UK Office of Research Integrity


HIPAA in Human Research

Health Insurance Portability and Accountability Act (HIPAA)

To access a HIPAA topic, click on the description of your choice in the menu below:

 

  • HIPAA Forms
  • What is HIPAA?
  • Is my Research Covered by HIPAA?
  • HIPAA Educational Module [HTML] (ORI002: Protecting Personal Health Information in Research - Understanding the HIPAA Privacy Rule)
  • Hospital Employees, Mandatory Level 1 HIPAA Information [HTML]
  • Privacy Notice [HTML]
  • Letter to Investigators re: HIPAA regulations [PDF]
  • Business Associate Agreements
  • Office for Civil Rights (OCR)
    • OCR Final Privacy Rule [HTML]
    • OCR HIPAA Page [HTML]
  • NIH HIPAA Page [HTML]
  • Need More Info?

  • UK Researchers - HIPAA Information
    • UK Hospital Policy (HP05-13) on Release of Records and Data for Research and Study Projects [HTML]
    • UK Kentucky Clinic Policy (KC05-27) on Release of Records and Documentation Requirements [HTML]
  • AAMC Project to Monitor and Document the Effects of HIPAA on Research


    UK HIPAA Forms


    PLEASE NOTE: Researchers not in the Covered Entity may need an authorization form:

    1. to access PHI for their study; or
    2. if they are conducting part of their study in the Covered Entity.

    Please contact the Office of Research Integrity at 859-257-9428, or e-mail Joe Brown for a revised authorization/consent form. Do not use the authorization template listed below.

    Application Kit:

    HIPAA Instructions for all IRB Applications [WORD] [RTF] Revised 2/15/12

    "Form I": HIPAA De-Identification Certification Form [WORD] [PDF] Revised 11/16/12

    "Form J": HIPAA Authorization Template - Effective 12/5/13, this form has been eliminated. If HIPAA Authorization is required for your research, you must use the Informed Consent/HIPAA Combined Template as a guide to develop your consent/authorization document.

    HIPAA Authorization Regulations [PDF] Revised 2/15/12

    "Form K": Request for Waiver of HIPAA Authorization Form [WORD] [PDF] Revised 8/21/07

    HIPAA Guidance for Requesting and Completing the Waiver of Authorization [PDF] Revised 6/4/04




    What is HIPAA?

    The Health Insurance Portability and Accountability Act (HIPAA) is a complex regulation that affects many researchers at the University of Kentucky. HIPAA is designed to protect individually identifiable health information (also defined as Protected Health Information or PHI) by regulating its use and disclosure. PHI is defined as any of the 18 HIPAA-recognized identifiers (see below) in combination with health information.

    HIPAA-recognized identifiers:

    1. Names;
    2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes;
    3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death;
    4. Telephone numbers;
    5. Fax numbers;
    6. Electronic mail addresses;
    7. Social security numbers;
    8. Medical record numbers;
    9. Health plan beneficiary numbers;
    10. Account numbers;
    11. Certificate/license numbers;
    12. Vehicle identifiers and serial numbers, including license plate numbers;
    13. Device identifiers and serial numbers;
    14. Web Universal Resource Locators (URLs);
    15. Internet Protocol (IP) address numbers;
    16. Biometric identifiers, including finger and voice prints;
    17. Full face photographic images and any comparable images;
    18. Any other unique identifying number, characteristic, or code.

    It is important that you understand that you could face criminal and/or civil liabilities for non-compliance. 

    This website contains information to help you comply with these regulations.  Note: This information is subject to change frequently as the regulations continue to be interpreted and policies developed; please check back often.



    Is My Research Covered By HIPAA?

    HIPAA is applicable to you if your college or department uses Protected Health Information in connection with certain covered transactions. Legal counsel, with guidance from Deans and other UK leaders, has determined which colleges and departments engage in covered transactions and thus are covered by HIPAA. To find out whether your department/college is covered by HIPAA, contact the Office of Research Integrity at (859) 257-9084. Because of its size and the diversity of its activities, the University of Kentucky (UK) is designated as a hybrid entity, which means that some departments/colleges are regulated by HIPAA and others are not. An entity, or its covered departments or colleges, that is regulated by HIPAA is called a Covered Entity (CE).

    The University of Kentucky is a “covered entity.”

    What makes the University of Kentucky a “covered entity”? The University of Kentucky comprises several groups that make it a “covered entity,” including University of Kentucky Chandler Medical Center, medical benefit plans, human research, dental clinics, student health services and athletics, among others.

    See below for covered entities (note: there may be others not listed; for assistance, please contact Joe Brown at (859) 257-9084):

    Entire College of Dentistry
    All Hospital Areas
    All KY Clinic Operations

    (click below units for list)

    College of Health Sciences


    College of Pharmacy


    UK Campus


    College of Medicine:

    Department


    Clinical Affairs


    Multidisciplinary Centers


    Public Health

    If you are employed in a UK Covered Entity component and create, access, or share Protected Health Information, HIPAA applies to your research. For assistance with determining whether you are employed in a UK Covered Entity, contact the Office of Research Integrity at (859) 257-9084.

    If in your research you collect Protected Health Information from a UK Covered Entity and your department/college is deemed outside of the Covered Entity, HIPAA applies to your access of the Protected Health Information.

    Researchers not in the Covered Entity may need an authorization form:

    1. to access PHI for their study; or,
    2. if they are conducting part of their study in the Covered Entity.

    Please contact the Office of Research Integrity at 859-257-9428, or e-mail Joe Brown for a revised authorization/consent form. Do not use the authorization template provided on ORI's HIPAA Forms Page.




    Business Associate Agreements

    You may need a BAA for your research study if:

    1. You have an outside person/entity that performs a service on behalf of the healthcare provider (including a researcher) or the healthcare institution during which individually identifiable health information is created, used or disclosed.
    2. You (or your department) are not in the Covered Entity and you are either de-identifying information or creating a limited data set.

    The IRB does not consider research collaborators to be business associates unless they sign a contract to perform certain duties/functions that involve the use and/or disclosure of PHI.



    AAMC (Association of American Medical Colleges) Project to Monitor and Document the Effects of HIPAA on Research [HTML]

    The Association of American Medical Colleges (AAMC) is collecting data on the Impact of HIPAA on Research. It is critically important for the AAMC to build a comprehensive database of case reports that reflects the impact of HIPAA on the various disciplines of medical and health research. The data received by the AAMC will serve as the basis of future policy recommendations at the federal level.

    The AAMC is pleased to announce that the project to monitor and document the effects of HIPAA on research is now accepting electronic reports. Click here for the AAMC survey web site.

    Please send questions, comments or requests for further information about the AAMC survey to Rina Hakimian or call 202-828-0484.



    Need Additional Information?

    For questions regarding HIPAA in Research, contact Joe Brown, Research Privacy Specialist, at (859) 257-9084 or Helene Lake-Bullock, Research Compliance Officer, at (859) 257-5943.

    For questions regarding HIPAA patient rights or accounting of disclosure, contact UK's Healthcare Privacy Officer, at (859) 323-8002.

    For questions regarding HIPAA agreements such as Data Use Agreements or Business Associate Agreements, contact Harry Dadds, Associate General Counsel, at (859) 323-1161.

     
