Main content

    Institutional Review Board (IRB) - HIPAA Compliance Application

    Printer-friendly version: HIPAA Compliance Application (MSWord 71 KB)
    If you have problems using the Word document, provide the IRB with the information below and submit to:
    IRB Office
    2200 Webster Street, 5th Floor, P-Campus,
    San Francisco, CA 94115

    For questions and help, please call:
    Leigh Pruneau, PhD, RN, CIP., Human Research Protection Program Administrator at (415) 600-3688.

    WHAT IS PHI?

    Protected Health Information (“PHI”) means any information [relating to the past, present or future physical or mental condition of an individual, to the provision of health care to an individual, or to the past, present or future payment for the provision of health care] that has been received, created, or stored by a researcher and which includes information that may be used to identify the patient. PHI includes any such information whether in oral or recorded form (both electronically and written).

    Provide the following information for HIPAA Compliance Application

    • Title of Project:
    • Principal Investigator's name: The Principal Investigator must be a medical staff member or an employee of CPMC. He or she is considered the responsible party for legal and ethical performance of the project.
      • Sutter Affiliation:
      • Department:
      • Mailing Address:
      • Phone Number:
      • Fax Number:
      • E-mail address:
      • If you wish to designate a contact other than the PI to receive correspondence regarding this IRB submission, please include their information: Name of Contact and E-mail address
    1. Enrollment: Subject accrual occurs: Mark the one that applies
      • Daily
      • Weekly
      • Monthly
      • Yearly
    2. Indicate your sources of health information:
      • Hospital/medical records (in patient and out patient)
      • Physician/clinic records
      • Mental Health records
      • Lab, pathology and/or radiology results
      • Data previously collected for research purposes
      • Biological samples obtained from the subjects
      • Billing records
      • Interviews/Questionnaires
      • Other, please describe:
    3. Which of the following identifiers will be used? Mark all that apply
      • Subject's Name
      • Geographic subdivisions smaller than a state (address, city, county, precint, zip code or equivalent geocode)
      • All elements of dates (except year) for dates directly related to an individual- including dates of admission, discharge, birth, death and for persons > 89, the year of the birth cannot be used
      • Telephone numbers
      • Fax numbers
      • E-mail address
      • Social security number
      • Medical record numbers
      • Health plan beneficiary numbers
      • Certificate/license numbers
      • Vehicle identification and serial numbers including license plates
      • Device identifiers and serial numbers
      • Web universal resource locator (URL)
      • Internet protocol addresses (IP)
      • Biometric identifiers, including fingerprints and voice recordings
      • Full face photos and comparable images
      • Any unique identifying number, characteristic, code
      • Without any identifiers. If you marked “without any identifiers”, and the research does not include PHI-- HIPAA regulations do not apply to this study, you do not need to finish this form.
    4. Indicate HOW the research team will USE and RETAIN the health information:
      • With a code that can be linked to the identity of the subject.
      • With a code maintained by the source of the data.
      • With limited identifiers: ZIP codes, geocodes, dates of birth, or other dates only. The study qualifies as a Limited Data Set and requires a Data Use Agreement. Use appropriate forms.
      • With unlimited identifiers. The study requires Consent/Authorization from the subject or a Waiver of Consent/Authorization from the IRB.
    5. Summary: Briefly summarize the collection, use, and sharing of PHI for this research study.
    6. Recruitment: Mark all that apply:
      • PI will recruit his/her own patients.
      • PI will send an IRB approved letter to colleagues asking for referrals of eligible patients who are interested in the research study. The treating physician will make initial patient contact. If the patient is interested, the patient will contact the PI or (with permission of the patient) the treating physician will invite the PI to talk with the patient about enrollment.
      • PI will send an IRB approved letter to colleagues asking the physician to send out IRB approved general "Dear Patient" letters describing the research study. The PI may draft the letter with the treating physicians' signature, but may not have access to the patient names or addresses for mailing. If the PI wants the letters to be addressed to individuals, the personal information would have to be entered by the treating physician.
      • Advertisements/media. All materials must have IRB approval.
      • Other, please describe:
    7. PHI Sharing: Mark all that apply:
      Indicate who may receive PHI during the course of the research study.
      • Coordinating Center
      • Statistician(s)
      • Consultants
      • Colleague(s)
      • Registry(s)
      • Lab(s)
      • Publications
      • Other (specify below):
    8. Data Security: PHI associated with this research study must be kept secured in accordance with HIPAA regulations. Data should be stored behind at least two of the following safeguards. Please mark all that apply.


      9. For electronic data:
      • Secure network
      • Password access
      • Other:
      For hardcopy data:
      • Locked suite
      • Locked office
      • Locked file cabinet
      • Data coded by PI or research team with a master list secured and kept separately.
      • Data de-identified by PI or research team
      • Other:

      Principal Investigator's acknowledgement that the information provided above is complete and correct

      Principal Investigator should provide signature/date