Clinical Trial Data and HIPAA: What Applies, What’s Exempt, and How to Stay Compliant
Clinical trial data and HIPAA intersect whenever a covered entity or its business associate handles Protected Health Information. This guide explains what parts of a study trigger HIPAA, what’s exempt, and the practical steps you can take to stay compliant while preserving research value.
HIPAA Applicability to Clinical Trials
Who and what HIPAA covers
HIPAA applies to covered entities—health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions—and to their business associates that create, receive, maintain, or transmit PHI on their behalf. PHI is individually identifiable health information linked to a person’s past, present, or future health, care, or payment.
Common clinical trial scenarios
- Investigator sites at hospitals or clinics are typically covered entities. Using or disclosing PHI for research requires a valid Authorization or an IRB/Privacy Board waiver.
- Sponsors are usually not covered entities. They may receive de-identified data, a Limited Data Set under a Data Use Agreement, or PHI when a signed Authorization or an IRB/Privacy Board waiver permits the disclosure. A sponsor that also performs services on a site's behalf may additionally need a Business Associate Agreement for that work.
- CROs often act as business associates when they manage study data or site services for covered entities. In that role, they must sign Business Associate Agreements and implement required safeguards.
- Multi-country trials face mixed regimes. HIPAA applies to U.S. covered-entity sites and their business associates, even if the sponsor is based elsewhere.
Minimum Necessary Standard
When HIPAA permits a use or disclosure without individual Authorization (for example, under a waiver or certain Privacy Rule Exceptions), you must limit PHI to the Minimum Necessary. This standard does not apply to uses or disclosures made pursuant to an individual’s signed Authorization or for treatment.
Exemptions from HIPAA in Clinical Research
Situations where HIPAA does not apply
- De-identified information is not PHI. Once properly de-identified, HIPAA no longer governs its use or disclosure.
- Research conducted without any involvement of a covered entity or business associate (for example, direct-to-consumer studies where participants provide data directly to a non-covered sponsor) falls outside HIPAA, unless PHI from a covered entity is introduced.
- Publicly available information and aggregate statistics that cannot identify an individual are outside HIPAA.
Privacy Rule Exceptions that remove the need for Authorization
- Preparatory to research: Investigators may review PHI on-site to design a protocol or assess feasibility, without Authorization, if no PHI leaves the covered entity.
- Research on decedents’ information: Allowed without Authorization with appropriate representations; note that PHI remains protected for 50 years after death.
- Limited Data Set for research: Authorization is not required when a Limited Data Set is used under a Data Use Agreement, although the data remain PHI.
Even when an Authorization is not required, the Minimum Necessary Standard and other safeguards still apply.
De-Identification Methods under HIPAA
Safe Harbor De-Identification
Safe Harbor De-Identification requires removing 18 identifiers of the individual and of the individual's relatives, household members, and employers, and requires that the covered entity have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual. The identifiers include:
- Names
- Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalent geocodes), except the first three digits of a ZIP code when the area sharing those three digits contains more than 20,000 people
- All elements of dates (except year) directly related to an individual (birth, admission, discharge, death); all ages over 89, and any date elements that would reveal such an age, must be aggregated into a single "90 or older" category
- Telephone, fax, email
- Social Security, medical record, health plan beneficiary, and account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers (including license plates) and device identifiers/serial numbers
- Web URLs and IP addresses
- Biometric identifiers (e.g., fingerprints, voiceprints)
- Full-face photos and comparable images
- Any other unique identifying number, characteristic, or code (except a properly created re-identification code retained separately)
Expert Determination Method
Under the Expert Determination Method, a qualified expert applies accepted statistical and scientific principles to conclude that the risk of re-identifying individuals is very small. The expert documents methods, assumptions, and controls (for example, k-anonymity, l-diversity, or differential privacy), enabling more granular data—such as detailed dates or broader geography—while maintaining low re-identification risk.
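The risk measurement the Expert Determination Method relies on, shown as an added example (not code from this page or from any vendor): a constructed eight-row table of quasi-identifiers is scored for k-anonymity and l-diversity, then coarsened (age bands, 3-digit ZIP) until it meets a target. The rows, column names, and generalization schedule are assumptions; a real determination would also consider the attacker's plausible external data sources and reason about the population, not only the sample.

```python
"""Quantifying re-identification risk on quasi-identifiers (k-anonymity and
l-diversity), in the way an expert determination would document it.
Added example with a constructed dataset; not the page's or any vendor's code."""
from collections import defaultdict

# Constructed sample (not real trial data). Quasi-identifiers are the columns an
# adversary could link to an external source; "diagnosis" is the sensitive attribute.
SAMPLE_ROWS = [
    {"age": 34, "zip": "02139", "sex": "F", "diagnosis": "asthma"},
    {"age": 37, "zip": "02141", "sex": "F", "diagnosis": "diabetes"},
    {"age": 31, "zip": "02134", "sex": "F", "diagnosis": "asthma"},
    {"age": 52, "zip": "02110", "sex": "M", "diagnosis": "hypertension"},
    {"age": 58, "zip": "02115", "sex": "M", "diagnosis": "depression"},
    {"age": 55, "zip": "02120", "sex": "M", "diagnosis": "hypertension"},
    {"age": 43, "zip": "10001", "sex": "F", "diagnosis": "asthma"},
    {"age": 47, "zip": "10003", "sex": "F", "diagnosis": "migraine"},
]
QUASI_IDS = ("age", "zip", "sex")
SENSITIVE = "diagnosis"


def generalize(row, age_band=1, zip_digits=5):
    """Coarsen quasi-identifiers: age into bands of `age_band` years (ages over 89
    collapse to "90+", as Safe Harbor also requires) and ZIP to its leading digits."""
    out = dict(row)
    age = row["age"]
    if age > 89:
        out["age"] = "90+"
    elif age_band > 1:
        lo = (age // age_band) * age_band
        out["age"] = f"{lo}-{lo + age_band - 1}"
    out["zip"] = row["zip"][:zip_digits] if zip_digits < 5 else row["zip"]
    return out


def equivalence_classes(rows, quasi_ids):
    """Group records that share the same quasi-identifier values."""
    groups = defaultdict(list)
    for r in rows:
        groups[tuple(r[q] for q in quasi_ids)].append(r)
    return groups


def k_anonymity(rows, quasi_ids=QUASI_IDS):
    """k = size of the smallest equivalence class: every record is
    indistinguishable from at least k-1 others on the quasi-identifiers."""
    return min(len(g) for g in equivalence_classes(rows, quasi_ids).values())


def l_diversity(rows, quasi_ids=QUASI_IDS, sensitive=SENSITIVE):
    """l = fewest distinct sensitive values in any equivalence class; guards
    against inferring the attribute even when the class size k is adequate."""
    return min(len({r[sensitive] for r in g})
               for g in equivalence_classes(rows, quasi_ids).values())


def prosecutor_risk(rows, quasi_ids=QUASI_IDS):
    """Worst-case probability that an adversary who knows the target is in the
    data picks the right record: 1/k for the smallest class."""
    return 1.0 / k_anonymity(rows, quasi_ids)


def generalize_until(rows, k, l, schedule):
    """Apply increasingly coarse generalizations from `schedule` and return the
    first (params, rows) meeting both the k-anonymity and l-diversity targets,
    or (None, None) if no step in the schedule is coarse enough."""
    for params in schedule:
        coarse = [generalize(r, **params) for r in rows]
        if k_anonymity(coarse) >= k and l_diversity(coarse) >= l:
            return params, coarse
    return None, None


# Assumed generalization ladder, from raw data to Safe Harbor-style 3-digit ZIPs.
SCHEDULE = [
    {"age_band": 1, "zip_digits": 5},
    {"age_band": 5, "zip_digits": 5},
    {"age_band": 10, "zip_digits": 5},
    {"age_band": 10, "zip_digits": 3},
]

if __name__ == "__main__":
    print("raw k =", k_anonymity(SAMPLE_ROWS), "risk =", prosecutor_risk(SAMPLE_ROWS))
    params, coarse = generalize_until(SAMPLE_ROWS, k=2, l=2, schedule=SCHEDULE)
    print("chosen generalization:", params)
    print("k =", k_anonymity(coarse), "l =", l_diversity(coarse),
          "risk =", prosecutor_risk(coarse))
```

On the constructed rows every record is unique on (age, ZIP, sex), so the raw table is 1-anonymous and the prosecutor risk is 1.0; only the last step of the ladder reaches k=2 and l=2. Raising the target to k=3 exhausts the schedule, which is the signal to suppress outlier records or coarsen further rather than release.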
Practical tips for trials
- Choose Safe Harbor for speed and clear rules; use Expert Determination when analytical utility requires richer detail.
- Maintain a re-identification code key, if used, separately with strict access controls.
- Pair de-identification with contractual controls that prohibit re-identification or linkage without permission.
Limited Data Sets in Clinical Trials
What a Limited Data Set includes and excludes
A Limited Data Set excludes 16 direct identifiers: names, postal address information other than town or city, state, and ZIP code, telephone and fax numbers, email addresses, Social Security, medical record, health plan beneficiary, and account numbers, certificate/license numbers, vehicle and device identifiers, URLs, IP addresses, biometric identifiers, and full-face photos or comparable images. It may keep dates (e.g., birth or visit dates), city, state, ZIP code, and unique codes that are not derived from the excluded identifiers. Because it still contains dates and locality, it remains PHI.
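To make the contrast concrete, the following added example (not code from this page or from any vendor) derives both a Limited Data Set and a Safe Harbor record, as defined in the De-Identification Methods section above and in this section, from one constructed source record. The record, its field names, and the over-89 and sparse-ZIP handling follow the rules quoted on this page; the table of sparsely populated 3-digit ZIP prefixes is illustrative and must be checked against current Census data; the in-memory re-identification key stands in for a separately controlled store.

```python
"""Deriving a Limited Data Set and a Safe Harbor de-identified record from one
source record, with the re-identification code kept in a separate store.
Added example; the record, field names and the 3-digit ZIP table are constructed
or illustrative, not the page's or any vendor's code."""
import re
import secrets
from datetime import date

# Constructed source record (not real PHI).
SOURCE_RECORD = {
    "mrn": "MRN-0048213",
    "name": "Jane Q. Example",
    "dob": "1931-07-14",
    "visit_date": "2024-03-02",
    "street": "12 Elm St",
    "city": "Cambridge",
    "state": "MA",
    "zip": "02139",
    "phone": "617-555-0143",
    "email": "jane@example.test",
    "device_serial": "PM-8831-AX",
    "diagnosis": "asthma",
    "fev1_liters": 2.31,
}

# Direct identifiers a Limited Data Set must exclude. Dates and city/state/ZIP stay.
LDS_EXCLUDED = {"mrn", "name", "street", "phone", "email", "device_serial"}

# 3-digit ZIP prefixes whose combined population is 20,000 or fewer; Safe Harbor
# requires these to become "000". Illustrative list (HHS guidance, 2000 Census);
# verify against the current Census table before relying on it.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
               "823", "830", "831", "878", "879", "884", "890", "893"}

# Stands in for the separately held key (code -> MRN). In practice this lives in
# a different system with its own access controls, never beside the data set.
REIDENTIFICATION_KEY = {}


def assign_research_code(mrn):
    """Random code not derived from any identifier; only the key maps it back."""
    for code, known in REIDENTIFICATION_KEY.items():
        if known == mrn:
            return code
    code = "SUBJ-" + secrets.token_hex(4).upper()
    REIDENTIFICATION_KEY[code] = mrn
    return code


def to_limited_data_set(rec):
    """Drop the 16 direct identifiers; keep dates and town/state/ZIP (still PHI)."""
    out = {k: v for k, v in rec.items() if k not in LDS_EXCLUDED}
    out["research_code"] = assign_research_code(rec["mrn"])
    return out


def safe_harbor_zip(zip5):
    z3 = zip5[:3]
    return "000" if z3 in SPARSE_ZIP3 else z3


def age_at(dob, on):
    d, o = date.fromisoformat(dob), date.fromisoformat(on)
    return o.year - d.year - ((o.month, o.day) < (d.month, d.day))


def to_safe_harbor(rec):
    """Safe Harbor: dates reduced to year, city dropped, 3-digit ZIP, and ages
    over 89 reported as '90+' with the birth year dropped as well."""
    out = to_limited_data_set(rec)
    age = age_at(rec["dob"], rec["visit_date"])
    del out["dob"], out["city"]
    out["visit_year"] = rec["visit_date"][:4]
    del out["visit_date"]
    if age > 89:
        out["age"] = "90+"            # birth year omitted: it would reveal the age
    else:
        out["age"] = age
        out["birth_year"] = rec["dob"][:4]
    out["zip3"] = safe_harbor_zip(rec["zip"])
    del out["zip"]
    return out


# Shapes that must not survive Safe Harbor: full dates, phone numbers, emails, MRNs.
_LEAK_PATTERNS = [re.compile(p) for p in (
    r"\b\d{4}-\d{2}-\d{2}\b", r"\b\d{3}-\d{3}-\d{4}\b", r"[^@\s]+@[^@\s]+", r"\bMRN-\d+")]


def find_leaks(rec):
    """Scan string values for identifier-shaped data; return the offending fields."""
    return sorted(k for k, v in rec.items()
                  if isinstance(v, str) and any(p.search(v) for p in _LEAK_PATTERNS))


if __name__ == "__main__":
    lds = to_limited_data_set(SOURCE_RECORD)
    sh = to_safe_harbor(SOURCE_RECORD)
    print("Limited Data Set:", lds)
    print("Safe Harbor:", sh)
    print("leaks in LDS:", find_leaks(lds), "| leaks in Safe Harbor:", find_leaks(sh))
```

Running it shows the point of the section: the leak scan flags `dob` and `visit_date` in the Limited Data Set, which is why an LDS still needs a Data Use Agreement, while the Safe Harbor record scans clean. The scanner is a regression check for the release pipeline, not a substitute for the Safe Harbor rules themselves: it catches identifier-shaped strings that slip through in free-text fields but cannot judge whether a retained field is permitted.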
Data Use Agreement essentials
- Specify permitted uses and disclosures for research, public health, or operations.
- Identify who may use or receive the data and require no re-identification or contact with individuals.
- Mandate safeguards, reporting of breaches, and flow-down obligations to subcontractors.
When to use an LDS in trials
- Feasibility assessments and site selection using dates and locality.
- Interim analyses and safety surveillance that need temporal resolution.
- Linkage with registries under a DUA when direct identifiers are not required.
Apply the Minimum Necessary Standard to Limited Data Sets by tailoring fields to the research purpose.
Research Participants' Right to Access PHI
Scope of the access right
Participants generally have a right to access PHI in a designated record set, such as clinical and billing records used to make decisions about them. Research data not used for decision-making, investigator notes, or records held solely for research may fall outside this set.
Timing and format
Covered entities must act on an access request within 30 days (one extension of up to 30 days is allowed with written notice), providing the PHI in the form and format requested if readily producible, including electronic copies. Reasonable, cost-based fees for copies are permitted. Participants may direct their PHI to a third party by a signed written request.
Temporary suspension during an active study
A site may suspend access to PHI created or obtained in a clinical trial while the study is in progress if the participant agreed to the suspension in the informed consent or Authorization. Access must be restored once the research is complete.
Conditioning Participation on Authorization
What can and cannot be conditioned
A provider may condition provision of research-related treatment on signing an Authorization for that specific study. You cannot condition unrelated clinical care, health plan enrollment, or benefits on a research Authorization.
Compound authorizations and revocations
Compound authorizations may combine conditioned and unconditioned elements if the document clearly distinguishes them and gives participants a meaningful choice to opt in to the unconditioned part. Participants can revoke an Authorization in writing at any time, but the site may continue using PHI already collected as necessary to maintain the study's integrity and comply with recordkeeping obligations.
HIPAA Compliance for Clinical Research Organizations
Determine your role and agreements
- Map data flows to decide whether you are a covered entity, business associate, or neither for each activity.
- Execute Business Associate Agreements when performing functions involving PHI for covered entities.
- Use Data Use Agreements for Limited Data Sets and clear contracts for de-identified data prohibiting re-identification.
Operational safeguards
- Apply the Minimum Necessary Standard and role-based access; document justification for each data element.
- Meet Security Rule expectations: risk analysis, encryption in transit/at rest, endpoint protection, audit logs, and incident response.
- Implement data lifecycle controls: collection minimization, retention schedules, secure destruction, and provenance tracking.
Documentation and oversight
- Maintain IRB/Privacy Board waivers, signed Authorizations, and accounting of disclosures when required.
- Train staff on Privacy Rule Exceptions, Limited Data Set handling, and breach notification.
- Conduct vendor due diligence; require subcontractor BAAs and technical safeguards for any PHI they touch.
Conclusion
To keep clinical trial data and HIPAA compliance aligned, start by identifying whether PHI from a covered entity is involved, choose the least-identified dataset that still meets your endpoints, and back it with the right agreement—Authorization, waiver, DUA, or de-identification. Enforce Minimum Necessary and robust safeguards, and plan for participant access to PHI from the outset.
FAQs
When does HIPAA apply to clinical trial data?
HIPAA applies when a covered entity or its business associate creates, receives, maintains, or transmits PHI for the study. Typical triggers include investigator sites using EHR data for screening, research visits documented in clinical systems, and disclosures of PHI to sponsors or CROs under Authorizations, waivers, or BAAs. If no covered entity or business associate handles PHI, HIPAA generally does not apply.
What are the exemptions from HIPAA in clinical research?
De-identified data, publicly available information, and research conducted entirely outside covered entities (with no PHI from them) are outside HIPAA. Additionally, certain Privacy Rule Exceptions permit research without Authorization, including preparatory-to-research reviews, research solely on decedents’ information with required representations, and use of a Limited Data Set under a Data Use Agreement.
How can clinical trial data be de-identified under HIPAA?
You can use Safe Harbor De-Identification by removing all 18 identifiers and ensuring no actual knowledge of re-identification, or apply the Expert Determination Method, where a qualified expert documents that re-identification risk is very small using accepted statistical techniques. Both approaches benefit from contractual prohibitions on re-identification and strong technical safeguards.
What rights do research participants have regarding access to their PHI?
Participants can access PHI in the designated record set, receive it in the requested readily producible format, and direct it to a third party. Access may be temporarily suspended for study-related PHI during an active trial if the participant agreed in advance; once the study ends, the right resumes. Reasonable, cost-based fees may apply for copies.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.