Date Updated
Tuesday, March 29, 2016


  1. This policy applies to any UIC investigators and research staff requesting to create, access or use for research purposes any protected health information (PHI) obtained or maintained by the covered components of the University of Illinois at Chicago (UIC).
  2. Protected health information obtained or maintained by covered components of the University of Illinois at Chicago for research purposes may not be used internally or disclosed to any persons or organizations outside the Covered Component for research purposes without prior review and approval of the UIC IRB.
  3. The UIC Institutional Review Boards (IRBs) apply the provisions of the Health Insurance Portability and Accountability Act of 1996 and Omnibus Final Rule of 2013 when reviewing research that creates, uses or discloses PHI. Studies may involve PHI by:
    1. deriving research information by retrospectively or prospectively reviewing medical records.
    2. creating new medical records because a health-care service is being performed as part of the research, such as testing a new way of diagnosing a health condition or a new drug or device for treating a health condition.
  4. HIPAA permits the use or disclosure of PHI for research under the following circumstances and conditions:
    1. If the individual to whom the PHI belongs has granted specific written permission through an authorization;
    2. If the IRB has granted a waiver of the authorization requirement;
    3. If the PHI has been de-identified in accordance with the standards set by HIPAA;
    4. If the use or disclosure is preparatory to research;
    5. If the research is on a decedent’s information; or
    6. If the information is released in the form of a limited data set, with certain identifiers removed, and with a data use agreement between the researcher and the covered entity.
  5. In addition to the HIPAA Privacy Rule, when reviewing research involving PHI the UIC IRBs apply existing federal regulations, state laws and UIC policies that govern human subject research and protect subjects' privacy and the confidentiality of their private information.
  6. Refer to UIC policy Research Data Security for a description of UIC policies and procedures related to protecting and securing research data, including PHI.