IRB and Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA), also known as “The Privacy Rule,” set new standards and regulations to protect patients from inappropriate disclosures of their “protected health information” (PHI) that could cause harm to their insurability, employability, and privacy.

PHI is information that can be used to identify an individual that is created, used, or disclosed in the course of providing a health care service, such as diagnosis or treatment. HIPAA does allow for researchers to access and use PHI when necessary to conduct research.

The UCSC Institutional Review Board (IRB) will act as the HIPAA-required Privacy Board to review the use/disclosure of PHI for research.

If the study involves PHI, all members of the study team are required to complete a HIPAA research certification before the IRB will approve the protocol. UCSD has made their web-based training available to the research community. You can access the training at this website.

You must submit your completion certificate along with your Human Subjects Protocol.

Frequently Asked Questions Regarding HIPAA

What is Individually Identifiable Health Information?

Individually-identifiable health information is any information created, used, or received by a health care provider that relates to:

  • the past, present, or future physical or mental health or condition of an individual
  • the provision of health care to an individual, or
  • the past, present or future payment for the provision of health care to an individual with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

The collection of individually-identifiable health information for research constitutes human subjects research.

The HIPAA rule governs the use of individually-identifiable health information when it is Protected Health Information (PHI).

What is PHI?

PHI is defined as any individually identifiable health information collected or created as a consequence of the provision of health care by a covered entity, in any form, including verbal communications.

All UCSC research-related disclosures of PHI must obtain prospective approval from a UCSC Institutional Review Board. In general, except for treatment, investigators are restricted to the minimum PHI reasonably necessary to conduct the research.

What Research is covered by HIPAA?

  • Research that includes the review of medical records or biological materials with attached information, OR
  • Research that results in the addition of new information to a medical record, e.g., research in which a health care service is performed, such as testing a new diagnostic method, or a new drug, biologic, or device, creating new information in a medical record.

What is the IRB's role?

The IRB will act as a Privacy Board (required by HIPAA) to review the research use or disclosure of PHI and determine whether:

  • Subjects should sign a “HIPAA Authorization,” in addition to the informed consent form for participation in research, or
  • Waiver of Authorization (roughly analogous to a Waiver of Informed Consent under 45 CFR 46) may be granted, and
  • Investigators and research staff have HIPAA research certification.

The UCSC “HIPAA Authorization” form is posted on the forms page. If applicable, investigators should download and attach the HIPAA Authorization form to the IRB-approved informed consent document.