
Medical Records and HIPAA

The Privacy Rule in the Health Insurance Portability and Accountability Act (HIPAA) directly affects researchers who wish to obtain protected health information (PHI, essentially medical records) about their participants. Obtaining such information requires adding information to the consent form and is subject to other restrictions. The IRB-SBS does not review studies where a medical record is used; these studies are reviewed by the IRB-HSR. For a more thorough discussion of this topic, please see their Protected Health Information (HIPAA) section. If you have any questions regarding which IRB should review your study, check out the HSR/SBS decision algorithm. If this doesn’t answer your question, please contact our office (or the HSR) before completing our protocol form, as each IRB has separate submission procedures.

De-identified data are not subject to HIPAA regulations and also qualify for exemption. HIPAA defines 18 specific identifiers that must be removed from the PHI in order for the data to be considered de-identified (please note that, after the 18 items are removed, the researcher must not be able to identify the individual from the remaining data). These items are listed in the Identifiers section.

The data can be coded for re-identification, but the code cannot be derived from any information about the individual.  However, a re-identification code does not qualify the data as “anonymous” according to IRB regulations; thus the protocol cannot qualify for exemption and a waiver of consent would need to be considered.
