HIPAA Privacy Rule
The Privacy Rule is intended to protect research subjects’ health information and to ensure that investigators can access and use medical information necessary for research. The HIPAA Privacy Rule (45 CFR 164.501, 164.508, and 164.512(i)) outlines the conditions under which health care providers, as part of a covered entity, including physician-investigators, can use or disclose protected health information (i.e., any health-related information that can be used to identify a person) for conducting research. The Privacy Rule defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” Under the Privacy Rule, health care providers may always use or disclose de-identified health information—that is, data stripped of any links to a person’s identity (in accordance with 45 CFR 164.502(d) and 164.514(a)-(c))—for research purposes.
The Privacy Rule also outlines how health care providers should inform people participating in research of the use and disclosure of their medical information for research, as well as the participants’ rights to access that information.
The Privacy Rule builds upon existing, separate Federal protections for human research subjects, including the Common Rule (45 CFR 46, Subpart A) and the Food and Drug Administration’s human subject protection regulations (21 CFR 50 and 56), which also protect the privacy and confidentiality of information.
The Privacy Rule states that researchers may obtain, create, use, and/or disclose protected health information from research participants who have given authorization. Researchers may use protected health information without a person’s authorization when one of the following conditions is met:
- A researcher obtains documented approval from an institutional review board (IRB) or privacy board (see 45 CFR 164.512(i)(1)(i)). For example, investigators may seek IRB approval when research involves the analysis of medical records from which de-identified information cannot be used and participants’ authorization cannot be obtained.
- Protected health information is used or disclosed to prepare a research protocol, design a study, or explore the feasibility of conducting a study (see 45 CFR 164.512(i)(1)(ii)).
- Protected health information is used or disclosed for research on people who have died (see 45 CFR 164.512(i)(1)(iii)).
- Researchers enter into a data use agreement under which a limited data set omitting direct identifiers is used (see 45 CFR 164.514(e)).