Research Responsibilities and Compliance

HIPAA and Human Subjects Research

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its accompanying regulations, which include the HIPAA Privacy Rule, the Security Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act, govern the manner in which specific health information is collected, maintained, used, and disclosed. The Privacy Rule establishes national standards to protect individuals’ medical records and other individually identifiable health information, collectively defined as Protected Health Information (PHI).

The HIPAA Privacy Rule applies to research and researchers when either:

  • research creates or generates PHI, or
  • research requires access to and/or use of PHI.

Accessing PHI for Research

A researcher may access or use PHI for research purposes, particularly within the context of the HIPAA regulations. Each of these methods has specific requirements and considerations:

It is essential for researchers to be aware of HIPAA regulations, institutional policies, and ethical considerations when handling PHI for research. Compliance with these guidelines is crucial to protect individuals' privacy and ensure the responsible conduct of research.

Research Health Information (RHI)

The Office of Technology and Digital Innovation provides resources for researchers using RHI data. PHI is subject to HIPAA regulations, while RHI is not. However, RHI is covered by other state and federal laws for the privacy and confidentiality of research health information.

Templates, Forms and Guidance