Privacy Review

Under the Privacy Rule, unless one of the exceptions discussed below applies, investigators who wish to use PHI for research purposes must obtain a signed, valid HIPAA authorization from each individual whose PHI will be used or accessed for the research study. The Privacy Rule requires that either an IRB or a privacy board must review and approve requests for waivers of authorization for use and disclosure of PHI for research purposes. At UNC-Chapel Hill, the IRB serves in this role.

Mandated Training

According to the Federal Regulations, all institutions governed by HIPAA must train their employees regarding PHI. The University provides online training for new employees and annual training updates for existing employees.

In addition, University employees involved in human subject research must complete IRB-approved ethics training through the Collaborative Institutional Training Initiative (CITI). CITI is a Web-based training package on issues relating to human subjects research. The last module, “Research and HIPAA Privacy Protections”, is in addition to, and does not replace, any HIPAA training required by UNC Health Care and other covered units at UNC-Chapel Hill.

Research Proposal Requirements

Requirements for New Research Proposals

Researchers should prepare and submit their research protocols for IRB review and submit their HIPAA-related documents to the IRB at the same time. Researchers whose new protocols involve PHI should either:

  1. Collect written authorization from patients for the release of their PHI; or
  2. Ask the IRB for a waiver from the authorization (under defined circumstances, the most important of which is that the research could not be done without the waiver); or
  3. De-identify the data. PHI that has been de-identified (stripped of a long list of identifiers) is not governed by HIPAA regulations.

In addition, there are two circumstances in which IRB approval is not required but in which a researcher must make representations under HIPAA if they are doing work with PHI.

  1. Research on decedents. You will be required to fill out a form and certify to the office that holds the data that you meet certain requirements.
  2. Data review (medical records, film library, lab data, etc.) preparatory to designing a research protocol. You will be required to fill out a form and certify to the office that holds the data that you meet certain requirements.

Tracking Disclosures of PHI

If PHI is disclosed to anyone outside your research team, or to someone who was not identified in the patient authorization, you must, unless some exception applies, keep a record of whom you shared the data with and for what purpose.