Clinical Research and the HIPAA Privacy Rule: Compliance Requirements Explained



Kevin Henry

HIPAA

February 17, 2025

9 minute read

HIPAA Privacy Rule Applicability

The HIPAA Privacy Rule governs uses and disclosures of Protected Health Information (PHI) by covered entities and their business associates. In clinical research, Privacy Rule Compliance is required whenever PHI is created, received, maintained, or transmitted by a covered entity for research purposes.

Covered entities include health plans, health care clearinghouses, and health care providers who conduct standard electronic transactions. Hybrid entities (such as universities with medical centers) may designate health care components; research occurring within a covered component that uses PHI remains subject to the Rule.

PHI is individually identifiable health information in any form. It excludes de-identified data, education records under FERPA, employment records held in an employment context, and information about individuals deceased for more than 50 years.

The Rule applies to: (1) a covered entity’s research use/disclosure of PHI; (2) disclosures from a covered entity to an external researcher; and (3) business associate activities supporting research. Research conducted without PHI is outside HIPAA’s scope.

Researcher Status as Covered Entities

Researchers become covered entities when they are health care providers that transmit health information in electronic form in connection with HIPAA standard transactions (for example, billing). In integrated systems, an investigator may be part of a covered component even if their primary role is research.

External researchers are not covered entities solely by virtue of performing research. However, a researcher can be a business associate when contracted to perform services for a covered entity (e.g., data analysis) involving PHI. Business associates must execute appropriate agreements and may not use PHI for independent research absent a proper basis (e.g., authorization or IRB waiver).

Use of Protected Health Information for Research

PHI can be used or disclosed for research through one of several permitted pathways. Selecting the least privacy-invasive option that still meets scientific aims is a core element of Privacy Rule Compliance.

  • Individual authorization: the participant signs a valid HIPAA authorization that specifically describes the PHI and research purpose.
  • IRB or Privacy Board waiver/alteration: permitted when Waiver of Authorization Criteria are met.
  • De-identified data: data meeting HIPAA De-identification Standards are not PHI and may be used freely for research.
  • Limited Data Set: PHI stripped of direct identifiers may be used for research under a Data Use Agreement.
  • Preparatory to research: on-site review of PHI to design a study or assess feasibility, with no removal of PHI.
  • Decedent research: permitted with required representations that the PHI relates solely to decedents.

The minimum necessary standard applies to disclosures for research under a waiver, to Limited Data Sets, and to most internal research uses. When using an individual authorization, access is limited to the PHI expressly described in the form.

Authorization Requirements for Research Use

A HIPAA authorization must be in plain language and signed and dated by the individual (or personal representative). It can be standalone or combined with informed consent. For research, it may describe future research uses if the description reasonably conveys the scope.

Core elements

  • A specific description of the PHI to be used or disclosed.
  • The name or other specific identification of the person(s) or class authorized to make the disclosure and to receive the PHI.
  • The purpose of the use or disclosure (e.g., “for the XYZ clinical trial”).
  • An expiration date or event (e.g., “end of the study” or “none” where permitted for research repositories/databases).

Required statements

  • The right to revoke authorization in writing and any exceptions to the right, plus how to exercise it.
  • Notice that treatment, payment, enrollment, or benefits eligibility may not be conditioned on signing, except for research-related treatment where conditioning is permitted.
  • A statement that PHI disclosed to the recipient may be redisclosed and may no longer be protected by HIPAA.

Compound authorizations are allowed in research if the form clearly distinguishes conditioned from unconditioned components and offers a choice for any unconditioned component. Documentation must be retained for at least six years from creation or last effective date.

IRB Waiver of Authorization

An Institutional Review Board (IRB) or Privacy Board may approve a waiver or alteration when the Waiver of Authorization Criteria are satisfied and documented.

  • Minimal risk to privacy because of: (a) an adequate plan to protect identifiers; (b) a plan to destroy identifiers at the earliest opportunity consistent with research; and (c) written assurances that PHI will not be reused or disclosed except as required by law, for oversight, or as permitted by the Rule.
  • The research could not practicably be conducted without the waiver or alteration.
  • The research could not practicably be conducted without access to and use of the PHI.

IRB documentation must specify the PHI involved, approved elements (full or partial waiver), and any limits needed to satisfy the minimum necessary standard.


De-identified Data Standards

Data are de-identified when they do not identify an individual and there is no reasonable basis to believe they can be used to identify an individual. HIPAA provides two De-identification Standards.

  • Expert determination: a qualified expert applies accepted statistical or scientific principles to conclude that re-identification risk is very small and documents the methods and results.
  • Safe Harbor: removal of 18 categories of direct identifiers (e.g., names; all elements of dates except year; contact numbers; e-mail and IP addresses; full-face photos; medical record, account, and device numbers; precise geocodes smaller than state, with limited ZIP exceptions; and any other unique identifiers). Ages 90 and over must be aggregated to a single category.

Re-identification codes may be assigned if not derived from or related to the data and kept separately. De-identified data are not PHI and may be used or disclosed for research without authorization or accounting.

Limited Data Sets and Data Use Agreements

A Limited Data Set (LDS) is PHI that excludes direct identifiers but may include certain elements like dates of service and some geography (city, state, ZIP). LDS use for research requires a Data Use Agreement (DUA) and must satisfy Limited Data Set Requirements.
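The Safe Harbor rules above (direct identifiers removed, dates reduced to year, ZIP codes truncated, ages 90 and over collapsed to one category) and the Limited Data Set rules in this section (direct identifiers removed, but dates and city/state/ZIP retained) are concrete enough to implement as record filters. The following Python is an added example written for this article; it is not code from the article or from Accountable. The field names, the sample record and the set of restricted ZIP prefixes are constructed for illustration; the ZIP handling follows the Safe Harbor rule that a three-digit prefix may be kept only when its combined area exceeds 20,000 people, with the actual prefix list needing to come from Census data.

```python
"""Safe Harbor de-identification and Limited Data Set filters (added example)."""
import re
import secrets

# Constructed field names standing in for the Safe Harbor direct-identifier
# categories. These are removed for both a de-identified data set and an LDS.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_number", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric_id", "full_face_photo", "other_unique_id",
}
# Date fields: Safe Harbor keeps only the year; an LDS may keep them in full.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date", "service_date"}
# Geography below state level: dropped under Safe Harbor except the ZIP prefix.
SUB_STATE_GEOGRAPHY = {"city", "county"}
# Constructed placeholder for ZIP3 areas of 20,000 or fewer people, which
# Safe Harbor requires to be masked as "000". Derive from Census data in practice.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}
AGE_CAP = 90  # ages 90 and over collapse to a single category


def _year_only(value):
    """Return the year from an ISO YYYY-MM-DD string, or None if unparseable."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value))
    return int(m.group(1)) if m else None


def _zip3(zip_code):
    """Keep the first three ZIP digits, or '000' for a restricted area."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def safe_harbor(record, as_of_year=None):
    """Return a Safe Harbor de-identified copy of `record`.

    Drops direct identifiers and sub-state geography, reduces dates to years,
    truncates ZIP codes, and aggregates ages of 90+ (removing the birth year
    when it would reveal such an age). `as_of_year` lets age be inferred from
    the birth year when the record carries no explicit age.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEOGRAPHY or key == "age":
            continue
        if key in DATE_FIELDS:
            year = _year_only(value)
            if year is not None:
                out[f"{key}_year"] = year
        elif key == "zip":
            prefix = _zip3(value)
            if prefix is not None:
                out["zip3"] = prefix
        else:
            out[key] = value
    age = record.get("age")
    if age is None and as_of_year is not None and "birth_date_year" in out:
        age = as_of_year - out["birth_date_year"]
    if age is not None:
        if age >= AGE_CAP:
            out["age"] = f"{AGE_CAP}+"
            out.pop("birth_date_year", None)  # birth year would reveal age over 89
        else:
            out["age"] = age
    return out


def limited_data_set(record):
    """Return an LDS: direct identifiers removed, dates and city/state/ZIP kept."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def assign_reid_code(deidentified, registry, source_key):
    """Attach a random re-identification code and store the link separately.

    The code comes from `secrets`, so it is not derived from the data; `registry`
    is the separately held key table mapping code -> source record key.
    """
    code = secrets.token_hex(8)
    registry[code] = source_key
    return {**deidentified, "reid_code": code}


# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Example",
    "street_address": "123 Main St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "birth_date": "1931-05-14",
    "age": 93,
    "service_date": "2024-11-03",
    "email": "jane@example.com",
    "medical_record_number": "MRN-000123",
    "diagnosis_code": "E11.9",
    "lab_result": 7.2,
}

if __name__ == "__main__":
    print("Safe Harbor:", safe_harbor(SAMPLE))
    print("Limited Data Set:", limited_data_set(SAMPLE))
```

Running the block on the sample record shows the difference between the two outputs: the Safe Harbor result keeps only state, the ZIP prefix `627`, the service year, the diagnosis code and the lab value, with the age collapsed to `90+` and the birth year dropped, while the Limited Data Set keeps city, full ZIP, full dates and the exact age but still strips the name, address, e-mail and medical record number. Field-level filtering like this is a mechanical check, not a substitute for the expert determination pathway or the DUA terms the section describes.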

Minimum elements of a DUA

  • Permitted uses and disclosures by the recipient, limited to research, public health, or health care operations.
  • Specific identification of who may use or receive the LDS.
  • Prohibitions on re-identification and contacting individuals.
  • Recipient obligations to use safeguards, report inappropriate uses/disclosures, and ensure downstream compliance by agents.

An authorization or IRB waiver is not required when an LDS is properly released under a DUA. Disclosures of an LDS are generally excluded from the HIPAA accounting requirement, but the minimum necessary standard still applies.

Preparatory Activities Access

Researchers may review PHI on-site to prepare a protocol, design eligibility criteria, or determine feasibility. Before access, the researcher must represent that the review is solely preparatory, the PHI sought is necessary, and no PHI will be removed from the covered entity.

Recruitment often requires either involvement of the provider-of-record or an IRB-approved partial waiver to permit screening and contact. Institutions may have additional safeguards, such as honest broker workflows, to manage access.

Accounting for Disclosures in Research

When a covered entity discloses PHI for research without authorization (for example, under an IRB waiver or for decedent research), it must provide an accounting of such disclosures upon request for up to six years prior to the request date.

  • For fewer than 50 records, account individually by date, recipient, description of PHI, and purpose.
  • For 50 or more records for the same study, a “protocol listing” may be provided that includes the study name, sponsor, purpose, PHI description, selection criteria, date or period of disclosures, and recipient contact information.
  • No accounting is required for disclosures made pursuant to an individual authorization or for Limited Data Sets disclosed under a DUA.

Responsibilities of Principal Investigators

Principal Investigators are responsible for integrating Privacy Rule Compliance into study design and daily operations. The goal is to obtain only the PHI necessary, document the legal basis, and protect it throughout the research lifecycle.

Practical compliance checklist

  • Map data flows: identify all PHI elements, sources, recipients, and storage locations.
  • Select the least intrusive legal pathway (de-identified data, LDS with DUA, authorization, or IRB waiver) that meets scientific needs.
  • Apply the minimum necessary standard to requests and disclosures; justify each data element.
  • Secure approvals and documentation: informed consent, HIPAA authorization, IRB determinations, and any Data Use Agreements or business associate agreements.
  • Implement safeguards: role-based access, encryption, monitoring, and breach response procedures.
  • Maintain required records (e.g., authorizations and waivers) for at least six years and be prepared to support accounting requests.
  • Train the study team on PHI handling, re-use limits, and reporting obligations.

Conclusion

Effective clinical research under HIPAA requires choosing the correct data pathway, meeting Authorization or Waiver of Authorization Criteria when applicable, adhering to De-identification Standards or Limited Data Set Requirements, and documenting every step. By planning early and aligning with the IRB, you can advance science while safeguarding privacy.

FAQs

What constitutes a covered entity under the HIPAA Privacy Rule?

A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard HIPAA transactions. Hybrid entities may designate covered components; research within those components that uses PHI remains subject to the Rule.

How can researchers use PHI without individual authorization?

Options include an IRB or Privacy Board waiver or alteration, use of a Limited Data Set under a Data Use Agreement, access for preparatory activities with no removal of PHI, and research solely on decedent information with required representations. Alternatively, use de-identified data, which are not PHI.

What are the key elements required in an authorization form?

Core elements are a specific description of the PHI, who may disclose and receive it, the purpose, and an expiration date or event. Required statements include the right to revoke, whether signing is a condition of research-related treatment, and notice of potential redisclosure. The form must be in plain language and signed and dated.

When can an IRB waive the requirement for authorization?

An IRB may waive authorization when privacy risk is minimal with adequate protections and plans for destruction of identifiers, assurances against improper reuse, and when the research could not practicably be done without the waiver and without access to the PHI. The IRB must document its findings and scope of the waiver.
