We understand that you might have questions about HIPAA and may need additional guidance to determine if HIPAA applies to you and your department. We have provided answers to some of the most frequently asked questions regarding HIPAA. If you cannot find an answer to your question below, please reach out to the HIPAA Privacy team and we will do our best to help you find the answer you're looking for.
HIPAA Regulations are owned and maintained by the US Department of Health and Human Services (HHS). For the most current information on HIPAA, please visit the HHS Health Information Privacy website. For information on the HIPAA Privacy Rule, the HIPAA Security Rule, or the Breach Notification Rule, please click on the links provided. For additional information, you can review the links below.
Please refer to the University of Arizona Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Policy. Additionally, for students and employees, you can review the internal Security Standards and Procedures located on our HIPAA SharePoint site.
All members of the UA community who perform work (paid or unpaid), study, or do research in a department within the University’s HIPAA Components are required to complete the Stanford HIPAA training.
You can complete the required HIPAA Training by following the instructions below:
1. Select this link to go directly to the HIPAA Certification page, after logging onto the EDGE Learning system with your UA NetID and password.
2. Select the dropdown under "Path Details" to select the English or Spanish training, then select "Register".
3. Select "Complete Registration", then close the confirmation popup window.
4. Select "Launch" and complete the training by viewing 100% of the module and answering any questions.
You are required to take the training within 30 days of your start date and must retake the training annually.
Student health records are covered by FERPA when they are maintained by an educational agency or institution that receives federal funding, such as the University of Arizona. These records are considered “education records” or “treatment records” under FERPA and are excluded from HIPAA coverage. In contrast, HIPAA applies when a health care provider not acting on behalf of a FERPA-covered institution maintains student health records and transmits protected health information electronically in connection with covered transactions. For additional information, refer to this joint guidance given by HHS and the Department of Education. For additional information on FERPA, visit the UA FERPA website.
The HIPAA Privacy Rule protects health information held by covered entities (healthcare providers, health plans, and healthcare clearinghouses). Researchers are usually not considered covered entities, even though they may use Protected Health Information (PHI). This distinction can make HIPAA rules confusing. This guide explains when HIPAA applies to research, what it requires, and the actions that need to be taken. If you have questions about this information and need additional clarification, please contact University Privacy.
The use of PHI occurs when health information is communicated inside of a covered entity. When PHI is communicated to another person or organization that is not part of the covered entity, this is called a disclosure. In most cases, both the use and disclosure of PHI are allowed for research if HIPAA requirements are met and the study is approved by an Institutional Review Board (IRB). This may not always be the case if the study is non-human-subjects research, such as case reports, quality improvement studies, etc.
What activities are classified as research?
The HIPAA Privacy Rule is primarily concerned with information generated while providing health care services. However, HIPAA recognizes that some research may create, use, and disclose PHI.
Where research is concerned, the Privacy Rule protects individually identifiable health information, while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research.
In order for HIPAA rules to apply to a research project, it is first necessary to determine if the activity meets the definition of research as defined by the Common Rule (45 CFR 46): “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”
When Does HIPAA Apply to Research?
HIPAA applies if your research uses, creates, or discloses PHI from a covered entity. Common scenarios:
Reviewing medical records (retrospective or prospective studies).
Contacting a participant’s provider for health information.
Adding research results to a participant’s medical record at a covered entity.
Providing health-care services as part of the research at a covered entity.
HIPAA does NOT apply if:
You collect health information directly from participants only for research purposes and do not involve a covered entity.
Health information obtained by the researcher directly from the research subject solely for research purposes does not require the researcher to follow the HIPAA Privacy Rule, because that information is not being obtained from a covered entity. However, if researchers are not obtaining medical record information but are instead placing research results into the subject’s medical record at a covered entity, HIPAA compliance would then be required.
Quick Checklist
Are you using PHI from a covered entity? --> HIPAA applies.
Are you creating a medical record for a covered entity? --> HIPAA applies.
Are you only collecting data directly from participants for research? --> HIPAA does NOT apply.
When conducting research that involves health information, it’s important to distinguish between HIPAA Authorization and Research Consent:
HIPAA Authorization:
Authorization is required when you use or disclose PHI from a covered entity for research purposes, such as reviewing medical records, obtaining health data from a provider, or adding research results to a participant’s medical record.
The authorization letter must be in plain language so that individuals can understand the information contained in the form and make an informed decision.
It must be executed in writing and signed by the research subject (or an authorized representative, including a parent if the subject is a minor).
Research Consent:
Consent is required when the research involves human subjects as defined by the Common Rule (45 CFR 46), regardless of whether PHI is involved. Examples include surveys, interviews, or other similar activities designed to contribute to general knowledge.
Research must first be reviewed and approved by the IRB.
Research consent is focused on ethical participation, not on HIPAA compliance.
Authorization, Consent, or Both?
Authorization relates to privacy and data sharing under HIPAA.
Consent relates to ethical participation in research under federal regulations.
Many of the studies done at the University of Arizona involve Banner Health PHI. When PHI from a covered entity is used and human subjects are involved, both PHI authorization and research consent are required.
Authorization to Operate: Required for systems (hardware, software, or cloud services) that process or store University data. Focuses on technical and security risk management.
Business Associate Agreement: Required when a vendor or partner will access or handle Protected Health Information (PHI) on behalf of the University under HIPAA.
Data Use Agreement: Required when sharing or receiving a Limited Data Set (a subset of PHI without direct identifiers) for research, public health, or healthcare operations.