HIPAA and Human Subjects Research

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its accompanying regulations, which encompass the Privacy Rule and the Security Rule, along with the Health Information Technology for Economic and Clinical Health (HITECH) Act, oversee the manner in which specific health information is collected, maintained, used, and disclosed. The Privacy Rule sets forth a series of precautions applicable to specific categories of health information referred to as Protected Health Information (PHI).

This rule was created to provide a national minimum level of protection for PHI. The HIPAA Privacy Rule affects research and researchers when either:

• research creates or generates PHI, or
• research requires access to and/or use of PHI.

A researcher may use PHI for research purposes, particularly within the context of the HIPAA regulations. Each of these methods has specific requirements and considerations:

• researchers can obtain signed HIPAA Research Authorization from research subjects
• researchers may seek a waiver or partial waiver of research authorization or an alteration of research authorization
• researchers can use a limited data set, which contains a subset of PHI with direct identifiers removed
• researchers may use PHI data that has been de-identified in accordance with HIPAA regulations
• researchers may have limited access to PHI for activities preparatory to research
• research involving the PHI of decedents may be permissible in certain cases

It's essential for researchers to be aware of HIPAA regulations, institutional policies, and ethical considerations when handling PHI for research. Compliance with these guidelines is crucial to protect individuals' privacy and ensure the responsible conduct of research.

PHI is subject to HIPAA regulations, while RHI is not. However, RHI is covered by other state and federal laws for the privacy and confidentiality of research health information. The Office of Technology and Digital Innovation is a resource for how best to get your research project started with security and compliance integrated into your research workflow.