HIPAA Compliance for Research Protocols: What Researchers Need to Know
HIPAA Privacy Rule Requirements
HIPAA applies when your research involves Protected Health Information (PHI) held by a covered entity or its business associate. To maintain Privacy Rule Compliance, you must use or disclose PHI only through permitted pathways and document your legal basis before accessing any records.
Research uses and disclosures of PHI are permitted when you obtain a valid individual authorization; receive an Institutional Review Board (IRB) or Privacy Board Authorization Waiver; review PHI solely “preparatory to research” without removing it from the covered entity; or conduct research solely on decedents’ information with required representations. Business Associate Agreements are required when vendors handle PHI for your study on behalf of a covered entity.
Your protocol should map each data flow to one of these pathways, state who will access PHI, and explain how you will meet the Minimum Necessary standard when it applies. Align your informed consent and HIPAA authorization language to ensure consistent scope and purpose.
De-identified Data Use
Data are not PHI once they are de-identified under HIPAA. You can then use and disclose them for research without HIPAA restrictions, though other rules (e.g., IRB policies or contracts) may still apply.
HIPAA offers two methods: (1) Safe Harbor, which removes 18 classes of identifiers of the individual and of relatives, employers, and household members (for example, names; geographic subdivisions smaller than a state, except that the first three digits of a ZIP code may be kept when the area sharing those digits holds more than 20,000 people; all elements of dates except year, with ages over 89 collapsed into a single category of 90 or older; phone and fax numbers; email addresses; Social Security, medical record, health plan, and account numbers; certificate and license numbers; vehicle and device identifiers; URLs and IP addresses; biometric identifiers; full-face photographs; and any other unique identifying number, characteristic, or code) and also requires that you have no actual knowledge that the remaining data could identify the individual; or (2) Expert Determination, in which a qualified expert applies accepted statistical or scientific principles and documents that the risk of re-identification is very small. If you create a re-identification code, it must not be derived from or related to information about the individual, you may not use or disclose it for any other purpose, and the key or other re-identification mechanism must be kept separately under strict controls and never disclosed with the data.
Limited Data Sets and Data Use Agreements
A Limited Data Set (LDS) may retain certain elements, such as city, state, and ZIP code; dates (admission, discharge, service, birth, death); and ages, while excluding 16 direct identifiers: names, street addresses, phone and fax numbers, email addresses, Social Security, medical record, health plan, and account numbers, certificate and license numbers, vehicle and device identifiers, URLs and IP addresses, biometric identifiers, and full-face photographs. An LDS remains PHI and carries safeguards and use limits.
Before disclosing an LDS, you must execute a Data Use Agreement that specifies the permitted uses and disclosures, who may use or receive the data, safeguards to prevent uses or disclosures beyond the agreement, a duty to report to the covered entity any use or disclosure not provided for by the agreement, flow-down of the same restrictions to agents and subcontractors, and a promise not to identify or contact the individuals. The Minimum Necessary standard applies to LDS disclosures; share only the elements the research requires. Since the 2013 Omnibus Rule there is no LDS exception to the breach definition, so an impermissible use or disclosure of an LDS is a potential breach of PHI and the DUA's reporting duty feeds your breach risk assessment.
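The following is an added example, not code from the original page or from Accountable. It applies the Safe Harbor removals and the Limited Data Set exclusions described above to a constructed sample record, so the two outputs can be compared side by side, and attaches a random (not derived) study code whose key table is held apart from the released data. The field names, the sample record, and SMALL_POPULATION_ZIP3 are assumptions made for the example; the ZIP set in particular is a placeholder, not the authoritative Census list.

```python
"""Safe Harbor de-identification versus a Limited Data Set (added example)."""
import secrets
from datetime import date

# Safe Harbor allows the first three ZIP digits only when the combined area of
# all ZIPs with that prefix holds more than 20,000 people; smaller areas become
# "000". CONSTRUCTED placeholder set: verify against current Census data.
SMALL_POPULATION_ZIP3 = {"036", "059", "102", "203"}

# Direct identifiers that both Safe Harbor and a Limited Data Set must drop.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "full_face_photo",
}

# Dates an LDS may keep but Safe Harbor must reduce to the year.
DATE_FIELDS = ("dob", "admit_date", "discharge_date", "service_date", "death_date")

SAMPLE = {  # constructed record, not real data
    "name": "Jane Q. Sample", "mrn": "MRN-0012345", "ssn": "123-45-6789",
    "phone": "555-0100", "street_address": "12 Example St",
    "city": "Anytown", "state": "NY", "zip": "10201",
    "dob": date(1931, 3, 14),
    "admit_date": date(2023, 5, 2), "discharge_date": date(2023, 5, 9),
    "diagnosis_code": "I10",
}


def age_on(dob: date, as_of: date) -> int:
    """Completed years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor(record: dict, as_of: date) -> dict:
    """Copy of record with the Safe Harbor identifier classes removed or generalised.

    Safe Harbor also requires that the covered entity has no actual knowledge
    the remaining data could identify the individual; that is a judgement
    this function cannot make for you.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    # Geography smaller than a state: drop city, keep state, reduce ZIP to 3 digits.
    out.pop("city", None)
    zip3 = str(out.pop("zip", ""))[:3]
    out["zip3"] = "000" if len(zip3) < 3 or zip3 in SMALL_POPULATION_ZIP3 else zip3
    # Ages over 89 collapse into a single "90+" category.
    age = age_on(record["dob"], as_of)
    out["age"] = "90+" if age > 89 else age
    # Dates keep only the year ...
    for f in DATE_FIELDS:
        if out.get(f) is not None:
            year_field = "birth_year" if f == "dob" else f.replace("_date", "_year")
            out[year_field] = out.pop(f).year
    # ... except that a birth year would reveal an age over 89, so it goes too.
    if age > 89:
        out.pop("birth_year", None)
    return out


def limited_data_set(record: dict) -> dict:
    """Limited Data Set: direct identifiers removed; city, state, ZIP and dates kept.

    The result is still PHI and may be released only under a Data Use Agreement.
    """
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def release_safe_harbor(record: dict, as_of: date, key_table: dict) -> dict:
    """De-identify and attach a re-identification code.

    The code is random, so it is not derived from any identifier; the only
    link back to the MRN is key_table, which must be stored and access-
    controlled separately from the released data and never disclosed with it.
    """
    deid = safe_harbor(record, as_of)
    code = secrets.token_hex(8)
    key_table[code] = record["mrn"]
    deid["study_code"] = code
    return deid


if __name__ == "__main__":
    keys = {}
    print(release_safe_harbor(SAMPLE, date(2024, 1, 1), keys))
    print(limited_data_set(SAMPLE))
```

Running it on the sample shows why the two outputs differ: the LDS still carries the city, full ZIP, and exact dates of birth and admission, which is exactly why it stays PHI and needs a DUA, while the Safe Harbor output has reduced the ZIP to "000" (a placeholder small-population prefix), the age to "90+", and the dates to years.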
Authorization and IRB Waivers
A HIPAA authorization lets an individual permit the use or disclosure of their PHI for research. Core elements include a specific description of the PHI, the persons authorized to use or disclose it, the recipient(s), the purpose, an expiration date or event (for research, "end of the research study" or "none" is sufficient), and the individual's signature and date, plus required statements on the right to revoke, whether treatment or enrollment is conditioned on signing, and the potential for redisclosure by the recipient. A research authorization may be combined with the informed consent document, and it may cover future research if the description would let a reasonable person expect that their PHI could be used or disclosed for that research.
An IRB or Privacy Board may grant an Authorization Waiver (or alteration) only if it documents that: (1) the use or disclosure poses no more than minimal risk to privacy, based on an adequate plan to protect identifiers from improper use and disclosure, an adequate plan to destroy identifiers at the earliest opportunity consistent with the research (unless there is a health or research justification, or a legal requirement, to retain them), and adequate written assurances that the PHI will not be reused or disclosed to anyone else except as required by law, for authorized oversight of the study, or for other research permitted under the Privacy Rule; (2) the research could not practicably be conducted without the waiver or alteration; and (3) it could not practicably be conducted without access to and use of the PHI. Keep the waiver documentation in your study records; it must identify the board, the approval date, the criteria met, a brief description of the PHI needed, the review procedure used, and the signature of the chair or designee.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Minimum Necessary Standard in Research
When the Minimum Necessary standard applies, you must limit uses, disclosures, and requests for PHI to the smallest amount needed to accomplish the research purpose. Define role-based access, data fields, and time frames up front, and align data queries accordingly.
The Minimum Necessary standard does not apply to uses or disclosures made pursuant to an individual's authorization. It does apply to disclosures under an IRB or Privacy Board waiver, to LDS disclosures, to preparatory-to-research reviews, to decedent research, and to the requests for PHI you make as a researcher. Covered entities may reasonably rely on an IRB or Privacy Board's documentation that a request meets the Minimum Necessary requirement, so make the approved data elements, roles, and date ranges explicit in the protocol the board reviews.
Security Safeguards for PHI
For electronic PHI (ePHI), the HIPAA Security Rule requires administrative, physical, and technical Security Safeguards. Conduct a risk analysis, implement risk management, designate security responsibility, train your workforce, and manage vendors through Business Associate Agreements.
Technical controls should include unique user identification, role-based access, strong authentication, audit logs, automatic logoff, an emergency access procedure, integrity controls, and transmission security. Encrypt ePHI in transit and at rest where reasonable and appropriate: PHI encrypted to the standards in HHS's guidance (or properly destroyed) counts as "secured", so its loss or exposure is not a reportable breach, whereas an unencrypted lost laptop is. Maintain device and media controls, including sanitization before disposal or reuse, for laptops, mobile devices, and removable media.
Operationalize safeguards with data handling SOPs, periodic access reviews, incident response plans, and secure de-identification workflows. Validate that only authorized personnel can view, download, or export PHI, and monitor for anomalous activity.
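As an added example (not code from the original page or from Accountable), the block below turns the Minimum Necessary planning in the previous section and the access-control and monitoring points above into a small policy enforcement point: the protocol's approved data specification (which fields each role may see, and the encounter date window) is applied to every query, every access or refusal is written to an audit log, and a simple check over that log flags users who repeatedly request unapproved fields or pull an unusual volume. The records, role names, protocol identifier, and thresholds are constructed for the example.

```python
"""Minimum Necessary enforcement with an audit trail (added example)."""
from dataclasses import dataclass, field
from datetime import date, datetime, timezone


@dataclass(frozen=True)
class ProtocolApproval:
    """What the IRB-approved protocol allows: fields per role, and a date window."""
    protocol_id: str
    window_start: date
    window_end: date
    fields_by_role: dict  # role -> frozenset of approved data elements


@dataclass
class AuditLog:
    """Append-only record of every PHI request, granted or refused."""
    entries: list = field(default_factory=list)

    def record(self, user, role, protocol_id, fields, rows, denied):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "protocol": protocol_id,
            "fields": sorted(fields), "rows": rows, "denied": sorted(denied),
        })


class MinimumNecessaryError(PermissionError):
    """Raised when a request exceeds the protocol's approved data elements."""


def query_phi(records, approval, user, role, requested_fields, log):
    """Return only approved fields for encounters inside the approved window."""
    approved = approval.fields_by_role.get(role)
    if approved is None:
        log.record(user, role, approval.protocol_id, requested_fields, 0, requested_fields)
        raise MinimumNecessaryError(f"role {role!r} has no approved data elements")
    denied = set(requested_fields) - approved
    if denied:
        # Refuse the whole request rather than silently narrowing it, so the
        # researcher fixes the query and the over-request is visible in the log.
        log.record(user, role, approval.protocol_id, requested_fields, 0, denied)
        raise MinimumNecessaryError(f"fields not approved for {role!r}: {sorted(denied)}")
    rows = [
        {f: r[f] for f in requested_fields}
        for r in records
        if approval.window_start <= r["service_date"] <= approval.window_end
    ]
    log.record(user, role, approval.protocol_id, requested_fields, len(rows), ())
    return rows


def flag_anomalies(log, max_denials=3, max_rows=1000):
    """Users with repeated unapproved requests or an unusual cumulative row count."""
    denials, rows = {}, {}
    for e in log.entries:
        if e["denied"]:
            denials[e["user"]] = denials.get(e["user"], 0) + 1
        rows[e["user"]] = rows.get(e["user"], 0) + e["rows"]
    flagged = {}
    for u in set(denials) | set(rows):
        reasons = []
        if denials.get(u, 0) >= max_denials:
            reasons.append("repeated unapproved field requests")
        if rows.get(u, 0) > max_rows:
            reasons.append("row volume above threshold")
        if reasons:
            flagged[u] = reasons
    return flagged


# Constructed sample data: not real patients, not a real protocol number.
RECORDS = [
    {"mrn": "MRN-1", "name": "A", "service_date": date(2023, 3, 1), "diagnosis_code": "I10", "lab_a1c": 6.1},
    {"mrn": "MRN-2", "name": "B", "service_date": date(2022, 12, 31), "diagnosis_code": "E11", "lab_a1c": 8.4},
    {"mrn": "MRN-3", "name": "C", "service_date": date(2023, 6, 15), "diagnosis_code": "E11", "lab_a1c": 7.2},
]
APPROVAL = ProtocolApproval(
    protocol_id="IRB-2023-0042",
    window_start=date(2023, 1, 1), window_end=date(2023, 12, 31),
    fields_by_role={
        "analyst": frozenset({"service_date", "diagnosis_code", "lab_a1c"}),
        "coordinator": frozenset({"mrn", "name", "service_date", "diagnosis_code", "lab_a1c"}),
    },
)

if __name__ == "__main__":
    log = AuditLog()
    print(query_phi(RECORDS, APPROVAL, "alice", "analyst", ["diagnosis_code", "lab_a1c"], log))
    try:
        query_phi(RECORDS, APPROVAL, "bob", "analyst", ["name"], log)
    except MinimumNecessaryError as exc:
        print("refused:", exc)
    print(flag_anomalies(log))
```

The design choice worth noting is that an over-broad request is refused and logged rather than trimmed: trimming would hide the fact that a researcher tried to pull identifiers outside the approval, which is exactly the signal the periodic access review and anomaly monitoring need. The out-of-window encounter (MRN-2, dated 2022) is never returned regardless of role, because the date range is part of the approval, not a filter the querying user chooses.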
Record Keeping and Breach Reporting
Maintain documentation of IRB approvals, HIPAA authorizations, Authorization Waivers, Data Use Agreements, preparatory-to-research or decedent research representations, policies and procedures, and the accounting of disclosures. Disclosures made under an authorization or as part of an LDS are exempt from the accounting, but disclosures under a waiver are not; for research disclosures involving the records of 50 or more individuals, a protocol-level accounting (name of the study, its purpose, the types of PHI disclosed, the date range, and contact details) may be provided instead of an entry per disclosure. HIPAA documentation must generally be retained for six years from the date of creation or the date it was last in effect, whichever is later.
A breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI (PHI that has not been encrypted or destroyed per HHS guidance). It is presumed reportable unless a documented risk assessment, considering the nature and extent of the PHI, the unauthorized recipient, whether the PHI was actually acquired or viewed, and the extent of mitigation, shows a low probability that the PHI was compromised. If a breach occurs, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery (60 days is an outer limit, not a safe harbor); notify HHS at the same time for breaches affecting 500 or more individuals, and within 60 days after the end of the calendar year for smaller ones; and notify prominent media outlets when 500 or more residents of a state or jurisdiction are affected. A business associate must notify the covered entity without unreasonable delay and no later than 60 days after its own discovery; negotiate a shorter window in the BAA where you can, so the covered entity can meet its own deadlines.
Record your investigation, mitigation, and corrective actions, and update your safeguards to prevent recurrence. A concise, well-documented compliance posture—mapping legal pathways, applying Minimum Necessary, enforcing Security Safeguards, and planning for Breach Notification—keeps research moving while protecting participant privacy.
FAQs
What is required for HIPAA compliance in research protocols?
Identify whether PHI from a covered entity or business associate will be used; select a lawful pathway (authorization, IRB or Privacy Board waiver, preparatory-to-research, decedent research, a Limited Data Set under a Data Use Agreement, or de-identified data); apply the Minimum Necessary standard when applicable; implement Security Safeguards for ePHI; execute the needed agreements (BAAs and Data Use Agreements); and retain the required documentation and accounting of disclosures.
How can researchers use de-identified data under HIPAA?
Use the Safe Harbor method by removing 18 direct identifiers, or obtain Expert Determination that re-identification risk is very small. Once de-identified, the dataset is no longer PHI under HIPAA and may be used or shared for research, subject to any contractual or ethical commitments you have made.
What are the circumstances for obtaining an IRB waiver for PHI use?
An IRB or Privacy Board may grant a waiver when privacy risks are minimal with adequate protections and plans for timely destruction of identifiers, the research could not practicably be done without the waiver, and it could not practicably be done without access to PHI. The approval and criteria must be documented.
How should breaches of PHI be reported in research settings?
After confirming an impermissible use or disclosure of unsecured PHI and completing a documented risk assessment, notify affected individuals without unreasonable delay and no later than 60 days from discovery; notify HHS at the same time for breaches affecting 500 or more individuals and within 60 days after the end of the calendar year for smaller ones; and notify prominent media outlets if 500 or more residents of a state or jurisdiction are affected. Business associates must promptly inform the covered entity, and all remediation and notifications should be documented.