HIPAA Research Exemptions Explained: What Qualifies and When Authorization Is Not Required
Understanding HIPAA research exemptions helps you determine when you may use or disclose Protected Health Information (PHI) without obtaining individual authorization. Under the HIPAA Privacy Rule, certain pathways—like IRB waivers, de-identified health data, limited data sets with a Data Use Agreement, publicly available information, and decedent-only research—permit research while protecting privacy. This guide clarifies what qualifies and how to document each route.
HIPAA Authorization Requirement
By default, the HIPAA Privacy Rule requires a valid HIPAA authorization to use or disclose PHI for research. A valid authorization describes the PHI to be used or disclosed, names who may disclose it and who may receive it, states the purpose, sets an expiration date or event, is signed and dated by the individual, and carries the required statements about the right to revoke, whether treatment or enrollment is conditioned on signing, and the potential for redisclosure by the recipient. Uses and disclosures made under a valid authorization are not subject to the "minimum necessary" standard; the PHI pathways below (waiver, preparatory review, decedent research, limited data sets) are.
When authorization is not required
Authorization is not required if your activity fits one of these HIPAA research exemptions, each discussed in later sections:
- IRB or Privacy Board Waiver of Authorization (full or partial).
- Use of de-identified health data (no longer PHI).
- Use or disclosure of a Limited Data Set under a Data Use Agreement.
- Research solely on decedent information with required representations.
- Use of publicly available data that does not include PHI from a covered entity.
Preparatory to research (distinct from a waiver)
You may review PHI to design a protocol or assess feasibility without an authorization or waiver if you represent to the covered entity that: (1) the use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research, (2) no PHI will be removed from the covered entity by the researcher, and (3) the PHI sought is necessary for the research. The review takes place on the covered entity's premises or systems, and the covered entity applies the minimum necessary standard to what it makes available. Because identifiers may not leave the covered entity, an outside researcher cannot use this pathway to carry away a contact list; recruitment by outside researchers normally runs on a partial waiver or an authorization.
Waiver of Authorization
An Institutional Review Board (IRB) or Privacy Board may approve a waiver or alteration of authorization when strict criteria are met. A partial waiver can permit recruitment or records review while requiring authorization for subsequent interventions.
Authorization Waiver Criteria
- Minimal privacy risk: the use or disclosure involves no more than minimal risk to privacy, shown by (a) an adequate plan to protect identifiers from improper use and disclosure, (b) an adequate plan to destroy identifiers at the earliest opportunity consistent with the research, unless there is a health or research justification for retaining them or retention is required by law, and (c) adequate written assurances that the PHI will not be reused or disclosed to anyone else except as required by law, for authorized oversight of the study, or for other research that HIPAA would permit.
- Impracticability without waiver: The research could not practicably be conducted without the waiver or alteration.
- Impracticability without PHI: The research could not practicably be conducted without access to and use of the PHI requested.
Documentation and scope
The IRB/Privacy Board documents the waiver in writing: the identity of the board, the date of approval, a statement that the waiver criteria are satisfied, a brief description of the PHI for which use or access is determined necessary, whether the decision was made under normal or expedited review, and the signature of the chair or a designated member. The covered entity then discloses only the PHI described in that documentation, and only the minimum necessary for the approved research purpose.
Use of De-identified Data
De-identified health data are not PHI and are outside the HIPAA Privacy Rule. You can obtain de-identified data by either Safe Harbor or Expert Determination methods.
Safe Harbor
Safe Harbor requires removal of 18 identifiers of the individual and of the individual's relatives, employers, and household members: names; all geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalent geocodes), except that the first three digits of a ZIP code may remain when the area sharing that prefix contains more than 20,000 people and must otherwise become 000; all elements of dates except the year (birth, admission, discharge, death), plus any age over 89 and any date element that would reveal it, which may be reported only as a single "90 or older" category; telephone and fax numbers; email addresses; Social Security, medical record, health plan beneficiary, account, and certificate/license numbers; vehicle identifiers and serial numbers, including license plates; device identifiers and serial numbers; URLs; IP addresses; biometric identifiers such as finger and voice prints; full-face photographs and comparable images; and any other unique identifying number, characteristic, or code. The covered entity must also have no actual knowledge that the remaining information could be used, alone or with other information, to identify the individual.
Expert Determination
A person with appropriate knowledge of and experience with statistical and scientific methods for rendering information not individually identifiable determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual, and documents the methods and results that justify that determination. Because the expert can weigh the actual recipient and data environment, this approach can retain more data utility (full dates, finer geography) than Safe Harbor while meeting the same privacy-risk threshold.
Re-identification codes
A covered entity may assign a code to de-identified records so it can re-identify them later, provided the code is not derived from or related to information about the individual (an encrypted or hashed MRN or SSN is derived from that information and does not qualify; a random value mapped to the individual in a separately held key table does), the covered entity does not use or disclose the code for any other purpose, and it does not disclose the re-identification mechanism. If you later re-identify individuals, the result is PHI again and every HIPAA requirement reattaches.
Limited Data Set and Data Use Agreements
A Limited Data Set (LDS) is PHI from which 16 direct identifiers have been removed; it may still include dates and limited geography (city, state, and ZIP code). Because an LDS remains PHI, its use and disclosure stay regulated: the Privacy Rule permits them for research without individual authorization, but only under an executed Data Use Agreement (DUA) with the recipient, and the minimum necessary standard applies.
What may remain in an LDS
- Dates (admission, discharge, service, birth, death).
- City, state, and ZIP code (not street address).
- Ages, including ages over 89, and any other data element that is not one of the 16 direct identifiers below.
Prohibited direct identifiers (must be removed)
- Names; postal address information other than city, state, and ZIP code; telephone and fax numbers; email addresses.
- Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate and license numbers.
- Vehicle identifiers and serial numbers, including license plates; device identifiers and serial numbers; URLs; IP addresses; biometric identifiers (finger and voice prints); full-face photographs and comparable images.
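The two transformations above (Safe Harbor de-identification and Limited Data Set preparation) differ in exactly which fields survive, and the difference is easy to get wrong in practice. The following Python is an added example, not code from this article or from any vendor; it assumes the record column names shown in its constructed sample data (fictional people), takes the 17 sparse three-digit ZIP prefixes from HHS's de-identification guidance (2000 Census data, to be re-derived from current data before use), and uses a fixed reference date for age calculation. It also shows a re-identification code that is random rather than derived from the MRN, and a checker that reports why an LDS is not a de-identified dataset.

```python
import secrets
from datetime import date

# Constructed sample records (fictional people; not real patient data).
SAMPLE_RECORDS = [
    {"name": "Jane Q. Public", "mrn": "MRN-00123", "ssn": "123-45-6789",
     "email": "jqp@example.org", "phone": "555-0100", "street": "12 Elm St",
     "city": "Springfield", "state": "MA", "zip": "01101",
     "dob": date(1931, 4, 9), "admit_date": date(2023, 2, 14),
     "discharge_date": date(2023, 2, 20), "ip": "203.0.113.7", "diagnosis": "I10"},
    {"name": "John Doe", "mrn": "MRN-00777", "ssn": "987-65-4321",
     "email": "jd@example.net", "phone": "555-0199", "street": "9 Oak Ave",
     "city": "Island Pond", "state": "VT", "zip": "05901",
     "dob": date(1985, 12, 1), "admit_date": date(2024, 6, 3),
     "discharge_date": date(2024, 6, 5), "ip": "198.51.100.20", "diagnosis": "E11.9"},
]

# The 16 direct identifiers an LDS must exclude (45 CFR 164.514(e)(2)), mapped to
# the column names used in the constructed records above (assumed schema).
DIRECT_IDENTIFIERS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_no", "license_no", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
}
DATE_FIELDS = ("dob", "admit_date", "discharge_date", "death_date")

# Safe Harbor ZIP rule: a 3-digit prefix covering 20,000 or fewer people becomes "000".
# These 17 prefixes are the ones HHS guidance lists from the 2000 Census; re-derive
# from current Census data before relying on them in production.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
               "823", "830", "831", "878", "879", "884", "890", "893"}

# Fixed reference date for age computation (assumption, so results are reproducible).
REFERENCE_DATE = date(2024, 12, 31)


def limited_data_set(record):
    """Strip the 16 direct identifiers; dates, city/state/ZIP and ages stay (still PHI)."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record, as_of=REFERENCE_DATE):
    """Safe Harbor de-identification (45 CFR 164.514(b)(2)) of one record.

    Starts from the LDS, then also drops geography below state level (except the
    3-digit ZIP), reduces dates to years, and caps age at "90+". The rule's
    "no actual knowledge" condition is a human judgement this code cannot make.
    """
    out = limited_data_set(record)
    out.pop("city", None)
    zip3 = out.pop("zip", "")[:3]
    if zip3:
        out["zip3"] = "000" if zip3 in SPARSE_ZIP3 else zip3
    # Compute age before discarding the birth date; ages over 89 collapse to "90+".
    dob = record.get("dob")
    over_89 = False
    if dob is not None:
        age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
        over_89 = age > 89
        out["age"] = "90+" if over_89 else age
    for field in DATE_FIELDS:
        d = out.pop(field, None)
        # Keep only the year, and not even that for a birth date revealing age > 89.
        if d is not None and not (field == "dob" and over_89):
            out[field + "_year"] = d.year
    return out


def assign_reid_code(deid_record, key_table, source_mrn):
    """Attach a re-identification code permitted by 45 CFR 164.514(c).

    The code is random, so it is not derived from the individual's data (a hash of
    the MRN would be); the code->MRN map lives in key_table, which the covered
    entity holds separately and never discloses with the dataset.
    """
    code = secrets.token_hex(8)
    key_table[code] = source_mrn
    return {**deid_record, "reid_code": code}


def residual_identifiers(record):
    """Checker: fields still present that Safe Harbor forbids (empty list = clean)."""
    bad = [k for k in record if k in DIRECT_IDENTIFIERS or k in DATE_FIELDS or k == "city"]
    if len(str(record.get("zip", ""))) > 3:
        bad.append("zip")
    return bad


if __name__ == "__main__":
    key_table = {}
    for rec in SAMPLE_RECORDS:
        deid = assign_reid_code(safe_harbor(rec), key_table, rec["mrn"])
        print("LDS:        ", limited_data_set(rec), "residual:", residual_identifiers(limited_data_set(rec)))
        print("Safe Harbor:", deid, "residual:", residual_identifiers(deid))
    print("key table (held separately by the covered entity):", key_table)
```

Running the checker on the LDS output is the point of the example: the LDS still carries city, a five-digit ZIP and full dates, so it is PHI and needs a DUA, while the Safe Harbor output of the same record reports no residual identifiers. The 93-year-old record loses even her birth year, and the Vermont record's sparse 059 prefix becomes 000.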
Data Use Agreement essentials
- The permitted uses and disclosures of the LDS, and who may use or receive it.
- The recipient's agreement not to use or further disclose the data except as the DUA permits or as required by law, and not to identify the information or contact the individuals.
- The recipient's agreement to use appropriate safeguards, to report to the covered entity any use or disclosure not provided for by the DUA of which it becomes aware, and to bind any agents or subcontractors to the same restrictions.
- Retention limits and return-or-destruction terms are common additions; the Privacy Rule requires them in business associate agreements, not in DUAs, so include them by contract if you want them.
Publicly Available Data for Research
Publicly available information that does not include PHI from a covered entity is not regulated by HIPAA. Examples include published, aggregate health statistics or open datasets released without identifiers under public records laws.
Be careful: data scraped from public forums or news articles may still implicate other legal or ethical requirements. HIPAA applies only to PHI held by covered entities and their business associates; data that never involved PHI is outside HIPAA, though other rules may apply.
Decedent Information and HIPAA
You may use or disclose PHI for research solely on decedents without authorization or waiver if you provide required representations to the covered entity:
- The use or disclosure is sought solely for research on decedents’ information.
- The PHI requested is necessary for the research.
- At the entity’s request, documentation of death for the individuals whose records are sought.
Remember the 50-year rule: health information is no longer PHI beginning 50 years after an individual’s death. If a dataset inadvertently includes living individuals, HIPAA protections for those records still apply.
Researcher Affiliation and HIPAA Applicability
HIPAA governs covered entities (health plans, most health care providers transmitting standard transactions, and health care clearinghouses) and their business associates. Researchers working within these organizations—or receiving PHI from them—must follow the HIPAA Privacy Rule. Hybrid entities may designate health care components where HIPAA applies.
Independent researchers with no access to PHI from a covered entity may be outside HIPAA, though they may still be subject to other regulations (for example, the Common Rule) and institutional policies. Coordinate early with your Institutional Review Board and the covered entity’s privacy office to select the correct pathway: authorization, waiver, de-identified data, or a Limited Data Set with a Data Use Agreement.
Key takeaways
- Start by identifying whether your data are PHI and whether a covered entity is involved.
- When PHI is needed, pursue IRB/Privacy Board waiver only if criteria are satisfied and minimum necessary is enforced.
- Prefer de-identified data or an LDS with a DUA to reduce privacy risk and administrative burden.
- Use decedent-only and preparatory pathways where appropriate, with required representations and safeguards.
FAQs
What criteria must be met to obtain a waiver of HIPAA Authorization?
An IRB or Privacy Board must determine that: (1) the use/disclosure involves no more than minimal privacy risk with adequate protection, timely destruction, and assurances against misuse; (2) the research could not practicably be conducted without the waiver or alteration; and (3) it could not practicably be conducted without the specific PHI requested. The disclosure must also be limited to the minimum necessary.
When is a Data Use Agreement required for research?
A Data Use Agreement is required whenever a Limited Data Set is used or disclosed for research. Because an LDS still contains PHI (for example, dates and city-level geography), the DUA sets the permitted uses and recipients, prohibits re-identification and contacting individuals, requires appropriate safeguards, and requires the recipient to report any use or disclosure the agreement does not permit. With a DUA in place, individual authorization is not required for the LDS.
How does de-identified data relieve researchers from HIPAA restrictions?
Once data are properly de-identified under Safe Harbor or Expert Determination, they are no longer PHI, so HIPAA’s use and disclosure rules do not apply. You may analyze, share, and publish the dataset without HIPAA authorization or a DUA, though ethical norms, data use policies, or other laws may still govern your work.
Can research on decedent information be conducted without HIPAA authorization?
Yes. Research solely on decedents’ PHI may proceed without authorization or waiver if you represent to the covered entity that the research is solely about decedents, the PHI requested is necessary, and, if asked, you provide documentation of death. After 50 years post-death, the information is no longer PHI under HIPAA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.