Policy Steward:  Associate Vice President for Research, Director of the Office for Research Protections


  • Purpose
  • Research Affected By HIPAA
  • Review Of Protocols For HIPAA Compliance
  • Policy
  • Utilization Of PHI In Research By Authorization
  • Utilization Of PHI In Research With A Waiver Of Authorization
  • Reviews Preparatory To Research
  • PHI Of Decedents
  • Tracking Of Disclosures
  • Revocation Of Authorization By Participant
  • Data Security
  • Research Commenced Prior To April 14, 2003
  • Waiver Of Consent Requirement By IRB Prior To April 14, 2003 Grandfathered
  • Further Information
  • Cross Reference

PURPOSE:
    The Pennsylvania State University ("PSU") has a duty to protect the confidentiality and integrity of an individual's health information as required by law, professional ethics, and accreditation requirements. The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations, known as the "Privacy Rule," include provisions that protect the privacy of individually identifiable health information and govern how health information is used and disclosed, including use and disclosure for research purposes. The purpose of this policy is to set forth the requirements that apply to research that is subject to HIPAA.

RESEARCH AFFECTED BY HIPAA:
    In general, research utilizing Protected Health Information ("PHI") which is obtained from (a) health care providers such as physicians and hospitals or (b) health plans, will be subject to HIPAA rules applicable to obtaining, using and protecting such information. "PHI" is individually identifiable health information obtained or maintained by a health care provider who is covered by HIPAA or by a health plan. A "health plan" is a plan that pays the cost of health care expenses.

    Within Penn State (including the facilities of The Milton S. Hershey Medical Center), this means that research will be subject to HIPAA rules if: (a) it uses PHI obtained or maintained by any of the administrative units identified in Policy AD22; (b) it uses PHI obtained or maintained by the hospital and physicians of The Milton S. Hershey Medical Center; or (c) it uses PHI created by a Penn State or Milton S. Hershey Medical Center researcher while in the course of providing medical treatment to an individual.

    Penn State researchers will also be subject to HIPAA rules if the research seeks to use PHI obtained from health care providers, such as physicians, hospitals and nursing homes that are not affiliated with the University, or from health plans. In that case, use of PHI will be governed by this policy as well as any HIPAA policies of such other health care providers or health plans.

    Not all individually identifiable health information is subject to HIPAA rules. Research that involves health information that is not obtained by or from a health care provider or a health plan is not subject to this policy. In that case, even though the research may be utilizing individually identifiable health information, that information is not PHI. For example, a Penn State researcher who is not a health care provider and who only gathers health information from human participants for purposes of research is not subject to HIPAA rules.

REVIEW OF PROTOCOLS FOR HIPAA COMPLIANCE:
    All research protocols involving human participants must be submitted to the Office for Research Protections (ORP), 205 The 330 Building, University Park, PA 16802 for review and a determination whether the protocol will be subject to HIPAA rules governing disclosure and use of PHI. If it is determined that the protocol is subject to HIPAA rules, the terms of this policy will apply to that protocol.

POLICY:
    In order to utilize PHI in connection with research, researchers must (a) obtain written authorization from the individual who is participating as a research subject in accordance with HIPAA standards for authorization, (b) obtain a waiver of the authorization requirement from the Institutional Review Board (IRB) in accordance with HIPAA standards for such waivers, (c) obtain approval for such use as preparatory to research, or (d) notify the IRB of such use as research on decedents' information.

    PHI obtained in accordance with this policy may be used only by, and disclosed only to, the principal investigator and other members of the research team identified in the research protocol application, except that further disclosure may be made (a) as specified in the authorization granted by the individual from whom the PHI has been obtained, as set forth in this policy, or (b) as required or permitted by the HIPAA rules or other law. Approval of the ORP is required for any disclosure request that is not within the scope of an authorization granted by the individual participating in research or required or permitted by the HIPAA rules or other law.

UTILIZATION OF PHI IN RESEARCH BY AUTHORIZATION:
    If an authorization is required in order to utilize PHI in connection with research, the content of the authorization must comply with HIPAA rules.

    Authorization may be obtained by the use of a separate authorization form, which is reviewed with and signed by the individual participating in the research protocol. A template authorization form is available at the Office for Research Protections and should be completed by the principal investigator and submitted for review and approval by the IRB.

    Authorization may also be obtained by including the requisite information in an Informed Consent Form to be used with the protocol. Model provisions for inclusion of an authorization with the Consent Form are available at http://www.research.psu.edu/orp/. The IRB will review the authorization provisions as part of its review of the Informed Consent Form.

    Copies of the authorization as signed by the individual participating in the research protocol must be retained by the principal investigator for a minimum of six years.

    In the event a principal investigator leaves the University prior to the end of the six-year requirement, the investigator will notify the Office for Research Protections and make arrangements for ongoing retention of required research documents at the University.

UTILIZATION OF PHI IN RESEARCH WITH A WAIVER OF AUTHORIZATION:
    If a research protocol proposes to obtain and use PHI in research without an authorization, the principal investigator must submit a request for a waiver of the authorization requirement to the Office for Research Protections. In addition, depending upon the policies of individual health care providers, it may be necessary to obtain approval of the waiver from another IRB or privacy board.

    An application must be in writing and be submitted with the protocol to be reviewed by the IRB. An application form for this purpose is available at http://www.research.psu.edu/orp/. A request for waiver of authorization will be reviewed by the full IRB at a regularly scheduled monthly meeting.

    An application for waiver will be approved only if the IRB concludes that the criteria in the HIPAA rules have been satisfied. These include:

    1. The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

      1. an adequate plan to protect the identifiers from improper use and disclosure;

      2. an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and

      3. adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted under the HIPAA Privacy Rule.

    2. The research could not practicably be conducted without the waiver or alteration; and

    3. The research could not practicably be conducted without access to and use of the protected health information.

REVIEWS PREPARATORY TO RESEARCH:
    Because it may be necessary for a researcher to obtain access to and review PHI in order to prepare a research protocol, HIPAA rules allow such review upon compliance with specified criteria. This provision might be used, for example, to design a research study or to assess the feasibility of conducting a study, or to identify potential participants for a study. An application for review of PHI preparatory to research must be submitted to the Office for Research Protections, and approved by the IRB. An application form is available at http://www.research.psu.edu/orp/.

    The IRB may approve such an application only if all of the following requirements are met:

    1. The use or disclosure of the protected health information is solely to prepare a research protocol or for similar purposes preparatory to research;

    2. No PHI will be removed in any manner, including by means of copying or notes, from the original source of the PHI; and

    3. The PHI for which access is sought is necessary for the research purpose.

PHI OF DECEDENTS:
    Principal Investigators will notify the Office for Research Protections prior to engaging in research with the PHI of decedents. In order to gain access to the PHI maintained by a covered entity, principal investigators will need to demonstrate:

    1. that the use or disclosure sought is solely for research on the PHI of decedents;

    2. adequate documentation of the death of such individuals; and

    3. that the PHI for which use or disclosure is sought is necessary for the purposes of the proposed research.

TRACKING OF DISCLOSURES:
    HIPAA rules require that a record be made of any disclosure of PHI that is made without an authorization from the research participant. Disclosures must therefore be tracked whenever PHI is used under a waiver of authorization, an approval for review preparatory to research, or an approval for use of a decedent's PHI, and for any disclosure not specified in a signed authorization document. For purposes of this policy, "disclosure" means the release, transfer, provision of access to, or divulging in any other manner of PHI to any person, whether or not employed by PSU, who is not participating in carrying out the research protocol.

    The following information about any disclosure must be recorded and made available upon request to the individual who is the subject of the PHI:

    1. Date of disclosure;

    2. Name of person/entity that received the PHI;

    3. Description of what PHI was disclosed; and

    4. Brief statement regarding the purpose of the disclosure.

    If a research protocol requires multiple disclosures to the same outside party over a period of time, the following information is adequate:

    1. For the first disclosure, all of the above must be recorded.

    2. For subsequent disclosures, tracking can refer to the initial record of disclosure and should include the frequency, periodicity or the number of disclosures that will be made.

    3. The date of the last disclosure must be documented.

    Large Studies with Waiver: HIPAA rules allow a modified tracking method for research that involves the disclosure of PHI from 50 or more people and for which authorization has been waived. In this instance it is unnecessary to maintain a list of the specific persons about whom PHI has been disclosed, but the following information must be available upon the request of any individual whose information may have been included:

    1. The name and description of all protocols involving 50 or more people for which authorization has been waived, including the purpose of the research and the criteria for selecting records, if the individual's information may have been included;

    2. Brief descriptions of types of PHI disclosed;

    3. Dates or time periods during which disclosures occurred;

    4. Contact information (name, address, telephone number) for sponsors and recipient researchers; and

    5. Statement that a specific individual's PHI may or may not have been disclosed for a particular protocol or research activity.

    In addition, the researcher must also assist in contacting the sponsor and recipient researcher if it is reasonably likely that an individual's PHI was disclosed to them.

    The principal investigator must submit all tracking of disclosure information to ORP, and ORP and the principal investigator must retain the tracking information for no less than six years. ORP shall make the information available to the Privacy Office as needed.

    Note: PHI obtained in connection with research cannot be re-disclosed unless specific authorization has been granted by the individual from whom the PHI was obtained or as required or permitted by HIPAA rules or other law. Prior approval by the Office for Research Protections is required for any disclosure of PHI not within the scope of an authorization.

REVOCATION OF AUTHORIZATION BY PARTICIPANT:
    HIPAA rules allow a subject to revoke a prior authorization to use or disclose PHI for purposes of research. A participant's request to revoke an authorization must be made in writing to the principal investigator. Researchers must honor this request, except to the extent the researcher has already relied on the authorization. Researchers may continue utilizing PHI that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study. In addition, use or disclosure of identifiable information previously obtained is permitted for purposes such as accounting for the participant's withdrawal, reporting adverse events, or complying with investigations.

DATA SECURITY:
    Researchers are responsible for ensuring that data containing PHI is protected from unauthorized disclosure. Researchers must take precautions to securely maintain and dispose of PHI, as described in Policy AD22. (See related policies AD20 and AD23.) Additionally, researchers are responsible for ensuring the secure transfer of data containing PHI. When transmitting data electronically, researchers should ensure that 1) the data is encrypted; 2) the recipient has been verified as the individual for whom the data is intended; and 3) the data remains protected until it is received by that intended recipient. Questions about the security of electronic data transfers may be directed to Security Operations and Services at (814) 863-9533.

    When sending data containing PHI via ground mail services, researchers must likewise ensure the security of the information until it arrives in the hands of the intended recipient. Hard copy documents containing PHI should be sent 1) using an insured carrier; 2) with a receiving signature required; and 3) by a carrier with package tracking services.

RESEARCH COMMENCED PRIOR TO APRIL 14, 2003:
    An authorization is not required under the HIPAA rule for participants who were enrolled in a research protocol before April 14, 2003 and who have signed a Common Rule-compliant informed consent form. Even if participants enrolled before April 14, 2003 have follow-up visits after that date, authorization will not be required.

    An authorization will be required for any participant enrolled in a study on or after April 14, 2003, even if the study was approved by the IRB prior to that date. Therefore, if all participants were enrolled prior to April 14, 2003, there is no need for an authorization for those participants. However, authorization will be required for any new participants after April 14, 2003, either in the form of a separate authorization document or a modified informed consent form, which includes the required authorization language.

WAIVER OF CONSENT REQUIREMENT BY IRB PRIOR TO APRIL 14, 2003 GRANDFATHERED:
    If researchers are conducting a medical records study under an IRB-approved waiver of consent obtained prior to April 14, 2003, they should continue protecting the privacy of participants' information, but do not need to re-apply to the IRB. Ongoing studies for which the IRB approved a waiver of informed consent before April 14, 2003 are grandfathered under the HIPAA rule. Although a new waiver is not required, it is important to note that the individual rights provided by the Privacy Rule go into effect as of April 14, 2003. As a result, any disclosure of PHI made pursuant to a waiver of authorization must be tracked as noted above.

FURTHER INFORMATION:
    For questions, additional detail, or to request changes to this policy, please contact the Office of the Associate Vice President for Research, Director of the Office for Research Protections.

CROSS REFERENCE:
    Other policies in this Manual may have specific application and should be referred to, especially:

    AD20 - Computer and Network Security

    AD22 - Health Insurance Portability and Accountability Act (HIPAA)

    AD23 - Use of Institutional Data

    RP08 - HIPAA and Research at The Milton S. Hershey Medical Center And Penn State College Of Medicine (Formerly Policy RA23)

    Effective Date: June 8, 2015
    Date Approved: June 4, 2015
    Date Published: June 8, 2015
