HIPAA Privacy Rule

The Privacy Rule is intended to protect research subjects’ health information and to ensure that investigators can access and use medical information necessary for research. The HIPAA Privacy Rule (45 CFR 164.501, 164.508, and 164.512(i)) outlines the conditions under which health care providers, as part of a covered entity, including physician-investigators, can use or disclose protected health information (i.e., any health-related information that can be used to identify a person) for conducting research. The Privacy Rule defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” In general, under the Privacy Rule, health care providers may use or disclose de-identified health information for research purposes, that is, information that does not identify an individual and for which the health care provider has no reasonable basis to believe it can be used to identify an individual (in accordance with 45 CFR 164.502(d) and 164.514(a)-(c)).

The Privacy Rule also outlines how health care providers should inform people participating in research of the use and disclosure of their medical information for research, as well as the participants’ rights to access that information.

The Privacy Rule builds upon existing, separate Federal protections for human research subjects, including the Common Rule (45 CFR 46, Subpart A) and the Food and Drug Administration’s human subject protection regulations (21 CFR 50 and 56), which also protect privacy and confidentiality of information.

The Privacy Rule states that researchers may obtain, create, use, and/or disclose protected health information from research participants who have given authorization. Researchers may use protected health information without a person’s authorization when one of the following conditions is met:

  • A researcher obtains documented approval from an institutional review board (IRB) or privacy board (45 CFR 164.512(i)(1)(i)). For example, investigators may seek IRB approval when research involves the analysis of medical records for which de-identified information cannot be used and participants’ authorization cannot be obtained.
  • Protected health information is used or disclosed to prepare a research protocol, design a study, or explore the feasibility of conducting a study (see 45 CFR 164.512(i)(1)(ii)).
  • Protected health information is used or disclosed for research on people who have died (see 45 CFR 164.512(i)(1)(iii)).
  • Researchers enter into a data use agreement under which a limited data set omitting direct identifiers is used (see 45 CFR 164.514(e)).

For more detailed information, see Health Information Privacy at HHS.gov.