HIPAA’s Definition of Research: Activities Related to Development, Testing, and Evaluation
Understanding HIPAA’s definition of research helps you determine when activities involving Protected Health Information (PHI) trigger Privacy Rule compliance. The Privacy Rule (45 CFR 164.501) defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” Because the definition names development, testing, and evaluation explicitly, your prototypes, pilots, and validations may be subject to research requirements.
This guide explains the investigation principles that shape research, how development, testing, and evaluation fit under HIPAA, and the practical steps you must take to meet compliance, privacy, and ethical standards. You will also see how Institutional Review Board oversight, Research Authorizations, De-Identification Methods, the Minimum Necessary Standard, and Research Data Use Agreements interact in real projects.
Systematic Investigation Principles
What makes an activity “systematic”
“Systematic” means you follow a plan: a protocol with defined objectives, methods, eligibility criteria, data elements, and an analysis strategy. You design the work so another researcher could reproduce your steps and assess your conclusions.
Generalizable knowledge as the touchstone
An activity qualifies as research when it aims to develop or contribute to generalizable knowledge. If you intend to publish, present externally, build widely adoptable tools, or draw conclusions meant for use beyond a single program or site, you are operating in research territory.
Boundary with operations and quality improvement
Internal quality improvement or operations may fall outside research when the intent is solely local optimization and you do not seek to generalize findings. The moment you design the work to inform broader practice—especially with plans to disseminate results—HIPAA’s research rules likely apply.
Institutional Review Board and Privacy Board roles
An Institutional Review Board (IRB) or HIPAA Privacy Board helps determine whether your project is research involving PHI and whether you need Research Authorization or a waiver. Their review focuses on participant privacy risks, safeguards, and whether your plan limits PHI to what is necessary.
Development Activities in Research
What counts as “development”
Development includes creating instruments, surveys, algorithms, models, decision-support tools, or interventions. Building a dataset to train a model, curating features from electronic records, or refining a prototype are development activities when done to produce broadly applicable knowledge.
Using PHI during development
If development requires PHI, you must have a valid HIPAA pathway before accessing it. Common options are participant Research Authorization, an IRB/Privacy Board waiver of authorization, a Limited Data Set under a Research Data Use Agreement, or using de-identified data. Choose the least identifiable data that still supports your objectives.
Pilot and feasibility work
Pilots and feasibility studies often qualify as research because you are evaluating whether a method works and can be generalized. Treat pilot access to PHI the same way you would treat a full study: document your protocol, justify data elements, and secure the appropriate approvals.
Testing Procedures under HIPAA
Defining “testing” in context
Testing includes validating instruments, assessing algorithm performance, conducting reliability and usability checks, and running pre-production trials. When these activities use PHI to support conclusions meant for wider use, they are research testing under HIPAA.
Legal bases for using PHI in testing
- Research Authorization: written, HIPAA-compliant permission from each participant describing the PHI to be used, purpose, parties involved, and expiration.
- IRB/Privacy Board waiver or alteration: permitted when the use or disclosure involves no more than minimal risk to privacy (including an adequate plan to protect identifiers and to destroy them at the earliest opportunity consistent with the research, and adequate written assurances that the PHI will not be reused or redisclosed), the research could not practicably be conducted without the waiver, and the research could not practicably be conducted without access to the PHI.
- Limited Data Set + Research Data Use Agreement: allows use of data stripped of direct identifiers under a binding agreement that limits use, prohibits re-identification, and requires safeguards.
- De-identified data: use Safe Harbor (removal of the 18 specified identifier categories) or Expert Determination (a qualified expert documents that the risk of re-identification is very small); once properly de-identified, the dataset is no longer PHI and HIPAA no longer applies to it.
Applying the Minimum Necessary Standard
When you rely on a waiver or a Limited Data Set, you must request only the minimum PHI necessary to meet your testing aims. The Minimum Necessary Standard does not apply to uses or disclosures made pursuant to a valid Research Authorization, but good practice still favors data minimization.
Validation discipline and traceability
Maintain an auditable link between requirements, test datasets, analysis code, and results. Record the origin of each data element, access approvals, and any transformations. This traceability demonstrates both scientific rigor and Privacy Rule Compliance.
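One way to make that traceability concrete is a hash-based provenance manifest: every dataset, script, and result is recorded with its SHA-256 digest, the artifacts it was derived from, and the approval it was collected under, so an auditor can recompute each hash and walk each result back to its approved source. The following is an added example, not code from the original page; the artifact names, the approval reference, and the file contents are constructed, and the checks it enforces (PHI datasets must carry an approval, anything derived from PHI must record the transform that produced it) are one reasonable policy, not a HIPAA mandate.

```python
"""Provenance manifest tying datasets, code, approvals and results together.

Added example, not code from the original page. Artifact names, approval
references and file contents are constructed; the intended use is for the
pipeline that performs each step to record it here, so an auditor can
recompute every hash and walk every result back to its approved source.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, field
from typing import Optional

KINDS = {"phi_dataset", "dataset", "code", "result"}


@dataclass
class Artifact:
    name: str
    kind: str
    sha256: str
    derived_from: list[str] = field(default_factory=list)
    approval: Optional[str] = None   # e.g. IRB/Privacy Board determination ID
    transform: Optional[str] = None  # what produced this artifact


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Manifest:
    def __init__(self):
        self.artifacts: dict[str, Artifact] = {}

    def add(self, name, data: bytes, kind, derived_from=(), approval=None, transform=None):
        if kind not in KINDS:
            raise ValueError(f"unknown kind {kind!r}")
        self.artifacts[name] = Artifact(name, kind, sha256_hex(data),
                                        list(derived_from), approval, transform)

    def lineage(self, name: str) -> set[str]:
        """Every artifact that `name` transitively depends on."""
        seen, stack = set(), list(self.artifacts[name].derived_from)
        while stack:
            parent = stack.pop()
            if parent in seen or parent not in self.artifacts:
                continue
            seen.add(parent)
            stack.extend(self.artifacts[parent].derived_from)
        return seen

    def verify(self, store: dict[str, bytes]) -> list[str]:
        """Return a list of problems; an empty list means the manifest checks out.

        `store` maps artifact name to its current bytes (stand-in for a file store).
        """
        problems = []
        for a in self.artifacts.values():
            if a.name not in store:
                problems.append(f"{a.name}: missing from store")
            elif sha256_hex(store[a.name]) != a.sha256:
                problems.append(f"{a.name}: hash mismatch")
            for p in a.derived_from:
                if p not in self.artifacts:
                    problems.append(f"{a.name}: unknown input {p}")
            if a.kind == "phi_dataset" and not a.approval:
                problems.append(f"{a.name}: PHI dataset without approval reference")
            if a.kind in {"dataset", "result"} and not a.derived_from:
                problems.append(f"{a.name}: no recorded inputs")
            touches_phi = any(self.artifacts[p].kind == "phi_dataset" for p in self.lineage(a.name))
            if a.kind in {"dataset", "result"} and touches_phi and not a.transform:
                problems.append(f"{a.name}: derived from PHI but no transform recorded")
        return problems

    def to_json(self) -> str:
        return json.dumps([asdict(a) for a in self.artifacts.values()], indent=2)


def build_demo() -> tuple[Manifest, dict[str, bytes]]:
    """Constructed pipeline: raw PHI -> de-identified extract -> metrics."""
    store = {  # constructed contents, not real data
        "raw_phi.csv": b"mrn,birth_date,dx\nMRN-1,1980-06-15,E11.9\n",
        "deidentify.py": b"# safe harbor transform, version 1\n",
        "deid.csv": b"birth_year,dx\n1980,E11.9\n",
        "metrics.json": b'{"n": 1}\n',
    }
    m = Manifest()
    m.add("raw_phi.csv", store["raw_phi.csv"], "phi_dataset", approval="IRB-2024-017 (waiver)")
    m.add("deidentify.py", store["deidentify.py"], "code")
    m.add("deid.csv", store["deid.csv"], "dataset", ["raw_phi.csv", "deidentify.py"], transform="safe_harbor")
    m.add("metrics.json", store["metrics.json"], "result", ["deid.csv"], transform="summary_stats")
    return m, store
```

`build_demo()` returns a manifest and a store that verify cleanly; altering any stored bytes afterwards produces a `hash mismatch` entry, and adding a dataset derived from the PHI source without a `transform` is flagged, which is the gap an auditor most wants surfaced.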
Evaluation Methods
Measuring outcomes that matter
Evaluation assesses whether development and testing achieved their aims. Define primary and secondary endpoints, specify statistical thresholds in advance, and justify sample sizes. Use performance metrics that reflect clinical or operational relevance, not just convenience.
Bias, subgroup, and safety analyses
Evaluate performance across key subgroups to detect inequities. Examine missingness patterns, label quality, and potential measurement bias. For interventional work, track adverse events and plan stopping rules to protect participants.
Data quality and reproducibility
Document provenance, inclusion/exclusion criteria, and preprocessing steps. Use version control for code and data dictionaries. Independent replication or blinded review strengthens credibility and supports generalizability.
Dissemination with privacy in mind
When sharing results, avoid publishing small-cell counts or illustrative cases that could reveal identities. Aggregate results, suppress or coarsen granular fields, and confirm that dissemination does not conflict with authorizations or agreements.
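Suppressing a small cell is not enough on its own: if the row and column totals are published, a single hidden cell in a line can be recovered by subtraction, so a second cell in the same line must be hidden as well (complementary suppression). The following is an added example, not code from the original page; the threshold of 11 is a common cell-size convention (it is the one CMS applies to its own data releases), not a figure HIPAA states, and the clinic-by-diagnosis counts are constructed.

```python
"""Small-cell suppression for a two-way count table before publication.

Added example, not code from the original page. The threshold of 11 is a
common cell-size convention, not a rule HIPAA itself states; adjust it to
your DUA or policy. Counts below are constructed.
"""
from copy import deepcopy

SUPPRESS_BELOW = 11  # assumed policy threshold


def suppress_small_cells(table, threshold=SUPPRESS_BELOW):
    """Hide small cells and enough partner cells that margins stay safe.

    table: {row_label: {col_label: count}} with the same columns in every row.
    Returns (redacted, log): redacted has None where a count was hidden; log
    lists (row, col, reason) with reason "primary" or "complementary".
    Assumes row and column totals will be published alongside the table.
    """
    rows = list(table)
    cols = list(next(iter(table.values())))
    out = deepcopy(table)
    log = []

    # Primary suppression: any non-zero count below the threshold.
    for r in rows:
        for c in cols:
            if 0 < out[r][c] < threshold:
                out[r][c] = None
                log.append((r, c, "primary"))

    def col_has_hidden(c):
        return any(out[r][c] is None for r in rows)

    def row_has_hidden(r):
        return any(out[r][c] is None for c in cols)

    def partner(visible, cross_has_hidden):
        # Prefer a cell whose cross line already hides something (so we do not
        # create a new lone suppression there), then the smallest count.
        return min(visible, key=lambda kv: (not cross_has_hidden(kv[0]), kv[1]))[0]

    # Complementary suppression: a line with exactly one hidden cell lets a
    # reader recover it from the published margin, so hide a partner. Repeat
    # until every line has zero or at least two hidden cells.
    changed = True
    while changed:
        changed = False
        for r in rows:
            hidden = [c for c in cols if out[r][c] is None]
            visible = [(c, out[r][c]) for c in cols if out[r][c] is not None]
            if len(hidden) == 1 and visible:
                c = partner(visible, col_has_hidden)
                out[r][c] = None
                log.append((r, c, "complementary"))
                changed = True
        for c in cols:
            hidden = [r for r in rows if out[r][c] is None]
            visible = [(r, out[r][c]) for r in rows if out[r][c] is not None]
            if len(hidden) == 1 and visible:
                r = partner(visible, row_has_hidden)
                out[r][c] = None
                log.append((r, c, "complementary"))
                changed = True
    return out, log


def margins(table):
    """Row and column totals computed from the unredacted table."""
    cols = list(next(iter(table.values())))
    row_totals = {r: sum(cells.values()) for r, cells in table.items()}
    col_totals = {c: sum(table[r][c] for r in table) for c in cols}
    return row_totals, col_totals


def is_safe(redacted):
    """True when no row or column has exactly one hidden cell."""
    rows = list(redacted)
    cols = list(next(iter(redacted.values())))
    lines = [[redacted[r][c] for c in cols] for r in rows]
    lines += [[redacted[r][c] for r in rows] for c in cols]
    return all(line.count(None) != 1 for line in lines)


# Constructed counts: clinics by diagnosis group; not real data.
SAMPLE = {
    "Clinic A": {"Dx1": 120, "Dx2": 7, "Dx3": 45},
    "Clinic B": {"Dx1": 98, "Dx2": 33, "Dx3": 61},
    "Clinic C": {"Dx1": 15, "Dx2": 40, "Dx3": 3},
}
```

On `SAMPLE`, the two primary suppressions (7 and 3) force two complementary ones that together form a closed 2x2 block, leaving Clinic B untouched; without the "prefer a line that already hides something" rule the suppressions cascade and most of the table disappears. Run `is_safe` on the redacted table before release, and remember that suppression protects only against subtraction from these margins, not against linkage with other published tables.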
Compliance Requirements
Core elements of Privacy Rule Compliance
- Define your HIPAA pathway for PHI use: Authorization, waiver, Limited Data Set with a Research Data Use Agreement, or de-identified data.
- Apply the Minimum Necessary Standard when applicable and justify each PHI element.
- Implement administrative, physical, and technical safeguards consistent with the Security Rule for electronic PHI.
Documentation you should maintain
- IRB/Privacy Board determinations, approved protocol, and any Research Authorization forms.
- Executed Research Data Use Agreements, Business Associate Agreements (when services involve PHI), and data management plans.
- Accounting of disclosures for research disclosures not made under individual authorization (for example, under a waiver or for a Limited Data Set), retained so that the six years preceding a request can be accounted for.
Special cases to plan for
- Reviews preparatory to research: a researcher may use PHI solely to prepare a protocol or similar purpose (for example, to assess feasibility or identify prospective participants) after representing that no PHI will be removed from the covered entity and that the PHI is necessary for the research.
- Research solely on decedents’ information: permissible after representations that the use is solely for research on decedents’ PHI and that the PHI is necessary for that research, with documentation of death provided on request.
- Multisite projects: align site-specific approvals, DUAs, and data flows before exchanging PHI.
Data Privacy Considerations
Understanding Protected Health Information
PHI is individually identifiable health information created, received, maintained, or transmitted by a covered entity or its business associate, in any form (electronic, paper, or oral). If an individual can reasonably be identified from the data, alone or combined with other reasonably available information, treat it as PHI and apply HIPAA safeguards.
De-Identification Methods
Use Safe Harbor by removing the 18 specified identifier categories (including reducing dates to the year, aggregating ages over 89 to “90 or older,” and truncating ZIP codes to three digits, with small-population areas reduced to 000), or commission Expert Determination, in which a qualified expert documents that the risk of re-identification is very small given the data and the context in which it will be used. For many studies, a Limited Data Set plus a Research Data Use Agreement balances utility and risk, because it keeps dates and city/state/ZIP that Safe Harbor would strip.
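The difference between the two pathways listed above and under “Legal bases for using PHI in testing” is easiest to see on a record. The following is an added example, not code from the original page: it applies Safe Harbor and Limited Data Set redaction to a flat dict record with hypothetical field names. The identifier categories, the age-over-89 rule, the three-digit ZIP rule, and the list of ZIP prefixes that must become 000 follow the HHS Safe Harbor guidance for 45 CFR 164.514(b)(2); that ZIP list is based on the 2000 Census and should be re-verified against current guidance before production use. The free-text scan at the end is an added safeguard, because Safe Harbor also requires that you have no actual knowledge of residual identifying information, and clinical notes are where identifiers usually survive.

```python
"""Safe Harbor de-identification versus Limited Data Set redaction.

Added example, not code from the original page. Field names are hypothetical.
Identifier categories, the 90-or-older age rule, the ZIP3 rule and the small
ZIP3 list follow HHS Safe Harbor guidance (45 CFR 164.514(b)(2)); the ZIP
list is based on the 2000 Census and must be re-verified before real use.
"""
from __future__ import annotations

import copy
import re
from datetime import date

# The 16 direct identifiers a Limited Data Set (45 CFR 164.514(e)) must remove.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}
# Sub-state geography a Limited Data Set may keep but Safe Harbor must drop.
SMALL_GEOGRAPHY = {"city", "county", "precinct"}
DATE_FIELDS = ("birth_date", "admit_date", "discharge_date", "death_date")
# ZIP3 prefixes covering 20,000 or fewer people (HHS list, 2000 Census).
SMALL_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
              "823", "830", "831", "878", "879", "884", "890", "893"}
# Patterns that betray an identifier left behind in free text.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def limited_data_set(record: dict) -> dict:
    """Strip direct identifiers; keep dates, city/state/ZIP and ages.
    The result is still PHI and may only leave under a Data Use Agreement."""
    out = copy.deepcopy(record)
    for field in DIRECT_IDENTIFIERS:
        out.pop(field, None)
    return out


def _age_on(today: date, birth: date) -> int:
    before_birthday = (today.month, today.day) < (birth.month, birth.day)
    return today.year - birth.year - before_birthday


def residual_identifier_hits(record: dict) -> list[str]:
    """Report string fields that still look like they carry identifiers."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            for label, pattern in RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    hits.append(f"{field}: {label}")
    return hits


def safe_harbor(record: dict, today: date) -> dict:
    """Apply the Safe Harbor method: direct identifiers and sub-state
    geography removed, dates reduced to year, ZIP to three digits or 000,
    ages over 89 (and a birth year revealing one) collapsed to "90+".
    Raises ValueError if free text still matches an identifier pattern."""
    out = limited_data_set(record)
    for field in SMALL_GEOGRAPHY:
        out.pop(field, None)

    birth = record.get("birth_date")
    age = out.get("age")
    if isinstance(birth, date):
        age = _age_on(today, birth)
    if isinstance(age, int) and age > 89:
        out["age"] = "90+"
        out.pop("birth_date", None)  # the year alone would show age > 89
    elif isinstance(age, int):
        out["age"] = age

    for field in DATE_FIELDS:
        if isinstance(out.get(field), date):
            out[field] = str(out[field].year)

    if isinstance(out.get("zip"), str):
        prefix = re.sub(r"\D", "", out["zip"])[:3]
        out["zip"] = "000" if len(prefix) < 3 or prefix in SMALL_ZIP3 else prefix

    hits = residual_identifier_hits(out)
    if hits:
        raise ValueError(f"residual identifiers in free text: {hits}")
    return out


# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-12345",
    "street_address": "1 Main St", "city": "Keene", "state": "NH",
    "zip": "03601", "birth_date": date(1930, 6, 15),
    "admit_date": date(2023, 3, 4), "diagnosis": "E11.9",
    "notes": "Follow-up in 6 weeks.",
}


def demo(today: date = date(2024, 1, 1)) -> tuple[dict, dict]:
    """Run both methods on SAMPLE as of a fixed reference date."""
    return limited_data_set(SAMPLE), safe_harbor(SAMPLE, today)
```

On the sample, the Limited Data Set keeps `Keene`, `03601`, and the full birth date, which is why it still needs a Data Use Agreement; Safe Harbor drops the city, reduces the ZIP to `000` (036 is on the small-population list), and, because the patient is over 89, replaces the birth date with `age: "90+"` rather than leaving a birth year that would reveal the age. Treat the regex scan as a last line of defence, not a substitute for reviewing free text.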
Minimization, access control, and retention
Collect only what you need, restrict access to authorized personnel, enable role-based permissions, and encrypt PHI at rest and in transit. Define retention schedules and document secure destruction methods once the research purpose ends.
Data sharing with guardrails
When sharing beyond your team, prefer de-identified data. If you must share a Limited Data Set, execute a Research Data Use Agreement that specifies permitted uses, recipients, safeguards, breach reporting, flow-down obligations, and a no re-identification clause.
Lifecycle risk management
Assess privacy risk at ingestion, storage, analysis, and dissemination. Monitor re-identification risk after linkage or enrichment, and re-review DUAs when project scope, recipients, or technologies change.
Ethical Standards for Research
Respect for persons
Honor autonomy through informed consent or, when a waiver is used, through robust privacy protections. Be transparent about data uses and any material commercial interests linked to the research.
Beneficence and confidentiality
Design to maximize benefit and minimize harm. Use privacy-by-design practices—pseudonymization, secure enclaves, and access logging—to uphold confidentiality promises made in authorizations or IRB-approved materials.
Justice and equitable participation
Select populations fairly, avoid undue burden on vulnerable groups, and evaluate model or intervention performance across demographics to prevent inequitable outcomes.
Ongoing oversight and accountability
Report unanticipated problems, follow continuing review schedules, and update your protocol, DUAs, and security controls as methods or data sources evolve. Close out studies responsibly by archiving or destroying data per policy.
Conclusion
HIPAA’s definition of research encompasses development, testing, and evaluation when they are part of a systematic plan to generate generalizable knowledge. If PHI is involved, choose an appropriate legal pathway, apply the Minimum Necessary Standard, and reinforce privacy with de-identification and Research Data Use Agreements. Pair rigorous methods with ethical oversight to produce credible results while protecting individuals’ privacy.
FAQs
What activities qualify as research under HIPAA?
Activities qualify when they follow a systematic plan and aim to create knowledge others can apply broadly. Examples include developing and validating questionnaires or algorithms, running pilot interventions intended for publication, and evaluating processes for insights beyond a single site. Purely internal quality improvement may fall outside research if there is no intent to generalize findings.
How does HIPAA define testing and evaluation in research?
Testing and evaluation are phases of research that assess whether your methods, tools, or interventions work as intended. When you use PHI to validate accuracy, reliability, usability, safety, or effectiveness—and you intend to disseminate the results—HIPAA treats those activities as research, requiring an Authorization, a waiver, a Limited Data Set with a Research Data Use Agreement, or de-identified data.
What privacy safeguards are required for research under HIPAA?
You must identify a lawful basis to use or disclose PHI, apply the Minimum Necessary Standard when applicable, and implement safeguards consistent with the Security Rule. Common measures include IRB/Privacy Board oversight, HIPAA-compliant Research Authorizations, de-identification where possible, Limited Data Sets governed by Research Data Use Agreements, access controls, encryption, training, and accounting of disclosures when required.
How does HIPAA impact data sharing in research?
HIPAA favors sharing de-identified data. If identifiers are needed, you may share a Limited Data Set under a Research Data Use Agreement that restricts use, prohibits re-identification, and mandates safeguards. Disclosures of fully identifiable PHI require participant Authorization or a documented waiver. Align sharing with your protocol, IRB determinations, and the Minimum Necessary Standard, and maintain records of what you disclosed and why.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.