A. Use and Disclosure of PHI for Research – General Rule
UAB Covered Entities will only use or disclose PHI for research in accordance with the requirements set forth in this policy.

B. Research Use – Use and Disclosure Without Patient Authorization

1. UAB Covered Entities may use and disclose PHI for research, but without obtaining patient Authorization, under any one of the following circumstances:

a. Reviews preparatory to research – The researcher must agree to and document each of the following statements:

1) the use or disclosure is to the researcher solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research;
2) no PHI will be removed from UAB by the researcher in the course of the review; and
3) the PHI for which use or access is sought is necessary for the research.

b. Decedent’s information:

1) Researchers may use the PHI of a deceased individual 50 years after the death of the individual without any HIPAA authorization or waiver.
2) Researchers may use decedent information that is less than 50 years from the date of the death of the individual if the researcher agrees to and documents the following:

a) use or disclosure is solely for research on the PHI of decedents
b) at the request of the UAB Covered Entity, provides documentation of the death of the individuals; and
c) the PHI for which use or access is sought is necessary for the research purposes.

c. Limited Data Set – A Limited Data Set for research must be accompanied by a Data Use Agreement.

1) A Limited Data Set is PHI that excludes the following:

a) names
b) postal address information, other than town or city, State, and zip code;
c) telephone numbers;
d) fax numbers
e) electronic mail addresses
f) social security numbers
g) medical record numbers
h) health plan beneficiary numbers
i) account numbers
j) certificate/license numbers
k) vehicle identifiers and serial numbers, including license plate numbers
l) device identifiers and serial numbers
m) web universal resource locators (URLs)
n) internet protocol (IP) address numbers
o) biometric identifiers, including finger and voice prints; and full face photographic images and any comparable images

2) The researcher who is receiving a Limited Data Set, as well as an authorized representative of the researcher’s institution, must sign a Data Use Agreement.

d. De-identified Information – De-identified information is not PHI. For purposes of this policy, “de-identified health information” means health information that does not contain any of the following:

1) names
2) all geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code if, according to the Bureau of Census the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
3) all elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4) telephone numbers;
5) fax numbers
6) electronic mail addresses
7) social security numbers
8) medical record numbers
9) health plan beneficiary numbers
10) account numbers
11) certificate/license numbers
12) vehicle identifiers and serial numbers, including license plate numbers
13) device identifiers and serial numbers
14) web universal resource locators (URLs)
15) internet protocol (IP) address numbers
16) biometric identifiers, including finger and voice prints;
17) full face photographic images and any comparable images; and
18) any other unique identifying number, characteristic or code

e. Institutional Review Board (IRB) approval of a waiver of patient authorization – A UAB Covered Entity may use or disclose PHI for research if it has obtained documentation of ALL of the following from the UAB IRB:

1) A statement that the waiver was approved by the UAB IRB or another IRB as permitted by the UAB IRB.
2) A statement identifying the IRB and the date on which the waiver was approved
3) A statement that the IRB has determined that the waiver satisfies the following criteria:

a) the use or disclosure of PHI involves no more than minimal risk to the privacy of individuals based on the presence of the following elements:

1. there is an adequate plan to protect the identifiers from improper use and disclosure
2. there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law
3. there are adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by law.

b) the research could not practicably be conducted without the alteration or waiver
c) the research could not practicably be conducted without access to and use of the PHI

1. A brief description of the PHI for which use or access has been determined to be necessary by the IRB
2. A statement that the waiver of authorization has been reviewed and approved under either normal or expedited review procedures
3. Approval letter from the IRB for the research

C. Research Use – Use and Disclosure With Patient Authorization

1. UAB Covered Entities may use and disclose PHI for research by obtaining the individual’s signed Authorization on the approved UAB Authorization form.
2. Compound Authorizations

a. The Authorization form may be combined with any other type of written permission for the same or another research study, such as,

1) With the Informed Consent document to participate in the research.
2) With another Authorization for the same research study.
3) With an Authorization for the creation or maintenance of a research database or repository.

b. If the Authorization form contains one research study that is not conditioned on participation in another study, as well as a study that is conditioned on another study, then the Authorization form must clearly let the individual know the difference between the two Authorizations and identify the research study that is not conditioned on participation in any other study. The individual may not be required to participate in unconditioned research but be given the opportunity to opt in to unconditioned research activities.
c. An Authorization for research involving Psychotherapy Notes cannot be combined with any other Authorizations.
d. The Authorization form may permit future research if the Authorization adequately describes the future research such that it would be reasonable for the individual to expect that his/her PHI could be used or disclosed for that purpose and that the Authorization informs the individual if sensitive research, such as stem cell research or research that may go against some religious convictions, may be a possibility.

D. Each UAB Covered Entity shall develop procedures to implement this policy.
5. REFERENCES: None

6. SCOPE: This policy applies to all UAB Covered Entities and to UAB Medicine Enterprise Covered Entities identified in Section 3.

7. ATTACHMENTS: Note: HIPAA forms may be found at the UAB/UAB Medicine Enterprise HIPAA website.