Human Subjects Research and the HIPAA Privacy Rule
When HIPAA took effect in 2003, it outlined new procedures for collecting and sharing protected health information (“PHI”) in research. Unless one of the exceptions discussed below applies, investigators who wish to use or disclose PHI for research purposes must obtain a signed authorization from each research subject. Institutions are required to establish a “Privacy Board” to review and approve requests for waivers of authorization for uses and disclosures of PHI for research purposes. At UW-Madison, the IRBs serve as the Privacy Board. Thus, researchers are not obliged to apply to two separate committees.
See the additional FAQs, Definitions, Forms, and Guidance for using and disclosing PHI in research for more information.
According to federal regulations, all institutions governed by HIPAA must train their employees regarding uses and disclosures of PHI. UW-Madison provides online training for new employees and annual training updates for existing employees.
In addition, UW-Madison researchers involved in human subject research must complete the HIPAA Training Module #1 or 3: Compliance with the Health Insurance Portability and Accountability Act of 1996 in Human Subjects Research.
Research Proposal Requirements Summary
For more details, see the Guidance page of the "For Researchers" tab.
Requirements for new research proposals:
Researchers should prepare their research protocols for IRB review and submit their HIPAA-related documents to the IRB at the same time. Researchers whose new protocols involve PHI should do one of the following:
- Collect written authorization from patients for the use and/or disclosure of their PHI in research;
- Ask the IRB for a waiver of authorization;
- Use a limited data set (“LDS”) subject to an executed data use agreement; or
- Deidentify the data.
In addition, there are two circumstances in which IRB approval is not required but a researcher working with PHI must still make representations under HIPAA:
- Research on decedents. You will be required to fill out a form and certify to the office that holds the data that you meet certain requirements.
- Activities preparatory to research (e.g., review of medical records, databases, etc.) in order to design a research protocol.