HIPAA Information for Researchers

HIPAA & Human Subjects Research

The Health Insurance Portability and Accountability Act (HIPAA) regulates the protection of private health information for individuals. HIPAA's Privacy Rule sets standards for the use and disclosure of all individually identifiable health information obtained from a covered entity. All forms of health information as defined in 45 CFR 160 are considered to be protected health information (PHI) subject to HIPAA regulations. To access this information, all research studies must obtain either an individual's authorization to access their information, granted by the provider of the PHI, or obtain a waiver of authorization.

HIPAA Training Requirements

If the proposed research involves protected health information (PHI), researchers must complete the online training through CITI.  

CITI Health Information Privacy and Security (HIPS) Training

Training Instructions

HIPAA Training completed on or after October 1, 2018 must be through CITI.  We will no longer be accepting training certification through other training sites.

HIPAA Provisions for IRB Application

If your project includes Protected Health Information (PHI), then address the following issues in your IRB application, in addition to all other sections:


  • Indicate whether the project will involve protected health information (PHI)
  • Describe the procedures that will be used to comply with the HIPAA Policy.
    • Following are examples of information and forms that will need to be included in the plan.
      • Procedures to be used regarding the Notice of Privacy Practices
      • Authorization for Use and/or Disclosure of PHI
        • Procedures to be used in requesting Authorization for Use and Disclosure of PHI from Individuals, or
        • Procedures to be used in requesting a waiver of Authorization from the IRB; or
        • Statement that only “de-identified” individual health information will be used.
  • Request for access to PHI from a Health Care Component within Missouri State
  • Request for access to PHI from a Covered Entity outside of Missouri State

    • Application to Covered Entity for Access to PHI
    • Approval by Covered Entity enabling access to PHI
    • Plan for using other HIPAA procedures and forms, as applicable.