Forms, Policies & Procedures

Here you will find a repository of forms, policies and procedures related to research at the University of Delaware. This repository draws on sources throughout campus to provide quick and easy access to these resources in a variety of formats, such as html, MSWord and Adobe PDF. We encourage you to explore and use the tools provided to narrow your search by word, resource type or category in order to learn more about the content that governs research at UD.

*NOTE: As of October 2020 Google Chrome changed how it handles file downloads. If you encounter difficulties, right click on the “Download” button/link and select “save link as.” Once selected the file download will be executed and can be saved to the desktop. A second method is to use a different browser.

RO Forms, Policies, and Procedures Search 2019

Animal Subjects in Research

For Forms, Policies and Procedures pertaining to Animal Subjects in Research and other resources

Click Here

Conflict of Interest
Contracts and Grant Management
Effort Certification
Export Regulations (ITAR/EAR/OFAC)
Human Subjects in Research
Intellectual Property
Internal Funding
Material Transfer
Reporting Misconduct
Research Administration
Research Agreement Templates
Research Development
RO Forms, Policies, and Procedures Search 2019

Policy: UD Research Office

HIPAA Hybrid Statement

  1. Introduction
    As with some other research-intensive institutions1 , the University of Delaware (“UD”) recognizes that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is a consumer protection law intended to protect individually identifiable information relating to the physical or mental health of an individual, the provision of health care to the individual, or the payment for the provision of health care to the individual. HIPAA applies to “Covered Entities,” which include health care providers, health plans and health care clearinghouses that conduct specified transactions electronically (“Covered Entities” or each a “Covered Entity”)2 . UD is engaged in both Covered Entity and non-Covered Entity activities. HIPAA allows entities that are engaged in both Covered Entity functions and other activities that are not Covered Entity functions to designate themselves as “Hybrid Entities,” with the result that the HIPAA regulations do not apply to the non-covered functions.

    1For Example, Vanderbilt University (


  2. Hybrid Entity Status Assessment
    Based upon an assessment of UD units and a review of HIPAA standards, UD designates itself as a Hybrid Entity under HIPAA. Identification of individuals and entities that are part of the UD Covered Entity (“UDCE”) is complicated by the fact that UD is engaged in multiple covered functions and non-covered functions with a mission that includes education, health care, and research. Workforce members often have multiple roles, both covered and non-covered. Therefore, determination of those entities and individuals who are included in the UDCE is a dynamic and ongoing process that is based upon the data used and/or being disclosed, not based upon any particular overall department mission or activity.

    The UDCE includes health-related research centers, interdisciplinary programs, and University-wide programs. Whether a UD function or individual’s activity on behalf of UD is included in the UDCE is hereafter determined based not upon any particular department or unit, but instead upon the data being used and/or disclosed.

  3. Categories of Data
    The following defined categories of data are critical to the determination of covered functions and activities:

    A. Individually identifiable health information (IIHI) is information collected from an individual that is created or received by a health care provider, employer, plan or clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health

    care to an individual; or the past, present, or future payment for the provision of health care to an individual and identifies the individual, or can reasonably be used to identify the individual.

    B. Protected Health information (PHI) is IIHI that is transmitted or maintained in any form or medium by a covered function within the UDCE. This specifically excludes education records, which are protected by other privacy regulations, and employment records held by UD in its role as an employer. This also excludes research health information (see definition below), which is protected by other regulatory requirements.

    C. Research Health Information (RHI) is IIHI that is used for research purposes but that is not PHI, and thus is NOT subject to the requirements of HIPAA. RHI is IIHI that is created in connection with research activity and is not created in connection with patient care activity. When a researcher is not also functioning as a health care provider, and creates IIHI in connection with pure research activities (no patient care involved) the IIHI is not PHI and is not subject to the privacy and security rules of HIPAA. If a researcher is also a health care provider and IIHI is created in connection with the researcher’s health care provider activities, then the IIHI is PHI subject to HIPAA. IIHI that is created as PHI and is needed for research purposes may be disclosed to a researcher (the same individual healthcare provider who is also a researcher may disclose PHI to herself in her research role) pursuant to the IRB approval process, which includes proper patient authorization or IRB waiver of authorization. After the PHI is properly disclosed to the research setting, the IIHI transferred to the research setting becomes RHI, which is no longer subject to the requirements of HIPAA. In certain cases such as interventional clinical trials it is expected there will be two copies of some IIHI: a copy kept in the patient’s medical record which is PHI and subject to HIPAA, and a copy of the same data kept in the research record which is RHI and not subject to HIPAA.

    D. Key Determinants: The key determinants as to whether or not information is IIHI and not protected by the Privacy Rule or PHI and protected are: 1) the function being performed by the provider or health plan; and 2) the purpose for which an entity or workforce member has received, created or maintained the medical information (e.g., treatment, payment, operations). Record keeping practices are not the determinant. For example, an assessment of fitness for duty generates PHI when the UDCE administers or oversees a test of a UD employee. When the employee authorizes UD, the health care provider, to turn over the information to UD, the employer, it is a part of the employee’s employment record and no longer PHI. It is important to note that in most circumstances (exceptions include workplace injury, illness or medical surveillance) the employee must provide a signed authorization to the UD health care provider to release the information to UD, the employer.

  4. Determining Covered Functions Criteria
    The following criteria are used to determine whether a function or individual workforce member is included in the UDCE:

    A. Health care or health plan use or disclosure: When the use or disclosure of IIHI is carried out in connection with a health care provider or health plan function by UD workforce members, the individual’s health information is defined as PHI, and HIPAA privacy and security regulations apply to those functions and to the workforce members who carry out those functions;

    B. Functions that support health care or health plan: When the use or disclosure of IIHI is carried out by business, financial, legal or administrative functions on behalf of UD’s health care provider and health plan activities, the individual’s information is PHI and the HIPAA privacy and security regulations apply to those functions and to the workforce members who carry out those functions;

    C. Employer and education functions: When the use and disclosure of IIHI is carried out by UD in its capacity as an employer or an educational institution, the information is not PHI and those UD functions are not subject to the privacy or security regulations of HIPAA, but the confidentiality of the individual’s health information is protected by other state and federal law, as well as by UD policy; and

    D. IRB functions: PHI may only be disclosed to a researcher for use in connection with an IRB-approved or exempt protocol and pursuant to a waiver or authorization. When a researcher requests access to PHI that has been created, received or maintained by the UDCE, the Privacy Rule requires that the UDCE receive specific assurances that the PHI will be protected once disclosed to the researcher for use as RHI, and UD must account for certain disclosures as required by the HIPAA regulations. UD’s IRB will function as the Privacy Board as defined by HIPAA.

    E. Examples of UD workforce members who may provide services to covered functions: Workforce members of the following components of UD may provide administrative functions on behalf of the UDCE (use of PHI subject to the requirements of HIPAA) and on behalf of non-covered components of UD (IIHI not subject to the requirements of HIPAA):

  5. Protected Health Information transfer between covered and non-covered componentsA. Patient authorization required: When workforce members who provide services to the UDCE perform services on behalf of non-covered components of UD, these non-covered functions are not part of the UDCE. Workforce members must not disclose PHI to non-covered UD components without the individual or patient’s authorization, or waiver of authorization by the IRB in the case of disclosures for research purposes, as required by the Privacy Rule.

    B. Disclosure between Health Plan and Providers: Workforce members who provide business and finance services to both UDCE providers and UDCE health plans cannot use or disclose PHI between those entities unless it is allowed in the Privacy Rule.

Direct Inquiries to:

Sean Hayes, J.D., Ph.D.
Research Advisor
Institutional Privacy Officer
Phone: 302-831-7445


Cordell Overby, Sc.D.
Associate Vice President for Research & Regulatory Affairs
Phone: 302-831-2383

The complete policy and more can be found on the UD Research Office’s web site.


Policy Details:

OWNER: UD Research Regulatory Affairs


Policy Source Email


Compliance Hotline
Phone: (302) 831-2792

UD Research Office
210 Hullihen Hall
Newark, DE 19716
Phone: (302) 831-2136
Fax: (302) 831-2828
Contact us


From our latest Research Magazine to our latest discoveries, keep in touch with UD Research by signing up for our services below.

Share This