HIPAA FAQs

There are multiple federal regulations governing human subject protections in research activities. The majority of research is covered by three sets of regulations: those of the Department of Health and Human Services, the Food and Drug Administration, and the Department of Education. There is a great deal of overlap in the relevant regulations, but they are not identical, and in a limited range of cases important differences exist among them. The main federal office for providing guidance on the regulations is the Office for Human Research Protections (OHRP).

The Privacy Rule regulates the way certain health care groups, organizations, or businesses, called covered entities under the Rule, handle the individually identifiable health information known as protected health information (PHI). Researchers should be aware of the Privacy Rule because it establishes the conditions under which covered entities can use or disclose PHI for many purposes, including for research. Although not all researchers will have to comply with the Privacy Rule, the manner in which the Rule protects PHI could affect certain aspects of research.

It is important to understand that many research organizations that handle individually identifiable health information will not have to comply with the Privacy Rule because they will not be covered entities. Grand Valley State University is not a covered entity but a hybrid entity. That is, certain components of GVSU are covered entities, such as the student health center, the Counseling Center, and the nurse-managed care clinics. The Privacy Rule will not directly regulate researchers who are engaged in research within organizations that are not covered entities, even though they may gather, generate, access, and share personal health information. For instance, entities that sponsor health research or create and/or maintain health information databases may not themselves be covered entities, and thus may not directly be subject to the Privacy Rule. However, researchers may rely on covered entities for research support or as sources of individually identifiable health information to be included in research repositories or research databases. The Privacy Rule may affect such independent researchers, as it will affect their relationships with covered entities.

PHI is health information transmitted or maintained in any form or medium that:

  1. identifies or could be used to identify an individual; and
  2. is created or received by a covered entity such as a healthcare provider, health plan, employer or healthcare clearinghouse; and
  3. relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.

Health information which is voluntarily disclosed by an individual and is not verified by accessing health records is not PHI and is therefore not subject to the HIPAA regulations. 

Health-related information is considered PHI if any of the following are true:

  1. The researcher obtains it directly from a provider, health plan, health clearinghouse or employer (other than records relating solely to employment status);
  2. The records were created by any of the entities in "1" and the researcher obtains the records from an intermediate source which is NOT a school record or an employer record related solely to employment status; OR
  3. The researcher obtains it directly from the study subject in the course of providing treatment to the subject.

Health-related information is NOT considered PHI if the researcher obtains it from:

  1. student records maintained by a school;
  2. employee records maintained by an employer related to employment status; OR
  3. the research subject directly, if the research does NOT involve treatment.

The following records ARE EXEMPTED from the definition of PHI even though they may contain health-related information:

  1. student records maintained by an educational institution, and
  2. employment records maintained by an employer related to employment status.

If your study uses these kinds of records, it is not subject to HIPAA. However, there may be other regulations that apply, such as state employment laws or FERPA.  Existing IRB rules on informed consent and confidentiality still apply.

  1. Obtain the research participant's authorization - use an authorization form that includes the required HIPAA authorization language. (It must be approved by the IRB prior to use, similar to a consent form.) This is the recommended approach.
  2. Obtain an IRB waiver or alteration of subject authorization, if the research is minimal risk to subjects and meets the criteria for waiver or alteration.
  3. Use a Limited Data Set - PHI that excludes direct identifiers of the individual or of relatives, employers, or household members of the individual. This may require a Data Use Agreement.
  4. Use De-identified Data - health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. This may require a Data Sharing Agreement.
  5. Use (not disclosure) of PHI in work preparatory to research: feasibility review only, NOT pilot studies. No PHI can leave the Covered Entity.
  6. Use or disclosure of decedents' PHI is acceptable without #1 or #2, but this will require the researcher to complete an attestation. Contact ORCI for more information: [email protected] or (616) 331-3197.

If a study using/disclosing PHI is going to use/disclose this PHI by means of a subject authorization (the most common and recommended means), you should be aware of the following:

  • The authorization form needs to be submitted to the IRB for review. Use our Authorization Form Template filled in with your study specifics.
  • A copy of the signed authorization must be provided to the subject.  The original is kept in the researcher's records. 
  • It is the responsibility of the researcher to keep this authorization form in their records for 3 years after study completion and assure that it is completed correctly.

No. An Authorization differs from an informed consent in that an Authorization focuses on the privacy risks and states how, why, and to whom the PHI will be used and/or disclosed for research. An informed consent, on the other hand, provides research subjects with a description of how the confidentiality of records will be protected, among other things.

It is not required to get the HIPAA Authorization at the time of consent, but it is the most practical time.

Yes. The minor's parent or legal guardian must sign a HIPAA authorization on the minor's behalf. You can use the same HIPAA authorization for minors that you would use for adults. HIPAA does NOT have an added assent requirement for minors.

Yes, but subjects must receive a signed copy of the authorization.

Yes, a subject can revoke his/her authorization at any time in writing. Data already collected under the authorization can be used to a limited extent if necessary to preserve the integrity of the research.

For research uses and disclosures of PHI, the IRB may approve a waiver or an alteration of the Authorization requirement in whole or in part. A complete waiver occurs when the IRB determines that no Authorization will be required for a covered entity to use and disclose PHI for a particular research project. If a researcher has used or disclosed PHI for research under a waiver or alteration of Authorization, documentation of that approval must be retained by the researcher for 6 years from the date of the closure of the study.

It is important to note that the Covered Entity can choose not to accept a GVSU-issued waiver or alteration of HIPAA authorization.  Researchers must abide by the requirements of the Covered Entity when accessing or using PHI under the control of the Covered Entity.  

(Approvals for waivers or alterations will be rare, and in most cases researchers are advised to use an Authorization Form with their subjects to use/disclose PHI. HRRC approval is required for this Authorization Form, as for consent forms.) The following criteria must be met to qualify for a waiver: the use or disclosure of protected health information involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

  • An adequate plan to protect the identifiers from improper use and disclosure;
  • An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
  • Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
  • The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;
  • The research could not practicably be conducted without the waiver or alteration; and
  • The research could not practicably be conducted without access to and use of the protected health information.

The HRRC maintains the authority to make the final decision if a study meets the aforementioned criteria.

Data is considered de-identified under HIPAA when none of the following elements are present:

  1. Name
  2. All geographic subdivisions smaller than a state (street address, city, county, precinct). Note: zip codes or equivalents must be removed, but the first 3 digits may be retained if the geographic unit to which those 3 digits apply contains more than 20,000 people.
  3. For dates directly related to the individual, all elements of dates, except year. (date of birth, admission date, discharge date, date of death)
  4. All ages over 89 or dates indicating such an age
  5. Telephone number
  6. Fax number
  7. Email address
  8. Social Security Number
  9. Medical Record Number
  10. Health Plan Number
  11. Account Numbers
  12. Certificate or license numbers
  13. Vehicle identification/serial numbers, including license plate numbers
  14. Device identification/serial numbers
  15. Uniform Resource Locators (URLs)
  16. Internet Protocol (IP) addresses
  17. Biometric Identifiers
  18. Full face photographs and comparable images
  19. Any other unique identifying number, characteristic or code

Researchers may use or disclose health information that is de-identified without restriction under the Privacy Rule. Covered entities seeking to release this health information must determine that the information has been de-identified using either statistical verification of de-identification OR by removing the 18 identifiers from each record as specified in the Privacy Rule.  Even though this data can be used without restriction under the Privacy Rule, researchers are still expected to safeguard the data to ensure it is not lost, stolen, or inappropriately accessed.  
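As an added illustration (not part of the original FAQ) of the Safe Harbor method described above, the following Python applies the listed rules to one record: direct identifiers are dropped, dates keep only the year, ages over 89 are aggregated, and a zip code keeps its first 3 digits only when that prefix area exceeds 20,000 people. The field names, the sample record and the prefix populations are constructed for this example and are not from the page or from Census data; the residual scan is a sanity check for identifiers that survive inside free text, not a substitute for statistical verification.

```python
import re
from datetime import date

# Constructed sample, NOT Census data: population of the area formed by all
# zip codes sharing the same first three digits (Safe Harbor threshold: 20,000).
PREFIX_POPULATION = {"495": 250_000, "036": 15_000}

# Field names are this example's own convention, not anything the page defines.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_no", "license_no", "vin",
    "device_serial", "url", "ip", "biometric", "photo",
}

# Patterns suggesting an identifier survived inside free text (item 19 above).
RESIDUAL = [re.compile(p) for p in (
    r"\b\d{3}-\d{2}-\d{4}\b",          # SSN-like
    r"[\w.+-]+@[\w-]+\.[\w.]+",        # email address
    r"\b\d{3}[-.]\d{3}[-.]\d{4}\b",    # phone-like
)]

# Constructed sample record for demonstration only.
SAMPLE_RECORD = {"name": "Jane Doe", "zip": "49501", "dob": date(1930, 5, 4),
                 "age": 95, "diagnosis": "I10", "notes": "call 616-555-0100"}

def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit prefix only when its area exceeds 20,000 people."""
    prefix = zip_code[:3]
    return prefix if PREFIX_POPULATION.get(prefix, 0) > 20_000 else "000"

def generalize_age(age: int):
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else age

def safe_harbor(record: dict) -> dict:
    """Return a copy of record with Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # drop direct identifiers outright
        if key == "zip":
            out[key] = generalize_zip(value)
        elif isinstance(value, date):
            out[key] = value.year         # dates keep the year only
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = value
    return out

def residual_identifiers(record: dict) -> list:
    """Names of string fields that still look like they carry an identifier."""
    return [k for k, v in record.items()
            if isinstance(v, str) and any(p.search(v) for p in RESIDUAL)]
```

Running `safe_harbor(SAMPLE_RECORD)` removes the name and reduces the date of birth to 1930, while `residual_identifiers` still flags the phone number left in the notes field.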

If a researcher accesses identifiable information but only records de-identified data points for analysis, HIPAA authorization (or approved waiver/alteration) is still required.  This is because identifiable information is being accessed, even though it is not being disclosed outside of the Covered Entity. 

A Limited Data Set must exclude the following direct identifiers of the individual and of relatives, employers, or household members of the individual:

  1. Names
  2. Postal address information other than town/city, state and zip
  3. Telephone number
  4. Fax number
  5. Email address
  6. Social security number
  7. Medical record number
  8. Health plan number
  9. Account numbers
  10. Certificate or license numbers
  11. Vehicle identification/serial numbers, including license plate numbers
  12. Device identification/serial numbers
  13. Uniform resource locators (URLs)
  14. Internet protocol (IP) addresses
  15. Biometric identifiers, including finger and voice prints
  16. Full face photographs and comparable images
Page last modified July 22, 2016