Contact Information

Organization

THE COMMITTEE ON HUMAN RESEARCH

HIPAA AND HUMAN RESEARCH: (July 2003)

• Background
• HIPAA Guidance
• HIPAA Definitions
• HIPAA Forms
• Authorizations to Be Used at Other Hospitals or Institutions
• HIPAA Research Training
• Other HIPAA Links
• Questions

Background

The Health Insurance Portability and Accountability Act (HIPAA), also known as “The Privacy Rule,” set new standards and regulations to protect patients from inappropriate disclosures of their “protected health information” (PHI) that could cause harm to their insurability, employability and/or their privacy. PHI is information that can be used to identify an individual which is created, used, or disclosed in the course of providing a health care service, such as diagnosis or treatment. HIPAA does allow for researchers to access and use PHI when necessary to conduct research. The Committee for Human Research will act as the HIPAA-required Privacy Board to review the use/disclosure of PHI for research.

Effective Compliance Date: As of April 14, 2003, all human subjects research must be in compliance with the Privacy Rule.

	HIPAA Guidance:
	•	UCSF Privacy Office
	•	Data Security
	•	UCSF CHR HIPAA Decision Tree
	•	One-Page Guide to HIPAA
	•	PHI: List of 18 Identifiers and Definition of PHI
	•	Authorization: Required Elements
	•	Frequently Asked Questions (FAQs)
	•	Email and Fax Restrictions for Using PHI
	•	Abbreviated Recruitment Guidelines
	•	HIPAA Consent Form Guidance
		•	Standard Consent Forms Formats and Samples
	•	Definitions
	HIPAA Forms:
	•	Waiver of Consent/Authorization
	•	UCSF Subject Authorization for Release of PHI for Research
	•	Spanish Version: UCSF Subject Authorization for Release of PHI for Research
	•	Russian Version: UCSF Subject Authorization for Release of PHI for Research
	•	Cancellation of Permission to Use Personal Health Information for Research (new form 4-04)
	•	SFVAMC Authorization for Release of PHI for Research (revised August 2009)
	•	HIPAA Supplement
	•	Data Use Agreement
Authorizations to Be Used at Other Hospitals or Institutions Other hospitals, medical centers, institutions or clinics will likely have their own versions of the Subject Authorization for access to their own medical records. For example, Kaiser and CPMC and Stanford have their own forms. Those forms will have to be used at their sites, just as the UCSF form must be used at UCSF and the VAMC form must be used at the VAMC. Note: These forms do not have to be reviewed for studies approved before April 14, 2003, but a copy should be submitted with all new, renewal and modified applications (that involve PHI and a consent form).
	HIPAA Research Training (Revised February 2004)
	Other HIPAA Links

Questions

HIPAA Questions: Call the CHR Front Desk at 415-476-1814 and your questions will be answered or your call will be redirected appropriately. You can also contact us.