HIPAA Privacy Rule

The Privacy Rule is intended to protect research subjects’ health information and to ensure that investigators can access and use medical information necessary for research. The HIPAA Privacy Rule (45 CFR §§ 164.501, 164.508, and 164.512(i)) outlines the conditions under which health care providers, as part of a covered entity, including physician-investigators, can use or disclose protected health information (i.e., any health-related information that can be used to identify a person) for conducting research. The Privacy Rule defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” Under the Privacy Rule, health care providers may always use or disclose de-identified health information—that is, data stripped of any links to a person’s identity (in accordance with 45 CFR 164.502(d) and 164.514(a)-(c))—for research purposes.

The Privacy Rule also outlines how health care providers should inform people participating in research of the use and disclosure of their medical information for research, as well as the participants’ rights to access that information.

The Privacy Rule builds upon existing, separate Federal protections for human research subjects, including the Common Rule (45 CFR 46, Subpart A) and the Food and Drug Administration’s human subject protection regulations (21 CFR 50 and 56), which also protect privacy and confidentiality of information.

The Privacy Rule states that researchers may obtain, create, use, and/or disclose protected health information from research participants who have given authorization. Researchers may use protected health information without a person’s authorization when one of the following conditions is met: