Does HIPAA Apply to Biospecimen Research? Rules, Authorizations, and De‑Identification
HIPAA Privacy Rule Applicability
Whether HIPAA applies to biospecimen research turns on who holds the materials and what information accompanies them. The HIPAA Privacy Rule protects Protected Health Information (PHI) maintained or transmitted by covered entities (health plans, most providers, clearinghouses) and their business associates. If your project uses or discloses PHI from these entities, HIPAA governs your Research Privacy Protections.
A biospecimen itself is not automatically PHI. It is PHI when it carries identifiers on a label, is linkable to a record that identifies an individual, or is handled in systems where identity is readily ascertainable. If you receive unlabeled, irreversibly de-identified specimens with no code or key accessible to you, those materials are generally outside HIPAA.
HIPAA and the federal Common Rule address different questions: HIPAA governs privacy of PHI, while the Common Rule determines when an activity is Human Subject Research requiring IRB review and consent. Many studies require both HIPAA compliance and Common Rule Compliance; some require only one, depending on identifiability and data sources.
De-Identification of Biospecimens
To move activities outside HIPAA, you can de-identify the data associated with biospecimens so it is no longer PHI. HIPAA recognizes two primary pathways:
- Safe Harbor: Remove all 18 categories of identifiers of the individual and of the individual’s relatives, employers, and household members (for example, names; all geographic subdivisions smaller than a state, except the first three digits of a ZIP code where that three-digit area holds more than 20,000 people; all elements of dates other than the year; phone and fax numbers, email addresses, Social Security, medical record, health plan, and account numbers; device, vehicle, and certificate/license identifiers; URLs, IP addresses, biometrics, and full-face images), aggregate all ages over 89 into a single “90 or older” category (including any date element, such as a birth year, that would reveal such an age), and have no actual knowledge that the remaining information could identify the individual.
- Expert Determination: A qualified expert documents that the risk of re-identification is very small, given the data, context, and safeguards. This approach is well-suited when specimens are tied to complex data (e.g., genomic or high-dimensional datasets) that might otherwise enable re-identification.
Pseudonymization (“coding”) can reduce risk but, by itself, does not equal de-identification if the recipient can access the key. A common practice is using an honest broker: the key is retained by a separate party, and recipients receive only coded data/specimens with contractual prohibitions on re-identification. HIPAA also lets a covered entity keep a re-identification code on de-identified data, but only if the code is not derived from or related to information about the individual and the re-identification mechanism is not disclosed; a code built from an MRN or other identifier does not meet that test on its own.
Because biospecimens can enable powerful inference (e.g., DNA sequence), pair technical controls with administrative and contractual safeguards to keep re-identification risk very small. Document your de-identification plan and residual risk analysis as part of your Research Privacy Protections.
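The Safe Harbor scrubbing and honest-broker coding described in this section, as an added Python example that is not part of the original page. The field names, the constructed sample record, and the restricted three-digit ZIP list (taken from the HHS Safe Harbor guidance, which uses 2000 Census figures and should be re-checked before use) are assumptions. It goes slightly beyond the section by also emitting the Limited Data Set form discussed later on this page, so the two outputs can be compared side by side.

```python
import re
import secrets
from datetime import date

# Field names are assumptions for the constructed sample record below, not a
# HIPAA-defined schema. These are the direct identifiers that must be removed
# from both a Safe Harbor data set and a Limited Data Set.
DIRECT_IDENTIFIERS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account", "license", "vehicle_id", "device_serial", "url", "ip",
    "biometric", "face_photo",
}
# Date fields reduced to year under Safe Harbor; an LDS may keep them whole.
DATE_FIELDS = {"dob": "birth_year", "admission_date": "admission_year",
               "discharge_date": "discharge_year"}
# Three-digit ZIP prefixes covering 20,000 or fewer people in the HHS Safe
# Harbor guidance (2000 Census). Safe Harbor reports these as "000".
# Verify against current guidance before relying on this list.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}
# Patterns for a residual scan of free-text fields after scrubbing.
LEAK_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # SSN
                 re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),      # phone
                 re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")]          # email


def safe_harbor_zip(zip5: str) -> str:
    zip3 = zip5[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def deidentify(record: dict, mode: str = "safe_harbor") -> dict:
    """Strip direct identifiers; under Safe Harbor also generalize the
    quasi-identifiers (dates to years, ZIP to ZIP3, ages over 89 to "90+",
    city dropped). mode="lds" keeps dates, city, ZIP5 and exact age: that
    output is still PHI and needs a data use agreement."""
    if mode not in ("safe_harbor", "lds"):
        raise ValueError(f"unknown mode {mode!r}")
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if mode == "lds":
            out[field] = value
        elif field == "city":
            continue
        elif field in DATE_FIELDS:
            out[DATE_FIELDS[field]] = value.year
        elif field == "zip5":
            out["zip3"] = safe_harbor_zip(value)
        elif field == "age":
            out["age"] = "90+" if value >= 90 else str(value)
        else:
            out[field] = value
    # Safe Harbor: any date element (including year) that reveals an age over
    # 89 must also go, so the birth year is dropped for the "90+" bucket.
    if out.get("age") == "90+":
        out.pop("birth_year", None)
    return out


def scan_for_leaks(record: dict) -> list:
    """Fields whose string values still look like an SSN, phone or email."""
    return [f for f, v in record.items()
            if isinstance(v, str) and any(p.search(v) for p in LEAK_PATTERNS)]


class HonestBroker:
    """Holds the only identity-to-code table. Recipients receive coded records
    and never the table, so they cannot re-link specimens to people."""
    def __init__(self):
        self._table = {}   # mrn -> code; stays with the broker

    def code_for(self, mrn: str) -> str:
        # Random code, not derived from the MRN or any other fact about the
        # person (what 45 CFR 164.514(c) requires of a re-identification code).
        if mrn not in self._table:
            self._table[mrn] = secrets.token_hex(8)
        return self._table[mrn]

    def release(self, record: dict, mode: str = "safe_harbor") -> dict:
        coded = deidentify(record, mode)
        coded["specimen_code"] = self.code_for(record["mrn"])
        return coded


# Constructed sample record (fictional values).
SAMPLE = {
    "mrn": "MRN-0042", "name": "A. Example", "street": "1 Sample Way",
    "city": "Springfield", "state": "MA", "zip5": "03601",   # 036 is restricted
    "dob": date(1930, 5, 4), "age": 94, "admission_date": date(2024, 3, 2),
    "phone": "617-555-0100", "diagnosis": "E11.9", "specimen_type": "serum",
    "notes": "serum aliquot, 2 mL",
}

if __name__ == "__main__":
    broker = HonestBroker()
    print(broker.release(SAMPLE))          # Safe Harbor + random specimen code
    print(broker.release(SAMPLE, "lds"))   # still PHI; needs a DUA
    print(scan_for_leaks(broker.release(SAMPLE)))
```

Two things the code cannot do for you: the “no actual knowledge” condition and an Expert Determination are judgments, and `scan_for_leaks` is only a sanity check on free-text fields, not proof that the output is de-identified. The broker issues a random code rather than a keyed hash of the MRN because a hash is still derived from information about the individual; treat such a hash as something to review (for example under Expert Determination) rather than assume it qualifies as a permitted re-identification code.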
Secondary Use of De-Identified Biospecimens
Secondary research using biospecimens and associated records that meet HIPAA de-identification standards is not research on PHI; HIPAA authorization and accounting are not required. Keep in place the controls that preserve de-identification, and avoid receiving any key that could re-link specimens to identities.
Under the Common Rule, secondary use typically is not Human Subject Research if investigators cannot readily ascertain identity. If you later combine data in a way that enables re-identification—or obtain a code key—HIPAA and Common Rule obligations may reattach. Honor any repository terms, consent restrictions, or data use conditions even when HIPAA no longer applies.
Secondary Use of Identifiable Biospecimens
When biospecimens are identifiable and obtained from or through a HIPAA covered entity, you generally need either the individual’s HIPAA authorization for research or a HIPAA Authorization Waiver approved by an IRB or Privacy Board. In many cases, you also need Common Rule Compliance via IRB review and informed consent (or a waiver of consent).
HIPAA authorization
An authorization specifies what PHI will be used or disclosed, by whom, to whom, for what purpose, and for how long. It may also permit storage/maintenance and future research uses, if these are described clearly. Authorizations can be “compound” with other research permissions when requirements are met.
Waiver or alteration of authorization
An IRB or Privacy Board may grant a waiver (full or partial) when: the privacy risk is minimal with adequate safeguards; the research could not practicably be done without the waiver; and it could not practicably be done without PHI. The waiver documentation should include a plan to protect identifiers, a plan to destroy them when no longer needed, and assurances against improper reuse or disclosure.
Other permitted pathways
- Preparatory to research: Review PHI on-site to design a study or assess feasibility, without removing PHI from the covered entity.
- Research on decedents’ PHI: Permitted with representations that the use is solely for decedent research and PHI is necessary.
- Business associate arrangements: If a service provider handles PHI for a covered entity’s research-related functions, a business associate agreement is required.
Apply the minimum necessary standard to uses and disclosures made without individual authorization, and keep an accounting of disclosures made under a waiver, for decedent research, or of a Limited Data Set, since the individual has not authorized them and may request that accounting.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Limited Data Sets for Research
A Limited Data Set (LDS) is still PHI, but it excludes 16 direct identifiers, including names, street addresses, contact numbers, email addresses, Social Security, medical record, and account numbers, device and vehicle identifiers, biometrics, and full-face images. It may include dates (e.g., birth, death, admission, discharge, encounter), city, state, five-digit ZIP code, and ages, which are often essential for analysis.
Before a covered entity discloses an LDS for research, the recipient must sign a Limited Data Set Agreement (often called a Data Use Agreement). The agreement must limit uses and disclosures to specified purposes, require safeguards, mandate reporting of any impermissible use or disclosure, bind downstream agents to the same terms, and prohibit re-identification or contact with individuals.
Use an LDS when full de-identification would undermine scientific validity but direct identifiers are unnecessary. An LDS offers a practical balance between data utility and privacy, with enforceable Research Privacy Protections.
Certificates of Confidentiality
Certificates of Confidentiality add a layer of protection for identifiable, sensitive information, including biospecimens. For many federally funded studies collecting or using identifiable, sensitive data (NIH-funded research is covered automatically), Certificates are issued without a separate application. They generally prohibit compelled disclosure (e.g., subpoenas) and restrict voluntary disclosure, except in limited situations such as participant consent, disclosure required by law (e.g., abuse or communicable disease reporting), or federal oversight.
Certificates complement HIPAA rather than replace it. Continue to follow HIPAA’s authorization/waiver pathways, data minimization, and security requirements, and flow Certificate obligations to collaborators and repositories handling covered biospecimens.
State Laws and Regulations
HIPAA is a federal floor. States may adopt more protective rules that control biospecimen collection, genetic analysis, retention, and sharing. Many jurisdictions have genetic privacy statutes, tissue bank or laboratory laws, or consumer privacy laws that can reach research contexts not squarely covered by HIPAA.
- Expect heightened consent requirements for genetic testing or secondary use of genetic information, including explicit authorization for research or commercial use.
- Watch for rules on retention periods, destruction, and participant rights to withdraw biospecimens from repositories.
- Plan for special protections for minors’ specimens, newborn screening materials, and sensitive conditions.
- For multi-state projects, design governance to meet the most protective applicable standard across sites.
Conclusion
In practice, ask three questions: Are you working with a HIPAA covered entity or its business associate? Are the biospecimens or linked data identifiable PHI? Which lawful pathway fits—de-identification, Limited Data Set with a Limited Data Set Agreement, individual authorization, or a HIPAA Authorization Waiver? Align those answers with Common Rule Compliance and any state-specific rules to build durable Research Privacy Protections for biospecimen research.
FAQs
What types of biospecimens are covered under HIPAA?
HIPAA protects Protected Health Information (PHI), not the physical specimen in isolation. Biospecimens are within HIPAA when they are labeled or readily linkable to an individual through associated records held by covered entities or business associates. Unlabeled, irreversibly de-identified specimens provided without any key or code accessible to you are generally outside HIPAA, though other policies or laws may still apply.
How does de-identification affect HIPAA requirements?
Once you de-identify associated data under HIPAA’s Safe Harbor or Expert Determination standards—and you do not possess or receive a key that would re-identify individuals—the materials are no longer PHI. You may use and disclose them for research without HIPAA authorization or accounting, provided you maintain the controls that keep the set de-identified. If you instead use a Limited Data Set, HIPAA still applies via a Data Use Agreement.
When is HIPAA authorization waiver required for biospecimen research?
A HIPAA Authorization Waiver is required when you need to use or disclose identifiable PHI for research but cannot practicably obtain individual authorizations. An IRB or Privacy Board can approve a waiver if privacy risks are minimal with safeguards, the research cannot be done without PHI, and it cannot be done without the waiver. Partial waivers are common for activities like screening records or recruiting.
Are state laws more restrictive than HIPAA for biospecimen use?
Often yes. Many states impose stricter consent and privacy rules for genetic information, biospecimen storage, or secondary research uses. Because HIPAA sets a floor, more protective state requirements control. For multi-state studies, plan to meet the most stringent applicable standard in your cohort or repository.