Office of
Research Services

Research Services

HIPAA's Privacy Rule

Home / Compliance and Commercialization / Compliance / HIPAA / HIPAA's Privacy Rule
HIPAA’s Privacy Rule does not apply to clinical research in a few special circumstances.

There are basically two (2) exempt situations.

  1. Your research is exempt if you do not collect/use/review/record/access “protected health information” (PHI) as part of your research.  Research that falls into this exemption category includes, for example, studies of opinions, the impact of different educational techniques, and studies of health information that is not held by a HIPAA “covered entity,”.
  2. Your research is exempt from HIPAA’s Privacy Rule if

(a) the Principal Investigator of the study is not a member of a covered entity, AND
(b) the research does not involve gathering protected health information about research subjects from covered entities (such as hospitals or doctors’ offices where the subject has received medical care).This research is exempt even if the investigator will be collecting identifiable health information directly from the subjects. HIPAA’s Privacy Rule only applies to PHI gathered by or from covered entities. 

View flowchart here

By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.

An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.

A Waiver of Authorization does not mean your research is exempt from HIPAA’s privacy regulations. It only means you do not need signed authorization from each research subject.

To qualify for Waiver of Authorization, investigators should indicate that:

  • The research use of the health information does not represent more than a minimal risk to privacy
  • That the research could not be done without the requested health information
  • That it would not be practical to obtain signed authorizations from the research subjects
  • That the specific elements of health information that are requested are not more than the minimum necessary to accomplish the goals of the study.

HIPAA allows access for research purposes to health information that includes a limited number of identifiers. This health information, called a Limited Data Set, can include dates, zip codes and city, and any other unique identifying number, characteristic, or code that is not expressly precluded in the list below:

Elements that must be stripped:

  1. Name; 
  2. social security number; 
  3. street address; 
  4. e-mail address; 
  5. telephone number; 
  6. fax number; 
  7. certificate/license number; 
  8. vehicle identification number; 
  9. personal Web page URL; 
  10. IP address; 
  11. full-page photos or other comparable identifying images; 
  12. medical record number; 
  13. health plan beneficiary number; 
  14. any other account number; 
  15. medical device identifier or serial number; 
  16. biometric identifiers include fingerprints and voice prints.

Thus, a limited data set can include:

  • dates of admission, 
  • discharge or other services; 
  • dates of birth or death; 
  • age of participant (including those over 90 years of age); 
  • full five digit zip code and any other geographic subdivision such as county, city, precinct, and equivalent geocode (except street address).

The request for a Limited Data Set for research purposes must be submitted to the IRB Office when you submit your research application. You will also need to complete a Data Use Agreement[WC1] , which represents a formal agreement between you (the investigator) and “covered entities” that hold the health information.

Access to Health Information in Order to Prepare a Research Proposal

Investigators who are members of a covered entity may gain access to protected health information in order to prepare a research application or protocol and/or identify subjects who are eligible for a study. Investigators may not remove protected health information from the covered entity or any of the covered entity’s data sources, including medical records and information technology databases.

To access protected health information for these purposes, the researcher must:

  • Indicate that the use of the health information will be limited to the preparation of a research protocol or similar purpose,
  • Agree not to remove any protected health information from the covered entity,
  • Ensure that the protected health information being requested is necessary for the research purpose.

Investigators from other institutions who are not part of UMKC and/or TMC and are working with research teams at UMKC and/or TMC may not take protected health information from UMKC or TMC. A researcher who is not a part of the covered entity may not use the Prepatory to Research provision to contact prospective research subjects.

If an investigator intends to use the Prepatory to Research form to identify eligible subjects, before contacting the subject the investigator must:

  • Obtain approval of the study from the BU Institutional Review Board (IRB)
  • Use an acceptable HIPAA Authorization form along with IRB required consent forms to enroll subjects

The completed Preparatory to Research Form should be sent to the Research Privacy Advocate in the Office of the Institutional Review Board where it will be reviewed. The investigator will receive an accepted, signed copy from the Research Privacy Advocate that can be given to the “covered entities” that are holding the needed protected health information.

An additional important point: Investigators who receive health information under Preparatory to Research and disclose any of that information to other investigators, institutions, or agencies, the investigator is responsible for keeping an accounting of disclosures. Under HIPAA, subjects can request a record of how often their health information was released to others in the previous six (6) year period. For health information obtained under a Preparatory to Research, it is the investigator’s responsibility to provide this record of disclosures.

Minimum Necessary applies: When using or disclosing PHI or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

To access protected health information from individuals that are deceased, the investigator needs to indicate that:

  • The information that is requested will be used solely for research purposes,
  • The health information is necessary for the purpose of the research, and, if requested by the covered entity,
  • The individuals whose health information is requested are, in fact, deceased.

A completed Decedent Form should be sent to the Research Privacy Advocate who will review the information submitted. Once the form is accepted, the investigator will receive a statement that can be given to the “covered entities” that are holding the needed protected health information.

An additional important point: Investigators who receive health information under Decedent Research and disclose any of that information to other investigators, institutions, or agencies, the investigator is responsible for keeping an accounting of disclosures. Under HIPAA, subjects can request a record of how often their health information was released to others in the previous six (6) year period. For health information obtained under Decedent Research, it is the investigator’s responsibility to provide this record of disclosures.

Minimum Necessary applies: When using or disclosing PHI or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.