National Institutes of Health HIPAA Privacy Rule - Information for Researchers
This website is currently in the process of being updated. For guidance on the HIPAA Privacy Rule in research, please see: https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html
What Are the Purpose and Background of the Privacy Rule?


Key Points:
  • The Privacy Rule establishes minimum Federal standards for protecting the privacy of individually identifiable health information. The Rule confers certain rights on individuals, including rights to access and amend their health information and to obtain a record of when and why their PHI has been shared with others for certain purposes.
  • The Privacy Rule establishes conditions under which covered entities can provide researchers access to and use of PHI when necessary to conduct research. The Rule is not intended to impede research.
  • Compliance with the Privacy Rule is required on and after April 14, 2003, for most covered entities. (Small health plans have an extra year to comply.)

The purpose of the Privacy Rule is to establish minimum Federal standards for safeguarding the privacy of individually identifiable health information. Covered entities, which must comply with the Rule, are health plans, health care clearinghouses, and certain health care providers. Covered entities may not use or disclose PHI except as permitted or required under the provisions of the Privacy Rule. The Rule also confers certain rights on individuals, including rights to access and amend certain health information and to obtain a record of when and how their PHI has been shared with others for certain purposes. In addition, the Rule establishes administrative requirements for covered entities. Covered entities that fail to comply with the Privacy Rule may be subject to civil monetary penalties, criminal monetary penalties, and/or imprisonment.

The Privacy Rule recognizes that the research community has legitimate needs to use, access, and disclose individually identifiable health information to carry out a wide range of health research protocols and projects. In the course of conducting research, researchers may create, use, and/or disclose individually identifiable health information. The Privacy Rule protects the privacy of such information when held by a covered entity but also provides various ways in which researchers can access and use the information for research.

The term “Privacy Rule” is often preceded by “HIPAA,” an acronym for the Health Insurance Portability and Accountability Act of 1996. The Department of Health and Human Services (HHS) issued the Privacy Rule in December 2000 to carry out HIPAA’s mandate that HHS establish Federal standards for safeguarding the privacy of individually identifiable health information. To clarify certain provisions, address unintended negative effects on health care, and relieve unintended administrative burdens, HHS amended the Privacy Rule on August 14, 2002. Most covered entities must comply with the Privacy Rule by April 14, 2003. Small health plans have an extra year, until April 14, 2004, to comply. Entities that become covered entities after these dates must be in compliance with the Privacy Rule at such time that they become covered.

Covered Entity - A health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard.
Protected Health Information - PHI is individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer.
Health Information - Any information, whether oral or recorded in any form or medium, that (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Individually Identifiable Health Information - Information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Research - A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. This includes the development of research repositories and databases for research.