*** Content Under Review ***  

*** See www.compliance.wisc.edu/hipaa for up-to-date content. ***

The UW-Madison HIPAA Compliance Program is updating policies, forms, FAQs, and guidelines to better serve your needs. Additionally, we are migrating content from these pages to www.compliance.wisc.edu/hipaa; once the migration is complete, this site will be retired and visitors to these pages will be redirected to that location. Thank you in advance for your patience!

Please forward your website improvement suggestions to hipaa@wisc.edu.   


Human Subjects Research and the HIPAA Privacy Rule

When HIPAA took effect in 2003, it outlined new procedures for collecting and sharing protected health information (“PHI”) in research.   Unless one of the exceptions discussed below applies, investigators who wish to use or disclose PHI for research purposes must obtain a signed authorization from each research subject.   Institutions are required to establish a “Privacy Board” to review and approve requests for waivers of authorization for uses and disclosures of PHI for research purposes.   At UW-Madison, the IRBs serve as the Privacy Board.   Thus, researchers are not obliged to apply to two separate committees.

See the additional FAQs, Definitions, Forms, and Guidance for using and disclosing PHI in research for more information.

Mandated Training

According to federal regulations, all institutions governed by HIPAA must train their employees regarding uses and disclosures of PHI.   UW-Madison provides online training for new employees and annual training updates for existing employees.

In addition, UW-Madison researchers involved in human subject research must complete the HIPAA Training Module #1 or 3: Compliance with the Health Insurance Portability and Accountability Act of 1996 in Human Subjects Research.

Research Proposal Requirements Summary

For more details, see the Guidance page of the "For Researchers" tab.

Requirements for new research proposals:

Researchers should prepare and submit their research protocols for IRB review and submit their HIPAA-related documents to the IRB at the same time.   Researchers whose new protocols involve PHI should either:

    1. Collect written authorization from patients for the use and/or disclosure of their PHI in research;
    2. Ask the IRB for a waiver of authorization;
    3. Use a limited data set (“LDS”) subject to an executed data use agreement; or
    4. Deidentify the data.

In addition, there are two circumstances in which IRB approval is not required but a researcher working with PHI must still make representations under HIPAA:

    1. Research on decedents. You will be required to fill out a form and certify to the office that holds the data that you meet certain requirements.
    2. Activities preparatory to research (e.g., review of medical records, databases, etc.) in order to design a research protocol.



HIPAA Privacy Officer

Amanda K. Reese

4170 Health Sciences Learning Center
750 Highland Avenue
Madison, WI 53705

(608) 262-2059


HIPAA Security Officer

Stefan Wahe 

Room 2164 Computer Science & Statistics
1210 W. Dayton Street
Madison, WI 53706

(608) 265-1177


Anonymous Hotline (Anonymous Human Research Protection Hotline):

To report an IT security incident or loss of sensitive data, call the DoIT Help Desk:
608-264-HELP (4357)