HIPAA Research Requirements: If You’re Unsure About the Particulars, Start Here



Kevin Henry

HIPAA

June 04, 2025

9 minute read

Use this guide to navigate HIPAA Research Requirements from planning through data handling. You’ll learn when HIPAA applies to research with Protected Health Information (PHI), how to meet security expectations for electronic PHI, and which data pathways—de-identified data, a Limited Data Set with a Data Use Agreement, or HIPAA Authorization—fit your study.

HIPAA Privacy Rule Conditions

When HIPAA applies to your study

HIPAA governs research uses and disclosures of PHI held by covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a HIPAA standard transaction) and their business associates. If you, your site, or your data partner is a covered entity or business associate, HIPAA's Privacy Rule sets the ground rules for accessing and using PHI in research.

Permitted pathways to access or use PHI

  • HIPAA Authorization: Obtain an individual’s signed permission describing what PHI will be used, by whom, for what purpose, and for how long.
  • IRB/Privacy Board Waiver or Alteration: An Institutional Review Board can waive or alter the authorization when strict criteria are met (details below).
  • Preparatory to Research: Review PHI on-site to design a protocol or identify potential participants, without removing PHI from the covered entity.
  • Research on Decedents’ PHI: Access is permitted with representations that the PHI is solely for research on decedents.
  • Limited Data Set with a Data Use Agreement: Receive a HIPAA Limited Data Set for research, public health, or health care operations, subject to a signed agreement.
  • De-identified Data: Use data that meet HIPAA’s de-identification standards; such data are no longer PHI.

Core Privacy Rule expectations

  • Minimum Necessary: For most disclosures and internal uses, limit PHI to the least amount needed to accomplish the research task.
  • Accountability: Retain documentation—HIPAA Authorizations, IRB approvals or waivers, Data Use Agreements, and your protocol justifying PHI elements.
  • Individual Rights: If using Authorizations, participants may revoke prospectively; you may retain and use PHI already relied upon to maintain study integrity.

Elements of a valid HIPAA Authorization

  • Specific description of PHI to be used/disclosed and by whom, to whom, and for what research purpose.
  • Expiration date or event (for example, “end of the study” or “none” for repositories as permitted).
  • Statements covering the right to revoke, potential for redisclosure by recipients, and any conditions tied to research participation.

HIPAA Security Rule Standards

Scope and intent

The Security Rule safeguards electronic PHI (ePHI). You must implement Administrative, Physical, and Technical safeguards—collectively your Electronic PHI Safeguards—to ensure confidentiality, integrity, and availability of research data.

Administrative safeguards

  • Security Management Process: Conduct and document a risk analysis, manage identified risks, apply a sanction policy, and review system activity (logs, audit trails, incident reports).
  • Assigned Security Responsibility and Workforce Security: Name a security official; authorize, supervise, and terminate workforce access to ePHI.
  • Information Access Management: Grant access to research ePHI only as the protocol and minimum necessary standard allow.
  • Security Awareness and Training, Incident Procedures, and Contingency Planning: Train the team, define how incidents are reported and handled, and maintain backup and recovery plans for research data.
  • Evaluation and Business Associate Contracts: Periodically evaluate safeguards and ensure vendors handling ePHI are bound by business associate agreements.

Physical safeguards

  • Facility Access Controls: Restrict server rooms and storage areas.
  • Workstation Use and Security: Position screens, lock devices, and prevent shoulder surfing.
  • Device and Media Controls: Govern acquisition, movement, reuse, and secure disposal of drives and portable media.

Technical safeguards

  • Access Controls: Unique user IDs, role-based access, emergency access, automatic logoff, and encryption/decryption.
  • Audit Controls and Integrity: Log access and changes; use checksums or hashing where appropriate.
  • Person/Entity Authentication: Strong authentication, preferably MFA.
  • Transmission Security: Encrypt ePHI in transit; avoid insecure channels.

Practical security tips for researchers

  • Use institution-approved storage, encryption at rest and in transit, and managed endpoints.
  • Segment research datasets; maintain access logs; review and remove stale access promptly.
  • Document your controls in the protocol’s data management and security plan.
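The access-log review in the tips above is one of the few items here a researcher can automate. The following is an added example (not code from the article or from Accountable): a periodic review over constructed log lines for a research data store, flagging approved accounts with no recent activity, accounts that appear in the log but not on the roster, and any use of a dataset outside a user's approved scope. The log format, user names, dataset names, the roster and the review date are assumptions made for illustration.

```python
"""Added example, not from the article: a periodic access review over a research
data store's access log, flagging accounts with no recent activity, accounts not
on the approved roster, and any use of a dataset outside a user's approved scope.
Log format, user names, dataset names, roster and review date are constructed."""
from datetime import datetime, timedelta

# Constructed log lines: UTC timestamp, user, dataset, action.
SAMPLE_LOG = """\
2025-05-01T09:12:03Z alice study42_lds read
2025-05-20T14:02:11Z bob study42_lds read
2025-05-22T10:40:55Z carol study42_lds export
2025-05-28T11:00:00Z eve study42_lds read
2025-05-30T08:00:00Z bob study17_raw read
"""

# Constructed roster: datasets each user is approved for under the protocol.
APPROVED = {
    "alice": {"study42_lds"},
    "bob": {"study42_lds"},
    "carol": {"study42_lds"},
    "dave": {"study42_lds"},  # approved but has never used the data
}
AS_OF = datetime(2025, 6, 4)  # review date (assumption)


def parse_log(text: str) -> list:
    """Parse the constructed log format into (timestamp, user, dataset, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dataset, action = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, dataset, action))
    return events


def review_access(events: list, approved: dict, as_of: datetime, stale_days: int = 30) -> dict:
    """Return approved accounts idle for stale_days (candidates for removal),
    users seen in the log but absent from the roster, and events touching
    datasets outside the user's approved scope."""
    last_seen = {}
    out_of_scope = []
    unrostered = set()
    for ts, user, dataset, action in events:
        last_seen[user] = max(last_seen.get(user, ts), ts)
        if user not in approved:
            unrostered.add(user)
        elif dataset not in approved[user]:
            out_of_scope.append((user, dataset, action, ts.isoformat()))
    cutoff = as_of - timedelta(days=stale_days)
    # Accounts never seen in the log sort as datetime.min and are stale too.
    stale = sorted(u for u in approved if last_seen.get(u, datetime.min) < cutoff)
    return {"stale": stale, "unrostered": sorted(unrostered), "out_of_scope": out_of_scope}


if __name__ == "__main__":
    for finding, items in review_access(parse_log(SAMPLE_LOG), APPROVED, AS_OF).items():
        print(finding, items)
```

Each finding maps to a Security Rule expectation: stale accounts go to the workforce-termination procedure, unrostered users to the information access management process, and out-of-scope reads to the incident procedure, since they may also trigger the breach risk assessment described later.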

Use of De-identified Data

Two compliant methods

  • Safe Harbor: Remove all 18 specified identifiers of the individual and of the individual's relatives, employers, and household members (for example, names; all geographic subdivisions smaller than a state, except the first three ZIP digits where that area has more than 20,000 people; all date elements except year; and ages over 89, which are aggregated to 90+), and have no actual knowledge that the remaining data could identify an individual.
  • Expert Determination: A qualified expert uses accepted methods to determine that the risk of re-identification is very small and documents the analysis.

Implications for research

Properly de-identified data are not PHI, so HIPAA’s use and disclosure restrictions no longer apply. However, ethical review, data sharing promises, and contractual limits may still govern your use.


Good practices for de-identification

  • Generalize or bin dates and ages; suppress small cell sizes; remove rare free-text details.
  • Maintain a data dictionary, transformation notes, and quality checks to preserve analytic utility.
  • Keep any re-identification key separate, access-controlled, and documented if re-linking is part of approved aims.

Limited Data Set and Data Use Agreements

What counts as a Limited Data Set

A Limited Data Set excludes direct identifiers like names, street addresses, full-face photos, Social Security numbers, and contact numbers, but may include dates (such as admission, discharge, birth, death) and certain geography (city, state, ZIP). It remains PHI and is shareable for research only with a compliant Data Use Agreement.

Essential terms in a Data Use Agreement

  • Permitted uses/disclosures and who may use/receive the data.
  • Safeguards to prevent unauthorized use, plus a commitment not to re-identify or contact individuals.
  • Downstream obligations for agents/subcontractors and return or destruction at project end.
  • Reporting duties for any noncompliance or incidents—align with your Breach Notification Policy.

When to choose a Limited Data Set

Use an LDS when you need temporal data or limited geography that Safe Harbor would remove, but do not need direct identifiers. If direct identifiers are necessary, seek HIPAA Authorization or an IRB waiver.
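The difference between the Safe Harbor method, the de-identification practices listed above, and a Limited Data Set is easiest to see on one record. The following is an added example (not code from the article or from Accountable) that applies both transformations to a constructed patient record, keeps a keyed pseudonym for the separately held re-identification key, and suppresses small cells in a released count table. The record, field names, ZIP3 population table, HMAC key and suppression threshold are assumptions made for illustration; the 20,000-population rule for three-digit ZIPs and the 90+ age bucket are the Safe Harbor rules themselves.

```python
"""Added example, not from the article: applying the Safe Harbor method and
building a Limited Data Set from the same record, plus a keyed pseudonym for
the separately held re-identification key and small-cell suppression. The
record, field names, ZIP population table and key are constructed."""
import hashlib
import hmac
from datetime import date

# Constructed patient record with direct identifiers present.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0042",
    "ssn": "123-45-6789",
    "phone": "555-0100",
    "email": "jane@example.invalid",
    "street": "1 Example Way",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "dob": date(1930, 5, 17),
    "admit_date": date(2024, 3, 2),
    "discharge_date": date(2024, 3, 9),
    "diagnosis": "I10",
}
AS_OF = date(2024, 3, 2)  # reference date for age computation (assumption)

# Direct identifiers removed by both methods (field names are assumptions).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "street"}

# Safe Harbor keeps the first three ZIP digits only when that ZIP3 area has
# more than 20,000 people; otherwise the value becomes "000". Constructed table.
ZIP3_POPULATION = {"627": 250_000, "036": 12_000}


def safe_harbor_zip(zip5: str, zip3_population: dict = ZIP3_POPULATION) -> str:
    zip3 = zip5[:3]
    return zip3 if zip3_population.get(zip3, 0) > 20_000 else "000"


def safe_harbor_age(dob: date, as_of: date) -> str:
    """Age in years; ages 90 and over are aggregated into a single '90+' bucket."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else str(age)


def safe_harbor(record: dict, as_of: date) -> dict:
    """Safe Harbor copy: drop direct identifiers and sub-state geography other
    than ZIP3, keep only the year of any date, bucket ages, truncate ZIP."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field == "city":
            continue
        if field == "dob":
            out["age"] = safe_harbor_age(value, as_of)
        elif isinstance(value, date):
            out[field.replace("_date", "_year")] = value.year
        elif field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        else:
            out[field] = value
    return out


def limited_data_set(record: dict) -> dict:
    """LDS copy: strip direct identifiers but keep full dates and city/state/ZIP.
    This is still PHI and may only be shared under a Data Use Agreement."""
    return {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIERS}


def pseudonym(mrn: str, key: bytes) -> str:
    """Keyed pseudonym for approved re-linking. The key stays with the custodian
    of the re-identification key, never in the research dataset."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def suppress_small_cells(counts: dict, threshold: int = 11) -> dict:
    """Replace counts below the threshold with None so rare combinations in a
    released table cannot single out one person (threshold is a policy choice)."""
    return {cell: (n if n >= threshold else None) for cell, n in counts.items()}


if __name__ == "__main__":
    print("Safe Harbor:", safe_harbor(SAMPLE_RECORD, AS_OF))
    print("Limited Data Set:", limited_data_set(SAMPLE_RECORD))
    print("Pseudonym:", pseudonym(SAMPLE_RECORD["mrn"], b"custodian-held-key"))
```

Run it and compare the two outputs: the Safe Harbor copy has lost the city, the exact dates and the exact age, which is why an LDS is chosen when the analysis needs them. The HMAC pseudonym is deterministic for a given key, so records from later extracts link without the MRN ever leaving the covered entity; rotating or losing the key breaks that link, which is the intended failure mode.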

IRB Waiver of Authorization

Role of the Institutional Review Board

An Institutional Review Board (or Privacy Board) may approve a waiver or alteration of HIPAA Authorization if strict privacy safeguards are in place and the research cannot practicably proceed otherwise.

Criteria the IRB must document

  • Minimal risk to privacy with: a plan to protect identifiers, a plan to destroy them at the earliest opportunity consistent with the research, and written assurances that PHI will not be reused or disclosed except as required by law, for oversight of the research, or for other permitted research.
  • Research could not practicably be conducted without the waiver or alteration.
  • Research could not practicably be conducted without access to and use of the specific PHI requested.

Documentation and scope

  • Board identity, approval date, and signature of the chair/designee.
  • Statement that criteria were met and description of the PHI elements approved under the minimum necessary standard.
  • Partial waivers are common for recruitment or screening; full waivers support retrospective chart reviews or registry linkages.

Screening and recruitment under HIPAA

  • Within a covered entity, clinicians may discuss studies with their own patients; researchers may review PHI on-site “preparatory to research” without removing PHI.
  • External researchers typically need a partial IRB waiver to receive limited PHI for initial contact, or the covered entity must perform outreach on their behalf.

Combining HIPAA Authorization with informed consent

You may combine the HIPAA Authorization with the study's informed consent in a single document when permitted, clearly distinguishing conditioned elements (required for participation) from unconditioned, optional ones (for example, future use of data or re-contact), with a separate opt-in for the optional ones. State any conditions tied to participation and how revocation works.

  • Use e-consent platforms approved by your institution; maintain audit trails and identity verification steps.
  • Provide concise, plain-language disclosures about privacy, data sharing, and retention to reduce participant burden.

Recruitment records to maintain

  • Screening logs documenting minimum necessary access.
  • Signed HIPAA Authorizations or IRB waiver documentation.
  • Copies of all participant communications and versions of consent materials.

Training and Breach Notification Requirements

Workforce training essentials

  • Train all team members on the Privacy Rule, Security Rule, and your Breach Notification Policy at onboarding and regularly thereafter.
  • Cover practical do’s and don’ts: secure storage, approved devices, data sharing limits, and incident reporting routes.
  • Keep rosters, curricula, and completion dates; retrain after policy or system changes.

Breach Notification Rule—what to do if something goes wrong

  • Act quickly: contain the incident, preserve logs, notify your privacy/security officials, and involve business associates if relevant.
  • Conduct the required four-factor risk assessment to determine if PHI was compromised.
  • If notification is required, inform affected individuals without unreasonable delay and no later than 60 calendar days after discovery; notify HHS within the same 60 days for breaches affecting 500 or more individuals (smaller breaches are logged and reported to HHS annually), and notify prominent media outlets when more than 500 residents of a state or jurisdiction are affected.
  • Document decisions and remediation; update controls to prevent recurrence.

Key takeaways

  • Map your data pathway early: de-identified, Limited Data Set with a Data Use Agreement, Authorization, or IRB waiver.
  • Apply minimum necessary and document every decision affecting PHI.
  • Implement proportionate Electronic PHI Safeguards and keep your team trained and accountable.

FAQs

What are the key HIPAA research requirements?

You need a lawful pathway to access or use PHI (HIPAA Authorization, IRB waiver/alteration, Limited Data Set with a Data Use Agreement, de-identified data, decedents, or preparatory to research), must apply the minimum necessary standard, and must safeguard ePHI with administrative, physical, and technical controls. Keep thorough documentation and train your team.

How does an IRB waive HIPAA authorization?

An Institutional Review Board (or Privacy Board) may grant a waiver or alteration when it documents that privacy risks are minimal with adequate protections and destruction plans, the research cannot practicably proceed without the waiver and without PHI access, and only the minimum necessary PHI will be used. The approval must be recorded and signed.

What constitutes a limited data set under HIPAA?

A Limited Data Set excludes direct identifiers (for example, names, full addresses, contact numbers, SSNs, full-face photos) but may include certain dates and limited geography such as city, state, or ZIP code. Because an LDS is still PHI, you may use or receive it for research only with a compliant Data Use Agreement.

How should researchers handle a PHI breach during research?

Immediately contain the incident, alert your privacy/security officials, and start the four-factor risk assessment. If a breach is confirmed, notify affected individuals without unreasonable delay and no later than 60 days after discovery, report to HHS (and the media for breaches affecting more than 500 residents of a state or jurisdiction), and document remediation. Update your Breach Notification Policy and controls to prevent recurrence.
