HIPAA and Human Subjects Research

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its accompanying regulations, which include the HIPAA Privacy Rule, the Security Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act, govern the manner in which specific health information is collected, maintained, used, and disclosed. The Privacy Rule establishes national standards to protect individuals’ medical records and other individually identifiable health information collectively defined as Protected Health Information (PHI).

The HIPAA Privacy Rule applies to research and researchers when either:

• research creates or generates PHI, or
• research requires access to and/or use of PHI.

A researcher may access or use PHI for research purposes, particularly within the context of the HIPAA regulations. Each of these methods has specific requirements and considerations:

• researchers can obtain signed HIPAA Research Authorization from research participants
• researchers may seek a full or partial waiver of research authorization or an alteration of research authorization
• researchers can use a limited data set, which contains a subset of PHI with direct identifiers removed
• researchers may use data that has been de-identified in accordance with HIPAA regulations
• researchers may have limited access to PHI for activities preparatory to research
• research involving the PHI of decedents may be permissible in certain cases

It is essential for researchers to be aware of HIPAA regulations, institutional policies, and ethical considerations when handling PHI for research. Compliance with these guidelines is crucial to protect individuals' privacy and ensure the responsible conduct of research.

The Office of Technology and Digital Innovation provides resources for researchers using RHI data. PHI is subject to HIPAA regulations, while RHI is not. However, RHI is covered by other state and federal laws for the privacy and confidentiality of research health information.