HIPAA Research Compliance: Rules, PHI Use, and IRB Waivers Explained
HIPAA Privacy Rule in Research
What HIPAA covers
The HIPAA Privacy Rule governs the use and disclosure of Protected Health Information (PHI) by covered entities (health care providers that conduct standard transactions electronically, health plans, and health care clearinghouses) and their business associates. PHI is individually identifiable health information, in any form or medium, that such an entity creates or receives and that relates to an individual's past, present, or future health condition, the care provided, or payment for that care. If you obtain PHI from a covered entity for research, the use or disclosure must fit one of the pathways the Rule provides for research.
Permitted pathways for research
- Research Subject Authorization: the individual’s signed permission describing what PHI will be used, by whom, for what purpose, and when it expires.
- Authorization Waiver or alteration approved by an Institutional Review Board (IRB) or a Privacy Board when criteria are met.
- Limited Data Set disclosed under a Data Use Agreement (DUA) for research, public health, or health care operations.
- De-identified Data, which are not PHI once properly de-identified.
- Preparatory to research reviews to design a study or assess feasibility (without removing PHI offsite).
- Research solely on decedents’ information with required representations.
Authorization basics
A valid Research Subject Authorization is written in plain language and identifies the PHI to be used or disclosed in a specific and meaningful way, the purpose, who may disclose it and who may receive it, an expiration date or event (for research, "end of the research study" or "none" is acceptable), and the individual's right to revoke in writing, together with any exceptions to that right. It also states that PHI disclosed under the authorization may be redisclosed by a recipient that is not covered by HIPAA, and it must be signed and dated by the individual or a personal representative. Uses and disclosures made under an authorization are exempt from the "minimum necessary" standard; those made under the other pathways (a waiver, a Limited Data Set, a preparatory review) are not.
Safeguards and accountability
When using PHI for research, apply administrative, physical, and technical safeguards proportional to risk. Limit access to authorized staff, log disclosures when required, and retain HIPAA documentation (authorizations, waivers, DUAs) per institutional recordkeeping policies.
Use of De-identified Health Information
Two paths to de-identification
- Expert Determination: a qualified expert applies accepted statistical or scientific principles and documents that the risk of re-identification is very small.
- Safe Harbor: remove the 18 listed identifiers of the individual and of the individual's relatives, employers, and household members: names; all geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code), except that the first three digits of a ZIP code may be kept where the area sharing those three digits has more than 20,000 people (otherwise use 000); all elements of dates except the year that relate directly to the individual (birth, admission, discharge, death), with all ages over 89 collapsed into a single 90-or-older category; telephone and fax numbers; email addresses; Social Security, medical record, health plan beneficiary, account, certificate, and license numbers; vehicle and device identifiers and serial numbers; URLs and IP addresses; biometric identifiers such as fingerprints and voiceprints; full-face photographs and comparable images; and any other unique identifying number, characteristic, or code. The covered entity must also have no actual knowledge that the remaining information, alone or combined with other data, could identify the individual.
Coded data considerations
You may assign a code to de-identified data to permit later re-linkage, provided the code is not derived from or related to information about the individual and cannot otherwise be translated to identify the person (a random study number qualifies; an unkeyed hash of the medical record number does not), the covered entity uses and discloses the code for no other purpose, and it keeps the re-identification key and mechanism to itself so that the recipient has no means to re-identify anyone. Properly de-identified data are not PHI and may be used or shared for research without HIPAA authorization, although the Common Rule, institutional policy, and the terms of any agreement may still apply.
Practical tips
- Document the chosen de-identification method and who performed it.
- Audit sample records to confirm no residual identifiers persist in notes or images.
- Use an honest broker or data trustee when re-linkage may later be required.
Limited Data Set
What it includes—and excludes
A Limited Data Set is PHI stripped of direct identifiers (such as names; street addresses; phone, email, or Social Security numbers; medical record numbers; and full-face images) but may retain dates (e.g., admission, discharge, death), city, state, ZIP code, age, and other non-direct identifiers. Because it remains PHI, disclosures must meet HIPAA’s conditions for a Limited Data Set.
Data Use Agreement essentials
A Data Use Agreement is mandatory and must specify permitted uses and disclosures, who may receive and use the data, safeguards to prevent unauthorized use, a prohibition on re-identification or contact with individuals, reporting of any misuse, and downstream obligations for agents or subcontractors. A DUA enables disclosure of a Limited Data Set without an authorization or waiver, but only for research, public health, or operations.
Operational pointers
- Treat the Limited Data Set as PHI: apply minimum necessary access and strong security controls.
- Map each variable to confirm it is allowable (e.g., keep year-level dates unless justified).
- Ensure recipients understand they cannot attempt re-identification or outreach to individuals.
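The following Python script is an added example, not code from the original page or from Accountable. It applies the Safe Harbor rules from the de-identification section and the Limited Data Set cut from this section to one constructed sample record, audits free-text notes for residual identifiers (the practical tip above), and attaches a re-identification code that is not derived from PHI. The field names, the small-population ZIP prefix set, the reference date, and the sample record are assumptions for illustration; a real deployment maps its own schema onto the identifier lists and loads the current Census-derived ZIP table.

```python
import re
import secrets
from datetime import date

# Field names are assumptions for this example; map your own schema onto them.
# The 16 direct identifiers that both a Limited Data Set and Safe Harbor remove.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "face_photo",
}
# Date elements a Limited Data Set may keep in full but Safe Harbor reduces to year.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Safe Harbor keeps a 3-digit ZIP prefix only if that area has more than 20,000
# people; otherwise it becomes "000". Constructed placeholder set for this example.
SMALL_POPULATION_ZIP3 = {"036", "059", "102", "203"}
# Identifier-like strings that leak into free-text notes (illustrative, not exhaustive).
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "full_date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
}
AS_OF = date(2024, 1, 15)  # constructed reference date for the age calculation
SAMPLE = {  # constructed sample record, not real data
    "mrn": "000123456", "name": "Jane Q. Sample", "ssn": "123-45-6789",
    "email": "jane@example.org", "street_address": "12 Elm St",
    "city": "Springfield", "state": "IL", "zip": "62704",
    "dob": "1931-02-10", "admit_date": "2023-04-17", "discharge_date": "2023-04-20",
    "diagnosis": "I10",
    "notes": "Pt's daughter (555-867-5309) to be called on 04/21/2023.",
}

def scan_free_text(text, labels=tuple(RESIDUAL_PATTERNS)):
    """Audit step: list (label, match) for identifier-like strings in free text."""
    return [(label, m.group(0)) for label in labels
            for m in RESIDUAL_PATTERNS[label].finditer(text)]

def redact_free_text(text, labels):
    """Replace every scan hit with a marker; return (clean_text, findings) for review."""
    findings = scan_free_text(text, labels)
    for _, hit in findings:
        text = text.replace(hit, "[REDACTED]")
    return text, findings

def limited_data_set(record):
    """Strip direct identifiers from structured fields and from free text.
    Dates, city, state, ZIP and age remain, so the result is still PHI and
    may only leave the covered entity under a Data Use Agreement."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    findings = []
    if "notes" in out:
        out["notes"], findings = redact_free_text(out["notes"], ("ssn", "phone", "email"))
    return out, findings

def safe_harbor(record, as_of):
    """Apply the Safe Harbor rules on top of the Limited Data Set cut.
    Returns (deidentified_record, findings); findings are free-text hits
    that were redacted and should still be reviewed by a person."""
    out, findings = limited_data_set(record)
    # Ages over 89 collapse into "90+", and no date element (including the
    # birth year) may remain that would reveal such an age.
    if "dob" in out:
        dob = date.fromisoformat(out["dob"])
        age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
        if age > 89:
            out["age"] = "90+"
            del out["dob"]
        else:
            out["age"] = age
    for field in out.keys() & DATE_FIELDS:   # every remaining date keeps only its year
        out[field] = str(out[field])[:4]
    out.pop("city", None)                     # nothing smaller than a state ...
    if "zip" in out:                          # ... except a qualifying 3-digit ZIP prefix
        zip3 = str(out["zip"])[:3]
        out["zip"] = "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3
    if "notes" in out:
        out["notes"], more = redact_free_text(out["notes"], ("full_date",))
        findings.extend(more)
    return out, findings

def assign_reid_code(deid_record, source_mrn, key_store):
    """Attach a re-identification code that is not derived from PHI.
    The code is a random token; the code->MRN mapping goes into key_store,
    which the disclosing covered entity retains and never ships with the data.
    An unkeyed hash of the MRN would not qualify: it is derived from PHI and
    the MRN space is small enough to enumerate."""
    code = secrets.token_hex(8)
    key_store[code] = source_mrn
    return {**deid_record, "study_code": code}

if __name__ == "__main__":
    key_store = {}  # stays with the covered entity
    deid, findings = safe_harbor(SAMPLE, AS_OF)
    print("Limited Data Set:", limited_data_set(SAMPLE))
    print("Safe Harbor:", assign_reid_code(deid, SAMPLE["mrn"], key_store), findings)
    print("Key (held separately):", key_store)
```

The free-text scan is the part most often skipped in practice: structured fields are easy to drop, but a phone number in a nursing note survives every column-level filter, and a Limited Data Set that still carries it is not a Limited Data Set. Treat the findings list as a review queue rather than as proof of cleanliness, since regular expressions will not catch a name written in prose.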
Waiver of HIPAA Authorization
When a waiver is appropriate
An Authorization Waiver allows use or disclosure of PHI for research without obtaining each subject’s signed permission. It is commonly used for retrospective chart reviews, registry linkages, or feasibility queries where contacting every individual is impracticable and privacy risks can be minimized.
Required documentation
- IRB or Privacy Board approval noting whether the waiver is full or partial (or an alteration).
- A statement that HIPAA waiver criteria are satisfied and that the PHI requested is the minimum necessary.
- A description of the PHI to be used/disclosed, approved recipients, and any safeguards or data destruction timelines.
- Approval date and signature of the chair or designee, plus any conditions of approval.
Covered entities rely on this documentation to permit disclosures and to meet any accounting obligations for disclosures without authorization.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Criteria for Waiver Approval
Core HIPAA criteria
- Minimal risk to privacy: based on an adequate plan to protect identifiers from improper use or disclosure, a plan to destroy identifiers at the earliest opportunity consistent with research needs, and written assurances that PHI will not be reused or disclosed except as required by law, for oversight, or for other permitted research.
- Impracticability without a waiver: the research could not be practicably conducted without the waiver or alteration.
- Impracticability without PHI: the research could not be practicably conducted without access to and use of the requested PHI.
Applying the minimum necessary
The IRB or Privacy Board evaluates whether requested elements are limited to what is reasonably necessary. Expect to justify each data field, cohort definition, time window, and recipient list, and to align safeguards with data sensitivity.
Partial Waiver of Authorization
What “partial” means
A partial waiver permits a limited use or disclosure of PHI for a specific step rather than for the whole study, most often to review records to identify potential participants and to obtain the contact information needed to approach them. An alteration, which the IRB or Privacy Board documents under the same criteria, changes one or more required elements of the authorization itself (for example, altering how the authorization is obtained or documented during recruitment). Both are narrower than a full waiver and do not replace the authorization that participants later sign.
Boundaries and examples
- Permitted: cohort pre-screening in the electronic health record using limited identifiers and sending invitations through the covered entity.
- Permitted: accessing contact fields solely to request Research Subject Authorization from individuals.
- Not permitted: broad, indefinite reuse of PHI beyond the specific partial waiver scope or disclosure to unaffiliated parties not listed in the approval.
Once participants provide a full authorization, subsequent uses should follow that authorization rather than the partial waiver.
IRB's Role in HIPAA Compliance
IRB and Privacy Board functions
An Institutional Review Board may also serve as a Privacy Board for HIPAA purposes. In that capacity, it reviews and documents waivers or alterations of authorization, confirms minimum necessary access, and ensures that privacy safeguards and destruction plans are credible and proportional to risk.
What IRBs typically review
- Data mapping: precise PHI elements requested, data sources, time frames, and recipients.
- Justification: why the study cannot practicably proceed without PHI or without a waiver.
- Safeguards: storage, retention, access controls, encryption, and breach response.
- Alternatives: feasibility of De-identified Data or a Limited Data Set with a Data Use Agreement.
- Documentation: waiver determinations, recruitment procedures, and any required disclosures or accounting processes.
Multi-site studies
For multi-site projects, a single IRB may oversee human subjects review, while each covered entity remains responsible for HIPAA-compliant disclosures. Reliance agreements should clearly allocate Privacy Board responsibilities and define how waivers, DUAs, and data flows are documented and audited.
Conclusion
HIPAA research compliance hinges on selecting the right pathway—Research Subject Authorization, Authorization Waiver, Limited Data Set, or De-identified Data—and proving minimum necessary use with robust safeguards. An IRB or Privacy Board provides independent assurance that privacy risks are minimized and documentation is complete, enabling ethical, lawful, and efficient research.
FAQs.
What are the conditions for waiver of HIPAA authorization in research?
An IRB or Privacy Board may approve a waiver when: (1) the use or disclosure of PHI poses no more than minimal risk to privacy, supported by a plan to protect and destroy identifiers and assurances against reuse; (2) the research could not practicably be conducted without the waiver; and (3) the research could not practicably be conducted without access to and use of the requested PHI. The determination must also reflect the minimum necessary standard.
How does an IRB review HIPAA compliance?
The IRB (or Privacy Board) verifies the HIPAA pathway, maps requested PHI to study aims, applies the waiver criteria if applicable, confirms minimum necessary access, evaluates technical and administrative safeguards, and documents its findings and conditions. It also checks for appropriate use of a Limited Data Set with a Data Use Agreement or the availability of De-identified Data.
What is the difference between a full and partial waiver of authorization?
A full waiver permits the use or disclosure of PHI for the research without obtaining any individual authorizations. A partial waiver authorizes only a limited use, such as record review to identify and contact prospective participants, and an alteration changes specific required elements of the authorization. Both are narrow and bound in time and scope to what is necessary for recruitment or for the specific step approved.
How can research subjects revoke their HIPAA authorization?
Individuals may revoke a Research Subject Authorization at any time by submitting a written request to the covered entity or study team identified in the authorization. Revocation stops new uses and disclosures, but information already used or disclosed in reliance on the authorization may continue to be used as needed to maintain study integrity, comply with law, or meet oversight and recordkeeping obligations.