Institutional Review Board


The HIPAA Privacy Rule as It Relates to Research

The Office of Research Services has collected this information to assist the research community at our institution in complying with the Health Insurance Portability and Accountability Act. 

What is the HIPAA Privacy Rule?

Health Insurance Portability and Accountability Act: Standards for Privacy of Individually Identifiable Health Information
[45 CFR Parts 160 and 164]

The HIPAA Privacy Rule establishes the conditions under which protected health information may be used or disclosed by covered entities. (Because the Health Sciences Center is involved in health care delivery, it is a covered entity.) By the compliance date of April 14, 2003, covered entities must implement standards to protect and guard against the misuse of individually identifiable health information. These standards apply to human subjects research.

Is this in Addition to IRB Oversight under the Common Rule?

Yes. Although there is considerable overlap in the protection provided to subjects under the two programs, the Privacy Rule establishes a second mandated compliance program directed, in part, at protecting individuals volunteering to participate in research. The Common Rule specifically protects the welfare of subjects. The Privacy Rule expands on this concept and specifically protects the use and disclosure of certain health information. An additional important difference between the two Rules is that failure to implement and comply with the Privacy Rule standards may, under certain circumstances, trigger the imposition of civil or criminal penalties.

How Does the Rule Work with Regard to Research?

In the course of conducting research, researchers may obtain, create, use, and/or disclose individually identifiable health information. Under the Privacy Rule, covered entities are permitted to use and disclose protected health information for research with individual authorization, or without individual authorization under limited circumstances set forth in the Privacy Rule. More detailed explanations of the Privacy Rule and how it relates to research can be found at the following websites:

Office of Civil Rights Guidance on the Privacy Rule:


Health Information► Any information, whether oral or recorded in any form or medium, that:

Individually Identifiable Health Information► Information that is a subset of health information, including demographic information collected from an individual, and:

Protected Health Information (PHI)► Individually identifiable health information transmitted or maintained in any form or medium, including paper records.

Research► Defined in the Privacy Rule as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”

How May PHI Be Used in Research?

PHI may be used and disclosed for research purposes in a number of ways:

Health information may also be used in a de-identified form that is not considered PHI. Note that under the Common Rule there is a group of studies that can be given an “Exempt” status as determined by the IRB. In this determination, anonymity, based on not recording subject names and not maintaining a link to the subject's name, is the deciding factor for classification as “Exempt.” Many of these studies, however, collect information that under the Privacy Rule is considered adequate to identify the subject. This makes the health information PHI and the study subject to the Privacy Rule. The following are considered identifiers under the Privacy Rule.

Note: The Privacy Rule states that information will be considered identifiable if the covered entity knows that the identity of the person may still be determined.