research, please visit the NIH HIPAA information page.