
HIPAA in Research: How the Rule Works

In the course of conducting research, researchers may obtain, create, use, and/or disclose individually identifiable health information. Under the Privacy Rule, covered entities are permitted to use and disclose protected health information for research with individual authorization, or without individual authorization under very limited circumstances set forth in the Privacy Rule:

Research Use/Disclosure Without Authorization: To use or disclose protected health information without authorization by the individual whose PHI is planned for research use, a covered entity must obtain one of the following:

Documented IRB or Privacy Board Approval. Documentation that an alteration or waiver of research participant's authorization for use/disclosure of information about them for research purposes has been approved by an IRB or Privacy Board*.

For example, to conduct records research, a waiver may be appropriate when researchers are unable to use de-identified information and the research could not practicably be conducted if research participants' authorization were required.

Important Note: the FSU IRB does NOT serve as any institution or organization's Privacy Board. Rather, the FSU IRB is permitted to make HIPAA Authorization waiver determinations applicable to use of only FSU PHI. Additionally, only a few FSU components are deemed HIPAA covered entities whose identifiable health information is deemed PHI for purposes of the HIPAA Privacy Rule. The FSU IRB will NOT render HIPAA Authorization waivers for researchers' use of other covered entities' PHI; researchers must obtain such HIPAA waiver documentation directly from the covered entities and provide such documentation to the FSU IRB for any studies that are reviewed by the FSU IRB. 

DOCUMENTATION for a waiver of authorization approved by an IRB or Privacy Board must meet all the following factors:

    • Identification of the IRB or Privacy Board and the date on which the alteration or waiver of authorization was approved;
    • A statement that the IRB or Privacy Board determined that the waiver or alteration of authorization satisfies the three criteria in the Rule;
    • A brief description of the protected health information for which use or access has been determined to be necessary by the IRB or Privacy Board;
    • A statement that the waiver has been reviewed and approved under either normal or expedited review procedures; and
    • The signature of the Chair or other member, as designated by the Chair, of the IRB or Privacy Board, as applicable.

The following three criteria must be satisfied for an IRB or Privacy Board to APPROVE a waiver of authorization under the Privacy Rule:

1. The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on the presence of the following elements:

      • an adequate plan to protect the identifiers from improper use and disclosure;
      • an adequate plan to destroy identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is required by law; and
      • adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by law.

2. The research could not practicably be conducted without the waiver or alteration; and

3. The research could not practicably be conducted without access to and use of the PHI.


Preparatory to Research: Representations from the researcher that the use or disclosure of the PHI is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any PHI from the covered entity, and that the PHI for which access is sought is necessary for the research purposes.

Example: This provision might be used to design a research study or to assess the feasibility of conducting a study.

Research on Protected Health Information of Decedents: Representations from the researcher that the use or disclosure being sought is solely for research on the PHI of decedents, that the PHI being sought is necessary for the research, and at the request of the covered entity, documentation of the death of the individuals about whom information is being sought.

Limited Data Sets with a Data Use Agreement: A data use agreement entered into by both the covered entity and the researcher, so that the covered entity may disclose a limited data set to the researcher for research, public health, or health care operations. A limited data set excludes specified direct identifiers of the individual or of relatives, employers, or household members of the individual. The agreement must:

  • Establish the permitted uses and disclosures of the limited data set by the recipient, consistent with the purposes of the research, and which may not include any use or disclosure that would violate the Rule if done by the covered entity;
  • Limit who can use or receive the data; and
  • Require the recipient to:
      • not use or disclose the information other than as permitted by the agreement or as otherwise required by law;
      • use appropriate safeguards to prevent use or disclosure of the information other than as provided for in the data use agreement;
      • report to the covered entity any use or disclosure not provided for by the data use agreement of which the recipient becomes aware;
      • ensure that any agents, including a subcontractor, to whom the recipient provides the limited data set agree to the same restrictions and conditions that apply to the recipient with respect to the limited data set; and
      • not identify the information or contact the individuals.

Research Use/Disclosure With Individual Authorization: The Privacy Rule also permits covered entities to use or disclose PHI for research purposes when a research participant authorizes the use or disclosure of information about him or herself.

Example: A research participant's authorization will be sought for clinical trials and records research.

To use or disclose the PHI with authorization by the research participant, the covered entity must obtain an authorization that satisfies the requirements of 45 CFR 164.508. Note that this authorization for a research purpose may state that the authorization does not expire, that there is no expiration date or event, or that the authorization continues until the "end of the research study".

An authorization for the use or disclosure of PHI for research may be combined with a consent to participate in research, or with any other legal permission related to the research study. FSU encourages, however, that the forms be kept separate, to help the research participant understand informed consent to research AND authorization to disclose PHI for research purposes.

Accounting for Research Disclosures: In general, the Privacy Rule gives individuals the right to receive an accounting of certain disclosures of PHI made by a covered entity. See 45 CFR 164.528. This accounting must include disclosures of PHI that occurred during the six years prior to the individual's request for an accounting.


Definitions (Select)

Authorization- An individual's written permission (signed by the individual or his/her Personal Representative) to allow a covered entity to use/disclose specified 'protected health information' (PHI) for a particular research study. Except as otherwise permitted by the Privacy Rule, a covered entity may not use or disclose PHI for research purposes without a valid Authorization.

Accounting for Disclosures of PHI - Information that describes a covered entity's disclosure of PHI that has taken place within six (6) years of the date of the request (excluding any disclosures taking place prior to the Compliance Date). Accounting of disclosures is not required in the following situations:

  • disclosures for treatment, payment, and health care operations ("TPO")
  • disclosures made pursuant to valid Authorizations
  • disclosure of Limited Data Sets
  • disclosure of de-identified data
  • disclosures of PHI prior to April 14, 2003

Covered Component - Components of a covered entity that engage in 'covered functions' and any component that engages in activities that would make such component a 'business associate' of a component that performs covered functions if the two components were separate legal entities.

Covered Entity -

  1. A health plan,
  2. A health care clearinghouse, and
  3. A health care provider who transmits any health information in electronic form.

Covered Functions - Functions that make an entity a health plan, a health care provider, or a health care clearinghouse.

Data Use Agreement - An agreement that specifies permitted uses and disclosures, specifies who may use or receive the data set, restricts further use and disclosure, and restricts re-identification of the individual or contact with the individuals. (This agreement may take the form of a formal contract or of a confidentiality agreement).

De-Identified Data - Data that does not identify an individual and with respect to which there is no reasonable basis to believe that information within the data can be used to identify an individual.

The Privacy Rule provides two routes by which data may be de-identified. The first route is to remove a list of eighteen (18) direct identifiers that could be used to identify the individual; a relative of the individual; employer; or household members of the individual. These identifiers are enumerated in the Privacy Rule (see below). The second route is to obtain the services of an expert who can determine and document, using generally accepted statistical and scientific principles and methods, that there is only a 'very small' risk that the information in a data set could be used to identify the subject of the information.

Direct Identifiers:

  1. Names
  2. All geographical subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census:
    1. The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people.
    2. The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  4. Telephone numbers.
  5. Facsimile numbers
  6. Electronic mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health Plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web universal resource locators (URLs)
  15. Internet protocol (IP) address numbers
  16. Biometric identifiers, including fingerprints and voiceprints
  17. Full-face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code.
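The Safe Harbor route above is a mechanical rule set, and the places where de-identification scripts usually go wrong are the two exceptions (the three-digit ZIP retention and the over-89 age category) and identifiers that hide in free-text notes. The following Python is an added example written for this page, not code from the original page or from FSU; it applies the Safe Harbor rules to a record expressed as a dictionary. The field names, the sample records and the set of small ZIP3 areas are all constructed for illustration (the real set of three-digit ZIP areas with 20,000 or fewer people must be taken from current Census data).

```python
import re
from datetime import date

# Constructed placeholder for the Census-derived set of three-digit ZIP areas
# with 20,000 or fewer people. The real set must come from current Bureau of
# the Census data; these two prefixes are illustrative only.
SMALL_ZIP3_AREAS = frozenset({"036", "059"})

# Safe Harbor identifiers that are dropped outright (names, geography smaller
# than a state, contact details, record/account/device numbers, URLs, IPs,
# biometrics and images). Field names are this example's own convention.
REMOVE_FIELDS = frozenset({
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_number", "license_number", "vin",
    "device_serial", "url", "ip_address", "biometric", "photo",
})

# Date fields are reduced to the year only.
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "date_of_death"})

# Identifier shapes that commonly leak into free-text notes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
]


def safe_harbor_zip(zip_code):
    """Keep the first three digits of a ZIP, or '000' for a small ZIP3 area."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in SMALL_ZIP3_AREAS else prefix


def age_on(birth, as_of):
    """Completed years between birth and the reference date."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor_age(birth, as_of):
    """Ages over 89 collapse into the single '90 or older' category."""
    years = age_on(birth, as_of)
    return "90 or older" if years > 89 else years


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record, as_of):
    """Apply the Safe Harbor rules to a dict of field name -> value."""
    birth = record.get("birth_date")
    over_89 = birth is not None and age_on(birth, as_of) > 89
    out = {}
    for field, value in record.items():
        if field in REMOVE_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif field in DATE_FIELDS:
            # A birth year would itself reveal an age over 89, so it goes too.
            if not (over_89 and field == "birth_date"):
                out[field + "_year"] = value.year
        elif field == "notes":
            out[field] = scrub_text(value)
        else:
            out[field] = value
    if birth is not None:
        out["age"] = safe_harbor_age(birth, as_of)
    return out


# Constructed sample records (not real patients) and a fixed reference date.
SAMPLE_AS_OF = date(2024, 1, 1)
SAMPLE_RECORDS = [
    {
        "name": "Jane Example", "mrn": "MRN-0001", "zip": "03601",
        "birth_date": date(1930, 5, 1), "admission_date": date(2023, 2, 14),
        "diagnosis_code": "I10",
        "notes": "Patient reachable at 555-123-4567 or jane@example.org.",
    },
    {
        "name": "John Example", "mrn": "MRN-0002", "zip": "90210-1234",
        "birth_date": date(1980, 7, 20), "discharge_date": date(2023, 3, 2),
        "diagnosis_code": "E11", "notes": "SSN on file: 123-45-6789.",
    },
]


def run_sample():
    """De-identify the constructed records against the fixed reference date."""
    return [deidentify(r, SAMPLE_AS_OF) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for cleaned in run_sample():
        print(cleaned)
```

The free-text scrub is a safety net, not a substitute for the field-level rules: a regex catches identifier shapes it knows about, so item 18 ("any other unique identifying number, characteristic, or code") still needs a human review of what remains in notes before the data set is treated as de-identified.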


Disclosure - The release, transfer, access to, or divulging of information in any manner outside the Covered Entity holding the information.

Individually Identifiable Health Information - Information that includes demographic information collected from an individual, and

    1. is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
    2. relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Limited Data Set - A data set that excludes the majority of the eighteen direct identifiers of the individual, relative, employers and/or household members of the individual. In a limited data set, the city, state, ZIP code, birth date, admission date, discharge date, and other numbers/characteristics/codes that are not listed as direct identifiers can be retained.

Limited data sets can be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual's Authorization or waiver or an alteration of Authorization for its use and disclosure, with a data use agreement.

Minimum Necessary - The least information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request.

Minimal Risk to the Privacy of the Individual - The amount of risk, harm, or discomfort that an individual will ordinarily encounter in day-to-day activities.

Non-FSU Covered Component Researcher - Researchers who are not employed by any of the 'covered components' of the University.

Personal Representative - A person who is legally authorized to act on behalf of the individual in making health care related decisions.

Privacy Board - A Board that is established to review and approve requests for waivers or alterations of Authorizations in connection with a use or disclosure of PHI.

A Privacy Board consists of members with varying backgrounds and appropriate professional competencies as necessary to review the effect of the research protocol on an individual's privacy rights and related interests. The Board must include at least one member who is not affiliated with either the covered component (covered entity) or with the entity that is conducting or sponsoring the research, and not related to any person who is affiliated with any such entities. Also, it must not have any member participating in a review of any project in which the member has a conflict of interest.

Protected Health Information (PHI) - Individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. Education records covered by FERPA, and employment records held by a 'covered entity' in its role as an employer, are excluded from this definition.

Research - A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. This includes the development of research repositories and databases for research.

Reviews Preparatory to Research - Using or reviewing PHI for the purpose of developing a research protocol or a similar activity in preparation for formulating a research hypothesis.

Use - The sharing, application, utilization, examination, analysis, or employment of Individually Identifiable Health Information within an entity that maintains such information.

Waiver, Partial Waiver or Alteration of Authorization - The document that the covered entity (covered component, for FSU) obtains from the Privacy Board which states that the Privacy Board has waived or altered the HIPAA Privacy Rule requirement that an individual authorize the use or disclosure of his or her PHI for research purposes.
