Release of Private Health Information for Research

HIPAA (Health Insurance Portability and Accountability Act) refers to a federal law that protects the privacy of individuals' health information. To summarize, a covered entity (e.g., a clinic that accepts payment for providing health care services) is legally responsible for vigorously protecting patient confidentiality and restricting the use of that information. An IRB can grant HIPAA authorization to use such information under certain circumstances.

While these data were not gathered for research purposes, they often do constitute a rich resource for important research pursuits. Therefore, there are clearly defined processes through which investigators may access such data from a covered entity. These processes are designed to protect the rights of the individuals from whom these data originate; the roles of the IRB, the investigator, and the covered entity are critical and exacting. Such research activities tend to fall into one of the three categories below and incur somewhat different constraints.

Waiving Consent and HIPAA

If you are completing a HIPAA-1 or HIPAA-2 Waiver (HIPAA-3 includes consent), you must also Request to Alter or Waive Informed Consent in order to justify waiving obtaining consent. Be sure to click "Request to Alter or Waive Informed Consent" on the IRB Submission Guidelines Document to ensure the appropriate form appears.


The covered entity agrees to provide de-identified health information data to an investigator. This means that the investigator is absolutely prevented from (nor will seek) knowing or determining the identity of any individual whose data informs the study. The means by which identities are censored by the covered entity range from a formal prohibition to destroying any sort of master key used to organize the data set before the data are released to the investigator. There are specific elements relating to identity that cannot be included (see Table 1) in such a data set. If these conditions are met, the HIPAA-1 form, whereby the covered entity and the investigator attest to these constraints, is used to register with the IRB.

Table 1. List of identifiers that cannot be included in a de-identified data set.
Social security numbers
Birth and/or date; any and all age data for people over 89 (you must aggregate to a single category of 90 and older)
Medical record numbers
Admission and/or discharge data
Health plan beneficiary numbers
Account numbers
Certificate and/or license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Telephone and fax numbers
Internet protocol (IP) addresses and web universal resource locators (URLs)
Email addresses
Biometric identifiers, including finger and voice prints
Device identifiers and serial numbers
Full face photographic and/or comparable images
Any geographic divisions small than the state; you may use all zip codes under the same first three digits if they hold more than 20,000 people (e.g., 971XX)
Any other unique identifying number, characteristic, or code


The covered entity agrees to provide access to and/or release private health information to an investigator for research and it is not feasible to obtain an authorization (i.e., consent) from the individuals whose data inform the study. In this situation, the investigator has access to subject identities. The IRB must review the research plan and may grant a waiver of consent if the study procedures maintain subjects' rights and expose them only to minimal risk (i.e., no greater than those of regular daily life). It is thus critical that the investigator clearly explain how the study procedures will preserve this fundamental objective. Only the minimum amount of private health information absolutely necessary to support the study objectives shall be accessed and used. This route is necessary even if the analyzed data set will not include any of the restricted elements (see Table 1) because the investigator has access. If these conditions apply, the HIPAA-2 form must accompany a fully completed proposal for IRB review.


The covered entity agrees to provide access to and/or release private health information to an investigator for research, but only with the permission of the individuals whose data will inform the study. In this situation, the covered entity collaborates with an investigator to contact individuals (i.e., recruit) who meet study criteria in order to request explicit permission to use their health information for the specific research study. It is essential that the role and collaboration of the covered entity be prominently represented in any communications to potential subjects. The IRB must review the research plan and the permission request (analogous to a modified informed consent) to verify that study procedures maintain the subjects' rights and balance the potential scientific merits with the potential subject risks. If these conditions apply, the HIPAA-3 form must accompany a fully completed proposal for IRB review.

HIPAA Training

The IRB does not provide HIPAA training. Please contact the dean of your respective school and/or college to inquire about HIPAA training.


When submitting the HIPAA waiver to the IRB, be sure you have obtained the appropriate signatures. For HIPAA-protected information within Pacific University, be sure to seek out your area's privacy officer for their approval. 

For questions about submission requirements and schedule changes, please contact your college's or school's IRB representative.