IRB-HSR Home Institutional Review Board for Health Sciences Research

HIPAA Regulations and Research

What is HIPAA?
What is PHI?
What Does the Privacy Rule Have To Do With Research?
What is the IRB's Role?
Research Provisions of the Privacy Rule
Additional Resources

HIPAA Learning Shots:

What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996.

The intention of HIPAA is to protect patients from inappropriate disclosures of "Protected Health Information" (PHI) that can cause harm to a person's insurability, employability, etc.

The privacy provisions of HIPAA found in the Privacy Rule apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses.

What is PHI?

PHI is information that can be linked to a particular person and that is created, used, or disclosed in the course of providing a health care service (i.e., diagnosis or treatment).

What Does the Privacy Rule Have To Do With Research?

HIPAA affects only that research which uses, creates, or discloses PHI.

Researchers have legitimate needs to use, access, and disclose PHI to carry out a wide range of health research studies.

The Privacy Rule protects PHI while providing ways for researchers to access and use PHI when necessary to conduct research.

In general, there are two types of human research that would involve PHI:

  • Studies involving review of existing medical records as a source of research information. Retrospective studies, such as chart reviews, often do this. Sometimes prospective studies do it also, for example, when they contact a participant's physician to obtain or verify some aspect of the participant's health history.
  • Studies that create new medical information because a health care service is being performed as part of the research, such as testing of a new way of diagnosing a health condition or a new drug or device for treating a health condition. Virtually all sponsored clinical trials that submit data to the U.S. Food and Drug Administration (FDA) will involve PHI.

What is the IRB's Role?

The IRB-HSR acts as the Privacy Board at UVa to review the use/disclosure of PHI and to determine whether the subjects should sign an "Authorization" (which adds additional language to the consent template) or whether a Waiver of Authorization (roughly analogous to a Waiver of Consent under the Common Rule) may be granted. At UVa, the requirements for a HIPAA Authorization have been incorporated into the research consent form to eliminate the need for multiple forms. If for some reason a research consent will not be obtained, the IRB-HSR provides a template for a Stand-alone HIPAA Authorization.