Research Responsibilities and Compliance

HIPAA and Human Subjects Research

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its accompanying regulations, which encompass the Privacy Rule and the Security Rule, along with the Health Information Technology for Economic and Clinical Health (HITECH) Act, govern how specific health information is collected, maintained, used, and disclosed. The Privacy Rule sets forth a series of precautions that apply to specific categories of health information, referred to as Protected Health Information (PHI).

This rule was created to provide a national minimum level of protection for PHI. The HIPAA Privacy Rule affects research and researchers when either:

  • research creates or generates PHI, or
  • research requires access to and/or use of PHI.

Accessing PHI for Research

A researcher may use PHI for research purposes, particularly within the context of the HIPAA regulations. Each of these methods has specific requirements and considerations:

It's essential for researchers to be aware of HIPAA regulations, institutional policies, and ethical considerations when handling PHI for research. Compliance with these guidelines is crucial to protect individuals' privacy and ensure the responsible conduct of research.

Research Health Information (RHI)

PHI is subject to HIPAA regulations, while RHI is not. However, RHI is covered by other state and federal laws for the privacy and confidentiality of research health information. The Office of Technology and Digital Innovation is a resource for how best to get your research project started with security and compliance integrated into your research workflow.

Templates, Forms and Guidance