Clinical Research HIPAA Compliance Checklist: PHI Uses, Disclosures, and IRB Requirements

Kevin Henry

HIPAA

February 18, 2025

This clinical research HIPAA compliance checklist helps you determine when and how you may use or disclose Protected Health Information (PHI) under the HIPAA Privacy Rule. It walks through HIPAA authorizations, IRB-approved waivers, limited data sets with Data Use Agreements (DUAs), de-identified data pathways, research using decedents’ PHI, the Institutional Review Board (IRB) oversight role, and the Minimum Necessary Standard with accounting for disclosures.

Use these steps to document decisions, reduce privacy risk, and align PHI practices with IRB requirements across the life cycle of a study—from feasibility and recruitment through analysis, sharing, and archiving.

HIPAA Authorization in Research

When you need a HIPAA authorization

You must obtain a HIPAA-compliant authorization from the individual when a covered entity uses or discloses PHI for research and no other Privacy Rule permission applies (for example, no IRB/Privacy Board waiver and the data are not a limited data set under a DUA or de-identified). When applicable, you may combine the authorization with consent under the Common Rule, provided each element remains intact.

Elements of a valid authorization

  • Specific description of the PHI to be used or disclosed and the research purpose.
  • Who may disclose the PHI (e.g., the covered entity) and who may receive it (e.g., the research team, a data coordinating center).
  • Expiration date or event (for example, “end of the research study”).
  • Statement of the right to revoke in writing and how to do so, with limits on revocation for actions already taken.
  • Statement about the potential for re-disclosure by recipients not covered by HIPAA.
  • Whether treatment, payment, enrollment, or eligibility is conditioned on signing and the consequences of refusal, if applicable.
  • Individual’s (or representative’s) signature and date; if a representative, description of authority.

Practical tips: authorization checklist

  • Confirm authorization is required (no waiver, no DUA/LDS, not de-identified).
  • Verify all HIPAA elements are present and unaltered.
  • Limit PHI to what the protocol justifies; align with study data maps.
  • Capture valid signatures/dates; provide a copy upon request.
  • File and retain documentation for at least six years from the last effective date.

Waiver of Authorization Criteria

When a waiver or alteration is appropriate

An IRB or HIPAA Privacy Board may approve a full or partial waiver of authorization when obtaining individual authorization is impracticable and sufficient privacy safeguards are in place. Use this pathway for activities such as retrospective record reviews or feasibility work where direct contact is not feasible.

Required IRB/Privacy Board determinations

  • The use or disclosure of PHI involves no more than a minimal risk to privacy, based on:
    • A plan to protect identifiers from improper use and disclosure,
    • A plan to destroy identifiers at the earliest opportunity consistent with research conduct, and
    • Written assurances PHI will not be reused or disclosed except as permitted by HIPAA or required by law.
  • The research could not practicably be conducted without the waiver or alteration.
  • The research could not practicably be conducted without access to and use of the PHI.

Documentation you must maintain

  • IRB/Privacy Board approval with date, signature of the chair or designee, and a statement of the waiver determinations.
  • A description of the PHI to be used, the review’s scope, and any limits on disclosure.
  • Plans and controls referenced in the minimal risk analysis (e.g., data security, destruction timelines).

Waiver checklist

  • Justify impracticability of authorization and need for PHI access.
  • Define the smallest PHI set necessary; restrict team access accordingly.
  • Implement administrative, physical, and technical safeguards proportionate to risk.
  • Record IRB/Privacy Board approval details; monitor adherence to conditions.

Limited Data Sets and Data Use Agreements

What constitutes a limited data set (LDS)

An LDS is PHI stripped of direct identifiers (e.g., names, full postal addresses, phone numbers, email, Social Security numbers, medical record numbers, full-face photos). Unlike de-identified data, an LDS may retain certain elements such as dates (e.g., admission, discharge, birth, death) and some geographic information (e.g., city, state, ZIP code).

Data Use Agreement (DUA) essentials

  • Permitted purposes: research, public health, or health care operations.
  • Authorized users/recipients and limits on further use/disclosure.
  • Agreement not to re-identify or contact individuals.
  • Safeguards for the data, reporting of any misuse, and mitigation steps.
  • Provisions for return or destruction of the LDS when no longer needed.
  • Oversight, including auditing rights and breach notification responsibilities.

LDS/DUA checklist

  • Remove all direct identifiers per HIPAA before disclosure.
  • Execute a DUA between the sender and recipient prior to any transfer.
  • Limit the LDS to variables necessary for the protocol; document a data minimization rationale.
  • Enforce technical safeguards (access controls, encryption, logging) and periodic reviews.
  • Track disclosures consistent with accounting requirements applicable to your use case.

De-Identified Data in Research

Two de-identification pathways

  • Safe Harbor: remove all specified identifiers (the “18 identifiers,” including names, full addresses, all elements of dates except year, full-face photos, and other unique identifiers) and ensure the covered entity has no actual knowledge that the remaining information could identify an individual.
  • Expert Determination: a qualified expert applies generally accepted statistical or scientific methods and documents that the risk of re-identification is very small, with the methods and results retained.

Governance and safeguards

  • Maintain written evidence of the method used (e.g., expert’s certification or Safe Harbor checklist).
  • Apply controls for small cell sizes, outliers, and free-text fields to prevent inadvertent identifiers.
  • Document provenance, transformations, and any data quality impacts of de-identification.

De-identified data checklist

  • Select Safe Harbor or Expert Determination; document the choice and rationale.
  • Validate outputs against De-Identification Standards before sharing.
  • Prohibit re-identification attempts in data sharing terms and team SOPs.
  • Periodically reassess re-identification risk if datasets are linked or enriched.
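The two data pathways above, the limited data set (direct identifiers removed, dates and city/state/ZIP retained) and Safe Harbor de-identification (all 18 identifier categories removed, dates reduced to year), lend themselves to a mechanical filter that can be reviewed and tested before any data leaves the covered entity. The following is an added example, not code from the article or from Accountable. Field names, the sample record and the reference date are constructed; the list of low-population three-digit ZIP prefixes is the one HHS guidance has cited from the 2000 Census and is an assumption to be verified against current Census data before use. It goes slightly beyond the article by applying the full Safe Harbor identifier list, the ZIP-prefix rule and the over-89 age aggregation, and by dropping free-text fields (the article's free-text caveat) in both pathways.

```python
"""Added example: limited data set (LDS) and Safe Harbor filters for research records.

Not the article's or Accountable's code. Field names, the sample record and the
reference date are constructed for illustration.
"""
from __future__ import annotations

from datetime import date

# Direct identifiers that must be removed for BOTH an LDS and Safe Harbor.
# Keys are assumed field names; the categories follow the Safe Harbor list
# (names, contact details, SSN, MRN, plan/account/license numbers, vehicle and
# device identifiers, URLs, IP addresses, biometrics, full-face photos, ...).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}

# Free text can carry names or dates; the conservative choice taken here is to
# drop it in both pathways rather than trust a scrubber.
FREE_TEXT_FIELDS = {"notes"}

# Date fields an LDS may keep but Safe Harbor must reduce to the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# ASSUMPTION: three-digit ZIP prefixes whose area held 20,000 or fewer people
# in the 2000 Census (the list cited in HHS guidance). Verify against current data.
LOW_POPULATION_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Constructed sample record and reference date (the article's publication date).
REFERENCE_DATE = date(2025, 2, 18)
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "ssn": "000-00-0000",
    "email": "jane@example.org",
    "phone": "555-0100",
    "street_address": "1 Example Way",
    "city": "Springfield",
    "state": "MA",
    "zip": "01101",
    "birth_date": date(1931, 5, 2),
    "admission_date": date(2024, 3, 14),
    "discharge_date": date(2024, 3, 20),
    "diagnosis_code": "I10",
    "notes": "Patient Jane Example reports ...",
}


def find_direct_identifiers(record: dict) -> list[str]:
    """Return the direct-identifier fields still present; empty means clean."""
    return sorted(k for k in record if k in DIRECT_IDENTIFIERS)


def make_limited_data_set(record: dict) -> dict:
    """LDS: strip direct identifiers and free text; keep dates, city, state, ZIP."""
    return {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS and k not in FREE_TEXT_FIELDS}


def generalize_zip(zip_code: str | None) -> str | None:
    """Safe Harbor: keep the first three ZIP digits, or 000 for low-population areas."""
    if not zip_code:
        return None
    prefix = zip_code[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def age_on(birth: date, reference: date) -> int:
    """Whole years between a birth date and a reference date."""
    return reference.year - birth.year - ((reference.month, reference.day) < (birth.month, birth.day))


def safe_harbor_deidentify(record: dict, reference: date = REFERENCE_DATE) -> dict:
    """Safe Harbor: start from the LDS, then remove the elements an LDS may keep."""
    out = make_limited_data_set(record)
    out.pop("city", None)                      # subdivision smaller than a state
    if "zip" in out:
        out["zip3"] = generalize_zip(out.pop("zip"))
    for field in DATE_FIELDS:                  # all date elements except year
        if field in out:
            out[field.replace("_date", "_year")] = out.pop(field).year
    if "birth_year" in out:                    # ages over 89 aggregate to 90+,
        age = age_on(record["birth_date"], reference)  # including the birth year
        if age > 89:
            out.pop("birth_year")
            out["age"] = "90+"
        else:
            out["age"] = age
    # The "no actual knowledge" test is a human determination and is not coded here.
    return out


if __name__ == "__main__":
    print("LDS:", make_limited_data_set(SAMPLE_RECORD))
    print("Safe Harbor:", safe_harbor_deidentify(SAMPLE_RECORD))
```

Run it on a record map exported from the study's data dictionary and keep the output of `find_direct_identifiers` in the release file as evidence for the Safe Harbor checklist; the LDS output still needs an executed DUA before transfer.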

Research on Decedents' PHI

Permitted research uses and disclosures

Under the HIPAA Privacy Rule, a covered entity may use or disclose decedents’ PHI for research without authorization or a waiver if the researcher represents that the use or disclosure is solely for research on the PHI of decedents and that the PHI sought is necessary for the research, and provides documentation of death when the covered entity requests it. HIPAA protections for decedents’ PHI apply for 50 years after the date of death.

Decedents’ PHI checklist

  • Obtain the required representations from the researcher in writing.
  • Limit the PHI to what is necessary for the protocol; apply safeguards and access controls.
  • Be prepared to obtain or review documentation of death when requested.
  • Track disclosures per your accounting procedures.

IRB's Role in HIPAA Compliance

Core responsibilities

  • Review and document Authorization Waiver Criteria for waiver/alteration requests.
  • Verify that HIPAA authorizations contain all required elements when used.
  • Ensure the Minimum Necessary Standard is addressed in the protocol and data management plan.
  • Coordinate with the Privacy Office on DUAs, limited data sets, and data sharing.
  • Condition approvals on appropriate safeguards, monitoring, and incident reporting.
  • Oversee changes that affect PHI (e.g., new data sources, expanded sharing) via amendments.

IRB oversight checklist

  • Require clear data maps showing PHI sources, flows, and recipients.
  • Confirm storage, retention, and destruction practices align with HIPAA requirements.
  • Capture board determinations and maintain records for at least six years.
  • Align Common Rule consent, HIPAA authorization, and protocol privacy protections.

Minimum Necessary Standard and Accounting for Disclosures

Applying the Minimum Necessary Standard

  • Applies to uses, disclosures, and requests of PHI except where HIPAA expressly exempts (e.g., disclosures for treatment, to the individual, or pursuant to a valid authorization).
  • For research with an IRB/Privacy Board waiver, limit PHI to the least amount needed to accomplish the research purpose.
  • For limited data sets, tailor variables to the protocol and enforce role-based access.
  • For preparatory-to-research activities, access only what is needed and do not remove PHI from the covered entity.

Accounting for disclosures

  • Maintain logs for disclosures of PHI that require accounting, including date, recipient, a brief description of PHI, and the purpose or a copy of the written request.
  • Where permitted by HIPAA, provide protocol-level or summary accountings for certain research disclosures instead of listing each individual disclosure.
  • Respond to individual requests for an accounting within HIPAA’s required timeframes; one extension is allowed with written notice explaining the delay.
  • Retain accounting and waiver/authorization documentation for at least six years.

Bringing these elements together—sound authorizations, well-justified waivers, careful use of limited data sets and DUAs, strong de-identification practices, appropriate handling of decedents’ PHI, active IRB oversight, and diligent application of the Minimum Necessary Standard—gives you a practical, defensible Clinical Research HIPAA Compliance Checklist for PHI uses and disclosures.

FAQs

What are the criteria for an IRB to waive HIPAA authorization?

An IRB or HIPAA Privacy Board may waive or alter authorization when: (1) the PHI use/disclosure poses no more than a minimal risk to privacy with adequate plans to protect and destroy identifiers and assurances against improper reuse; (2) the research could not practicably be conducted without the waiver or alteration; and (3) the research could not practicably be conducted without access to and use of the PHI. The board’s written approval must document these determinations, the PHI involved, and any conditions.

How does the HIPAA Privacy Rule apply to decedents' PHI in research?

HIPAA permits use and disclosure of decedents’ PHI for research without authorization or waiver if the researcher represents that the use is solely for research on decedents, the requested PHI is necessary, and documentation of death can be provided upon request. Protections apply for 50 years after death; you must still apply safeguards, limit access, and track disclosures as required.

What protections are required for limited data sets used in clinical research?

You must remove all direct identifiers to form the limited data set and execute a Data Use Agreement specifying permitted uses (research, public health, or operations), authorized users, safeguards, reporting duties, a ban on re-identification or contact, and return or destruction requirements. Apply access controls, encryption, and auditing, and tailor the LDS to the Minimum Necessary Standard.

What is the IRB’s role in ensuring HIPAA compliance during research?

The IRB (or Privacy Board) evaluates and documents Authorization Waiver Criteria, verifies authorization content when used, ensures the protocol meets the Minimum Necessary Standard, coordinates with the Privacy Office on DUAs and data sharing, requires appropriate safeguards, and monitors changes that affect PHI. The IRB’s documentation and continuing oversight help demonstrate HIPAA-compliant handling of PHI throughout the study.
