If the use of PHI is preparatory to research:

• See definition of those activities that are considered preparatory to research.
• File a “Certification of Compliance with the HIPAA Privacy Rule Requirements for Use of PHI in Activities Preparatory to Research” form with UW’s Privacy Officer and with the department, section, center, or institute administrator. See filing instructions on form.

If the use of PHI is to conduct research, i.e., to answer a specific research question:

1. For an existing IRB-approved protocol:
• For subjects enrolled or accrued on or after 4/14/2003, obtain an authorization from each subject or an approval of a waiver of authorization from the IRB.
• For subjects enrolled or accrued prior to 4/14/2003, permission for use of these subjects’ PHI is grandfathered by the Privacy Rule. You need not take any action.
  
2. For protocols approved by the IRB after 4/14/2003:
• Submit a research protocol and an initial review or exemption application to the IRB and include an authorization or justification for waiver of authorization.

If the use of PHI is for re-analysis of existing data that was collected for a different research question or research protocol:

• Submit a new research protocol and an initial review or exemption application to the IRB and include an authorization or justification for waiver of authorization.
• If the re-analysis creates a new database, register the new database.

For all research uses of PHI:

1. Make reasonable efforts to protect the privacy of subjects and the confidentiality of PHI (e.g., use of log-in screens and passwords; locked file cabinets).
2. Implement confidentiality plans approved by the IRB.