
HIPAA worksheet
Data Extraction / Business Associates
UB Research FAQ
Waiver of Authorization
Review Prep to Research
Research on Decedents
Transition Provisions
Limited Datasets

For Researchers at the University at Buffalo

As of April 14, 2003, if your research involves the use or creation of health information about your research subjects, there are new steps you must implement to protect the privacy of a research subject's personally identifiable health information. This website will assist you in fulfilling these new federal regulatory requirements.

The privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) require that additional safeguards be put in place to protect the privacy and security of an individual's health information, including that of persons enrolled as research subjects.

Although the UB research function has been explicitly defined as a non-covered function under HIPAA, research protocols that involve the provision of health care, or that will obtain health information from a third-party entity, will be required by the UB IRBs to adhere to the HIPAA regulations as they relate to a non-covered entity acquiring individually identifiable health information for research purposes from a covered entity.

In general, protocols that must comply with UB HIPAA policy will need to secure from each research subject a signed, HIPAA-compliant authorization form to use or disclose their personally identifiable health information for research purposes.  In some instances, there are alternatives to obtaining authorization, including a waiver of authorization and a certificate of de-identification.  The HIPAA Worksheet (below) will guide you to the correct option available to fulfill the new regulatory requirements and UB's policy for implementing them.

Be mindful that your research protocol may obtain individually identifiable health information from different locations, and for different uses in various stages of the protocol, e.g., subject identification, recruitment, data collection and analysis.  A protocol that is required to comply with UB's HIPAA research policies must have a HIPAA mechanism in place for every piece of individually identifiable health information it obtains.

HIPAA Documents and worksheets

Overview - documents to better understand HIPAA and HIPAA at UB

UB HIPAA Overview - what UB functions are covered under HIPAA and how does HIPAA apply to research.

UB HIPAA Declarations and Guidance - Formal UB position statements on issues such as UB covered functions, non-covered functions, etc.  This page also contains UB Guidance documents aimed at helping the UB community understand specific HIPAA issues (some specifically target research issues).

Organizational Issues - describes the impact of HIPAA on research when multiple entities, each with its own HIPAA issues, participate in research.

HIPAA and UB Research - a PowerPoint presentation orienting the researcher to HIPAA at UB.

Nuts-And-Bolts - documents needed by UB investigators to assist them in complying with HIPAA at UB.

HIPAA Worksheet - this worksheet will assist you in determining whether HIPAA will impact your research and, if it does, what mechanisms you need to have in place to collect individually identifiable health information in a way that complies with UB's policy for meeting the HIPAA Privacy regulations.

Specific HIPAA information transfer mechanisms:


Authorization.  Use this option if you will be using or collecting health information and personal identifiers from your research subjects and you will be obtaining informed consent from them as well.  This authorization is required in addition to informed consent.  You will also need to seek a Partial Waiver of Authorization (.doc) (.pdf) if, for recruitment purposes, you need access to individually identifiable health information at any time before you obtain a signed authorization permitting access to that information.


Application for Waiver of Authorization (.doc) (.pdf)  Last revised March 16, 2003.  You may apply for a full waiver of authorization when a signed authorization cannot be reasonably obtained, e.g., for medical records research.


Application for Partial Waiver of Authorization for Study Recruitment (.doc) (.pdf) You will need to apply for a partial waiver in situations where individually identifiable health information is needed to identify study candidates prior to contacting them as part of study recruitment.  You will also need to put a HIPAA Authorization in place for subjects who indicate an interest in participating in the study.


Certification of De-Identification (.doc) (.pdf) Last revised July 25, 2003.  If your research will use or collect health-related information about individuals but the information will be kept anonymous, you may apply for a certificate of de-identification.


Research on Decedents can be performed, with specific constraints, after the researcher provides the covered entity with the proper representations.  Additional policies limiting access to decedent information may be imposed by the covered entity.


Transition Provisions - how HIPAA will impact research begun before or after 4/14/2003.

Specific HIPAA information data extraction mechanisms

The transfer mechanisms above permit a UB researcher or member of their research team to receive PHI from a covered entity, but they do not permit a researcher to access a larger subset of PHI within the covered entity in order to extract the PHI required for research.  For more information on how to engage in this activity, see the Data Extraction link at the upper left of this page.

Additional Resources

HIPAA Definitions.  Key definitions as defined within the HIPAA regulations.


OCR Research Guidance 12/2/2002 - HIPAA Privacy rule guidance specific to research from the Depts. of Health and Human Services and the Office of Civil Rights (OCR is charged with enforcing the HIPAA Privacy regulations, which were written by HHS).

NIH HIPAA Privacy Rule Information for Researchers

HHS/OCR HIPAA FAQ (select Category: Research uses and disclosures and then click the 'search' button)

UB HIPAA FAQ - will be updated occasionally as issues relevant to UB are addressed.

HIPAA Resources. A web site where you can find out more than you ever wanted to know about HIPAA.

This material is designed for internal University at Buffalo use only and is copyrighted.  Information and documents available on this site may be freely copied and used with appropriate attribution to the University at Buffalo.  None of the information on these pages should be construed as legal advice or expert opinion with respect to how any particular function or entity engages in work to come into compliance with HIPAA.
Last updated: July 28, 2009.