
HIPAA in Research: How the Rule Works

In the course of conducting research, researchers may obtain, create, use, and/or disclose individually identifiable health information. Under the Privacy Rule, covered entities are permitted to use and disclose protected health information for research with individual authorization, or without individual authorization under very limited circumstances set forth in the Privacy Rule:

Research Use/Disclosure Without Authorization: to use or disclose protected health information without authorization by the individual whose PHI is planned for research use, a covered entity must obtain one of the following:

Documented IRB or Privacy Board Approval. Documentation that an alteration or waiver of research participants' authorization for use/disclosure of information about them for research purposes has been approved by an IRB or Privacy Board*.

For example, to conduct records research, a waiver may be appropriate when researchers are unable to use de-identified information and the research could not practicably be conducted if research participants' authorization were required.

Important Note: the FSU IRB does NOT serve as any institution or organization's Privacy Board. Rather, the FSU IRB is permitted to make HIPAA Authorization waiver determinations applicable to use of only FSU PHI. Additionally, only a few FSU components are deemed HIPAA covered entities whose identifiable health information is deemed PHI for purposes of the HIPAA Privacy Rule. The FSU IRB will NOT render HIPAA Authorization waivers for researchers' use of other covered entities' PHI; researchers must obtain such HIPAA waiver documentation directly from the covered entities and provide such documentation to the FSU IRB for any studies that are reviewed by the FSU IRB. 

DOCUMENTATION for a waiver of authorization approved by an IRB or Privacy Board must include all of the following elements:

    • Identification of the IRB or Privacy Board and the date on which the alteration or waiver of authorization was approved;
    • A statement that the IRB or Privacy Board determined that the alteration or waiver of authorization satisfies the three criteria in the Rule;
    • A brief description of the protected health information for which use or access has been determined to be necessary by the IRB or Privacy Board;
    • A statement that the waiver has been reviewed and approved under either normal or expedited review procedures; and
    • The signature of the Chair or other member, as designated by the Chair, of the IRB or Privacy Board, as applicable.

The following three criteria must be satisfied for an IRB or Privacy Board to APPROVE a waiver of authorization under the Privacy Rule:

1. The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on the presence of the following elements:

      • an adequate plan to protect the identifiers from improper use and disclosure;
      • an adequate plan to destroy identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is required by law; and
      • adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by law.

2. The research could not practicably be conducted without the waiver or alteration; and

3. The research could not practicably be conducted without access to and use of the PHI.


Preparatory to Research: Representations from the researcher that the use or disclosure of the PHI is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any PHI from the covered entity, and that the PHI for which access is sought is necessary for the research purposes.

Example: This provision might be used to design a research study or to assess the feasibility of conducting a study.

Research on Protected Health Information of Decedents: Representations from the researcher that the use or disclosure being sought is solely for research on the PHI of decedents, that the PHI being sought is necessary for the research, and at the request of the covered entity, documentation of the death of the individuals about whom information is being sought.

Limited Data Sets with a Data Use Agreement: A data use agreement entered into by both the covered entity and the researcher, so that the covered entity may disclose a limited data set to the researcher for research, public health, or health care operations. A limited data set excludes specified direct identifiers of the individual or of relatives, employers, or household members of the individual. The agreement must:

  • Establish the permitted uses and disclosures of the limited data set by the recipient, consistent with the purposes of the research, which may not include any use or disclosure that would violate the Rule if done by the covered entity;
  • Limit who can use or receive the data; and
  • Require the recipient to agree to:
      • not use or disclose the information other than as permitted by the agreement or as otherwise required by law;
      • use appropriate safeguards to prevent the use or disclosure of the information other than as provided for in the data use agreement;
      • report to the covered entity any use or disclosure not provided for by the data use agreement of which the recipient becomes aware;
      • ensure that any agents, including a subcontractor, to whom the recipient provides the limited data set agree to the same restrictions and conditions that apply to the recipient with respect to the limited data set; and
      • not identify the information or contact the individuals.

Research Use/Disclosure With Individual Authorization: The Privacy Rule also permits covered entities to use or disclose PHI for research purposes when a research participant authorizes the use or disclosure of information about him or herself.

Example: A research participant's authorization will be sought for clinical trials and records research.

To use or disclose the PHI with authorization by the research participant, the covered entity must obtain an authorization that satisfies the requirements of 45 CFR 164.508. Note that this authorization for a research purpose may state that the authorization does not expire, that there is no expiration date or event, or that the authorization continues until the "end of the research study".

An authorization for the use or disclosure of PHI for research may be combined with a consent to participate in research, or with any other legal permission related to the research study. FSU encourages that the forms be kept separate, however, to help the research participant understand the difference between informed consent to research AND authorization to disclose PHI for research purposes.

Accounting for Research Disclosures: In general, the Privacy Rule gives individuals the right to receive an accounting of certain disclosures of PHI made by a covered entity. See 45 CFR 164.528. In general, this accounting must include disclosures of PHI made during the six years prior to the individual's request for an accounting.