Protected health information (PHI) is health information that:

  1. is transmitted or maintained in any form (electronic, oral, paper) by a covered entity; and
  2. identifies the individual or could reasonably be used to identify the individual; and
  3. relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.

What kinds of information could identify or reasonably identify the individual? 

Any of the following information for the individual, or for a relative, employer, or household member of the individual, are examples of the 18 HIPAA identifiers:

  • Name, street address, city, county, precinct, zip code, geocodes smaller than state
  • Date of birth, ages > 89 years of age, or other dates such as diagnosis dates, procedure dates, admission or discharge dates
  • Telephone numbers, Fax numbers, E-mail addresses, Social Security number, Medical record number
  • Health plan beneficiary numbers, Account numbers, Certificate/license numbers
  • Vehicle identifiers and serial numbers or license numbers, Device identifiers and serial numbers
  • Web URLs, Internet Protocol (IP) address numbers, Biometric identifiers including finger/voice prints
  • Full face photographic images and any comparable images

A covered entity is a:

  1. health plan;
  2. health care clearinghouse (billing service); or
  3. health care provider that transmits health information electronically.

Key points:

  • The Privacy rule applies only to individually identifiable health information that is maintained by a covered entity.
  • If the health information is individually identifiable and if it is held by a covered entity, it is likely to be "protected health information."
  • The University of Iowa is considered a "hybrid entity" because it is a single legal component with both covered (e.g., UI Health Care, student health, College of Dentistry) and non-covered functions.


University of Iowa:



1. Situations in which you can keep screening logs and how to send screening logs to the study sponsor

Let's presume the screening log contains some sort of identifier, such as the person’s initials and date of admission or clinic visit, or the hospital number, or some other way that you would be able to figure out a person’s identity, along with other demographic information and the reason the person was not eligible for the study.  Such information may be kept by the research team so long as it does not leave the University.  Appropriate measures should be taken to protect the confidentiality of the information, such as keeping identifiers to a minimum, keeping the information in a locked file cabinet, and so on.  Screening log information may NOT be sent to the study sponsor UNLESS the IRB has approved a waiver of consent/authorization on the New Project application form, or the investigator has obtained consent/authorization from each person whose name is on the log.

2.  UI rules forbid changes to the UI Informed Consent Document template for the HIPAA section 'Will My Health Information be Used in This Study?', even if the sponsor has asked for changes

The language in the Consent Document has been approved by UIHC and the University's privacy officer and may not be changed.  The University is the covered entity, and as such, has both the responsibility and the liability for complying with the rule, rather than the sponsor.  In addition, the University has defined itself as a hybrid entity, which has implications for the wording of the authorization language used in the Consent.

3.  UI IRB needs to approve all materials even if the sponsor has developed a separate authorization form and wants subjects to sign the sponsor's form, along with the UI Informed Consent Document

All study materials presented to the subject must be approved by the IRB.  Only the UI authorization language may be used, and that language is included within the Informed Consent Document.

4.  Doing a retrospective chart review study does not require you to write to the patients to get their permission first

Generally not.  Most retrospective chart reviews involve a large number of records, and therefore the IRB would consider it impracticable (not possible) to do the study if informed consent and authorization were required.  However, the investigator must answer the waiver of consent/authorization questions (section IV.3) on the New Project application form.  It is possible that the IRB would require consent and authorization if a retrospective chart review involved a small number of records from recently-seen patients.  

5.  The difference between the Privacy Notice that UIHC patients receive when they are admitted and the authorization in the Informed Consent Document

Health care and research fall into two different worlds in the Privacy Rule regulations.  An institution providing health care must notify patients regarding how it will use and disclose the patient’s health information for treatment, payment, and health care operations.  Patient permission is not required for the institution to carry out these activities.  The privacy rule stipulates that research is not included in the definition of treatment, payment, and health care operations, and patients must give their permission for the research use or disclosure of their health information, even if the researcher is the same individual who provides treatment to the patient outside of a research context.

6.   The HIPAA privacy rule likely does not require any changes in the way we store Consent Documents and data collection forms, or store computer records

Even before the privacy rule took effect, the IRB expected investigators to protect subject confidentiality.  The UI Investigators Guide (Chapter 5.D.) describes issues to consider in protecting subject confidentiality.  The same measures for protecting subject confidentiality would still be expected.  The privacy rule requires, however, that study subjects be given specific information about how their personal information will be used/shared during the course of a study.  This generally means that more detail is now included in a Consent Document.


7.  How to explain the HIPAA privacy rule section in the Consent Document to a potential subject

The federal government has set up some regulations concerning how your health information can be used and shared.  You've probably been given a Privacy Notice about how the hospital will use and share your health information.  You don’t need to give your permission to the hospital for the way it will use your health information in providing care or treatment,  but research studies are different.  To be in a research study that uses your health information, you need to give specific permission so that your health care provider can share that information with the researcher, even if the researcher is also your regular doctor.  The section titled 'Will My Health Information be Used in This Study?' explains that to be in the research study, we need your permission to use your health information.