Topics Map > ARROW > Initial Review

Completing the HIPAA Section

How to Complete the HIPAA Section

What is the purpose of the HIPAA section?

The HIPAA section of the initial review smartform asks study teams to indicate whether the research will involve access, collection, use or disclosure of individually identifiable health information. The purpose of this section is to determine whether HIPAA Privacy Rule regulations apply to the research being conducted.

When does the HIPAA section display?

The HIPAA section will display for the following Initial Review Application types: Full review, Exemption, Non-exempt medical records, and National Cancer Institute Central IRB (NCI-CIRB) facilitated review applications. The HIPAA section is the eleventh section of the initial review smartform.

What if I am not sure about whether my study is HIPAA regulated?

For general information about the HIPAA Privacy Rule and whether it applies to a particular research study, review the HIPAA Privacy Rule Research Guidance (http://hipaa.wisc.edu). Also, if you are not sure about how to answer questions in this section of the initial review smartform, please contact the main office to speak to the staff reviewer on call (263-2362) or email asktheirb@medicine.wisc.edu for assistance.

How should study teams answer question 1.1 of the HIPAA section?

Question 1.1 of the HIPAA section asks study teams if the study involves individually identifiable health information. Study teams should answer "Yes" if BOTH of the following are true:

  • The study team will access health information from medical records or collect health information from either medical records or directly from subjects for the purpose of the research.
  • The study team plans to use health information in their research or disclose health information to collaborators outside of the UW-Madison.

Study teams should answer "No" to this question if ANY of the following are true:

  • The study team does not plan to access medical records or obtain health information from either medical records or directly from subjects for use in the research study.
  • The study team will not use or disclose individually identifiable health information for the purposes of the study.

How should study teams answer the second question of the HIPAA section?

Question 1.1.1 of the HIPAA section asks study teams whether anyone involved in conducting the study is part of the HIPAA covered entity at UW-Madison. Study teams should answer "Yes" to this question if any study team member is part of the HIPAA covered entity, known as the UW-Madison Health Care Component (HCC) and Affiliated Covered Entity (ACE). If you are not sure whether your unit or department is part of the UW-Madison HCC or ACE, further information can be found in the HIPAA Privacy Rule Research Guidance Definitions.

How should study teams answer question 2.1 of the HIPAA: Outside UW-Madison HCC page?

This question asks how study teams have access to protected health information (PHI) if all study team members are outside the UW-Madison HCC and ACE. The most common situations involve the subject providing the information directly to the study team, or the study team obtaining a de-identified or a limited dataset (with a data use or data sharing agreement).

How should study teams answer question 3.1 of the HIPAA: Continued page?

This question asks how the study team will address HIPAA requirements. There are six options from which to choose. The following table lists the options and states when they are appropriate.

Obtain HIPAA authorization
Study teams should choose this option if they will be obtaining written HIPAA authorization via a HIPAA authorization form or a combined consent and authorization form.
Request for Waiver of Authorization
Study teams should choose this option if they wish to request a full waiver of authorization for the entire study.  An example of when this is appropriate is a study that involves only review of medical records.
Request for Altered Authorization
Study teams should choose this option if they will obtain HIPAA authorization, but in some way other than via a written authorization form or combined consent and authorization form.  An example of this is obtaining authorization verbally over the phone.
Request for Partial Waiver of Authorization
Study teams should choose this option if they wish to request a full waiver of authorization for part of the study.  An example of when this is appropriate is a study that involves a retrospective chart review of patients who are lost to follow-up in addition to prospective patient recruitment.  A partial waiver of authorization would be requested for the retrospective subjects only, and written HIPAA authorization would be obtained for the prospective subjects.
Data Use Agreements for a Limited Dataset
Study teams should choose this option under the following conditions: 1) if they will share a limited data set outside UW-Madison without obtaining subject authorization, 2) if they will record a limited data set for use within UW-Madison, but without obtaining subject authorization, or 3) if they will receive a limited data set from outside UW-Madison under a Data Use Agreement.
Create a De-identified Dataset
Study teams should choose this option if they will access subject PHI but will not record any HIPAA identifiers or link study data to identifiers via a study ID code.  An example of this is conducting a retrospective chart review without recording or linking to identifiers.

How should study teams answer question 3.2 of the HIPAA: Continued page?

This question asks which HIPAA identifiers will be associated with the study data set. The study team should check all the listed identifiers that will either be included in the study data set or linked to it via a study code. If the study team will record a de-identified data set, “None of the above” should be checked.

How should study teams answer question 4.1 of the HIPAA Authorization page?

If the study team intends to use a separate HIPAA authorization form, it should be uploaded to 4.1. If the study team intends to use a combined consent/authorization form, the form should be uploaded to the Informed Consent: Overview page, not the HIPAA Authorization page.

How should study teams answer question 5.1 of the Request for Waiver, Altered or Partial Waiver of Authorization page?

(Please note that this page must be completed if the study team requests a full waiver of HIPAA authorization, a partial waiver of HIPAA authorization, or altered authorization. It must be completed only once, even if more than one of these options is selected.) This question asks for a list of specific health information that will be used in the study, including the identifiers that were checked in response to 3.2 of the HIPAA section. The study team should list all the health information variables that will be included in the study data set, including any identifiers. The list should be consistent with any data collection forms provided in the application. If the list is extensive, certain similar variables may be grouped into one category, e.g. lab values.

How should study teams answer question 5.1 of the Request for Waiver, Altered or Partial Waiver of Authorization page?

This question asks whether the study team intends to share subjects’ protected health information (PHI) outside the UW-Madison HCC/ACE or the Madison VA Covered Entity under a waiver of authorization. If so, HIPAA accounting requirements may apply to the study and the study team must contact the HIPAA Privacy Officer for UW-Madison or the Privacy Officer for the Madison VA to ensure that HIPAA regulations are met.

How should study teams answer question 5.3 of the Request for Waiver, Altered or Partial Waiver of Authorization page?

This question asks for a summary of the data security measures described in question 1.3 of the Privacy/Confidentiality page.

How should study teams answer question 5.4 of the Request for Waiver, Altered or Partial Waiver of Authorization page?

This question asks how and when the study team will destroy HIPAA identifiers. If there is no plan to destroy them, the study team must state this and provide a justification. Please note that the UW-Madison Faculty Bylaws recommend storing research data and identifiers for 7 years to protect against allegations of research misconduct and fraud.

How should study teams answer question 5.5 of the Request for Waiver, Altered or Partial Waiver of Authorization page?

This question asks for a justification for the waiver of authorization or altered authorization. The response here should address two points: a) why the specific PHI is needed; and b) why written authorization cannot be obtained for the use of PHI. For example, study teams can explain that only the minimum necessary PHI needed will be collected, the medical record is the best source of the PHI, and it would be difficult to obtain written authorization given that the study team will not interact with the patients whose information will be used for the research.

How should study teams answer question 6.1 on the LDS page?

This question asks about the nature of the limited data set the study team will use. Please note that this page does not apply to studies that involve a limited data set from the Madison VA.

Use of a limited dataset collected within the UW-Madison HCC/ACE which will not be disclosed to outside institutions
Study teams should choose this option if they are collecting a limited data set from within the UW-Madison HCC for their own use within the UW-Madison HCC.  Limited data will not be shared outside the UW-Madison HCC.  For more information about when this is appropriate, see http://www.hipaa.wisc.edu/guidance.htm#LimitedDataSet.
Disclosure of a limited dataset collected within the UW-Madison HCC to outside institutions
Study teams should choose this option if they are collecting a limited data set from within the UW-Madison HCC and will share it outside the UW-Madison HCC.  For more information about when this is appropriate, see http://www.hipaa.wisc.edu/guidance.htm#LimitedDataSet under the Data Use Agreement header.
Receipt of a limited dataset from an outside institution
Study teams should choose this option if they will receive a limited data set from outside the UW-Madison HCC for their own use.

How should study teams answer question 6.2 on the LDS page?

If a study team will collect a limited data set from within the UW-Madison HCC/ACE for their own use within the UW-Madison HCC (the first option in 6.1), a Certification for Use of a Limited Data Set is required. This must be completed and signed by the PI, converted to PDF format, and uploaded to 6.2. A copy should be sent to the UW Madison HIPAA Privacy Officer as well. The form is located at http://www.hipaa.wisc.edu/guidance.htm#LimitedDataSet.

How should study teams answer question 6.3 on the LDS page?

If a study team will collect a limited data set from within the UW-Madison HCC/ACE and will share it outside the UW-Madison HCC (the second option in 6.1), a Data Use Agreement is required. Please contact the UW-Madison HIPAA Privacy Officer for assistance in creating a Data Use Agreement. Please note that it must be signed by a UW-Madison Official with Board of Regents signatory authority either in Business Services or Research and Sponsored Programs, by the UW PI, and by the recipient of the limited data set. After all signatures have been obtained, the document must be converted to PDF format and uploaded to 6.2.

How should study teams answer question 6.4 on the LDS page?

If a study team will receive a limited data set from outside the UW-Madison HCC/ACE, a Data Use Agreement will likely be required by the institution from which the data set originates. Please upload a copy of this document in PDF format to 6.4. Please note that investigator’s must not sign the agreement on behalf of UW-Madison. The agreement must be signed by a UW-Madison Official with Board of Regents signatory authority either in Business Services or Research and Sponsored Programs, If there is a question as to whether a DUA is required, the study team should contact the HIPAA Privacy Officer or reviewing IRB at the originating institution.




Keywords:HIPAA, privacy, ACE, HCC,   Doc ID:17449
Owner:Faye L.Group:Health Sciences IRBs
Created:2011-03-24 18:00 CSTUpdated:2016-02-04 10:34 CST
Sites:Health Sciences IRBs
Feedback:  0   0