What HIPAA Includes in Its Definition of Research (45 CFR 164.501)

Kevin Henry

HIPAA

May 25, 2025


Systematic Investigations

HIPAA adopts a precise definition of research at 45 CFR 164.501: activities qualify when they are conducted as a systematic investigation. In practice, that means you follow a planned, methodical approach—using a protocol, clearly stated objectives, and defined procedures—to answer a question or test a hypothesis.

Systematic investigations can span clinical trials, retrospective chart reviews, registry analyses, device or software assessments, surveys, and mixed-methods projects. When these activities involve Protected Health Information (PHI), HIPAA’s privacy requirements apply to how you access, use, and disclose that information.

Typical features of a systematic investigation

  • A written protocol or study plan with objectives and an analytic strategy.
  • Predefined data elements and eligibility criteria.
  • Documented procedures for data collection, monitoring, and security.
  • Methods selected to produce reliable, reproducible findings.

Research Development and Testing

HIPAA’s definition expressly includes research development, testing, and evaluation. Early-stage feasibility work, pilot studies, methods validation, and usability testing fall within scope when they are conducted systematically. Even if the activity precedes a formal trial, you must treat PHI in compliance with HIPAA.

For example, training an algorithm on clinical images, validating a new survey instrument, or developing a bench-to-bedside protocol often requires access to PHI. Depending on the design, you may rely on individual authorization, an IRB or Privacy Board waiver or alteration of authorization, a limited data set under a data use agreement, or de-identified data (which is no longer PHI).

Examples you might encounter

  • Pilot EHR data pulls to refine inclusion criteria and endpoints.
  • Small-scale device evaluations assessing safety signals.
  • Measurement validation studies that test reliability and construct validity.

Evaluation for Generalizable Knowledge

To be “research” under HIPAA, the activity must be designed to develop or contribute to generalizable knowledge—insights intended to apply beyond the specific individuals or sites studied. Plans to publish, present, or create broadly applicable tools are common indicators.

Internal quality improvement or program evaluation may fall outside the definition if the goal is solely local improvement. If, however, the work is designed to draw conclusions that extend beyond your organization or patient panel, it likely meets the threshold and brings human subjects protections (where the Common Rule applies) and HIPAA privacy safeguards into play.

Signals that knowledge is generalizable

  • Study aims framed to inform practice or policy beyond the originating site.
  • Hypothesis-testing designs and inferential analyses.
  • Intended dissemination (journals, conferences, public toolkits).

Use and Disclosure of PHI for Research

When your project uses PHI, HIPAA permits use or disclosure through several routes. Your choice determines documentation, accounting, and “minimum necessary” obligations.

With individual authorization (45 CFR 164.508)

  • Obtain a signed authorization specifying what PHI will be used, by whom, for what purpose, to whom it will be disclosed, and the authorization’s expiration or event (for example, “end of the research study”).
  • Include required statements about the right to revoke, potential for redisclosure, and any conditioning of treatment on signing when applicable.
  • The minimum necessary standard does not apply to uses/disclosures made pursuant to a valid authorization.

Without authorization (45 CFR 164.512(i))

  • IRB or Privacy Board waiver/alteration: A documented approval allows use/disclosure of PHI when criteria are met (see below).
  • Reviews preparatory to research: A researcher may review PHI to design a protocol or identify prospective subjects after representing that the review is solely preparatory to research, that the PHI is necessary for that purpose, and that no PHI will be removed from the covered entity in the course of the review.
  • Research solely on decedents’ PHI: The researcher represents that the use or disclosure is solely for research on decedents’ PHI and that the PHI is necessary for the research, and provides documentation of death if the covered entity requests it.
  • Limited Data Set with a Data Use Agreement: Share PHI stripped of 16 specified direct identifiers for research, public health, or health care operations; the data use agreement sets the permitted uses, the safeguards, and the recipient’s obligations not to re-identify or contact individuals.

Additional operational safeguards

  • Minimum necessary: For disclosures without authorization, limit PHI to what the research reasonably requires.
  • Accounting of disclosures: Individuals may request an accounting of disclosures of their PHI, which includes research disclosures made without authorization under 45 CFR 164.512(i) (for example, under a waiver or for decedent research); disclosures of a limited data set are exempt. For research disclosures involving 50 or more individuals, the covered entity may give a simplified accounting that describes the study, its purpose, and the type of PHI disclosed instead of listing each disclosure.
  • Business associates: Vendors handling PHI for research support functions may require business associate agreements.
  • Recruitment: Treat recruitment as a research activity. Covered entities may discuss participation with their own patients; disclosing PHI to external researchers typically requires authorization or a partial waiver.

Institutional Review Board Waivers

An Institutional Review Board or a HIPAA Privacy Board may approve a waiver or alteration of authorization when specific privacy-protective criteria are satisfied. This pathway enables ethically justified research that would be impracticable with individual authorizations.

Required waiver criteria

  • The use or disclosure of PHI involves no more than minimal risk to privacy, based on at least: an adequate plan to protect identifiers from improper use and disclosure; an adequate plan to destroy identifiers at the earliest opportunity consistent with the research (unless retention is justified by a health or research reason or required by law); and adequate written assurances that the PHI will not be reused or disclosed to any other person or entity except as required by law, for authorized oversight of the study, or for other research for which HIPAA would permit the use or disclosure.
  • The research could not practicably be conducted without the waiver or alteration.
  • The research could not practicably be conducted without access to and use of the PHI.

Documentation and scope

  • Written documentation must identify the IRB or Privacy Board and the approval date, state that the board determined the waiver or alteration satisfies the criteria above, briefly describe the PHI for which use or disclosure was found necessary, state whether review used normal or expedited procedures, and be signed by the chair or a member the chair designates.
  • Partial waivers may authorize limited disclosures (for example, to contact prospective participants), while full waivers cover the entire study’s PHI use/disclosure.

De-identified Health Information in Research

De-identified data are not PHI and may be used or disclosed for research without authorization. HIPAA recognizes two de-identification methods: expert determination and safe harbor removal of 18 specified categories of identifiers.

Two de-identification pathways (45 CFR 164.514)

  • Expert determination: A qualified expert applies generally accepted methods and documents that the risk of re-identification is very small, given mitigations and context.
  • Safe harbor: Remove 18 categories of identifiers of the individual and of relatives, employers, and household members. The list goes beyond direct identifiers: besides names, social security numbers, medical record numbers, full-face photos, and contact details, it removes geographic subdivisions smaller than a state (street address, city, and ZIP code, except that the first three digits of a ZIP code may be kept where that three-digit area holds more than 20,000 people and otherwise become 000), all elements of dates other than year, and any age over 89 (which may appear only as “90 or older”). The covered entity must also have no actual knowledge that the remaining information could be used, alone or with other information, to identify the individual.

Limited Data Set versus de-identified

  • A Limited Data Set removes 16 direct identifiers (names, street addresses, phone and fax numbers, email addresses, SSNs, medical record and health plan numbers, account, certificate and license numbers, vehicle and device identifiers, URLs, IP addresses, biometric identifiers, and full-face photos) but may keep dates and city, state, and ZIP code; it is still PHI and may be shared only under a Data Use Agreement.
  • Fully de-identified data fall outside HIPAA. A re-identification code may be attached only if it is not derived from or related to information about the individual and cannot otherwise be translated to identify the individual, and the covered entity neither uses or discloses the code for any other purpose nor discloses the re-identification mechanism.
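To make the difference between the two pathways concrete, here is an added Python example (not code from this page or from Accountable) that applies the safe harbor and limited data set rules to one constructed patient record and attaches a random re-identification code. The record schema, field names, sample values, and helper names are assumptions; the set of sparse three-digit ZIP prefixes is the list OCR published in its de-identification guidance from 2000 Census data and should be rechecked against current data before use.

```python
"""Safe harbor de-identification vs. a limited data set, on one constructed record.

Added illustration; the schema, values, and helper names are assumptions.
"""
import secrets
from datetime import date

# Constructed sample record for one fictional patient (not real data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0048213",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "phone": "555-0100",
    "street": "12 Main St",
    "city": "Springfield",
    "state": "IL",
    "zip": "03601",
    "dob": "1931-03-15",
    "admit_date": "2024-11-02",
    "diagnosis_icd10": "I10",
    "device_serial": "SN-7781",
    "face_photo": "photo_001.jpg",
}

# Reference date used to compute ages (assumed; use the release date in practice).
REFERENCE_DATE = date(2025, 5, 25)

# Fields in this schema that fall under the 16 direct identifiers a limited
# data set must drop (45 CFR 164.514(e)(2)); extend for a real schema.
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "email", "phone", "street",
                      "device_serial", "face_photo"}

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer,
# per OCR's de-identification guidance (2000 Census). Assumption: re-verify
# against current Census data before relying on it.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
               "823", "830", "831", "878", "879", "884", "890", "893"}


def age_on(dob: date, ref: date) -> int:
    """Completed years between dob and ref."""
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def limited_data_set(record: dict) -> dict:
    """Limited data set: drop the direct identifiers, keep dates and
    city/state/ZIP. The result is still PHI and needs a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record: dict, ref_date: date) -> dict:
    """Safe harbor (164.514(b)(2)): strip every identifier category present in
    this schema. Dates collapse to year, ZIP to a 3-digit prefix (or 000), and
    an age over 89 is reported only as '90+' with no birth year."""
    out = limited_data_set(record)
    out.pop("city")                              # subdivision smaller than a state
    zip3 = out.pop("zip")[:3]
    out["zip3"] = "000" if zip3 in SPARSE_ZIP3 else zip3
    dob = date.fromisoformat(out.pop("dob"))
    if age_on(dob, ref_date) > 89:
        out["age"] = "90+"                       # no date element that reveals age > 89
    else:
        out["birth_year"] = dob.year
    out["admit_year"] = date.fromisoformat(out.pop("admit_date")).year
    return out


def assign_reid_code(record: dict, linkage: dict) -> str:
    """Re-identification code for a de-identified record. A random token is not
    derived from anything about the individual; the linkage table stays with
    the covered entity and is never released with the data."""
    return linkage.setdefault(record["mrn"], secrets.token_hex(16))


def leaks_identifiers(output: dict, original: dict) -> bool:
    """True if any direct-identifier value from the original record survives
    anywhere in the output (a cheap sanity check before release)."""
    values = [str(original[f]) for f in DIRECT_IDENTIFIERS if f in original]
    return any(v in str(o) for v in values for o in output.values())


if __name__ == "__main__":
    print("Limited data set:", limited_data_set(SAMPLE_RECORD))
    print("Safe harbor     :", safe_harbor(SAMPLE_RECORD, REFERENCE_DATE))
```

Note what the two outputs keep: the limited data set still carries the full date of birth, admission date, city, and five-digit ZIP, which is why it remains PHI and travels only under a DUA; the safe harbor output keeps only the state, a three-digit ZIP prefix (here 000, because 036 is one of the sparse prefixes), the admission year, and the age bucket "90+", since a 1931 birth year would itself reveal an age over 89. Random codes, rather than a hash of the MRN, are used so the code is not derived from the individual's information.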

Coordination with Federal Research Regulations

HIPAA’s definition mirrors the Common Rule’s (45 CFR 46.102), but the two frameworks regulate different things: HIPAA governs the privacy and security of PHI, while the Common Rule governs the protection of human subjects (risk assessment, informed consent, and IRB oversight) for research conducted or supported by the federal departments and agencies that have adopted it. Many projects must satisfy both; others trigger only one.

When both frameworks apply

  • Federally supported clinical studies at covered entities that handle PHI typically require both Common Rule and HIPAA compliance.
  • An IRB can serve both roles: human subjects review and HIPAA waiver determinations, reducing duplication.
  • Consent and HIPAA authorization may be integrated into a single, coordinated document when allowed.

When only one applies

  • HIPAA-only: PHI analyses conducted by a covered entity that are not federally regulated human subjects research (for example, research on decedents or certain secondary data uses).
  • Common Rule–only: Studies that involve human subjects but no PHI (for example, non-health data or data collected outside covered entities) still require IRB oversight under the Common Rule when applicable.

Practical alignment tips

  • Clarify early whether PHI will be accessed, from whom, and by which mechanism (authorization, waiver, limited data set, or de-identification).
  • Map consent, authorization, and data sharing terms to ensure consistent privacy promises across protocols, DUAs, and IRB approvals.
  • Design data minimization and security controls to satisfy both frameworks’ expectations.

Conclusion

Under 45 CFR 164.501, research includes systematic investigations—encompassing development, testing, and evaluation—aimed at generalizable knowledge. When PHI is involved, HIPAA provides multiple compliant pathways: individual authorization, IRB/Privacy Board waivers, limited data sets with DUAs, and use of fully de-identified data. Aligning HIPAA with Common Rule obligations early keeps projects efficient, ethical, and publishable.

FAQs

What is the HIPAA definition of research?

HIPAA defines research as a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. This definition appears in 45 CFR 164.501 and determines when HIPAA’s privacy requirements for PHI apply to a project.

When can PHI be used for research without authorization?

PHI may be used or disclosed without authorization when an Institutional Review Board or HIPAA Privacy Board approves a waiver or alteration; when access is solely preparatory to research and PHI is not removed; for research exclusively on decedents’ information; or through a Limited Data Set under a Data Use Agreement. Fully de-identified data are not PHI and do not require authorization.

How does HIPAA coordinate with the Common Rule?

HIPAA governs privacy protections for PHI, while the Common Rule governs human subjects protections. Many studies must comply with both. You can streamline compliance by using one IRB to handle human subjects review and HIPAA waiver determinations and by integrating consent with HIPAA authorization when appropriate.

What role does an IRB play in HIPAA research disclosures?

An IRB (or a HIPAA Privacy Board) can approve a waiver or alteration of authorization when privacy criteria are met, allowing PHI use/disclosure without individual authorization. The IRB also documents the determination, defines the scope of PHI permitted, and may grant partial waivers to enable activities like screening and recruitment.
