

What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) sets forth requirements to protect the privacy and security of health information. Through the Privacy Rule, HIPAA protects patients from inappropriate disclosures of their protected health information (PHI) that could harm their insurability, employability and/or privacy. Through the Security Rule, HIPAA also sets standards for protecting the confidentiality, integrity and availability of electronic protected health information.

HIPAA allows for research personnel to access and use PHI when necessary to conduct research. Not all research is subject to HIPAA regulations; HIPAA only affects research that uses, creates or discloses PHI. 

Protected Health Information (PHI):

Protected Health Information, or PHI, is any health information that includes any of the 18 elements identified by HIPAA and maintained by a covered entity or any information that can be reasonably used to identify a person.

PHI is information created or received by a healthcare provider relating to:

  • The past, present or future physical or mental health or condition of a patient;
  • The provision of healthcare to an individual; or
  • The past, present, or future payment for the provision of healthcare to an individual, until fifty (50) years following the date of death of the individual.

List of 18 identifiers:

HIPAA defines the 18 identifiers that create PHI when linked to health information.

  1. Names;
  2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. Phone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social Security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images; and
  18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
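The zip code, date and age rules in the list above are concrete enough to implement as a check. The following is an added example (not code from the page or the Northwestern IRB) of a Safe Harbor style de-identification pass over one record. The field names, the sample record and the set of restricted three-digit zip prefixes are all assumptions; the real restricted prefixes come from Census population data, which this page does not list.

```python
"""Safe Harbor style de-identification of a single record (added example).

Implements the generalization rules from the 18-identifier list:
item 2 (zip codes reduced to three digits, or 000 for small areas),
item 3 (dates reduced to year; ages over 89 aggregated to 90+), and
removal of the direct identifiers (items 1 and 4-17). Field names are
assumed for illustration; an investigator-assigned study code is kept,
as the note on item 18 allows.
"""
import re
from datetime import date

# Fields holding direct identifiers (items 1, 4-17): dropped outright.
# These field names are assumptions, not a standard schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}

# Three-digit zip prefixes whose combined population is 20,000 or fewer
# must be replaced with "000". PLACEHOLDER values for illustration only;
# the authoritative set must be taken from current Census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}


def generalize_zip(zip_code):
    """Keep the first three digits of a zip code, or 000 if restricted."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(value):
    """Reduce a date (date object or YYYY-MM-DD string) to its year."""
    if isinstance(value, date):
        return value.year
    match = re.match(r"^(\d{4})-\d{2}-\d{2}$", str(value))
    return int(match.group(1)) if match else None


def generalize_age(age):
    """Aggregate all ages over 89 into the single category 90+."""
    age = int(age)
    return "90+" if age > 89 else age


def deidentify(record):
    """Return a copy of `record` with identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                          # direct identifier: drop
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key.endswith("_date"):
            out[key] = generalize_date(value)  # month/day removed, year kept
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = value
    # For ages over 89, even the year of birth reveals the age and must go.
    if out.get("age") == "90+" and "birth_date" in out:
        out["birth_date"] = None
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "email": "jane@example.org",
    "zip": "60611-2908",
    "birth_date": "1931-04-17",
    "admission_date": "2023-02-03",
    "age": 92,
    "diagnosis_code": "E11.9",
    "study_id": "S-0042",   # investigator-assigned code, retained (item 18 note)
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

Run against the sample record, the output keeps only the three-digit zip prefix, the admission year, the aggregated age and the study code; the name, medical record number and e-mail are gone, and the birth year is blanked because the age is over 89. Note that this handles structured fields only: free-text notes can carry any of the 18 identifiers and need a separate review.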

Data That Is Not Subject to HIPAA Regulations:

The IRB often approves research studies that do not use, disclose, or create PHI; therefore, the research is not subject to HIPAA regulations.

Personally Identifiable Information (PII) is data used in research that is personally identifiable but is not considered PHI, and is therefore not subject to the HIPAA Privacy and Security Rules. The key distinction between PII and PHI is that PHI is associated with or derived from a healthcare service event, i.e. the provision of care or payment for care. PII is covered by other state and federal laws on the privacy and confidentiality of research health information.

For example, some studies use individually identifiable health information elements that are included in the above list of 18 identifiers; however, the elements are not considered PHI because the data is not:

  • Obtained or generated as part of a health care service (treatment, payment, operations, medical records)
  • Entered into a medical record, or
  • Used to make treatment decisions

Note: Data that is not subject to HIPAA regulations is still regulated by other human research regulations and may also be subject to other privacy regulations.

HIPAA Applicability to Research:

The table below summarizes when HIPAA regulations may apply but there may be exceptions. Please contact the IRB with questions:

Study data are …

  • Derived from a medical record.
  • Added to the hospital or clinical medical record.
  • Created or collected as part of health care.
  • Used to make healthcare decisions.

HIPAA regulations apply.

Study data are only …

  • Obtained from the participant, including interviews, questionnaires.
  • Obtained from participants in a foreign country or countries only.
  • Obtained from records or data available to the public.
  • Obtained from existing and previously IRB reviewed and/or approved research records.

HIPAA regulations do not apply.


The IRB’s Role:

Most studies that involve human participants will require the submission of an application to the Northwestern University IRB using eIRB+. HIPAA requires that either an IRB or a Privacy Board make determinations about the use of PHI in research. The Northwestern University IRB serves as the Privacy Board for research conducted at Northwestern Memorial HealthCare (NMHC) and Shirley Ryan Ability Lab (SRAlab).

If HIPAA applies to the research study, investigators may obtain approval to use and/or disclose PHI from research participants through the IRB. The IRB determines whether you can access PHI by using one or both of the following methods:

  • Obtaining an individual’s HIPAA Authorization; or
  • Requesting an alteration or a waiver of HIPAA Authorization.

The IRB approval letter will specify the approved method(s).

Obtaining an Individual’s HIPAA Authorization:

The IRB must review the combined consent/authorization documents to ensure that the language meets the requirements of HIPAA. The Privacy Rule specifies core elements and required statements that must be included in an Authorization.

An Authorization, whether prepared by a covered entity or by a person requesting PHI from a covered entity, must include the following core elements and required statements:

Authorization Core Elements (see Privacy Rule, 45 C.F.R. §164.508(c)(1))

  • Description of the PHI to be used or disclosed (identifying the information in a specific and meaningful manner).
  • The name(s) or other specific identification of person(s) or class of persons authorized to make the requested use or disclosure.
  • The name(s) or other specific identification of the person(s) or class of persons who may use the PHI or to whom the covered entity may make the requested disclosure.
  • Description of each purpose of the requested use or disclosure. Researchers should note that this element must be research study specific, not for future unspecified research.
  • Authorization expiration date or event that relates to the individual or to the purpose of the use or disclosure (the terms “end of the research study” or “none” may be used for research, including for the creation and maintenance of a research database or repository). However, if the study involves collection of mental health information, an expiration date must be specified.
  • Signature of the individual and date. If the Authorization is signed by an individual’s personal representative, a description of the representative’s authority to act for the individual.

Authorization Required Statements (see Privacy Rule, 45 C.F.R. § 164.508(c)(2))

  • The individual’s right to revoke his/her Authorization in writing and either (1) the exceptions to the right to revoke and a description of how the individual may revoke Authorization or (2) reference to the corresponding section(s) of the covered entity’s Notice of Privacy Practices.
  • Notice of the covered entity’s ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the Authorization, including research-related treatment, and, if applicable, consequences of refusing to sign the Authorization.
  • The potential for the PHI to be re-disclosed by the recipient and no longer protected by the Privacy Rule. This statement does not require an analysis of risk for re-disclosure but may be a general statement that the Privacy Rule may no longer protect health information.

Requesting an Alteration or a Waiver of HIPAA Authorization

The IRB may grant a waiver or alteration of HIPAA authorization requirements in whole or in part. It is important to note that there is no distinction between the criteria for a full HIPAA waiver and those for an alteration of HIPAA authorization under 45 CFR 164.512(i)(2)(ii).

An alteration of HIPAA authorization may include an omission of one or more required elements of HIPAA-compliant authorization.

The IRB may waive HIPAA authorization for an entire study or issue a partial waiver. A waiver of authorization is most frequently sought when the research also qualifies for a waiver of consent. Both the waiver of consent and waiver of authorization must demonstrate that it would not be practicable to conduct the research without either waiver. 

To apply for a waiver of HIPAA authorization or an alteration of HIPAA authorization, the IRB requires:

  • The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
      1. an adequate plan to protect the identifiers from improper use and disclosure;
      2. an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
      3. adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
  • The research could not practicably be conducted without the waiver or alteration; and
  • The research could not practicably be conducted without access to and use of the protected health information.

Requests for alterations or waivers of HIPAA authorization must include a rationale for why the alteration or waiver is being requested (for example: the research cannot practicably be carried out without the waiver) and must be detailed within the study protocol for IRB review. The IRB has the authority to request modifications or to deny a waiver or alteration request if the required components are insufficient to ensure that proper protections are in place. If the IRB has not waived the requirement to obtain HIPAA authorization, you must obtain HIPAA authorization prior to accessing or using protected health information.

A partial waiver of HIPAA authorization occurs when the IRB determines that the covered entity does not need authorization for some uses and disclosures of PHI for research purposes, such as disclosing PHI for research recruitment purposes.

Revocation of Authorization

At any time, a research participant may revoke his/her authorization in writing to the Principal Investigator. The IRB has a template, HIPAA Revocation Template Letter, available for investigators and subjects to complete.

Please refer to the NMHC Policy on Research Privacy and Confidentiality and the Research Recruitment Guidelines FAQs for additional guidance on uses and disclosures not requiring authorization or an IRB waiver of authorization that pertain to:

  • Research on decedents
  • Preparatory to research
  • De-identified data
  • Limited data sets