Action For Failure to Obtain Required Subject Authorization

Action For Failure to Obtain Required Subject Authorization For the Use or Disclosure of Protected Health Information - Policy


Create a method to handle protected health information used or disclosed for research purposes by researchers at the University of Louisville when a HIPAA authorization has not been signed by the research subject as required by 45 C.F.R. § 164.508.


Individually Identifiable Health Information -Information that is a subset of health information, including demographic information collected from an individual, and:

  1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  2. Relates to the past, present or future physical or mental health or condition or an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
  • (i)  That identifies the individual; or
  • (ii)  With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

Protected Health Information - Individually identifiable health information from or about a subject.


A researcher will not be allowed to use or disclose any protected health information from or about a study subject who has not signed a HIPAA authorization. All such protected health information must be eliminated from the researcher’s files. The researcher will not be permitted to use the information for the research project. The Institutional Review Board, in consultation with the University Privacy Officer, will determine whether the information must be completely destroyed or otherwise appropriately managed.


This policy covers all University of Louisville Institutional Review Board approved research protocols, which require a signed HIPAA authorization from the subject before protected health information from or about the subject, can be used or disclosed. This policy also includes protocols approved by an external IRB on behalf of the University of Louisville Institutional Review Board due to an institutional conflict of interest and any protocols that otherwise require IRB approval, whether obtained or not, under the Common Rule and a HIPAA authorization to conduct the research.


Upon a finding by the IRB that a required authorization was not obtained from a study subject(s), the researcher must contact all third parties with whom he/she shared such protected health information. The research must use his/her best efforts to get the third party to either return the protected health information to the researcher for appropriate disposition or obtain an assurance from the third party that such information has been destroyed. All correspondence with third parties regarding such protected information must be documented, including information regarding the final disposition of the material. The researcher must assure that any disclosures by a covered entity of protected health information made without the required authorization are appropriately accounted for in the covered entity’s records.  
The researcher must make and document any necessary communications with the subject regarding the subject’s continuing participation in the study. 

Subject:  Failure to obtain authorization for the use and disclosure of PHI | Responsible Office:  Privacy Office | Original Effective Date:  10/1/04 | Last Revised Date:  9/3/04