
    California Pacific Medical Center
    Institutional Review Board (IRB)
    HIPAA Guidelines FAQ

    What is HIPAA?

    1. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.

    2. HIPAA regulations took effect April 14, 2001.

    3. Providers must comply with the regulations by April 14, 2003.

    4. HIPAA requirements, in many cases, repeat those under the California Confidentiality of Medical Information Act. Providers will need to comply with whichever provision of each law provides patients with the greater protection.

    5. HIPAA gives patients greater access to, and control over, their information.

    6. In nearly all cases, providers must get a patient's authorization to use or release information, except for treatment, payment, or health operations. Research is not considered “treatment, payment, or health operations” under HIPAA. Patients can request an accounting of all disclosures of their information that have been made by providers without written authorization, and can file complaints if they believe their privacy protections were violated.


    What is the Privacy Rule?

    The HIPAA provisions that protect the confidentiality of patient information are commonly referred to as the “Privacy Rule”.

    The Privacy Rule includes standards to:

    1. Limit the use and disclosure of health information

    2. Restrict most uses and disclosures of health information that are made without authorization to the minimum necessary to carry out the intended purpose of the research

    3. Give patients the right to:

      • Receive a Notice of Privacy Practices describing how a researcher uses and discloses their health information; each patient must receive this document at least one time

      • Receive a listing of certain releases by a researcher of their health information

      • Inspect, copy, and request amendments to their medical records

      • Request restrictions on uses and disclosures of their health information

      • Request alternate forms of communication (e.g., use work address instead of home; no postcards, etc.)

      • File a formal complaint about violations of privacy protections with CPMC IRB or with the Department of Health and Human Services

      • Revoke an authorization for use/disclosure of identifiable health information, to the extent the researchers have not already "relied on it".

    4. The Privacy Rule also:

      • Establishes criminal and civil penalties for improper use or disclosure ($25,000 for multiple violations in the same year; $250,000 and/or up to 10 years' imprisonment for knowingly misusing a person's protected health information)

      • Establishes new requirements for access to health-related records by researchers and their use and further disclosure of information.


    Why are researchers covered?

    Researchers who provide health care to individuals (e.g., in a clinical trial) are directly covered as health care providers. Researchers who access protected health information (e.g., medical records, computer databases) must also comply with the HIPAA Privacy Rule.


    When do I need to be in compliance?

    The compliance date for the Privacy Rule is April 14, 2003.


    What are the major implications for researchers?

    The Privacy Rule is extremely complex and requires that CPMC IRB put into place new policies and procedures. Clinical research is one area that is uniquely impacted by the regulations. From a clinical investigator perspective, the new regulations will affect how you access existing health information (medical/database record reviews) and how you handle identifiable information created as part of clinical research.

    In practical terms the major changes are as follows:

    1. In addition to informed consent requirements, investigators will need to obtain an authorization, with more detailed information, in order to use and release identified protected health information for research. An authorization form is a separate document that accompanies the informed consent and the experimental subject's bill of rights.

    2. The criteria that the IRB will use to waive the authorization and informed consent for medical record and database reviews, and for the use of specimens in research, have become much more stringent. You will be asked to provide more detailed information on your protocol applications and medical records/database request forms.

    3. Researchers will need to track individually identified information that is released for research: (1) when the information is released without authorization, (2) if an IRB waiver of authorization is granted, (3) if the researcher makes certain attestations about the use and disclosure of information released for research preparation activities (such as protocol development or subject recruitment), or (4) for studies involving decedents’ information. The purpose of this tracking is to provide patients, upon their request, with a list of how information about them was released for research and other non-treatment purposes without their knowledge.

    4. In some cases, before arrangements are made with other provider organizations and individual consultants to either use protected information or to generate, analyze or process such information on behalf of a researcher, a "business associate" agreement will need to be established. The business associate agreement is a form mandated by the Department of Health and Human Services, in which the other organization or consultant satisfactorily assures you and the hospital that they will protect the information. Before data is released, there will need to be specific assurances about the methods the recipient will use to ensure that the privacy of the information is protected. This will be documented in a data use agreement or a business associate agreement, depending on the situation. Call the Office of Clinical Research (415-600-1182) for further information regarding business associate agreements.


    What is Protected Health Information (PHI)?

    Protected Health Information (“PHI”) means any information [relating to the past, present or future physical or mental condition of an individual, to the provision of health care to an individual, or to the past, present or future payment for the provision of health care] that has been received, created, or stored by a researcher and which includes information that may be used to identify the patient. PHI includes any such information whether in oral or recorded form (both electronically and written).


    How are researchers able to access Protected Health Information (PHI) in compliance with the Privacy Rule?

    There are methods that allow patient information to be released for use by researchers. They are as follows:

    1. Through an AUTHORIZATION signed by the subject, OR

    2. One of the following methods of obtaining PHI without the subject’s signed authorization:

      • Research allowing a WAIVER OF AUTHORIZATION

      • All data is DE-IDENTIFIED (according to the specific standards of the Privacy Rule)

      • A LIMITED DATA SET is collected and released (according to the specific standards of the Privacy Rule)

      • Data is collected for PREPARATORY WORK for research purposes only

      • Special provisions are used for research on a DECEDENT'S PHI


    An authorization is a separate document used along with the consent form and the Experimental Subject’s Bill of Rights.

    Elements required in an authorization:

    1. The information you intend to use [description of the protected health information (PHI) to be disclosed]

    2. The people/organizations who may use or disclose the information [In most cases, this will be the principal investigator and his or her research team.]

    3. The people/organizations who will receive the information [study sponsor, clinical research organization, central laboratories, oversight agencies such as IRBs, FDA, or where applicable, the Office of Human Research Protections]

    4. Description of purpose

    5. Expiration date

    6. Right to refuse to sign the authorization

    7. Right to revoke authorization

    8. Advise subject that information may be re-disclosed and no longer protected by HIPAA.

    Will the Privacy Rule affect informed consent documents for clinical research involving intervention or interaction with subjects (clinical trials, survey studies)?

    Yes. The Privacy Rule specifies additional elements that must be included in getting permission from a subject to participate in clinical research. Current regulations already require that a consent document address how confidentiality will be protected. The Privacy Rule imposes more specific requirements for authorization to use identifiable health information. In addition to informed consent, investigators must now obtain specific written authorization for use and disclosure of a subject's protected information.

    Authorization language is required if investigators plan to access existing health information as part of the research and/or for any use or disclosure of health information that is generated during the course of the research.


    Will the Privacy Rule change how I obtain approval for medical record and database reviews and whether informed consent/authorization requirements can be waived?

    The review process to obtain approval for access to medical record and patient data for research purposes will not change. All requests to review records and databases for research purposes must be submitted to the IRB for review. In general, the IRB has been able to allow waivers of informed consent for medical record/database reviews. However, the new Privacy Rule criteria for allowing waivers are slightly different. The IRB will determine whether all of the criteria have been satisfied.

    What criteria will the IRB use to determine whether a waiver of authorization is permitted?

    The criteria include the following:

    1. The use or disclosure of the identifiable protected information involves no more than minimal risk to the privacy of the individual.

    2. The use or disclosure must include a plan to protect the information from improper use and/or disclosure.

    3. All uses and disclosures must be covered by a plan to destroy the identifiers at the earliest opportunity consistent with the conduct of research unless there is a health or research justification for retaining the identifiers, or such retention of identifiers is required by law.

    4. The researcher needs to assure in writing that the protected information will not be reused or disclosed to 3rd parties unless required by the law for authorized oversight of the research study.

    5. The research could not practicably be conducted without the waiver and the waiver must not adversely affect the privacy rights and welfare of the individual.

    6. The research could not be practicably conducted without access to and use of the health information.

    Once I have a waiver of authorization, can I access all of the subject's information?

    No. The Privacy Rule permits only the minimum necessary amount of information to be accessed under a waiver for research. You will need to identify and justify what identifiable information you will need, and the waiver will be limited to those elements only.


    Under the Privacy Rule, properly de-identified information is no longer protected health information. However, it is important to make sure that data meets the very stringent criteria under the Privacy Rule for de-identification.

    There are two methods to de-identify data:

    1. ALL of the following 18 elements listed relating to the individual, his or her relatives or employer must be removed, and you must ascertain there is no other available information that could be used alone or in combination to identify an individual:

      • Names

      • Geographic subdivisions smaller than a state (address, city, county, precinct, zip code or equivalent geocode)

      • All elements of dates (except year) directly related to an individual, including dates of admission, discharge, birth and death; for persons older than 89, the year of birth cannot be used

      • Telephone numbers

      • Fax numbers

      • Electronic mail address

      • Social security number

      • Medical record numbers

      • Health plan beneficiary numbers

      • Account numbers

      • Certificate/license numbers

      • Vehicle identification and serial numbers including license plates

      • Device identifiers and serial numbers

      • Web universal resource locator (URL)

      • Internet protocol addresses (IP)

      • Biometric identifiers, including fingerprints and voice recordings

      • Full face photos and comparable images

      • Any unique identifying number, characteristic, code, etc. Note: an unusual disease or condition that, alone or together with other information, is sufficient to identify an individual may be considered an “identifier”.

      The Privacy Rule considers "coded" information to be de-identified if ALL 18 specific identifiers are coded or removed and the individual cannot reasonably be identified. The code cannot be derived from or related to information about the individual. The Privacy Rule does consider the code itself to be protected information; therefore, the entity cannot disclose the code or any re-identification code for any other purpose without the prior approval of the IRB. In addition, the recipient must not receive information pertaining to the “code” that would allow identification of the subject.

    2. If one or more of the identifiers listed above is present, then the information cannot be considered "de-identified" unless a person with appropriate expertise (e.g. a statistician) has determined, justified, and documented that the risk is very small that the information could be used, alone or in combination with any other reasonably available information, by an anticipated recipient to identify the individual.

    If either of the two methods can be used to de-identify information, no further steps need to be taken, because the Privacy Rule does not apply to de-identified information.
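    The following is an added worked example, not code from CPMC IRB, DHHS or any HIPAA tool. It applies the first de-identification method above (removal of all 18 identifier classes) to a constructed patient record: the listed fields are dropped, dates are reduced to the year, the birth year is dropped for persons older than 89 as the FAQ states, and the remaining free-text fields are scanned for identifier-shaped values that would defeat the "no other available information" requirement. It also shows a re-identification code that satisfies the coded-information rule: the code is random and the key table is kept apart from the data set, because a code derived from the medical record number (for example a hash of it) is "derived from" information about the individual. The field names, the compliance date used as the reference date and the sample record are assumptions for illustration.

```python
import re
import secrets
from datetime import date
from typing import Optional

# Field names are assumed for this example; each maps onto one of the 18 listed identifier classes.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "city", "county", "zip", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_no", "license_no", "vin", "device_serial",
    "url", "ip", "biometric", "photo",
}
# Dates directly related to the individual: only the year may remain.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Reference date for computing age (assumed: the Privacy Rule compliance date from the FAQ).
COMPLIANCE_DATE = date(2003, 4, 14)

ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")
# Patterns that betray a listed identifier inside free text (notes, comments).
LEAK_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def year_only(value: str) -> Optional[str]:
    """Reduce an ISO date to its year; a value that is not an ISO date is dropped."""
    m = ISO_DATE.match(value)
    return m.group(1) if m else None


def age_in_years(dob: str, reference: date) -> int:
    """Whole years between an ISO date of birth and the reference date."""
    y, mo, d = (int(x) for x in ISO_DATE.match(dob).groups())
    return reference.year - y - ((reference.month, reference.day) < (mo, d))


def safe_harbor_deidentify(record: dict, reference: date = COMPLIANCE_DATE) -> dict:
    """Method 1 from the FAQ: remove all 18 identifier classes and keep year-only dates."""
    out = {}
    over_89 = "dob" in record and age_in_years(record["dob"], reference) > 89
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                      # removed outright
        if field in DATE_FIELDS:
            if field == "dob" and over_89:
                continue                  # FAQ: year of birth cannot be used for persons > 89
            year = year_only(value)
            if year is not None:
                out[field] = year         # keep the year only
            continue
        out[field] = value
    return out


def find_leaks(record: dict) -> list:
    """List fields that still carry an identifier: a listed field, or free text shaped like one."""
    leaks = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            leaks.append((field, "direct identifier present"))
            continue
        if isinstance(value, str):
            for kind, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    leaks.append((field, kind))
    return leaks


class CodeBook:
    """Random re-identification codes; the key table stays with the covered entity, not the data."""

    def __init__(self) -> None:
        self._code_to_mrn = {}
        self._mrn_to_code = {}

    def code_for(self, mrn: str) -> str:
        if mrn not in self._mrn_to_code:
            code = secrets.token_hex(8)   # unrelated to the MRN; a hash of the MRN would not qualify
            self._mrn_to_code[mrn] = code
            self._code_to_mrn[code] = mrn
        return self._mrn_to_code[mrn]

    def reidentify(self, code: str) -> str:
        return self._code_to_mrn[code]


# Constructed sample record for demonstration only; not real patient data.
SAMPLE = {
    "mrn": "MRN-000123", "name": "Jane Example", "zip": "94115",
    "dob": "1910-03-02", "admit_date": "2002-11-20", "discharge_date": "2002-11-25",
    "diagnosis": "pneumonia", "notes": "Call 415-555-0100 before discharge.",
}

if __name__ == "__main__":
    book = CodeBook()
    clean = safe_harbor_deidentify(SAMPLE)
    clean["code"] = book.code_for(SAMPLE["mrn"])   # the data set carries only the random code
    print(clean)
    print("remaining leaks:", find_leaks(clean))   # the phone number in the notes is flagged
```

    Run as a script, the sample record loses its name, MRN and zip code, keeps only the admission and discharge years, loses its birth year entirely (the patient is over 89 at the reference date), and is still reported as not de-identified because a telephone number survives in the free-text notes; that last step is the check the FAQ means by ascertaining that no other available information could identify the individual.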


    What is a limited data set and how can it be used?

    The Privacy Rule also refers to a "limited data set".

    A limited data set is protected health information that has been stripped of 16 specified identifiers. Unlike de-identified data, it retains its character as protected health information and therefore is subject to the minimum necessary standard. However, it can be released without authorization only if the recipient executes a Data Use Agreement that meets regulatory standards. The Department of Health and Human Services (DHHS) believes that execution of a Data Use Agreement is sufficiently protective that Limited Data Sets are not subject to the accounting standards, even though they are released without authorization.

    HIPAA allows an investigator to use or disclose a "limited data set" provided:

    • The covered entity releases only the minimum necessary information to meet the recipient's well-defined needs.

    • The recipient must enter into a "data use agreement" with CPMC in a form mandated by HIPAA. The data use agreement generally describes the permitted uses and disclosures of the information and prohibits re-identifying or using the information to contact individuals. Any recipient who receives protected health information under the limited data set provisions is required to sign a data use agreement.

    If these criteria are met, then a subject authorization or request for waiver of authorization does not apply.

    Preparatory work: how can PHI be used?

    CPMC IRB may permit a researcher access to PHI without obtaining patient authorization or a waiver of authorization if the researcher submits a signed statement called “Researcher Attestation” that includes the following information:

    • Access to PHI is requested solely to prepare a research protocol or for similar purposes to prepare a research proposal (e.g. to design a research study or to assess the feasibility of conducting a study).

    • No PHI will be removed from the medical record.

    • This is not an acceptable method for screening or recruitment purposes.

    Decedents' PHI: how can it be used?

    HIPAA protects PHI for deceased individuals.

    CPMC IRB may permit a researcher access to the PHI without obtaining patient authorization or a waiver of authorization if the researcher submits a signed statement called “Researcher Attestation” that includes the following information:

    • Access to PHI is requested solely for research on the PHI of decedents.

    • The PHI requested is the minimum necessary for the research purpose.

    • Documentation of the death of the patients whose PHI is being requested, unless the researcher has such documentation in its records.

    • California State Law requires expedited review by the IRB for state-created death registries.


    For Ongoing Research, How Do I Transition To New Privacy Rule Requirements?

    What happens on April 14, 2003? Will I need to use new consents?

    Subjects who were enrolled before April 14, 2003, do not need to sign an authorization, even if the subject has follow-up visits after that date.

    If you enroll subjects after April 14, 2003, even under a previously approved protocol, the Privacy Rule requirements will need to be implemented.

    On and after April 14, 2003, investigators will be asked to attach a separate HIPAA Authorization to each informed consent document. It is the investigator's responsibility to be certain that this form is signed by each research subject enrolled after April 13, 2003 in addition to the informed consent and experimental subject’s bill of rights. Investigators must be certain this requirement is fulfilled. Otherwise, you will not be able to use or disclose subjects' protected information or any related research data, and you will have violated their rights under HIPAA.


    What are the implications of the Privacy Rule on Recruitment Practices?

    Does HIPAA impact how subjects are recruited into clinical trials?

    Recruitment of subjects into clinical trials often requires that identifiable health information be provided to individuals who are performing the research. The IRB will continue to review the proposed recruitment practices as part of protocol review.

    Some situations to note:

    • A potential subject may contact a researcher about a study (e.g. responding to a recruitment notice); HIPAA does not prohibit or affect this, nor does it affect how you should answer a potential subject’s inquiries about the nature of the study.

    • A treating physician may share de-identified information with a researcher to determine a patient's eligibility for a study, provided the new HIPAA requirements for de-identification are met.

    • CPMC medical staff may contact their own patients for purposes of recruiting them to participate in a research study without a patient authorization or a waiver of authorization.

    • If approved by the IRB, a treating physician and researcher should co-sign a recruitment letter to patients, with no new HIPAA requirements.

    • If a treating physician proposes to share identified health information with a researcher to discuss potential enrollment in the research, HIPAA requires that either the patient's authorization be obtained by the treating physician or the IRB approve this sharing with a waived authorization.

    • If a researcher wants to review medical records to identify potential subjects, the researcher will need to include this plan either in the research protocol or in writing and the IRB will need to determine whether waiver criteria have been met or an authorization needs to be obtained from the patient.


    What do I need to know about a subject’s ability to revoke an authorization to use his or her protected health information?

    A subject always has the right to revoke consent to participate in the research. The Privacy Rule requires that a subject have the ability to revoke a previously signed authorization for researchers to use or disclose his or her protected, identifiable information for research. Researchers must honor this request, except to the extent they have already "relied on" the permission. As an example, if researchers have already included a person's protected information in the analysis of the data, the analysis can be maintained. In addition, researchers may "continue using and disclosing protected health information that was obtained prior to the time the subject revoked his or her authorization, as necessary to maintain the integrity of the research study.” However, researchers may not use or disclose additional information that they have not yet accessed at the time the authorization is being withdrawn, except for purposes such as accounting for the subject's withdrawal, reporting adverse events, or complying with investigations.

    If a subject revokes authorization to use his or her protected information, HIPAA permits you to withdraw them from the study, including any treatment component (subject, of course, to any other professional standards that would prompt their continuation, such as the medical need for them to taper off a study drug).


    When and how do I track/account disclosures of protected health information?

    In certain situations, the Privacy Rule requires keeping track of when, where and what identifiable health information is disclosed outside of CPMC. Tracking is generally required when the authorization of the subject has been waived by the IRB and the information is being disclosed outside of CPMC, or the information has otherwise been obtained, used, or disclosed without authorization as permitted by the Privacy Rule for research on decedent’s information or using information for research preparatory activity. Tracking is also required for disclosures to public registries and to FDA monitors if these activities have not been specifically authorized.

    Tracking is not required for research uses and/or disclosures that have been authorized by the subject as described above. The purpose of this tracking is to provide patients, upon their request, with a list of how information about them was released for research and certain other non-treatment purposes without their knowledge. The investigator will be responsible for entering, or having staff enter, the disclosure into a tracking system.


    What is a Business Associate Agreement and when do I have one?

    A “Business Associate” means a third party with which California Pacific Medical Center has executed a business associate agreement. A Business Associate relationship is created whenever California Pacific Medical Center discloses PHI to a third party in order for that party to perform a service for California Pacific Medical Center.

    HIPAA requires us to enter into a specific form of agreement with any "business associate" before protected health information is disclosed to it.


    A third party that is asked to perform a function on the hospital's or researchers' behalf that is not itself research may be a business associate if it receives, analyzes or processes protected health information. For example, the following are all likely to be business associates: a consultant or contractor that analyzes data or performs lab tests on identifiable tissue samples; a software installer who has access to identified information during the installation; a research institution or investigator performing part of the research under a subcontract with CPMC; a web hosting or data storage company that you (rather than the sponsor) have engaged; third parties that handle billing for a research study on your or CPMC's behalf; a third party that handles recruitment and screening engaged by you or CPMC, rather than the sponsor; and a third party who de-identifies data or creates a limited data set on behalf of CPMC.


    Outside researchers and coordinating or statistical centers participating in multi-site research are generally not business associates. Third parties that sponsor research are generally not business associates. CROs (contract research organizations), monitors and data warehouses engaged by a sponsor are not your (or CPMC’s) business associates, even if you will receive or have access to their work product (because they are performing these functions on behalf of the sponsor, not you or CPMC).


    Are There Special Considerations For Multi-Center Research?

    Investigators often engage in a variety of collaborative relationships with individuals and entities outside of CPMC. As of April 14, 2003, the sharing of protected identifiable information with researchers and research sites outside of CPMC will constitute a "disclosure" of protected health information subject to the HIPAA Privacy Rule. When information is shared among multiple sites, the Privacy Rule may present issues that do not arise in other research contexts. Investigators involved in multi-center research should consider the following in determining how the Privacy Rule will impact their studies.

    If individually identifiable research data is to be shared with sites outside of CPMC, you will need to consider the following:

    • The consent/authorization form (assuming no waiver has been granted) should list the sites and sponsor (if any) that may be involved in the research and to which subjects' identifiable health information may be disclosed, and for what purposes the information will be disclosed.

    • The sites will have to develop a cooperative mechanism for protecting subjects' individual rights as provided by the Privacy Rule. Specifically, sites must be able to:

      1. obtain identifiable health information from one another to respond to a subject's request to inspect or copy the information;

      2. inform one another of amendments to a subject's health information; and

      3. in waivered studies, advise one another (and the sponsor, if any) of a subject's request to receive an accounting/listing of disclosures.

    • The investigator should determine whether any relationships with outside sites or entities with which identifiable information will be shared are business associate relationships requiring agreements. Outside researchers and research sites, coordinating and statistical centers, and sponsors are generally not business associates. However, certain entities that perform a function on the researchers' behalf that is not itself research (e.g. web hosting companies) may be business associates.

    • If research data can be de-identified or meet the criteria for a limited data set before it is disclosed to other sites or entities, then the disclosure is not subject to the other Privacy Rule requirements. Disclosure of a limited data set would require a data use agreement.
