IRB Ancillary Reviews

HIPCO and the ETHOS/IRB Ancillary Review Process

HIPCO is an ancillary reviewer for all studies submitted to ETHOS that involve individual health information. HIPCO’s ancillary review process includes:

  • Confirming that all University research team members have completed University HIPAA training.
  • Confirming that the research team has either requested a waiver of the HIPAA authorization, or is using the University’s HIPAA Authorization form as appropriate.
  • Requesting the research team to complete the HIPCO Survey, which identifies how the research team is securing the research data throughout the research project (including obtaining the data, analyzing the data, sharing the data and storing the data).
  • Reviewing the HIPCO Survey and the Protocol to ensure that the research team is using University approved methods of securing the research data.

To begin the HIPCO ancillary review, a member of your study team must complete the online HIPCO survey. For a PDF copy of the HIPCO survey, click here.

If you have questions about a HIPCO’s ancillary review process, you may e-mail

Using the University's HIPAA Authorization Form for Research

If you will be using individually identifiable health information during the course of your research, you must use the University's HIPAA Authorization Form. The University updated its HIPAA Authorization Form for Research in 2017.  The updated HIPAA Authorization Form was approved by HIPCO, the IRB, and the Office of General Counsel.  Instructions for how to complete the HIPAA Authorization Form are included at the end of the form.


What information do I need to complete the HIPCO survey?

To complete this form, you should know:

  • How you will gather your research data;
  • What elements your research data will consist of;
  • Where you will store your research data;
  • Where you will analyze your research data;
  • How you will share research data among your research team; and
  • How you might communicate with research participants.

My research team provides treatment to the research participant and I can access information in EPIC.  Why do I need to have the participant complete this form when I can already access all of the information I need?

The law makes a distinction between health information used for treatment purposes and health information used for research purposes.  Even if your team is providing treatment to a patient and you access the patient’s information for treatment purposes, you do not legally have the authorization to use that information for research unless the patient authorizes that use with a HIPAA Authorization, or you obtain a waiver of authorization from the IRB.

What if my sponsor wants to change language in the HIPAA Authorization form?

Any requests for changes to the HIPAA Authorization form should be forwarded to

What if I don’t need any of the “sensitive health information” identified in Section C of the HIPAA Authorization form for my study, but might need that information to report an adverse event?

HIPAA permits reporting information related to an adverse event without the specific authorization of the individual.  If the only reason you may need this sensitive information is to report an adverse event, you do not need to collect the individual’s authorization for this information.

What if I want all of the records in EPIC for my research participants?  How do I complete the form to obtain all of those records?

The information you request via University’s HIPAA Authorization form must match the information listed in the protocol you submit to the IRB in ETHOS.  If your protocol requires all of the records in EPIC, you would need to check the following boxes in Section B:  All Hospital Records, All Clinic Records, Images, Psychological Tests and Financial Records.  You would also need to check all of the boxes in Section C and have the patient initial all of those boxes.

What if I have an optional component of my research study that is not identified in Section G?  Can I add language to include that component?

The University’s HIPAA Authorization form cannot be modified to include optional research activities other than those already identified in Section G.  If there is another optional component of your research study that is not listed in Section G, you will need to have the research participant sign a separate HIPAA Authorization form as if the optional component were a separate research study.

I cannot change the footers on the HIPAA Authorization form.  How am I supposed to perform document control?

The HIPAA Authorization form has been approved by the Office of General Counsel (OGC) and is in the Contracts Library.  Because OGC must be able to confirm that the entire HIPAA Authorization document remains unchanged, no portion of the document may be changed, including the footer.  If a study team is required to perform document control, the IRB recommends adding version information to the IRB Study Number field or other fillable fields at the beginning of the HIPAA Authorization form.

If there are change to how we store data (i.e. setting up a REDCap database) should a new/updated HIPCO survey be uploaded in addition to the ETHOS IRB modification?

Yes. You should submit an updated HIPCO survey and e-mail to describe the change.