UK Office of Research Integrity


HIPAA in Human Research

Health Insurance Portability and Accountability Act (HIPAA)



UK Researchers - HIPAA Information:
  • UK Hospital Policy (HP05-13) on Release of Records and Data for Research and Study Projects [HTML]
  • UK Kentucky Clinic Policy (KC05-27) on Release of Records and Documentation Requirements [HTML]
Office for Civil Rights (OCR):
  • OCR Final Privacy Rule [HTML]





NOTE: These forms are best downloaded using Internet Explorer (IE) as your web browser. If you are experiencing problems downloading a form from our page, and using an alternate browser (e.g., Netscape Navigator, Internet Explorer) has not helped, please click here (new window).

PLEASE NOTE: Researchers not in the Covered Entity may need an authorization form:

  1. to access PHI for their study; or
  2. if they are conducting part of their study in the Covered Entity.

Please contact the Office of Research Integrity at 859-257-9428, or e-mail Joe Brown for a revised authorization/consent form. Do not use the authorization template listed below.

Application Kit:

HIPAA Instructions for all IRB Applications [WORD] [RTF] Revised 7/21/15

"Form I": HIPAA De-Identification Certification Form [WORD] [PDF form] Revised 11/16/12

HIPAA Authorization Regulations [PDF] Revised 8/11/14

If HIPAA Authorization is required for your research, you must use the Informed Consent/HIPAA Combined Template (since 12/5/13) as a guide to develop your consent/authorization document; the template can be found under "All Templates" in the APPLICATION LINKS menu on the left in your E-IRB application.

"Form K": Request for Waiver of HIPAA Authorization Form [WORD] [PDF form] Revised 8/21/07

HIPAA Guidance for Requesting and Completing the Waiver of Authorization [PDF] Revised 6/4/04


What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a complex regulation that affects many researchers at the University of Kentucky. HIPAA is designed to protect individually identifiable health information, also defined as Protected Health Information (PHI), by governing its use and disclosure. PHI is defined as any of the 18 HIPAA-recognized identifiers (see below) in combination with health information.

HIPAA-recognized identifiers:

  1. Names;
  2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes;
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death;
  4. Telephone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images;
  18. Any other unique identifying number, characteristic, or code.

It is important that you understand that you could face criminal and/or civil liabilities for non-compliance. 

This website contains information to help you comply with these regulations.  Note: This information is subject to change frequently as the regulations continue to be interpreted and policies developed; please check back often.


Is My Research Covered By HIPAA?

HIPAA is applicable to you if your college or department uses Protected Health Information in connection with certain covered transactions. Legal counsel, with guidance from Deans and other UK leaders, has determined which colleges and departments engage in covered transactions and thus are covered by HIPAA. To find out whether your department/college is covered by HIPAA, contact the Office of Research Integrity at (859) 257-9084. Because of its size and the diversity of its activities, the University of Kentucky (UK) is designated as a hybrid entity, which means that some departments/colleges are regulated by HIPAA and others are not. An entity, or its covered departments or colleges, that is regulated by HIPAA is called a Covered Entity (CE).

The University of Kentucky is a “covered entity.”

What makes the University of Kentucky a “covered entity”? The University of Kentucky is comprised of several groups that make it a “covered entity,” including the University of Kentucky Chandler Medical Center, medical benefit plans, human research, dental clinics, student health services and athletics, among others.

The following are covered entities (there may be others not listed; please contact Joe Brown at (859) 257-9084 for assistance):

Entire College of Dentistry
All Hospital Areas
All KY Clinic Operations

College of Health Sciences

College of Pharmacy

UK Campus

College of Medicine:


Clinical Affairs

Multidisciplinary Centers

Public Health

If you are employed in a UK Covered Entity component and create, access, or share Protected Health Information, HIPAA applies to your research. For assistance with determining whether you are employed in a UK Covered Entity, contact the Office of Research Integrity at (859) 257-9084.

If in your research you collect Protected Health Information from a UK Covered Entity and your department/college is deemed outside of the Covered Entity, HIPAA applies to your access of the Protected Health Information.

Researchers not in the Covered Entity may need an authorization form:

  1. to access PHI for their study; or,
  2. if they are conducting part of their study in the Covered Entity.

Please contact the Office of Research Integrity at 859-257-9428, or e-mail Joe Brown for a revised authorization/consent form. Do not use the authorization template provided on ORI's HIPAA Forms Page.


Business Associate Agreements

You may need a BAA for your research study if:

  1. You have an outside person/entity that performs a service on behalf of the healthcare provider (including a researcher) or the healthcare institution during which individually identifiable health information is created, used or disclosed.
  2. You (or your department) are not in the Covered Entity and you are either de-identifying information or creating a limited data set.

The IRB does not consider research collaborators to be business associates unless they sign a contract to perform certain duties/functions that involve the use and/or disclosure of PHI.


AAMC (Association of American Medical Colleges) Project to Monitor and Document the Effects of HIPAA on Research [HTML]

The Association of American Medical Colleges (AAMC) is collecting data on the Impact of HIPAA on Research. It is critically important for the AAMC to build a comprehensive database of case reports that reflects the impact of HIPAA on the various disciplines of medical and health research. The data received by the AAMC will serve as the basis of future policy recommendations at the federal level.

The AAMC is pleased to announce that the project to monitor and document the effects of HIPAA on research is now accepting electronic reports. Click here for the AAMC survey web site.

Please send questions, comments or requests for further information about the AAMC survey to Rina Hakimian or call 202-828-0484.


Need Additional Information?

For questions regarding HIPAA in Research, contact Joe Brown, Research Privacy Specialist, at (859) 257-9084 or Helene Lake-Bullock, ORI Director, at (859) 257-5943.

For questions regarding HIPAA patient rights or accounting of disclosure, contact UK's Healthcare Privacy Officer, Richard Chapman at (859) 323-1184.

For questions regarding HIPAA agreements such as Data Use Agreements or Business Associate Agreements, contact Harry Dadds, Associate General Counsel, at (859) 323-1161.

