The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a critical regulation that safeguards the privacy and security of individuals’ health information. This includes protected health information (PHI), which encompasses an individual’s past, present, or future physical or mental health condition, the healthcare the individual has received, and payment for that healthcare, together with one or more identifiers that alone or in combination reasonably identify the individual.[1] When PHI is used in research, either the participant must give permission for the use of the information or the researcher must obtain a waiver for its use.[2] Understanding the nuances of HIPAA waivers, the requirements for obtaining them, and the concept of de-identified data is essential for researchers and healthcare professionals to ensure compliance and protect participants’ privacy. This blog post addresses common questions about HIPAA and PHI in clinical research.
What types of HIPAA waivers might I need?
When specific criteria are satisfied, the IRB can grant a waiver of authorization under HIPAA (a HIPAA waiver). The two most common types requested by researchers are a partial HIPAA waiver for recruitment and a full HIPAA waiver. A partial HIPAA waiver for recruitment is often requested when the study’s only use of PHI before contacting an individual is reviewing medical records to determine whether that individual would be eligible. If the individual enrolls in the study, they will still need to authorize the use of their PHI before it is collected or used for the research study.
A full HIPAA waiver allows the collection and use of participant PHI for study purposes without obtaining a HIPAA authorization from the participant at all. A full HIPAA waiver is frequently approved in conjunction with a waiver of consent.
What are the requirements for a HIPAA Waiver?
According to the Code of Federal Regulations, PHI can be used or disclosed for research if there are plans to protect and eventually destroy identifiers, and written assurances that PHI won’t be misused. The regulations state:
- “The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
  - An adequate plan to protect identifiers from improper use and disclosure;
  - An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law; and
  - Adequate written assurances that the PHI will not be reused or redisclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by this subpart;
- The research could not practicably be conducted without the waiver or alteration; and
- The research could not practicably be conducted without access to and use of the protected health information.”[3]
Generally, if there will be an interaction with the participant, or if the participant consents to be in the study, then it is practicable to get authorization as well. Likewise, if the study can be conducted without getting access to PHI, then the IRB should not grant a HIPAA waiver, and the study should be completed without access to PHI.
What does it mean for data to be de-identified according to HIPAA?
To be de-identified, the data must not contain any of the 18 categories of identifiable information under HIPAA.[4]
The more information collected about an individual, even if none of the 18 categories are included, the easier it is to identify that individual. When determining if a data set is truly de-identified, there needs to be an analysis of whether it is possible to re-identify the individuals in the data set either based on the data collected or when used in combination with other readily available data sources.
If the data set does contain any identifiable information, the data may still be considered de-identified “if a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, to identify an individual who is a participant of the information.”[5] For example, if the data set includes birthdates and/or zip codes, there may be so many people with the same birthdate or who reside in the same zip code that it is not reasonably possible to identify any one person from that data alone.
We are only receiving de-identified data. Do we need a waiver of authorization?
No. HIPAA only applies to identifiable information. If the data is coded or de-identified and the researcher does not have a way to re-identify the individuals, then this information is not regulated by HIPAA.
We keep all HIPAA identifiers separate from health information. We link them by a code that is kept separate from the health information. Is this information still PHI?
No. If the link between the data set and the identifiers is kept separate, and it is otherwise not possible to re-identify the individuals, then the data would be considered de-identified.
Do we need to get an authorization or request a waiver of authorization to review our medical records to develop the protocol and/or to screen potential participants?
This will likely depend on institutional requirements. Some institutions specifically require their researchers to obtain a waiver of authorization to review their records. This provides an additional level of protection to ensure that the PHI is being used appropriately.
If the institution does not have a requirement to obtain a waiver of authorization, then reviewing the medical records usually falls under the Preparatory to Research Exception of HIPAA. The regulation specifically states:
- “Standard: Uses and disclosures for research purposes –
  - Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that:
    - Reviews preparatory to research. The covered entity obtains from the researcher representations that:
      - Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research;
      - No protected health information is to be removed from the covered entity by the researcher in the course of the review; and
      - The protected health information for which use or access is sought is necessary for the research purposes.”[6]
We will generally interpret reviewing medical records to determine which individuals could be potential participants as similar to preparing a research protocol.
Our data set includes dates and zip codes but otherwise does not include identifiable information. Do we need to get a HIPAA waiver?
No. This data set would be considered a Limited Data Set. Under HIPAA, this is considered to be de-identified information if there is a Data Use Agreement in place between the covered entity and the researcher where the researcher attests that they will not try to re-identify the individuals and will not disclose the information except as allowed by HIPAA.[7]
Do we need to get a HIPAA waiver before screening participants over the phone?
No. In this case, it is the potential participant who is providing the information, so it is not necessary to get a waiver of authorization.
The sponsor is using remote monitoring visits. Do we need to get authorization from the participants or a waiver of authorization to provide the research records electronically to the sponsor?
In most cases, no. If the participant has authorized the sponsor to have access to their PHI, it generally does not matter if the records are provided electronically or in hard copy. Please note that if the consent form or HIPAA authorization specifically limits how the records will be viewed or shared, we will expect the site to comply with this limitation. For example, if the HIPAA authorization states that the sponsor will only have access to identifiable information when they are at the site, this limitation would preclude providing the records to the sponsor electronically, and in this case, you would need to get authorization from the participants or request a waiver of authorization.
The participant has withdrawn from the research. Can we continue to collect information about the participant, particularly from publicly available sources like the National Death Index?
There is a distinction between withdrawing from the study and withdrawing authorization to use and disclose PHI. If the participant has withdrawn from the study but has not withdrawn their HIPAA authorization, then the site can continue to collect and use PHI as described in the consent form or HIPAA authorization. If the participant has also withdrawn their authorization to use or disclose their PHI, then the site cannot collect any additional PHI on the participant as part of the study. Please note that information obtained from publicly available data sets is not considered PHI, so sites could view the National Death Index to determine a participant’s survival status.
My site inadvertently sent Protected Health Information (PHI) on the participant to the sponsor. Do we need to report this as a breach?
This will be a fact-based analysis, but generally, this will not be considered a breach. If the consent form indicates that the sponsor will have access to identifiable information, or that the research records will be provided to the sponsor, then the participant is authorizing the sponsor to have access to the PHI. In addition, the sponsor has an obligation to monitor the research, which includes going on site to review the research records, and the sponsor will have access to and may view the entire participant record.
Questions about state-specific HIPAA expiration language added at review
Why has the board added language about HIPAA expiration dates in certain states to my consent form?
While the federal HIPAA law does not require an expiration date for a HIPAA authorization, state law can impose one. California has long required an expiration date for the sharing of medical information. More recently, Delaware, Indiana, Illinois, and Washington have adopted similar requirements. When a template consent form indicates that a HIPAA authorization does not expire, we will add a statement specifying an expiration date that applies to the states above. The date chosen is an arbitrary date at the end of the reasonable time needed to complete the research goals. The expiration language is added to template consent forms rather than to individual sites’ forms, to avoid errors that could result in incomplete HIPAA authorizations as sites are submitted.
What are the state regulations that differ regarding requirements for authorization expiration dates?
While most states are aligned with the federal HIPAA requirements, if your trial has sites in the states of California, Delaware, Indiana, Illinois, or Washington, you may need to be aware of laws in those states impacting the expiration of authorizations to share PHI. These regulations are discussed below.
Federal HIPAA regulations state:
“An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement ‘end of the research study,’ ‘none,’ or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.”[8]
The final sentence allows the statement “this authorization does not expire” or similar for research purposes.
Several states require a specific date of expiry and/or omit the federal allowance for “no expiration” of HIPAA authorizations for research purposes.
- The California Civil Code requires that an authorization to disclose medical information:
  “States an expiration date or event. The expiration date or event shall limit the duration of the authorization to one year or less, unless the person signing the authorization requests a specific date beyond a year or unless the authorization is related to an approved clinical trial, as defined in Section 1370.6 of the Health and Safety Code, or medical research study, in which case the authorization may extend beyond one year if the expiration date or event extends no longer than the completion of the relevant clinical trial or research study.”[9]
California does not include the allowance that research uses of medical information need not expire, but providing a specific date satisfies the state regulations.
- Washington regulations state that the authorization must “…contain an expiration date or an expiration event that relates to the patient or the purpose of the use or disclosure.”[10]
- Delaware requires that the “…authorization shall be dated and shall specify to whom the disclosure is authorized, the general purpose for such disclosure, and the time period in which the authorization for the disclosure is effective.”[11]
- Similarly, Indiana requires the “date, event, or condition on which the consent will expire if not previously revoked.”[12]
- The Illinois expiration requirement pertains specifically to studies that include mental health information. However, state law defines mental health very broadly, and the definition could include mental health scales commonly used or accessed in many types of medical care and clinical trials. Specifically, “mental health or developmental disabilities services” or “services” includes but is not limited to examination, diagnosis, evaluation, treatment, training, pharmaceuticals, aftercare, habilitation or rehabilitation.[13]
  Illinois requires that the consent include “…the calendar date on which the consent expires, provided that if no calendar date is stated, information may be released only on the day the consent form is received by the therapist…”[13]
Questionnaires and assessments that relate to how the participant is feeling or thinking could be considered mental health, and WCG has chosen to be conservative and include an expiration date for Illinois, even for studies that are not mental health studies.
The Board added an expiration date for specific states to my HIPAA authorization language for my consent form. Can a different expiration date be chosen?
Yes. The date is an arbitrary date far enough in the future to encompass the needs of most research, but it can be adjusted to meet the needs of your specific research. Since the sponsor and site may not know when the research will be completed, WCG has chosen an outside date by which the study should have been completed, and it is no longer necessary to use or disclose the medical information collected as part of the research. If the study has been completed, there should not be a reason for the site or sponsor to use and disclose the information, even if the expiration date has not been reached.
If the site and/or sponsor have a better idea of when the study will be completed, then they can use an expiration date that is more closely aligned with the completion of the study.
My site is not in a state that has specific requirements for the authorization to share PHI expiration language, but the Board added language about expiration dates for sites in other states to my consent form. Can I request the removal of this sentence from my site’s consent form?
Yes. Although the statement is intentionally worded so that it will be accurate regardless of the location of the site, you can request that the language be removed if your site is not in one of the affected states.
Conclusion
There are many nuances around the requirements for obtaining consent to use PHI in clinical research. To ensure compliance and protect participants’ privacy, it is essential to understand the regulations and their implications. If you still have questions regarding HIPAA and PHI, feel free to contact WCG’s IRB experts today by completing the form below. We are ready to answer your questions and set your study up for success.
References
1. Summary of the HIPAA Privacy Rule: https://www.hhs.gov/sites/default/files/privacysummary.pdf.
2. Protecting Personal Health Information in Research: Understanding the Privacy Rule: http://privacyruleandresearch.nih.gov/pdf/HIPAA_Privacy_Rule_Booklet.pdf.
3. 45 CFR 164.512(i)(2)(ii).
4. 45 CFR 164.514(b)(2).
5. 45 CFR 164.514(b)(1).
6. 45 CFR 164.512(i)(1)(ii).
7. 45 CFR 164.512.
8. 45 CFR 164.508(c)(1)(v).
9. California Civil Code Division 1, Part 2.6, Chapter 2 § 56.11(b)(8): https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=1.&title=&part=2.6.&chapter=2.&article=.
10. Wash. Rev. Code Ann. § 70.02.030(3)(f): https://app.leg.wa.gov/rcw/default.aspx?cite=70.02.030.
11. 16 Delaware Code § 1210(2): https://delcode.delaware.gov/title16/c012/sc02/index.html#1210.
12. Indiana Code 16-39-1-4(9): https://iga.in.gov/laws/2023/ic/titles/16#16-39-1-4.
13. 740 ILCS 110/5(b)(6): https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2043&ChapterID=57.