HIPAA at UK

Health Insurance Portability and Accountability Act (HIPAA)

UK HIPAA Forms

PLEASE NOTE: Researchers not in the Covered Entity may need an authorization form:

  1. to access PHI for their study; or
  2. if they are conducting part of their study in the Covered Entity.

HIPAA Instructions for all IRB Applications
(Revised 8/4/20)

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a complex regulation that affects many researchers at the University of Kentucky. HIPAA is designed to protect individually identifiable health information (also called Protected Health Information, or PHI) by regulating its use and disclosure. PHI is defined as any of the 18 HIPAA-recognized identifiers in combination with health information.

HIPAA-recognized identifiers:

  1. Names;
  2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes;
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death;
  4. Telephone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images;
  18. Any other unique identifying number, characteristic, or code.

It is important that you understand that you could face criminal and/or civil liabilities for non-compliance. 

This website contains information to help you comply with these regulations.  Note: This information is subject to change frequently as the regulations continue to be interpreted and policies developed; please check back often.

Policies/Guidance

Is my research covered by HIPAA?

HIPAA is applicable to you if your college or department uses Protected Health Information in connection with certain covered transactions. Legal counsel, with guidance from Deans and other UK leaders, has determined which colleges and departments engage in covered transactions and thus are covered by HIPAA. To find out whether your department/college is covered by HIPAA, contact the Office of Research Integrity at (859) 257-9084. Because of its size and the diversity of its activities, the University of Kentucky (UK) is designated as a hybrid entity, which means that some departments/colleges are regulated by HIPAA and others are not. An entity, or its covered departments or colleges, that is regulated by HIPAA is called a Covered Entity (CE).

The University of Kentucky is a “covered entity.”

What makes the University of Kentucky a “covered entity”? The University of Kentucky comprises several groups that make it a “covered entity,” including the University of Kentucky Chandler Medical Center, medical benefit plans, human research, dental clinics, student health services and athletics, among others.

If you are employed in a UK Covered Entity component and create, access, or share Protected Health Information, HIPAA applies to your research. For assistance with determining whether you are employed in a UK Covered Entity, contact the Office of Research Integrity at (859) 257-9084 or see below for an abbreviated list of UK covered entities.

If in your research you collect Protected Health Information from a UK Covered Entity and your department/college is deemed outside of the Covered Entity, HIPAA applies to your access of the Protected Health Information.

Researchers not in the Covered Entity may need an authorization form:

  1. to access PHI for their study; or,
  2. if they are conducting part of their study in the Covered Entity.

Please contact the Office of Research Integrity at 859-257-9428 or e-mail Joe Brown for more information.

Covered Entities

Note: There may be others not listed; please contact Joe Brown for assistance, (859) 257-9084.

Entire College of Dentistry

All Hospital Areas

All Ky Clinic Operations

College of Health Sciences

  • Business Office
  • Communication Disorders
  • Physician Assistant Studies

College of Medicine

Clinical Affairs

  • Anesthesiology (Pain Mgmt Center)
  • Diagnostic Radiology
  • Emergency Medicine
  • Family Practice
  • Internal Medicine
  • Neurology
  • OB/GYN
  • Ophthalmology
  • Pathology and Lab Medicine
  • Pediatrics (UK's Children's Hospital)
  • Physical Medicine and Rehabilitation
  • Psychiatry
  • Radiation Medicine
  • Surgery
  • Orthopedics/Sports Medicine Center

Department

  • Dean's Office
  • Chief of Staff

Multidisciplinary Centers

  • Business Operations
  • Clinic Operation
  • Center for Minimally Invasive Surgery
  • Diagnostic Clinic (Neurology)
  • Gamma Knife Center
  • Gill Heart Center
  • KY Center for Rural Health Family Practice Clinic
  • Kentucky Neurosciences Institute
  • (Lucille Parker) Markey Cancer Center Clinical Activities
  • Rural Health Center Hazard
  • Transplant Center

Public Health

  • Preventive Medicine

College of Pharmacy

  • Drug Information Services

UK Campus

  • College of Social Work: CATS Clinic
  • Human Resource Services: Benefits
  • Human Resource Services: Employee Relations
  • Human Resource Services: The Plan/UKHMO-UKDC
  • Internal Audit
  • Legal Counsel
  • Office of Controller: Accounts Payable
  • Office of Controller: Benefits Financial Counseling
  • Public Relations

HIPAA Contacts

HIPAA in Research

HIPAA Patient Rights or Accounting of Disclosure

  • Sarah Hines, UK's Healthcare Privacy Officer, (859) 323-1184

HIPAA Agreements such as Data Use Agreements or Business Associate Agreements