LSU Health Logo

Office of Compliance Programs

Revised: April 26, 2017

HIPAA and Human Subjects Research Training



Anyone who conducts Human Subjects Research at LSUHSC-NO is required to complete this training module on an annual basis.

The HIPAA Privacy Rule

A covered entity (e.g. LSUHSC-NO and its faculty, staff and students) may not use or disclose protected health information (PHI) about a patient without that patient's written authorization unless the use or disclosure falls under one of the exceptions.

Generally, research is not an exception to the HIPAA authorization requirement.

What is Considered “Research” under HIPAA?

Researcher in Lab

The HIPAA regulations define research as:

Is it Research or Not?

When in doubt as to whether the activity you are undertaking is human subjects research, you must have the LSUHSC-NO IRB make a determination of whether the activity is human subjects research under the Common Rule, and therefore, the Privacy Rule.

Not all kinds of “Research-Like” activities are included in the definition of research. The following are NOT research

More information on “Research-Like” activities will be discussed later in this presentation.

HIPAA Exceptions that Apply to Research

There are two exceptions to the HIPAA patient authorization requirement that apply to research:

HIPAA's Authorization Requirement for Research

The general rule is that LSUHSC-NO must obtain an individual’s authorization before using or disclosing protected health information (PHI) for RESEARCH purposes.


IRB Review

A Principal Investigator (PI) must comply with the HIPAA Privacy Rule as well as the Common Rule when submitting a research protocol for review by the Institutional Review Board (IRB).

A PI must submit a HIPAA Authorization form template for research in addition to any other documents the IRB may require.

Consequences of Failure To Obtain HIPAA Authorization from Each Research Subject

All data collected from the subject for the research must be DESTROYED and may NOT be used!

  • Additional penalties that can occur:

    Enrollment in a Research Study

    Each person enrolled in the research study MUST have a completed HIPAA Authorization form on file.This authorization allows the PHI of the person signing the authorization to be:

    Where to find LSUHSC-NO’s HIPAA Research Authorization Policy

    LSUHSC-NO’s HIPAA Authorization Policy for research is included in Chancellor’s Memorandum (CM) 53 and may be found at:

    LSUHSC-NO HIPAA Research Authorization Forms

    With HIV/Substance Abuse language without HIV/Substance Abuse language


    Click or tap on Picture to Access full form

    Without HIV/Substance Abuse language without HIV/Substance Abuse language


    Click or tap on Picture to Access full form

    Stanley Scott Cancer Center Authorization


    Click or tap on Picture to Access full form


    The forms on the CM-53 website are the ONLY forms that may be used for purposes described in this training.

    Researchers and their staff members are NOT permitted to create or use any other form for these purposes.

    To do so violates CM-53 and may violate HIPAA, subjecting the researchers and LSUHSC-NO to the penalties described later in this training.

    Defective Authorizations

    An Authorization is not valid if the form signed by the subject has any of the following defects:

    Revocation of Authorizations

    For example, if a patient revokes an authorization, but LSUHSC-NO has already disclosed the information to the sponsor or a government agency based upon that authorization, the disclosure is permissible. However, from the date of the revocation, any further disclosures are not allowed.

    Minimum Necessary Standard

    Research information that is obtained using an authorization IS NOT subject to the minimum necessary standard, but bound by the scope of the signed HIPAA Authorization.

    Information uses and disclosures for research that do not require an authorization ARE subject to the minimum necessary standard. (CM-53 Section D)

    Recruitment of Human Subjects

    HIPAA does not prevent a healthcare provider from discussing with his/her patient recruitment into a research study for whom involvement might be appropriate.

    A patient’s information may not be disclosed to a third party (even another healthcare provider) for the purposes of recruitment into a research study without an authorization from the individual or an approved waiver of authorization from the IRB.

    Treatment Studies

    When an investigator is involved in a Treatment Study of patients, the investigator must:

    This documentation should be kept along with the informed consent and HIPAA Research Authorization.

    Other Ways to Utilize Health Information in Research


    De-identified Information

    De-identification may be accomplished in one of two ways:

    Once the PHI is de-identified, the information is no longer subject to the Privacy Rule and may be disclosed freely.

    Direct Identifiers

    Indirect Identifiers

    Statistical Standard Option

    HIPAA provides that LSUHSC-NO may determine that health information is not individually identifiable if a person with appropriate knowledge of, and experience with, generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information; and that person documents the methods and results of the analysis that justify such determination.

    If you feel you need to utilize this option, you must contact the LSUHSC-NO Privacy Officer BEFORE any disclosure of information occurs.

    Re-identification of Data

    LSUHSC-NO may assign a code or other means of record identification to allow de-identified information to be re-identified.

  • The code may not be derived from, or related to any of the removed identifiers.
  • Any tables linking the code to patient identifiers must be kept confidential.
  • If the data is re-identified, the information once again becomes subject to the Privacy Rule.
  • Where to find LSUHSC-NO Policy and Procedures on De-identification of PHI

    LSUHSC-NO’s HIPAA Policies and Procedures on De- identification of PHI are contained in Chancellor’s Memorandum (CM) 53 and may be found at:

    Limited Data Sets

    LSUHSC-NO may disclose PHI in a limited data set (LDS) to a researcher who has entered into an appropriate “data use agreement” in accordance with CM-53 Section N.

    The LDS must have all direct identifiers removed; they may still include information that could “indirectly” identify the subject using statistical methods.

    Data Use Agreement

    LSUHSC-NO must condition the disclosure of the LDS on execution of a “data use agreement.” The data use agreement must establish:

    LSUHSC-NO’s HIPAA Policies and Procedures on Limited Data Sets and Data Use Agreements are contained in Chancellor’s Memorandum (CM) 53 and may be found at:

    Privacy Board/IRB

    Under the Privacy Rule, the Privacy Board can determine or monitor the requirements to patient privacy in research. At LSUHSC-NO,the IRB functions as the Privacy Board. The Privacy Board or Chair may:

  • The Privacy Board or Chair must receive a certification from a researcher who conducts research on decedents.
  • Reviews Preparatory to Research

    A researcher may use or disclose protected health information for reviews preparatory to research, regardless of the source of funding of the research, provided that the researcher certifies to the IRB that:

    LSUHSC-NO’s HIPAA policies and procedures on Reviews Preparatory to Research are contained in Chancellor’s Memorandum (CM) 53 and may be found at:

    Research on Decedents Information

    A researcher may conduct research on decedents information IF

    The researcher must provide certification of these requirements to the IRB/Privacy Board prior to conducting the research.

    Where to find LSUHSC-NO’s Policy and Procedures on Research on Decedents’ Information

    LSUHSC-NO’s HIPAA policies and procedures on Research on Decedents’ Information is contained in Chancellor’s Memorandum (CM) 53 and may be found at:

    Waiver of Authorization

    A patient’s authorization to use or disclose PHI for research purposes is not needed if the researcher obtains a Waiver of Authorization from the LSUHSC- NO IRB in accordance with CM-53 Section S Paragraph 3.4.

    Authorization Waiver Criteria

    In order to approve a waiver of authorization request, the Board must determine that the use or disclosure of PHI involves a minimal risk to the privacy of the persons, based on the following elements:

    Research Data Protection Plan

    All human subjects research studies must have a data protection plan in place to ensure:

    The Data Protection Plan must describe the following elements of the work and computing environments:

    1. List and describe all locations where the original and any copies of the data will be kept (and provide building name, street address, and room numbers);
    2. Describe the computing environment in which the data will be used, including:

    Types of Protection Expected

    Although a successful Data Protection Plan may vary across research projects and depend on the host institution, it should include some or all of the following features:

    Adverse Event Reporting

    LSUHSC-NO may disclose PHI to the FDA or any public health authority that is authorized to receive or collect a report on an adverse event, or to any agency if reporting such an event is required by law.

    Destruction of Unauthorized Data

    Any PHI obtained for research purposes without:

    must be removed from the research data set and destroyed.

    If any PHI obtained without a valid authorization or waiver of authorization, has been shared with a sponsor, publisher, or other external entity, that entity must be contacted and instructed to destroy the data.

    Accounting of Disclosures

    Research disclosures pursuant to an authorization or disclosures pursuant to a limited data set are NOT subject to accounting requirements.

    Research disclosures operating under a Privacy Board waiver to the authorization requirement ARE subject to accounting requirements.

    Contact the LSUHSC-NO Privacy Officer if you receive any requests for Accounting of Disclosures.

    LSUHSC-NO’s HIPAA policies and procedures on Research on Accounting of Disclosures is contained in Chancellor’s Memorandum (CM) 53 and may be found at:

    Policy C: Accounting of Disclosures of Protected Health Information.

    Research-Like Activities

    Cadaveric Organ, Eye or Tissue Donation Purposes

    LSUHSC-NO may use or disclose PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organ, eye or tissue donation and transplantation.

    The disclosure of the PHI does not require a signed HIPAA Authorization form, but the disclosure IS subject to the minimum necessary standard.

    Public Health Activities

    LSUHSC-NO is permitted to disclose to public health authorities or other agencies that are authorized by law to collect and receive data.

    What is a Public Health Authority?

    A Public Health Authority is an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters, as part of its official mandate.

    Contact the LSUHSC-NO Privacy Officer if you are unsure whether the entity requesting information is a public health authority.

    Public Health Disclosures

    Disclosures may relate to:

    Reporting a HIPAA Violation

    If anyone suspects or knows of mishandling or misuse of patient PHI, a complaint can be made to the LSUHSC-NO Privacy Officer or the Office of Compliance Programs by:

    Getting Help

    If you have any questions, please contact the Office of Compliance Programs by: