Pol-Action When a Required HIPAA Authorization in Human Subjects Research is not Obtained

policy modified Wed Nov 16 2022 14:10:02 GMT-0500 (Eastern Standard Time)


University of Louisville



Action When a Required HIPAA Authorization in Human Subjects Research is not Obtained


June 22, 2016




This policy applies to the University Research Community.


The University needs to have a method for handling Protected Health Information used or disclosed for University research purposes when a valid HIPAA authorization has not been obtained from the research subject/s as required by 45 C.F.R. § 164.508.


When it is discovered that a required HIPAA authorization is either missing or incomplete, the researcher shall submit a deviation to the Institutional Review Board/Privacy Board (Board). An incomplete authorization is one that lacks, for instance, a signature, a date, or a relationship if the subject is a minor (see Related Information below to access a complete list of authorization requirements). The submission shall include a Corrective Action Plan that includes steps to be taken to prevent future occurrences and sanctions against the individual responsible. The submission shall describe either the plan to obtain a valid authorization from the subject/s or to sequester the data.

The Board, in consultation with the University Privacy Officer, will determine the outcome of the request. No further PHI for the subject/s shall be obtained or used by the researcher until a final Board decision is made.

If the Board determines that the data cannot be maintained for the study, the researcher will not be allowed to use or disclose any protected health information from or about the study subject/s. All such Protected Health Information shall be eliminated from the active research files and sequestered, as appropriate, and an attestation that the required actions have been completed shall be sent to the Board.


Covered Entity means:

1. A health plan.

2. A health care clearinghouse.

3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.

Individually Identifiable Health Information - Information that is a subset of health information, including demographic information collected from an individual, and:

1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

i. That identifies the individual; or

ii. With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

Protected Health Information - Individually identifiable health information from or about a subject that is:

1. Held by a covered entity, or

2. Received by a UofL researcher who is part of the University’s health care component, regardless of source.


After receipt of a deviation, the Board shall consider all relevant facts, including any regulatory requirements and information contained in the Informed Consent. The Board shall decide whether to:

  • Allow the researcher to obtain an authorization for use of PHI gathered in the past and the future.
  • Require that the data be sequestered except to the extent required by law.

Upon a finding by the Board that research data must be sequestered, the researcher must contact all third parties with whom he/she shared Protected Health Information. The researcher must use his/her best efforts to get the third party either to return the information to the researcher for appropriate disposition or to obtain an assurance from the third party that the information has been destroyed. In addition, if relevant, the researcher must contact the Covered Entity from which the Protected Health Information was obtained, and send a copy of the current authorization, waiver, or sequestering plan.

Once completed, the researcher must send to the Board an attestation that all required actions have been completed. The researcher must maintain in the research records all communication with the Board and third parties regarding this issue, as well as any other relevant documentation.


Vice President for Risk, Audit, and Compliance


Privacy Office
215 Central Avenue, Suite 205
Louisville, KY 40208
Phone: 502-852-3803
Email: privacy@louisville.edu


Original Effective Date: October 1, 2004
Revision Date(s): October 15, 2015; March 5, 2020; November 16, 2022
Reviewed Date(s): June 23, 2016

The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.