To access a HIPAA topic, click on the description of your choice in the menu below:
Click here for free Acrobat Reader software, needed for opening PDF links. PDF links on this page are set to open a new web page.
NOTE: These forms are best downloaded using Internet Explorer (IE) as your web browser. If you are experiencing problems downloading a form from our page, and using an alternate browser has not helped (i.e., Netscape Navigator, Internet Explorer), please click here (new window).
PLEASE NOTE: Researchers not in the Covered Entity may need an authorization form:
- to access PHI for their study; or
- if they are conducting part of their study in the Covered Entity.
Please contact the Office of Research Integrity at 859-257-9428, or e-mail Joe Brown for a revised authorization/consent form. Do not use the authorization template listed below.
"Form J": HIPAA Authorization Template - Effective 12/5/13, this form has been eliminated. If HIPAA Authorization is required for your research, you must use the Informed Consent/HIPAA Combined Template as a guide to develop your consent/authorization document.
HIPAA Authorization Regulations [PDF] Revised 2/15/12
HIPAA Guidance for Requesting and Completing the Waiver of Authorization [PDF] Revised 6/4/04
The Health Insurance Portability and Accountability Act (HIPAA) is
a complex regulation that affects many researchers at the University
of Kentucky. HIPAA is designed to protect the use and
disclosure of individually identifiable health information (also defined as Protected Health
Information or PHI). PHI is defined as any of the 18 HIPAA recognized
identifiers (see below) in
combination with health information.
- All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes;
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images;
- Any other unique identifying number, characteristic, or code.
It is important that you understand that you could face criminal and/or civil liabilities for non-compliance.This website contains information to help you comply with these regulations. Note: This information is subject to change frequently as the regulations continue to be interpreted and policies developed; please check back often.
Is My Research Covered By HIPAA?
HIPAA is applicable to you if your college or department uses Protected Health Information in connection with certain covered transactions. Legal counsel with guidance from Deans and other UK leaders have determined which colleges and departments engage in covered transactions and thus are covered by HIPAA. To find out whether your department/college is covered by HIPAA, contact the Office of Research Integrity at (859) 257-9084. Because of its size and the diversity of its activities, the University of Kentucky (UK) is designated as a hybrid entity which means that some departments/colleges are regulated by HIPAA and others are not. An entity, or its covered departments or colleges, that is regulated by HIPAA is called a Covered Entity (CE).
The University of Kentucky is a “covered entity.”
What makes the University of Kentucky a “covered entity?” The University of Kentucky is comprised of several groups that make it a “covered entity” including, University of Kentucky Chandler Medical Center, medical benefit plans, human research, dental clinics, student health services and athletics, among others.
See below for covered entities (Note, there may be others not listed; please contact Joe Brown for assistance (859) 257-9084.):
Entire College of Dentistry
All Hospital Areas
All KY Clinic Operations
(click below units for list)
College of Health Sciences
College of Pharmacy
College of Medicine:
If you are employed in a UK Covered Entity component and create, access, or share Protected Health Information, HIPAA applies to your research. For assistance with determining whether you are employed in a UK Covered Entity, contact the Office of Research Integrity at (859) 257-9084.
If in your research you collect Protected Health Information from a UK Covered Entity and your department/college is deemed outside of the Covered Entity, HIPAA applies to your access of the Protected Health Information.
Researchers not in the Covered Entity may need an authorization form:
- to access PHI for their study; or,
- if they are conducting part of their study in the Covered Entity.
Please contact the Office of Research Integrity at 859-257-9428, or e-mail Joe Brown for a revised authorization/consent form. Do not use the authorization template provided on ORI's HIPAA Forms Page.
Business Associate Agreements
You may need a BAA for your research study if:
- You have an outside person/entity that performs a service on behalf of the healthcare provider (including a researcher) or the healthcare institution during which individually identifiable health information is created, used or disclosed.
- You (or your department) are not in the Covered Entity and you are either de-identifying information or creating a limited data set.
The IRB does not consider research collaborators as business associates unless they sign a contract to perform certain duties/functions that involves the use and/or disclosure of PHI.
AAMC (Association of American Medical Colleges) Project to Monitor and Document the Effects of HIPAA on Research [HTML]
The Association of American Medical Colleges (AAMC) is collecting data on the Impact of HIPAA on Research. It is critically important for the AAMC to build a comprehensive database of case reports that reflects the impact of HIPAA on the various disciplines of medical and health research. The data received by the AAMC will serve as the basis of future policy recommendations at the federal level.
The AAMC is pleased to announce that the project to monitor and document the effects of HIPAA on research is now accepting electronic reports. Click here for the AAMC survey web site.
Please send questions, comments or requests for further information about the AAMC survey to Rina Hakimian or call 202-828-0484.
For questions regarding HIPAA patient rights or accounting of disclosure, contact UK's Healthcare Privacy Officer, at (859) 323-8002.
For questions regarding HIPAA agreements such as Data Use Agreements or Business Associate Agreements, contact Harry Dadds, Associate General Counsel, at (859) 323-1161.