Research Health Information
and the HIPAA Privacy Rule

By Samuel Tilden, M.D., J.D., LL.M. candidate

Final amendments to the privacy regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) became effective October 15, 2002, and require compliance by April 14, 2003. Because several of the amendments modify procedures to ease the burden of the privacy rule on the use of health information for research, medical centers should now reassess how the privacy rule applies to their research activity. This article focuses on the mechanisms for exchanging protected health information (PHI) between covered entities and researchers following adoption of the final amendments. The author assumes some knowledge of the definitions within the HIPAA privacy regulations, in particular the meaning of such terms as “authorization,” “covered entity,” “marketing,” “protected health information,” “business associate,” “institutional review board” (IRB), “privacy board,” “research,” and “use” and “disclosure” of health information. (See 45 CFR 160.103, 164.501, and 164.504 for the full set of definitions.)

A. Information Exchange for Research Under HIPAA Privacy Regulations

Covered entities may use or disclose PHI for their own treatment, payment, or health care operations, except for marketing or where psychotherapy notes are involved.1 They may also disclose PHI to another covered entity or health care provider for the recipient’s treatment or payment activities and for certain health care operations of the recipient.2 Otherwise, a valid authorization is necessary for a covered entity to use or disclose PHI unless an express exception applies.3 Use or disclosure of PHI for marketing, or of psychotherapy notes, without an authorization is therefore allowed only in very limited circumstances.4

Because the privacy rule does not treat research as treatment, payment, or health care operations, an authorization is generally necessary to use or disclose PHI for research unless an exception applies. Two features are specific to research authorizations: they may be combined with any other written permission for the same research study, including other authorizations for the use or disclosure of PHI and the informed consent to participate in the research,5 and a covered health care provider may condition research-related treatment on receipt of an authorization for the use or disclosure of PHI in that research.6

Short of an authorization, there are several ways PHI may be obtained for research. Covered entities may use or disclose PHI for research, whatever the source of the research funding, when they obtain documentation that an IRB or a privacy board has approved a waiver of the individual authorization otherwise required. They may also use or disclose PHI when a researcher represents that the PHI is necessary to prepare a research protocol, or that the PHI is sought solely for research on decedents.7

To grant a waiver of authorization, an IRB or privacy board must find that the research satisfies the following criteria: (1) the use or disclosure of PHI involves no more than minimal risk to the privacy of individuals, based on the presence of three elements: (a) an adequate plan to protect the identifiers from improper use and disclosure, (b) an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health, research, or legal justification for retaining them, and (c) adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the study, or for other research for which the use or disclosure of PHI would be permitted; (2) the research could not practicably be conducted without the waiver; and (3) the research could not practicably be conducted without access to and use of the PHI.8 The waiver documentation the covered entity receives must also include the identity of the IRB or privacy board and the date the waiver was approved, a brief description of the PHI for which use or access has been determined necessary, the review and approval procedures used (i.e., full or expedited review under either the “Common Rule” or the privacy regulations), and the signature of the chair or another member designated by the chair of the reviewing board.9

For reviews preparatory to research, covered entities may use or disclose PHI after a researcher represents that the use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research, that no PHI will be removed from the covered entity in the course of the review, and that the PHI sought is necessary for the research.10 Likewise, covered entities may use or disclose PHI for research on decedents when the researcher represents that the use or disclosure is sought solely for research on the PHI of decedents, that the PHI is necessary for the research, and that documentation of the death of the individuals will be supplied on request.11

For much research, individually identifiable health information is not needed to test a scientific hypothesis, but some identifier linking back to individual medical records is essential to collect initial data, verify previously collected data, or add data not initially perceived as relevant to the study. The privacy rule allows two additional ways to transfer research data stripped of identifiers, each with its own use and disclosure requirements. The first is use or disclosure of “de-identified health information,” which is health information that does not identify an individual and for which there is no reasonable basis to believe it can be used to identify an individual. It is not individually identifiable health information and therefore is not PHI, so the privacy rule does not restrict its use or disclosure. De-identification may be accomplished in one of two ways: a determination by a qualified statistical expert, applying generally accepted statistical and scientific methods, that the risk is very small that the information could be used to identify an individual; or the safe-harbor method of removing a set of 18 identifiers of the individual and of the individual’s relatives, employers, and household members, provided the covered entity has no actual knowledge that the remaining information could identify the individual.12

The final amendments adopted an additional disclosure mechanism, the “limited data set,” which may be used for research. A limited data set is similar to de-identified data except that 16 categories of direct identifiers are removed rather than the 18 safe-harbor identifiers. Importantly, a limited data set may retain dates of birth, dates of hospital admission and discharge, and the individual’s residence by city, county, state, and five-digit zip code, all of which must be removed from de-identified data.13 Recipients of a limited data set must enter into a data use agreement with the covered entity that meets specific requirements.14 A recipient may also serve as a business associate of the covered entity and create the limited data set from fully identifiable health information.15 The identifiers excluded from a limited data set may not be disclosed under the data use agreement and remain subject to the privacy rule’s use and disclosure requirements. For investigators to retain those excluded identifiers, a separate business associate agreement between the investigator and the covered entity is required. Thus, by signing two agreements, a business associate agreement and a data use agreement, a researcher may access and use the entire array of PHI without an authorization or a waiver of authorization and within the ambit of the privacy regulations. This flexibility is desirable and practical because in the vast majority of instances investigators are the persons uniquely qualified to acquire the research data, and the covered entity bears no additional acquisition cost. Moreover, only the excluded identifiers remain subject to the privacy rule’s full restrictions on use and disclosure, while the limited data set stays more easily accessible to the research group as a whole. Of course, even with a limited data set, the recipient must establish appropriate safeguards to prevent use or disclosure of the data other than as provided in the data use agreement.16 No waiver of authorization is required for a researcher to receive a limited data set.
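As an added illustration of the two identifier-stripping mechanisms described above (example code written for this edit, not part of the article or of any HHS material), the Python below applies the safe-harbor method and the limited-data-set rules to one constructed patient record. The field names, the sample record, and the mapping of the regulation’s identifier categories onto those fields are this example’s own assumptions; the set of three-digit zip prefixes that must be replaced with “000” is left for the caller to supply, since the census-derived list is not embedded here.

```python
"""Safe-harbor de-identification versus a limited data set, side by side.

Added example, not from the article. Field names and the sample record are
constructed. Identifier categories follow 45 CFR 164.514(b)(2) (safe harbor)
and 164.514(e)(2) (limited data set); how those categories map onto the
constructed field names below is this example's assumption.
"""
from datetime import date

# Constructed sample record: a fully identified patient encounter.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0048213",
    "ssn": "123-45-6789",
    "phone": "205-555-0142",
    "email": "jane.sample@example.org",
    "street": "12 Elm St",
    "city": "Birmingham",
    "county": "Jefferson",
    "state": "AL",
    "zip": "35294",
    "dob": "1931-03-09",
    "admit_date": "2022-11-02",
    "discharge_date": "2022-11-07",
    "diagnosis": "I21.9",
}

# Direct identifiers a limited data set must exclude, as they appear in this
# record layout (assumed mapping): names, postal address finer than
# city/state/zip, telephone, e-mail, SSN, medical record number.
LDS_DIRECT_IDENTIFIERS = frozenset({"name", "mrn", "ssn", "phone", "email", "street"})

# Dates directly related to the individual; safe harbor keeps only the year.
DATE_FIELDS = ("dob", "admit_date", "discharge_date")


def _age_on(dob: date, when: date) -> int:
    """Completed years of age on the given date."""
    years = when.year - dob.year
    if (when.month, when.day) < (dob.month, dob.day):
        years -= 1
    return years


def limited_data_set(record: dict) -> dict:
    """Remove only the direct identifiers; dates, city, county, state and the
    five-digit zip stay, which is what a data use agreement must then govern."""
    return {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}


def safe_harbor_deidentify(record: dict, sparse_zip3: frozenset = frozenset()) -> dict:
    """Apply the safe-harbor method on top of the limited-data-set removals.

    sparse_zip3: three-digit zip prefixes covering 20,000 or fewer people,
    which must become "000". Empty by default because the current list is
    not embedded in this example (assumption; supply it in real use).
    """
    out = limited_data_set(record)
    # Geography smaller than a state goes, except the first three zip digits.
    for field in ("city", "county"):
        out.pop(field, None)
    zip3 = record["zip"][:3]
    out["zip3"] = "000" if zip3 in sparse_zip3 else zip3
    del out["zip"]
    # All date elements except the year are removed.
    for field in DATE_FIELDS:
        out[field.replace("_date", "") + "_year"] = date.fromisoformat(record[field]).year
        del out[field]
    # Ages over 89, and any year indicative of such an age, collapse to "90+".
    age = _age_on(date.fromisoformat(record["dob"]), date.fromisoformat(record["admit_date"]))
    if age > 89:
        out["age"] = "90+"
        del out["dob_year"]
    else:
        out["age"] = age
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(limited_data_set(SAMPLE_RECORD), indent=2))
    print(json.dumps(safe_harbor_deidentify(SAMPLE_RECORD), indent=2))
```

Running the two functions on the same record shows what the article’s point turns on: the limited data set keeps the birth date, admission and discharge dates, city, county and five-digit zip that the safe-harbor output reduces to years and a three-digit prefix, and the safe-harbor path also collapses the 91-year-old’s age to “90+” and drops the birth year, because a year indicative of an age over 89 is itself an identifier.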

B.  Duties and Liabilities Under Privacy Regulations

Under the privacy rule, covered entities must accord individuals specific rights: notice of the covered entity’s privacy practices, an opportunity to access and amend their PHI, and an accounting of disclosures of PHI.17 Unless an exception applies, an individual has a right to an accounting of the covered entity’s disclosures of PHI during the six years before the request. No accounting is required for disclosures made to a researcher pursuant to an authorization18 or as part of a limited data set.19 Disclosures for research under an IRB or privacy board waiver, for reviews preparatory to research, or for research on decedents are subject to the accounting requirement. Fortunately, disclosures made before the compliance date are exempt from the accounting requirement.20

Covered entities must also comply with the privacy rule’s minimum necessary standard.21 Under this standard, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of a use, disclosure, or request.22 The standard does not apply to disclosures made pursuant to an authorization.23 It does apply to the other methods of obtaining research information, but a covered entity may reasonably rely on a requested disclosure as the minimum necessary when the request is supported by documentation of an IRB or privacy board waiver, by the researcher’s representations, or by a data use agreement.24, 25

Finally, the privacy regulations impose costs and liability on covered entities. For research in particular, costs will rise for documenting and maintaining authorizations and data use agreements, and for accounting for research disclosures made without an authorization and outside a limited data set. In addition, covered entities’ PHI will have to be safeguarded under the HIPAA security regulations, which have yet to be finalized. What these costs will be is uncertain, but they are likely to be substantial. Furthermore, violations of the privacy rule may lead to civil and criminal penalties. Civil monetary penalties of $100 per violation, up to $25,000 per calendar year for each requirement violated, apply. Criminal penalties range from $50,000 to $250,000 in fines and up to 10 years’ imprisonment, depending on the culpability involved.26

C.  What Strategies To Employ?

In a strategy to minimize costs and burdens to covered entities under the HIPAA privacy rule, several principles surface. First, whenever possible, obtain an authorization for the use or disclosure of PHI in the research protocol. All prospective studies involving patient encounters fall into this category. The authorization should be combined with the informed consent document. Neither the minimum necessary standard nor the accounting requirement applies to disclosures under an authorization.

Second, consider de-identified data and limited data sets. Neither needs IRB or privacy board approval under the privacy rule, and neither carries an accounting requirement. A limited data set requires a data use agreement between the researcher and the covered entity and, if the investigator creates the data set on behalf of the covered entity, a business associate agreement as well. Any waiver of informed consent to the research itself will still require IRB approval.

Finally, consider waivers of authorization approved by an IRB or privacy board, reviews preparatory to research, and research on decedents. Each requires an accounting of all disclosures.


 1. 45 CFR 164.506(c)(1)
 2. 45 CFR 164.506(c)(2)-(4)
 3. 45 CFR 164.508(a)(1)
 4. 45 CFR 164.508(a)(2), (a)(3)
 5. 45 CFR 164.508(b)(3)(i)
 6. 45 CFR 164.508(b)(4)(i)
 7. 45 CFR 164.512(i)(1)(i)-(iii)
 8. 45 CFR 164.512(i)(2)(ii)
 9. 45 CFR 164.512(i)(2)
10. 45 CFR 164.512(i)(1)(ii)
11. 45 CFR 164.512(i)(1)(iii)
12. 45 CFR 164.514(a), (b)
13. 45 CFR 164.514(e)(2)
14. 45 CFR 164.514(e)(1)
15. 67 FR 53257
16. 45 CFR 164.514(e)(4)(ii)(C)(2)
17. 45 CFR 164.520, 164.524, 164.526, 164.528
18. 45 CFR 164.528(a)(1)(iv)
19. 45 CFR 164.528(a)(1)(viii)
20. 45 CFR 164.528(a)(1)(ix)
21. 45 CFR 164.502(b), 164.514(d)
22. 45 CFR 164.502(b)(1)
23. 45 CFR 164.502(b)(2)(iii)
24. 45 CFR 164.514(d)(3)(iii)(D)
25. 45 CFR 164.514(d)(3)(iii)(C), 164.514(e)(4)
26. 42 U.S.C.A. §§ 1320d-5, 1320d-6