HIPAA Privacy Rule: Definitions

Research Authorization

A research authorization is a document signed and dated by a subject/participant that satisfies the requirements of the Privacy Rule (required elements) and grants permission for the researcher to use and disclose the subject/participant’s protected health information (PHI) to perform a research protocol. (Research Authorization.) A research authorization is the preferred method under the Privacy Rule for researchers to obtain permission to use PHI. The use of a research authorization is intended to involve a consent process.

Altered Authorization

An altered authorization is a form of waiver of authorization.

Covered Entity

UW-Madison Health Care Component (HCC)

A covered entity, i.e., an entity to which the Privacy Rule applies, includes a health care provider (person or entity) that provides, bills for, or is paid for health care.
UW-Madison (UW) is a special type of covered entity, called a “hybrid entity,” which means that for the purposes of implementing the Privacy Rule, UW has both covered and noncovered units.

The covered units of UW (which include all the employees of those units and certain researchers outside those units) are called the health care component or HCC. Currently the HCC includes the following units:

  1. Medical School clinical departments
  2. School of Pharmacy (clinical units only)
  3. School of Nursing
  4. University Health Service
  5. State Laboratory of Hygiene
  6. Athletic Department (athletic trainers and health information systems only)
  7. Waisman Center (clinical units only)
  8. L&S Psychology Clinic
  9. UW Internal Audit
  10. UW Privacy Officer
  11. Office of Clinical Trials
  12. UW Legal Services (health law group only)
  13. UW Accounting Services
  14. UW IRBs

Researchers who have appointments in units outside the HCC and who conduct research involving protected health information (PHI) in collaboration with researchers within the HCC are considered within the HCC for the purposes of that collaborative research. For example, scientists in the basic science departments of the Medical School or in the Waisman Center who collaborate with scientists or clinical faculty in the Medical School’s clinical departments are considered within the HCC for the purpose of the collaborative research.

Affiliated Covered Entity (ACE)

UW-Madison is also one of three entities that have agreed to form an affiliated covered entity (ACE). These three entities have agreed to provide consistent protection of patient/subject/participant rights.

The ACE includes:

  • University Hospitals and Clinics (UWHC)
  • University of Wisconsin Medical Foundation (UWMF)
  • A subset of the UW health care component (HCC)

The subset of the HCC in the ACE is comprised of the Medical School clinical departments (including Family Medicine and its five clinics in the Madison area, but not those faculty practicing on the Milwaukee Clinical Campus), the School of Nursing, the School of Pharmacy (clinical units only), and the Waisman Center (clinical units only).

Sharing of protected health information (PHI) within the HCC or within the ACE for research purposes is a “use” for which no accounting is required. Sharing of PHI outside of the HCC or outside the ACE, even with other parts of UW, for research purposes is a “disclosure” and in certain circumstances requires an accounting at the request of any subject/participant in research.

Data Use Agreement

A data use agreement (DUA) is an agreement required by the Privacy Rule between a covered entity and a person or entity that receives a limited data set. The DUA must state that the recipient will use or disclose the information in the limited data set only for specific limited purposes.

De-identified Information

Information that does not allow an individual to be identified because specified identifiers have been removed.

Disclosure of Protected Health Information

A “disclosure” of Protected Health Information (PHI) is the sharing of that PHI outside of a covered entity. The sharing of PHI outside of the health care component or affiliated covered entity is a disclosure. In general, a disclosure of PHI requires an accounting at the request of the individual who is the subject of the PHI, unless that individual gave permission for the disclosure by signing a valid authorization.

Health Care Operations

Any of the following activities of the covered entity to the extent that the activities are related to those functions the performance of which makes the covered entity a health plan, health care provider, or health care clearinghouse:

  • Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment.

  • Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;

  • Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;

  • Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and

  • Business management and general administrative activities of the entity, including, but not limited to:

    — Management activities relating to implementation of and compliance with the requirements of this subchapter;
    — Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that PHI is not disclosed to such policy holder, plan sponsor, or customer;
    — Resolution of internal grievances; and
    — Consistent with the applicable requirements of § 164.514, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

Health Care Provider

A person or organization that furnishes, bills, or is paid for health care in the normal course of business.

Limited Data Set

Protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

  • Name;
  • Postal address information, other than town or city, State, and zip code;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints; and
  • Full face photographic images and any comparable images.
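As an added illustration, not part of this guide or of any UW process, the following Python check flags a research extract record that still carries one of the direct identifiers listed above. It goes slightly beyond the list by also scanning free-text values for identifiers that survive inside a note even after the dedicated column is dropped; the column names, regular expressions and sample record are assumptions about how an extract might be laid out.

```python
import re

# Column names standing in for the 16 direct identifiers listed above.
# The names are an assumption about an extract's layout, not Privacy Rule terms.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "face_photo",
}

# Address components a limited data set is allowed to keep (town/city, State, zip).
PERMITTED_ADDRESS_FIELDS = {"city", "state", "zip"}

# Identifiers that commonly leak inside free-text fields such as clinical notes.
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://\S+", re.IGNORECASE),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}


def find_direct_identifiers(record):
    """Return a sorted list of reasons `record` (column name -> value)
    does not qualify as a limited data set; an empty list means it does."""
    problems = []
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field.lower() in DIRECT_IDENTIFIER_FIELDS:
            problems.append(f"field '{field}' is a direct identifier")
            continue
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    problems.append(f"field '{field}' contains an embedded {label}")
    return sorted(problems)


def is_limited_data_set(record):
    return not find_direct_identifiers(record)


# Constructed sample: the dates, city, state and zip are permitted, but the
# MRN column was never dropped and the note leaks an e-mail address.
SAMPLE_RECORD = {
    "mrn": "000123",
    "city": "Madison", "state": "WI", "zip": "53706",
    "admit_date": "2003-09-01",
    "note": "Follow-up scheduled; patient asked for results at j.doe@example.org",
}
```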

Preparatory to Research Activities

The Privacy Rule regulates some of the typical activities done before submitting a protocol to an IRB for review. These activities are designated as “preparatory to research” in the Privacy Rule and are defined as:

  1. the development of research questions;
  2. the determination of study feasibility (in terms of the available number and eligibility of potential study participants);
  3. the development of eligibility (inclusion and exclusion) criteria; and
  4. the determination of eligibility for study participation of individual potential subjects.

The recruitment of subjects or participants is NOT a preparatory to research activity. A recruitment plan is part of a research protocol and requires IRB approval before contact or other information about subjects/participants may be collected. Recruitment is a research activity.

Protected Health Information (PHI)

The Privacy Rule protects “individually identifiable health information,” referred to as protected health information or PHI. The Privacy Rule defines PHI to include information that:

  • is created or received by a “covered entity,” including a health care provider, and
  • relates to the past, present, or future physical or mental health, or condition of an individual, or
  • relates to payment for an individual’s health care, or
  • relates to the provision of health care in the past, present, or future, and
  • identifies an individual or could be used for identifying an individual.

Psychotherapy Notes

Psychotherapy Notes are notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.

Psychotherapy Notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. [45 CFR 164.501, psychotherapy notes]

Public Health

The HIPAA Privacy Rule does not define “public health.” Should you have questions or concerns, please consult the University’s Privacy Officer, Rebecca Hutton.

Research

A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.

Use of Protected Health Information (PHI)

A “use” of PHI is any sharing of that PHI within a covered entity. The sharing of PHI within the health care component (HCC) or within the affiliated covered entity (ACE) is a use. Uses, unlike disclosures, of PHI do not require an accounting at the request of the individual who is the subject of the PHI.

Waiver of Authorization

When obtaining subject/participant authorization is "impracticable," the IRB may approve a waiver of authorization for a researcher to use and disclose protected health information (PHI). The purposes of the research must be described in a waiver application and the IRB must determine that the researcher has satisfied all Privacy Rule requirements for the waiver [see FAQ for waiver].

Last updated: September 26, 2003