UCSF home page UCSF home page About UCSF Search UCSF UCSF Medical Center
UCSF navigation bar
For New Investigators For Researchers
and Staff
Committee on Human Research About the Committee

Contact Information


Applying to the CHR Applying & Reporting to the CHR
forms and templates Applications & Forms
Recruitment and Consent Process Recruitment & Consent Process
policies and guidelines UCSF Guidance on Research Topics & Issues
Veterans Affairs Medical Center Logo Working With the VA
Working with Other Institutions and Units Working With Other Institutions & Units
For Research Volunteers For Research Volunteers
quality improvement unit About the Quality Improvement Unit (QIU)
Education & Training
HIPAA and Research HIPAA & Research
Federal Regulations and Guidance Federal Regulation & Guidance
key Other Useful Links
CHR Member Information CHR Member Information
whats new?

Announcements and Bulletins




What is PHI?
What is Research Health Information (RHI), i.e., not PHI?
What is individually identifiable health information?
Do all human research studies use PHI?
How do I get approval to use and disclose PHI from research subjects at UCSF?
What is the subject’s authorization? What do I use at UCSF, SFVAMC, and other institutions or for sponsors?
Can I obtain verbal authorization?
What is the waiver of authorization? How do I request a waiver?
Will I be able to review medical charts for research purposes? How do I get access after April 14, 2003?
Is CHR approval required for decedent research at UCSF?
What is de-identified data?
What identifiers must be removed to create de-identified data?
What is the statistical method of de-identification?
What is a limited dataset?
Do I need a Business Associate Attachment (BAA) for my research?
Does HIPAA apply to my international study?
Do I have to modify my currently approved CHR study?
Can databases or registries be created under HIPAA?
How do I protect the PHI in my study?
What is a breach of security? What should I do if PHI may have been disclosed to unauthorized individuals?

Q. What is PHI?

Protected or personal health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. HIPAA defines 18 specific identifiers that create PHI when linked to health information. In addition to the required CHR approval, HIPAA authorization is required for research studies that use, create, or disclose PHI that will be entered in to the medical record or will be used for healthcare services, such as treatment, payment or operations.

For example, PHI is used in any research study that will access the medical record, such as for records review or recruitment purposes. Also, studies that create new medical information because a health care service is being performed as part of research, such as diagnosing a health condition or a new drug or device for treating a health condition, create PHI that will be entered into the medical record. For example, sponsored clinical trails that submit data to the U.S. Food and Drug Administration involve PHI and are therefore subject to HIPAA regulations.

However, without the 18 identifiers, health information is not considered to be PHI. For example, a dataset of vital signs by themselves do not constitute protected health information. However, if the vital signs dataset includes medical record numbers, then the entire dataset must be protected since it contains an identifier. These identifiers can include anything that can be used to identify an individual such as private information, facial images, fingerprints, and voiceprints. These can be associated with medical records, biological specimens, biometrics, data sets, as well as direct identifiers of the research subjects in clinical trials.

Q. What is Research Health Information (RHI), i.e., not PHI?

Research Health Information (RHI) is individually identifiable health information obtained or generated through research activities exclusively for research purposes only. It may include health information from questionnaires, interviews, observations of behavior, and even diagnostic tests, as long as none of the information is (i) obtained or generated as part of a health care service (treatment, payment, operations, medical records), (ii) entered into a medical record, or (iii) used to make treatment decisions.

This data must be protected, managed and maintained with the same level of data security and care as Protected Health Information (PHI).

Examples of Research Health Information include:

Example 1:  Information obtained through a behavioral study evaluating medication adherence by individuals who smoke and have asthma where all subjects were recruited through flyers posted in the community and all subject information was collected through subjects completing questionnaires, would be considered Research Health Information.   

Example 2:  Information obtained through a study of the prevalence of a type of flu in a community, where blood is drawn from volunteers at a community health fair, analyzed for antibodies specific to the type of flu, and no individual results are provided to participants would be considered Research Health Information as long as there is no link kept between the signed consent forms and the blood specimens that will be analyzed.

Example 3:  Information obtained through a nutrition study conducted at a community/public/commercial fitness facility, not connected to or associated with a medical facility that provides health services, that tracks the success of a counseling weight-loss intervention in obese volunteers would be considered RHI if:

  • the subjects complete food diaries, medical history questionnaires, and surveys about their behavior and mood;
  • a tube of blood drawn to measure lipid levels; and
  • the blood is evaluated at a private laboratory not associated, and the results are given directly to the subjects.
Q. What is individually identifiable health information?

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.  Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). (DHHS.gov - Summary of the HIPAA Privacy Rule/What Information is Protected)

Q. Do all human research studies use PHI?
A. No. Some research studies do not collect PHI for their project or for the recruitment of their research subjects. For example, anonymous surveys and observational studies that do not collect identifiers do not use PHI. Another example would be non-medical studies that recruit subjects through advertisements or flyers where no PHI was accessed for recruitment or collected for the study. If your study does not use PHI, then it will not be affected by the new HIPAA regulations.
Q. How do I get approval to use and disclose PHI from research subjects at UCSF?
A. PHI can be accessed by one or both methods:
  •   Individual Authorization signed by research subject (or legal representative)
  •   Waiver of consent/Authorization (CHR approved)
Q. What is the subject’s authorization? What do I use at UCSF, SFVAMC, and other institutions or for sponsors?

The subject’s authorization for release of personal health information is a required supplement to the standard Informed Consent Form. It does not change any of the information or permissions described in the Informed Consent Form.

This form describes the different ways that the researcher, research team and the research sponsor may use the subject’s personal health information (PHI) for the research study. The subject grants their permission to access their information when they sign this subject authorization form. Alternatively, in lieu of obtaining individual subject authorizations, HIPAA allows the CHR to grant a waiver of authorization to the investigator.

The University of California has developed this authorization form and it is located on the CHR website as the “Authorization for Release of Personal Health Information for Research (Spanish version).” All UCSF-affiliated research investigators obtaining subject authorization to use PHI in their studies must complete and use this form (exceptions noted below) without altering the standard text in the form.

Note: the CHR recommends the use of the separate Subject Authorization form rather than combining the authorization language into the informed consent document. However, investigators have the option to use the combined consent/authorization if they choose (see consent form samples on CHR HIPPA web page).

For the San Francisco Veterans Administration Medical Center (VAMC) investigators, a VAMC-specific authorization will be required in order to access the medical records at the VAMC. Therefore, investigators may need to have two authorizations depending upon which medical records are being accessed.

Also, other non-affiliated medical centers and institutions may require you to use their version of the authorization form to access their medical records. The authorization form originates from the covered entity that owns the PHI (usually medical records) for which you are requesting access. However, smaller clinics have been accepting the UCSF authorization in lieu of their own. You should determine in advance what the HIPAA authorization requirements would be for medical records access. Most affiliates, institutions, and medical centers will have HIPAA information on either their IRB, medical records or HIPAA website.

Clinical trial sponsors may want researchers to use the sponsor’s authorization form. At UCSF, research investigators will only be allowed to use one form (with the exception of the VAMC). If researchers wish to use their Sponsor’s authorization, they must submit it to the CHR for review. This will delay approval as these forms are legal documents representing UC and therefore require careful review by the Privacy Board (at UCSF, this is the CHR).

Top of page
Q. Can I obtain verbal authorization?
A. Yes, but only if you have a CHR-approved waiver of authorization that waives the HIPAA requirement for a written authorization. You will not need to amend your informed consent phone scripts with HIPAA authorization language.
Q. What is the waiver of authorization? How do I request a waiver?
A. A waiver of authorization may be granted in situations where an individual’s authorization to access their PHI will not be obtained. There are several types of research studies that may a need a waiver of authorization such as:
  •   Reviews of medical records for data collection (chart reviews)
    Access to databases that have protected health information in them
  •   Screening and recruitment purposes
  •   Studies that enroll subjects with verbal consent

For example, studies that access clinical databases, hospital medical records, appointment logs, and other similar databases to identify potential subjects for recruitment purposes may need a waiver of authorization. In these situations, a researcher is examining PHI without a subject’s authorization for purposes other than healthcare treatment, payment, or operations. If the clinic has does not have a CHR-approved recruitment protocol, then for recruitment purposes, each research study will have to obtain a CHR-approved waiver of authorization to screen the clinic’s records for subjects. If these potential subjects are then later enrolled in research studies, they must sign both the informed consent and the authorization forms or the combined consent/authorization.

At UCSF, the CHR, as the Privacy Board for research, is allowed to grant a waiver of authorization if it can certify that the research meets the following criteria:

  •   The research could not be practicably conducted without access to the PHI.
  •   The research could not practicably be conducted without the waiver.
  •   The research poses minimal risk to a subject’s privacy and includes a written assurance that the PHI will not be reused or disclosed, an adequate plan to protect the information from improper use or disclosure, and a plan to destroy the identifiers at the earliest opportunity unless there is a justification for retaining them.

The CHR will also expect the research to satisfy the current human subject protection regulations including that the waiver will not adversely affect the rights and welfare of the subject and that the risks are reasonable in relation to the anticipated benefits of the research. Requests for waiver of authorization must be submitted to the CHR and be approved prior to accessing the health information.

The CHR Application in iMedRIS includes questions to determine whether HIPAA authorization is required, or if a waiver of authorization can be granted for the entire study or for recruitment purposes only. The CHR approval letter will document these determinations.

Top of page
Q. Will I be able to review medical records for research purposes? How do I get access after April 14, 2003?
A. You will be able to do medical records reviews under HIPAA for research purposes as long as you have obtained some form of PHI authorization. Health Information Management Services (HIMS) will require that you show proof of this authorization before they give you access to medical records. This proof can be one of the following:
  •   Copy of CHR approval letter with statement of Waiver of Authorization of individual consent
  •   Copy of CHR approval letter with statement that Individual Subject Authorization will be obtained
  •   Copy of CHR approval letter with statement that a Data Use Agreement will be used (not available yet)
  •   Copy of Exempt Certification Form certified by the CHR
Q. Is CHR approval required for decedent research at UCSF?

It depends on whether PHI will be accessed and/or whether State, county, or local death data files will be accessed, as both the Federal and State privacy laws apply. Even if PHI will not be recorded for research purposes, the following will apply:

CHR Requirements for Decedent research
Access to or Use of Medical Records Use of PHI from State, County, Local Death Data Files HIPAA Authorization CHR Application
NO NO None None
NO YES Waiver Expedited*
YES Either YES or NO Waiver

See Decedent section of Medical Records Review guidance.

Q. What is de-identified data?

HIPAA allows the patient information to be "…used and disclosed freely, without being subject to the Privacy Rule's protections" if has been de-identified. De-identified PHI has all identifying information removed but the data could be re-identified if necessary, usually through means of a code. This code cannot be derived from any of the elements removed during de-identification. For example, a unique code cannot be created using the last four digits of a social security number.

However, the UC authorization for release of personal health information form does allow for the use of initials, date of birth and dates of medical care as “personally unidentified study data”. Typically, this type of data is used in case report forms (CRF) for quality control purposes where the CRF is verified with the source documents, especially for sponsors.

There are two acceptable methods for creating de-identified data (PHI) including the removal of 18 primary and secondary identifiers from the dataset, or, using statistical methods of verifying that the data could not be used to re-identify a research subject. Additionally, the researcher must not have actual knowledge that the research subject could be re-identified from the remaining identifiers in the PHI used in the research study.

Note that although the Privacy Rule (HIPAA) allows the unrestricted use of deidentified data, UCSF requires all human subjects research to be reviewed by the Committee for Human Research. You will still have to submit your research protocol to the CHR for both evaluation for human subjects research and the protection of privacy. For example, straightforward database studies that only utilize de-identified data will probably qualify as Exempt or Expedited studies.

Top of page
Q. What specific identifiers must be removed to create de-identified data?

The 18 identifiers that must be removed for de-identification include:

1. Names;
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
Top of page
Q. What is the statistical method of de-identification?
A. A statistical expert must certify that the risk is "very small" that anyone could re-identify the research subjects from the PHI identifiers used in the study. They must document the methods used to determine that data has been rendered de-identified. A statistical expert is someone with "appropriate knowledge and experience with statistical and scientific principles and methods for rendering information not individually identifiable".
Top of page
Q. What is a limited dataset?

A limited dataset is a limited set of identifiable information in which most of the identifiers for the individual, the individual’s relatives, employers and household members have been removed. The only allowable health information identifiers are:

  •   5 digit zip code (the 4 digit extension is not allowed)
  •   dates of birth, death, admission, discharge
  •   all geographic subdivisions other than street address
  The advantages of using a limited dataset include that the disclosures are not subject to HIPAA accounting requirements and that an individual’s authorization does not need to be obtained. However, you may be asked to sign a Data Use Agreement by the purchasing or contracts office of the university or other covered entities to give assurances that the information will be protected.

A CHR application is not required for studies involving Limited Data Sets.

Q. Do I need a Business Associate Attachment (BAA) for my research?

Maybe. If your research project will contract a vendor outside of UCSF for a research service and the vendor may see identifiable personal health information, then that vendor must have a BAA with UCSF before they begin the service. Typically, these types of vendor services are used in research studies that will contract for data analysis, data entry, and consultations to review data. Equipment repair vendors that service machines that have PHI stored on them, such as digital imaging or filmless x-rays, will all need to have BAA in place.

Note, that the BAA is between the vendor and UCSF, not between the vendor and you as the investigator. If your project will need this type of research service, you should contact your Purchasing Officer who then will negotiate the BAA on your behalf with the vendor. BAA forms are located on the UCSF HIPAA website.

Q. Does HIPAA apply to my international study?
A. No. U.S. Federal laws do not apply to studies conducted overseas or in foreign countries. The standard methods of protecting confidentiality and privacy for research in human subjects still apply and you should have these in place. However, the research subjects do not need to sign an authorization to allow access to their PHI.
Q. Do I have to modify my currently approved CHR study?

Research studies that have both CHR approval and signed informed consent documents prior to April 14, 2003 can continue to use the PHI already collected without revising their documents until their next annual renewal of the project. However, any new subjects enrolled after April 14, 2003 and before the annual renewal date must sign an Authorization form in addition to the informed consent document when they are enrolled.

This is also true for studies that obtained CHR approval of waiver of consent prior to April 14, 2003. These studies may continue without obtaining authorization. However, if at any time during the transition period these projects change such that informed consent will be obtained, then PHI individual authorizations must also be obtained.

Note that the subjects authorizations can be separate documents (recommended) or the investigator can use a combined informed consent/authorization document if it has been approved by the CHR prior to obtaining signed consent. If at any time during the transition period (between April 14, 2003 and the next annual renewal date) a modification is made to the informed consent document, then the investigator can either include HIPAA compliant language within the informed consent document or investigators may opt to continue to use two separate forms.

Top of page
Q. Can databases or registries be created under HIPAA? Can I create a research database without obtaining an authorization from every single research subject?
A. Yes. HIPAA allows for the creation of databases for research purposes. A research database can be created without obtaining individual authorizations but only with a CHR approved Waiver of Authorization. The proposal to the CHR must meet all of these waiver criteria, some of which you may already include as part of the confidentiality discussion in your research proposal. These criteria include:
  1. The study represents minimal risk to the privacy of the individual
  2. The study could not practicably be done without access to PHI
  3.  The study could not practicably be done without a waiver of authorization
  The "minimal risk" criteria must include all of the following three elements:
  •  An adequate plan to protect the identifiers from improper use and disclosure;
  •  An adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers (or is required by law), and
  •  An adequate written assurance that the PHI will not be reused or disclosed to anyone else (except for research oversight, other research studies approved to use the PHI, or as required by law)

The PHI maintained in the research database may be disclosed for future research studies if the investigator either obtains an individual's authorization or a CHR approved Waiver of Authorization. The CHR will post further guidance when the Federal and University of California policies become available.

Top of page
Q. How do I protect the  PHI in my study?

Investigators are advised to analyze the flow of PHI through their research projects and develop security policies for both electronic and hard copy PHI. Any type of physical or electronic storage may be used. Simple steps may be all that are required to accomplish the goals of tracking, recovery, and security.

A tracking system is necessary to account for how the PHI is stored, used, and shared, e.g. flow of PHI through your project.

A recovery plan simply means having the capability to recover data if you lose your primary database for both your research and for HIPAA accountability of any PHI disclosures.

A security system that prevents inadvertent disclosure, loss or theft of PHI from your project is required. For example, acceptable security for an isolated computer system or data system could include the following:

  •  Data is kept in locked file cabinet
  •  Data is kept in locked office or suite
  •  Data is stored on a secure network
  •  Electronic data are protected with a password (computer, PDA, laptop)
  •  Electronic data are protected with automatic logoff (computer, PDA, laptop)
  •  Data is coded; data key is kept separately and securely
  •  Data will be de-identified per HIPAA definition

However, there are more serious issues for securing electronic data transmission as almost every form of Internet, intranet, and ftp does not protect PHI. All electronic data should be scanned by anti-virus software both before sending and receiving encrypted data. Any use of the Internet to transmit data must be scrutinized very carefully as very few systems are behind firewalls or within secure zones.

By establishing one protection system and policy for all of the PHI in a research project, it will be easier to train personnel, insure compliance with HIPAA, and maintain the integrity of the datasets. At UCSF, ITS will provide future guidance and currently offers the following on the Information Security website located at
http://isecurity.ucsf.edu/ :

  •  Free anti-virus software (available now)
  •  Any UCSF affiliate may use this anti-virus software
  •  Multi-platform security software
  •  Private firewall software for PCs (in future)
  •  Security information and tools
Q. What is a breach of security? What should I do if PHI may have been disclosed to unauthorized individuals?

A breach of security refers to any unauthorized access to PHI and usually related to electronic files or devices that contain PHI. Common examples include the use of electronic storage devices without password protection, sending email with PHI outside of the UCSF intranet or to the wrong person; a laptop/PDA/electronic storage device with PHI is stolen or lost, and other similar situations.

Investigators, staff and other individuals who are concerned that there may have been a breach of security for their research files should contact the CHR and HIPAA Privacy Office immediately. They will work with you to assess the situation to determine who else may need to be notified.

As HIPAA security polices and procedures are developed, guidelines will be posted on the websites for UCSF HIPAA Implementation and the CHR. Please see the FAQ above for protecting your PHI and consult with your department’s IT staff for guidance to protect electronic devices.