Anytime you are accessing or using protected health information (PHI) held or transmitted by a covered entity subject to HIPAA protections, HIPAA applies. A covered entity is a (1) health plan, (2) health care clearinghouse, and (3) health care providers who electronically transmit any health information in connection with transactions. For example, doctors, clinics, hospitals, psychologists, dentists, nursing homes, pharmacies. HIPAA applies to MU Health Care records.  

If you do not obtain a HIPAA authorization from patients to access or use their PHI in research, you must obtain a HIPAA waiver by the MU IRB.  

If you are only accessing PHI of the deceased, then HIPAA does not apply. You should submit the “HIPAA-Research on Decedent’s Information form” in eCompliance to confirm HIPAA does not apply. 

You will need a HIPAA waiver to screen the medical record for eligibility when you do not already have permission (a HIPAA authorization) from the subject for your study. You must have an approved waiver prior to accessing the medical record for research purposes. If approved, you may screen the medical record without a HIPAA authorization. The HIPAA waiver that ends up getting approved is placed as an attachment to the IRB approval letter in case it needs to be shared with others who may be helping access the data to know what was approved.  

You need a HIPAA authorization when you are accessing and using protected health information (PHI). When you are already proposing to consent your subjects because there is a planned subject interaction or intervention, and you will need to continue to use or access their PHI for the study, then you will need to include the authorization language in your consent (or use a separate authorization document). This is needed even when you have a HIPAA waiver to identify potential subjects for your study (prescreening). That HIPAA waiver would cover PHI access/use until the point of consent. The authorization would then cover PHI access/use after consent.  

Protected health information includes individually identifiable health information, such as demographic data, medical history, test results, insurance information, and other information used to identify a patient or provide healthcare services or healthcare coverage.  There are 18 identifiers that can be used to identify, contact, or locate a person. If health information is used with any of these identifiers, it is considered identifiable.  

  • Names  

  • Address - All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent codes  

  • Dates - All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older  

  • Telephone numbers  

  • Fax numbers  

  • Email Addresses  

  • Social Security Numbers  

  • Medical Record Numbers  

  • Health Plan Beneficiary Numbers  

  • Account Numbers  

  • Certificate/License Numbers  

  • Vehicle Identifiers and Serial Numbers, including License Plate Numbers  

  • Device Identifiers and Serial Numbers  

  • Web Universal Resource Locators (URLs)  

  • Internet Protocol (IP) Address Numbers  

  • Biometric Identifiers, Including Fingerprints and Voiceprints  

  • Full-Face Photographic Images and any Comparable Images  

  • Any other Unique Identifying Number, Characteristic, or Code, unless otherwise permitted by the Privacy Rule for Re-Identification  

You may obtain HIPAA authorization over the phone with a HIPAA alteration approved by the MU IRB. The IRB can waive the signature requirement (altering HIPAA) if all elements of a HIPAA authorization are communicated and discussed with the subject. The subject must agree to allow you to use their protected health information. There will be a HIPAA alteration subform within the application that must be completed for this request.  

Yes, it is recommended to combine the HIPAA authorization language in the consent document. MU IRB has biomedical consent templates with HIPAA already embedded to start with. These can be accessed on our Researcher Resources page, under Templates: https://research.missouri.edu/human-subjects-research/researcher-resources. Combining HIPAA language in the consent simplifies the process by only needing to have subjects sign one document instead of two.  

A study only involving the following PHI can choose to enter into a Data Use Agreement with the covered entity instead of applying for a HIPAA waiver. You will need to upload the draft agreement, then upload the final upon receipt using the “Support Letters, Agreements, and Documentation Form” in eCompliance.  

  • Dates such as admission, discharge, service, birth, or death; and/or  

  • City, state, 5 digit or more zip code; and/or  

  • Ages in years, months, days, or hours.  

You will need to submit an Intake Form available through the IRB application or here: https://ecompliance.missouri.edu/ospa/agreement-intakes/  

This will start the process of executing the Data Use Agreement. The Office of Sponsored Programs can answer any questions related to executing the agreement at agmts@missouri.edu.   

The HIPAA waiver is embedded within the IRB application when it is indicated one is needed. You will answer the questions in the “Additional Forms” section to submit your request along with the application.   

  • The HIPAA waiver that ends up getting approved is placed as an attachment to the IRB approval letter in case it needs to be shared with others who may be helping access the data to know what was approved.  

Yes, most minimal risk studies involving record reviews (secondary information use/access without consent) can be exempt under category 4. There are some exceptions/restrictions regarding MU Health protected health information. The record review can only be exempt if at least one investigator on the study is affiliated with MU Health, otherwise it must be reviewed expedited or full board. MU Health consists of MU Health Care, MU School of Medicine, MU Sinclair School of Nursing, and MU School of Health Professions. The investigators must complete the HIPAA waiver within the application. It will be reviewed by the IRB.

Not necessarily. You can potentially justify a waiver for prospective data when:  

  1. The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
    • an adequate plan to protect the identifiers from improper use and disclosure;
    • an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
    • adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
  2. The research could not practicably be conducted without the waiver or alteration; and
  3. The research could not practicably be conducted without access to and use of the protected health information.

You should plan to obtain written consent with HIPAA authorization when the study involves protected health information covered under HIPAA. In rare circumstances, a HIPAA waiver may be requested. You will need to complete the Biorepository/Database/Registry Subform within our application to describe your process to obtain consent.

In addition, the following elements of consent will need to be added to the consent form found in our Informed Consent SOP:

  1. The general concept and purpose of database or repository.
  2. The name and location of the database or repository(ies).
  3. The nature and types of future research in as much specific detail as possible.
  4. A summary of the physical and procedural mechanisms for protecting subjects' privacy and the confidentiality of data or biospecimens.
  5. The conditions (if any) under which subject's may withdraw their consent/authorization to use of specimens.
  6. The conditions and requirements under which data or biospecimens and materials derived from biospecimens may be shared with recipient-investigators.
  7. The elements of PHI (if any) to be shared with recipient investigators.
  8. Itemization of the risks related to a breach of confidentiality including impact on privacy, insurability, stigmatization, etc.
  9. Where human genetic research is anticipated, information about the consequences of DNA typing (e.g., regarding possible paternity determinations, impact on insurability, etc.) and related confidentiality risks.

 

  1. It is important to distinguish whether you are requesting the waiver for Prescreening vs. Records research:
    • Prescreening: Only check pre-screening if you have a plan to contact those who meet potential eligibility requirements. This allows you to screen the medical records without consent in order to locate those who may qualify to be in your study.  
    • Records research: Only check this if the study team will not contact subjects to obtain consent at any time. This allows you to review records without consent.  
    • It is possible there is a pre-screening component to your study to contact potential subjects, and a record review component where there is also a review of records, and those subjects will not be contacted. Both would be checked in this case.  
  2. It is important to know what records you need access to, and it must only be the minimum necessary to achieve the goal of the study. Being familiar with the medical record is important, what sections may need to be accessed, what reports and in what area of the health system, etc. If an investigator is not specific about what areas of the medical record will be searched, it will likely get kicked back for editing to achieve the minimum necessary requirement.  
  3. It is important to know what identifiers must be accessed or used with the HIPAA waiver request, whether for pre-screening or record reviews.
    • Pre-screening – The IRB would expect to see certain contact information checked in order to contact subjects, or you will approach them in the clinic.   
    • Consider the minimum necessary requirement and only check identifiers necessary to conduct the study. Each identifier should have a reason to be collected.  
    • If collecting dates related to a subject and/or their care, you will need to list each date needed for the study.  
  4. When justifying reasons for the waiver, be sure not to check each box given as options. Some are only applicable to pre-screening, while others are more applicable to records research. Often, HIPAA waivers need to be returned for justification that does not make sense with the reason for the request.  

If you are working with a covered entity outside of MU Health, you will be subject to the policies and review of that entity. If needed and acceptable to the external covered entity, the MU IRB can review and approve a HIPAA waiver request for access and use of that PHI.