National Institutes of Health HIPAA Privacy Rule - Information for Researchers
This website is currently in the process of being updated. For guidance on the HIPAA Privacy Rule in research, please see: https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html
Frequently Asked Questions

Office for Civil Rights Frequently Asked Questions on the HIPAA Privacy Rule.

HIPAA Privacy Rule for Researchers

The following "Frequently Asked Questions" address broadly some of the questions that have arisen about the possible impact of the Privacy Rule on research. We will also be adding to "Frequently Asked Questions" on an ongoing basis as new questions arise. However, for a full understanding of the relevant provisions of the Rule it is important to consult the Rule itself and to discuss compliance issues with the Privacy Officer of your institution.

If there are additional questions about the HIPAA Privacy Rule and research you would like addressed on this site, please submit them to privacyruleandresearch@mail.nih.gov.

  1. What Federal agencies are involved in the implementation and enforcement of the HIPAA Privacy Rule?


  2. Who must comply with these new HIPAA privacy standards?


  3. Will the HIPAA Privacy Rule hinder medical research by making doctors and others less willing and/or able to share with researchers information about individual patients?


  4. Are some of the criteria so subjective that inconsistent determinations may be made by Institutional Review Boards (IRBs) and Privacy Boards reviewing similar or identical research projects?


  5. Does the HIPAA Privacy Rule prohibit researchers from conditioning participation in a clinical trial on an authorization to use/disclose existing protected health information?


  6. Does the HIPAA Privacy Rule permit the creation of a database for research purposes through an Institutional Review Board (IRB) or Privacy Board waiver of individual authorization?


  7. Can researchers continue to access existing databanks or repositories that are maintained by covered entities, even if those databases were created prior to the compliance date without patient permission or without a waiver of informed consent by an Institutional Review Board (IRB)?


  8. How does the Rule help Institutional Review Boards (IRBs) handle the additional responsibilities imposed by the HIPAA Privacy Rule?


  9. By establishing new waiver criteria and authorization requirements, hasn't the HIPAA Privacy Rule, in effect, modified the Common Rule?


  10. When must an Institutional Review Board (IRB) review and approve patient authorizations for use or disclosure of protected health information related to human subjects research activities in order to satisfy requirements of Department of Health and Human Services (HHS) regulations at 45 CFR part 46?


  11. Can an Institutional Review Board (IRB) use an expedited review procedure to review and approve a modification to a previously approved informed consent document where the modification only involves the addition of a patient authorization for use or disclosure of protected health information?


  12. Do Department of Health and Human Services (HHS) regulations at 45 CFR part 46 permit the Institutional Review Board (IRB) to review and approve the insertion of authorization language as a single modification that applies to the informed consent documents of multiple protocols previously approved by the IRB?


  13. Is documentation of Institutional Review Board (IRB) and Privacy Board approval required by the HIPAA Privacy Rule before a covered entity would be permitted to disclose protected health information for research purposes without an individual's authorization?


  14. Does the HIPAA Privacy Rule require a covered entity to create an Institutional Review Board (IRB) or Privacy Board before using or disclosing protected health information for research?


  15. What does the HIPAA Privacy Rule say about a research participant's right of access to research records or results?


  16. Are the HIPAA Privacy Rule's requirements regarding patient access in harmony with the Clinical Laboratory Improvements Amendments of 1988 (CLIA)?


  17. Do the HIPAA Privacy Rule's requirements for authorization and the Common Rule's requirements for informed consent differ?


  18. When is a researcher a covered health care provider under HIPAA?


  19. When does a covered entity have discretion to determine whether a research component of the entity is part of their covered functions, and therefore, subject to the HIPAA Privacy Rule?


  20. If a research subject revokes his or her authorization to have protected health information used or disclosed for research, does the HIPAA Privacy Rule permit a researcher/covered health care provider to continue using the protected health information already obtained prior to the time the individual revoked his or her authorization?


  21. Can the preparatory research provision of the HIPAA Privacy Rule at 45 CFR 164.512(i)(1)(ii) be used to recruit individuals into a research study?


  22. The preparatory to research provision of the HIPAA Privacy Rule at 45 CFR 164.512(i)(1)(ii) addresses certain circumstances in which seeking patient authorization for use or disclosure of protected health information is not required, nor is obtaining Privacy Board or Institutional Review Board (IRB) approval of a waiver of patient authorization required. When do the requirements under Department of Health and Human Services (HHS) regulations at 45 CFR part 46 related to IRB review and informed consent apply to such "preparatory to research" activities?


  23. Does the HIPAA Privacy Rule require documentation of Institutional Review Board (IRB) or Privacy Board approval of an alteration or waiver of individual authorization before a covered entity may use or disclose protected health information for any of the following provisions: (1) for preparatory research at 45 CFR 164.512(i)(1)(ii), (2) for research on the protected health information of decedents at 45 CFR 164.512(i)(1)(iii), or (3) a limited data set with a data use agreement as stipulated at 45 CFR 164.514(e)?


  24. Will the Department of Health and Human Services (HHS) make future changes to the HIPAA Privacy Rule and, if so, how will these changes be made?


  25. If research subjects' consent was obtained before the compliance date, but the Institutional Review Board (IRB) subsequently modifies the informed consent document after the compliance date and requires that subjects be reconsented, is authorization now required from these previously enrolled research subjects under the HIPAA Privacy Rule?


  26. Will the Office for Human Research Protections (OHRP) assess compliance with the requirements of the HIPAA Privacy Rule during OHRP's compliance oversight evaluations?


  27. Can covered entities continue to disclose adverse event reports that contain protected health information to the Department of Health and Human Services (HHS) Office for Human Research Protections (OHRP)?


  28. Can covered entities continue to disclose protected health information to the Department of Health and Human Services (HHS) Office for Human Research Protections for purposes of determining compliance with the HHS regulations for the protection of human subjects (45 CFR Part 46)?


  29. Does the HIPAA Privacy Rule protect genetic information?


  30. Are State, county or local health departments required to comply with the HIPAA Privacy Rule?


  31. Will the Privacy Rule alter the National Institutes of Health (NIH) peer review process?


  32. How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?


  33. Must the HIPAA Privacy Rule's minimum necessary standard be applied to uses or disclosures that are authorized by an individual?


  34. Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request of an entire medical record? If not, are case-by-case justifications required each time an entire medical record is disclosed?


  35. Is a covered entity required to apply the HIPAA Privacy Rule's minimum necessary standard to a disclosure of protected health information it makes to another covered entity?


  36. Is a business associate contract required for a covered entity to disclose protected health information to a researcher?


  37. How might the Privacy Rule impact the National Institutes of Health (NIH) Grant and Cooperative Agreement Application and Research Contract Processes?


  38. Where can researchers obtain additional information on the Privacy Rule?





  1. Q: What Federal agencies are involved in the implementation and enforcement of the HIPAA Privacy Rule?

     A: The roles of several Federal agencies regarding the Privacy Rule are described below:
    Office for Civil Rights (OCR) - Oversight and civil enforcement responsibility for the Privacy Rule are under the auspices of OCR, Department of Health and Human Services (HHS).
    Department of Justice (DOJ) - Enforcement of the criminal penalties for violations of the Privacy Rule is under the auspices of DOJ.
    National Institutes of Health (NIH) - Development of educational materials for researchers, in collaboration with other HHS research agencies, is the role of NIH. NIH is not involved in enforcing or monitoring compliance with the Privacy Rule.



  2. Q: Who must comply with these new HIPAA privacy standards?

     A: As required by Congress in HIPAA, the Privacy Rule covers:
    • Health plans
    • Health care clearinghouses
    • Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.

    These entities (collectively called "covered entities") are bound by the new privacy standards even if they contract with others (called "business associates") to perform some of their essential functions. The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits.



  3. Q: Will the HIPAA Privacy Rule hinder medical research by making doctors and others less willing and/or able to share with researchers information about individual patients?

     A: We do not believe that the Privacy Rule will hinder medical research. Indeed, patients and health plan members should be more willing to authorize disclosures of their information for research and to participate in research when they know their information is protected. For example, in genetic studies conducted at the National Institutes of Health (NIH), nearly 32 percent of eligible people offered a test for breast cancer risk declined to take it. The overwhelming majority of those who refuse cite concerns about health insurance discrimination and loss of privacy as the reason. The Privacy Rule both permits important research and, at the same time, encourages patients to participate in research by providing much needed assurances about the privacy of their health information.

    The Privacy Rule will require some covered health care providers and health plans to change their current practices related to documenting research uses and disclosures. It is possible that some covered health care providers and health plans may conclude that the Rule's requirements for research uses and disclosures are too burdensome and will choose to limit researchers' access to protected health information. We believe few providers will take this route, however, because the Common Rule includes similar, and more rigorous, requirements that have not impaired the willingness of researchers to undertake Federally-funded research. For example, unlike the Privacy Rule, the Common Rule requires an Institutional Review Board (IRB) review for all research proposals under its purview, even if informed consent is to be sought. The Privacy Rule requires documentation of IRB or Privacy Board approval only if patient authorization for the use or disclosure of protected health information for research purposes is to be altered or waived.



  4. Q: Are some of the criteria so subjective that inconsistent determinations may be made by Institutional Review Boards (IRBs) and Privacy Boards reviewing similar or identical research projects?

     A: Under the HIPAA Privacy Rule, IRBs and Privacy Boards need to use their judgment as to whether the waiver criteria have been satisfied. Several of the waiver criteria are closely modeled on the Common Rule's criteria for the waiver of informed consent and for the approval of a research study. Thus, it is anticipated that IRBs already have experience in making the necessarily subjective assessments of risks. While IRBs or Privacy Boards may reach different determinations, the assessment of the waiver criteria through this deliberative process is a crucial element in the current system of safeguarding research participants' privacy. The entire system of local IRBs is, in fact, predicated on a deliberative process that permits local IRB autonomy. The Privacy Rule builds upon this principle; it does not change it. Nonetheless, the Department will consider issuing guidance as necessary and appropriate to address concerns that may arise during implementation of these provisions.



  5. Q: Does the HIPAA Privacy Rule prohibit researchers from conditioning participation in a clinical trial on an authorization to use/disclose existing protected health information?

     A: No. The Privacy Rule does not address conditions for enrollment in a research study. Therefore, the Privacy Rule in no way prohibits researchers from conditioning enrollment in a research study on the execution of an authorization for the use of pre-existing health information.



  6. Q: Does the HIPAA Privacy Rule permit the creation of a database for research purposes through an Institutional Review Board (IRB) or Privacy Board waiver of individual authorization?

     A: Yes. A covered entity may use or disclose protected health information without individuals' authorizations for the creation of a research database, provided the covered entity obtains documentation that an IRB or Privacy Board has determined that the specified waiver criteria were satisfied. Protected health information maintained by a covered entity in such a research database could be used or disclosed for future research studies as permitted by the Privacy Rule, that is, for future studies in which individual authorization has been obtained or where the Rule would permit research without an authorization, such as pursuant to an IRB or Privacy Board waiver.



  7. Q: Can researchers continue to access existing databanks or repositories that are maintained by covered entities, even if those databases were created prior to the compliance date without patient permission or without a waiver of informed consent by an Institutional Review Board (IRB)?

     A: Yes. Under the HIPAA Privacy Rule, covered entities may use or disclose protected health information from existing databases or repositories for research purposes either with individual authorization as required at 45 CFR 164.508, or with a waiver of individual authorization as permitted at 45 CFR 164.512(i).



  8. Q: How does the Rule help Institutional Review Boards (IRBs) handle the additional responsibilities imposed by the HIPAA Privacy Rule?

     A: Recognizing that some institutions may not have IRBs, or that some IRBs may not have the expertise needed to review research that requires consideration of risks to privacy, the Privacy Rule permits the covered entity to accept documentation of waiver of authorization from an alternative body called a Privacy Board, which could have fewer members, and members with different expertise, than IRBs.

    In addition, the Rule allows an IRB to use expedited review procedures as permitted by the Common Rule to review and approve requests for waiver of authorizations. Similarly, the Rule permits Privacy Boards to use an expedited review process when the research involves no more than a minimal privacy risk to the individuals. An expedited review process permits covered entities to accept documentation of waiver of authorization when only one or more members of the IRB or Privacy Board have conducted the review.



  9. Q: By establishing new waiver criteria and authorization requirements, hasn't the HIPAA Privacy Rule, in effect, modified the Common Rule?

     A: No. Where both the Privacy Rule and the Common Rule apply, both regulations must be followed. The Privacy Rule regulates only the content and conditions of the documentation that covered entities must obtain before using or disclosing protected health information for research purposes.



  10. Q: When must an Institutional Review Board (IRB) review and approve patient authorizations for use or disclosure of protected health information related to human subjects research activities in order to satisfy requirements of Department of Health and Human Services (HHS) regulations at 45 CFR part 46?

      A: Under HHS regulations at 45 CFR 46.117(a), IRB review and approval of patient authorizations for use or disclosure of protected health information required by the HIPAA Privacy Rule at 45 CFR 164.508 is only required if the authorization language is going to be part of the IRB-approved informed consent document for human subjects research.

    HHS regulations at 45 CFR part 46 do not require that stand-alone authorizations for use or disclosure of protected health information, not incorporated into the IRB-approved informed consent document, be reviewed and approved by the IRB.



  11. Q: Can an Institutional Review Board (IRB) use an expedited review procedure to review and approve a modification to a previously approved informed consent document where the modification only involves the addition of a patient authorization for use or disclosure of protected health information?

      A: Yes. For on-going research protocols previously approved by the IRB, the addition to the IRB-approved informed consent document of language regarding patient authorization for use or disclosure of protected health information may be considered no more than a minor change to the research and, as a result, be reviewed by the IRB under an expedited review procedure, in accordance with the requirements of HHS regulations at 45 CFR 46.110.



  12. Q: Do Department of Health and Human Services (HHS) regulations at 45 CFR part 46 permit the Institutional Review Board (IRB) to review and approve the insertion of authorization language as a single modification that applies to the informed consent documents of multiple protocols previously approved by the IRB?

      A: Yes. When patient authorizations for use or disclosure of protected health information are to be incorporated into previously approved informed consent documents for a series of protocols and are composed entirely of identical template language, the IRB may approve the insertion of the authorization language as a single modification that applies to the entire series of protocols.

    However, when the patient authorizations for use or disclosure of protected health information are to be incorporated into previously approved informed consent documents for a series of protocols and the authorization statements include protocol-specific information unique to each of the protocols, the IRB should review and approve the insertion of the authorization language separately for each protocol.

    In both cases, an expedited review procedure may be used.



  13. Q: Is documentation of Institutional Review Board (IRB) and Privacy Board approval required by the HIPAA Privacy Rule before a covered entity would be permitted to disclose protected health information for research purposes without an individual's authorization?

      A: No. The HIPAA Privacy Rule requires documentation of waiver approval by either an IRB or a Privacy Board, not both.



  14. Q: Does the HIPAA Privacy Rule require a covered entity to create an Institutional Review Board (IRB) or Privacy Board before using or disclosing protected health information for research?

      A: No. The IRB or Privacy Board could be created by the covered entity or the recipient researcher, or it could be an independent board.



  15. Q: What does the HIPAA Privacy Rule say about a research participant's right of access to research records or results?

      A: With few exceptions, the Privacy Rule gives patients the right to inspect and obtain a copy of health information about themselves that is maintained by a covered entity or its business associate in a "designated record set." A designated record set is basically a group of records which a covered entity uses to make decisions about individuals, and includes a health care provider's medical records and billing records, and a health plan's enrollment, payment, claims adjudication, and case or medical management record systems. While it may be unlikely that a researcher would be maintaining a designated record set, any research records or results that are actually maintained by the covered entity as part of a designated record set would be accessible to research participants unless one of the Privacy Rule's permitted exceptions applies.

    One of the permitted exceptions applies to protected health information created or obtained by a covered health care provider/researcher for a clinical trial. The Privacy Rule permits the individual's access rights in these cases to be suspended while the clinical trial is in progress, provided the research participant agreed to this denial of access when consenting to participate in the clinical trial. In addition, the health care provider/researcher must inform the research participant that the right to access protected health information will be reinstated at the conclusion of the clinical trial.



  16. Q: Are the HIPAA Privacy Rule's requirements regarding patient access in harmony with the Clinical Laboratory Improvements Amendments of 1988 (CLIA)?

      A: Yes. The Privacy Rule does not require clinical laboratories that are also covered health care providers to provide an individual access to information if CLIA prohibits them from doing so. CLIA permits clinical laboratories to provide clinical laboratory test records and reports only to "authorized persons," as defined primarily by State law. The individual who is the subject of the information is not always included as an authorized person. Therefore, the Privacy Rule includes an exception to individuals' general right to access protected health information about themselves if providing an individual such access would be in conflict with CLIA.

    In addition, for certain research laboratories that are exempt from the CLIA regulations, the Privacy Rule does not require such research laboratories, if they are also a covered health care provider, to provide individuals with access to protected health information because doing so may result in the research laboratory losing its CLIA exemption.



  17. Q: Do the HIPAA Privacy Rule's requirements for authorization and the Common Rule's requirements for informed consent differ?

      A: Yes. Under the Privacy Rule, a patient's authorization is for the use and disclosure of protected health information for research purposes. In contrast, an individual's informed consent, as required by the Common Rule and the Food and Drug Administration's (FDA) human subjects regulations, is a consent to participate in the research study as a whole, not simply a consent for the research use or disclosure of protected health information. For this reason, there are important differences between the Privacy Rule's requirements for individual authorization, and the Common Rule's and FDA's requirements for informed consent. However, the Privacy Rule's authorization elements are compatible with the Common Rule's informed consent elements. Thus, both sets of requirements can be met by use of a single, combined form, which is permitted by the Privacy Rule. For example, the Privacy Rule allows the research authorization to state that the authorization will be valid until the conclusion of the research study, or to state that the authorization will not have an expiration date or event. This is compatible with the Common Rule's requirement for an explanation of the expected duration of the research subject's participation in the study. It should be noted that where the Privacy Rule, the Common Rule, and/or FDA's human subjects regulations are applicable, each of the applicable regulations will need to be followed.



  18. Q: When is a researcher a covered health care provider under HIPAA?

      A: A researcher is a covered health care provider if he or she furnishes health care services to individuals, including the subjects of research, and transmits any health information in electronic form in connection with a transaction covered by the Transactions Rule. See 45 CFR 160.102, 160.103. For example, a researcher who conducts a clinical trial that involves the delivery of routine health care, such as an MRI or liver function test, and transmits health information in electronic form to a third party payer for payment, would be a covered health care provider under the Privacy Rule. Researchers who provide health care to the subjects of research or other individuals would be covered health care providers even if they do not themselves electronically transmit information in connection with a HIPAA transaction, but have other entities, such as a hospital or billing service, conduct such electronic transactions on their behalf. For further assistance in determining covered entity status, see the "decision tool" at http://www.hhs.gov/ocr/hipaa/.



  19. Q: When does a covered entity have discretion to determine whether a research component of the entity is part of their covered functions, and therefore, subject to the HIPAA Privacy Rule?

      A: A covered entity that qualifies as a hybrid entity, meaning that the entity is a single legal entity that performs both covered and non-covered functions, may choose whether it wants to be a hybrid entity. If such a covered entity decides not to be a hybrid entity then it, and all of its components, are subject to the Privacy Rule in its entirety. Therefore, if a researcher is an employee or workforce member of a covered entity that has decided not to be a hybrid entity, the researcher is part of the covered entity and is, therefore, subject to the Privacy Rule.

    If a covered entity decides to be a hybrid entity, it must define and designate as its health care component(s) those parts of the entity that engage in covered functions. "Covered functions" are those functions of a covered entity that make the entity a health plan, a health care provider, or a health care clearinghouse. Thus, research components of a hybrid entity that function as health care providers and engage in standard electronic transactions must be included in the hybrid entity's health care components and be subject to the Privacy Rule.

    However, research components that function as health care providers, but do not engage in standard electronic transactions may, but are not required to, be included in the health care component(s) of the hybrid entity. For example, a hybrid entity, such as a university, has the option to include or exclude a research laboratory, that functions as a health care provider but does not engage in electronic transactions, as part of the hybrid entity's health care component. If such a research laboratory is included in the hybrid entity's health care component, then the employees or workforce members of the laboratory must comply with the Privacy Rule. But if the research laboratory is excluded from the hybrid entity's health care component, the employees or workforce members of the laboratory are not subject to the Privacy Rule.



  20. Q: If a research subject revokes his or her authorization to have protected health information used or disclosed for research, does the HIPAA Privacy Rule permit a researcher/covered health care provider to continue using the protected health information already obtained prior to the time the individual revoked his or her authorization?

      A: Covered entities may continue to use and disclose protected health information that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study. An individual may not revoke an authorization to the extent the covered entity has acted in reliance on the authorization. For research uses and disclosures, this reliance exception at 45 CFR 164.508(b)(5)(i) permits the continued use and disclosure of protected health information already obtained pursuant to a valid authorization to the extent necessary to preserve the integrity of the research study. For example, the reliance exception would permit the continued use and disclosure of protected health information to account for a subject's withdrawal from the research study, as necessary to incorporate the information as part of a marketing application submitted to the Food and Drug Administration, to conduct investigations of scientific misconduct, or to report adverse events.

    However, the reliance exception would not permit a covered entity to continue disclosing additional protected health information to a researcher or to use for its own research purposes information not already gathered at the time an individual withdraws his or her authorization.



  21. Q: Can the preparatory research provision of the HIPAA Privacy Rule at 45 CFR 164.512(i)(1)(ii) be used to recruit individuals into a research study?

      A: The preparatory research provision permits covered entities to use or disclose protected health information for purposes preparatory to research, such as to aid study recruitment. However, the provision at 45 CFR 164.512(i)(1)(ii) does not permit the researcher to remove protected health information from the covered entity's site. As such, a researcher who is an employee or a member of the covered entity's workforce could use protected health information to contact prospective research subjects. The preparatory research provision would allow such a researcher to identify prospective research participants for purposes of seeking their authorization to use or disclose protected health information for a research study. In addition, the Rule permits a covered entity to disclose protected health information to the individual who is the subject of the information. See 45 CFR 164.502(a)(1)(i). Therefore, covered health care providers and patients may continue to discuss the option of enrolling in a clinical trial without patient authorization, and without an Institutional Review Board (IRB) or Privacy Board waiver of the authorization.

    However, a researcher who is not a part of the covered entity may not use the preparatory research provision to contact prospective research subjects. Rather, the outside researcher could obtain contact information through a partial waiver of individual authorization by an IRB or Privacy Board as permitted at 45 CFR 164.512(i)(1)(i). The IRB or Privacy Board waiver of authorization permits the partial waiver of authorization for the purposes of allowing a researcher to obtain protected health information as necessary to recruit potential research subjects. For example, even if an IRB does not waive informed consent and individual authorization for the study itself, it may waive such authorization to permit the disclosure of protected health information as necessary for the researcher to be able to contact and recruit individuals into the study.



  43. Q: The preparatory to research provision of the HIPAA Privacy Rule at 45 CFR 164.512(i)(1)(ii) addresses certain circumstances in which seeking patient authorization for use or disclosure of protected health information is not required, nor is obtaining Privacy Board or Institutional Review Board (IRB) approval of a waiver of patient authorization required. When do the requirements under Department of Health and Human Services (HHS) regulations at 45 CFR part 46 related to IRB review and informed consent apply to such "preparatory to research" activities?

  44. A: Department of Health and Human Services (HHS) regulations for the protection of human subjects at 45 CFR part 46 do not reference "preparatory to research" activities.

    HHS regulations at 45 CFR 46.102(d) define "research" as "a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge."

    HHS regulations at 45 CFR 46.102(f) define "human subject" as a living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information. . . . Private information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). Private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects.

    When a "preparatory to research" activity (i) involves human subjects research, as defined above; (ii) is conducted or supported by HHS or conducted under an applicable assurance approved by the Office for Human Research Protections (OHRP); and (iii) does not meet the criteria for exemption under HHS regulations at 45 CFR 46.101(b), the research must be reviewed and approved by an institutional review board in accordance with HHS regulations at 45 CFR 46.109(a), and informed consent of the subjects must be sought and documented in accordance with, and to the extent required by, HHS regulations at 45 CFR 46.116 and 46.117, respectively.

    The Privacy Rule permits, under the "preparatory to research" provision, investigators who are employees or other members of the covered entity's workforce to obtain and record information from that covered entity's medical records for the purposes of identifying and recruiting potential human subjects. Such activities in which an investigator obtains and records individually identifiable health information would involve human subjects research under the HHS regulations at 45 CFR part 46 and would not satisfy the criteria for any exemption under HHS regulations at 45 CFR 46.101(b). As a result, if such activities are conducted or supported by HHS or conducted under an applicable OHRP-approved assurance, the research activities must be reviewed and approved by an IRB and informed consent of the subjects must be sought and documented in accordance with, and to the extent required by, HHS regulations at 45 CFR 46.116 and 46.117, respectively.

    The above interpretation does not contradict in any way the Office for Civil Rights' (OCR) interpretation of the HIPAA Privacy Rule. It should be noted that patient authorization for use or disclosure of protected health information provided for under the HIPAA Privacy Rule and legally effective informed consent for research provided for under HHS regulations at 45 CFR 46.116 and 46.117 are not the same.

    Furthermore, the HIPAA Privacy Rule does not preempt any requirements of 45 CFR part 46, and vice-versa. In situations where both 45 CFR part 46 and the HIPAA Privacy Rule are applicable, institutions must adhere to both sets of regulations. For formal guidance on interpretation of the HIPAA Privacy Rule, contact the HHS Office for Civil Rights, http://www.hhs.gov/ocr/hipaa/.

    For formal guidance on interpretation of HHS regulations at 45 CFR part 46, contact OHRP, http://ohrp.osophs.dhhs.gov.



  45. Q: Does the HIPAA Privacy Rule require documentation of Institutional Review Board (IRB) or Privacy Board approval of an alteration or waiver of individual authorization before a covered entity may use or disclose protected health information for any of the following provisions: (1) for preparatory research at 45 CFR 164.512(i)(1)(ii), (2) for research on the protected health information of decedents at 45 CFR 164.512(i)(1)(iii), or (3) a limited data set with a data use agreement as stipulated at 45 CFR 164.514(e)?

  46. A: No. Documentation of IRB or Privacy Board approval of an alteration or waiver of individual authorization is only needed before a covered entity may use or disclose protected health information under 45 CFR 164.512(i)(1)(i).



  47. Q: Will the Department of Health and Human Services (HHS) make future changes to the HIPAA Privacy Rule and, if so, how will these changes be made?

  48. A: Under HIPAA, HHS has the authority to modify the privacy standards as the Secretary may deem appropriate. However, a standard can be modified only once in a 12-month period. As a general rule, future modifications to the Privacy Rule must be made in accordance with the Administrative Procedure Act (APA). HHS will comply with the APA by publishing proposed rule changes, if any, in the Federal Register through a Notice of Proposed Rulemaking and will invite comment from the public. After reviewing and addressing those comments, HHS will issue a modified final rule.



  49. Q: If research subjects' consent was obtained before the compliance date, but the Institutional Review Board (IRB) subsequently modifies the informed consent document after the compliance date and requires that subjects be reconsented, is authorization now required from these previously enrolled research subjects under the HIPAA Privacy Rule?

  50. A: Yes. If informed consent or reconsent (i.e., a revised consent or another informed consent) is obtained from research subjects after the compliance date, the covered entity must obtain individual authorization as required at 45 CFR 164.508 for the use or disclosure of protected health information once the consent obtained before the compliance date is no longer valid for the research. The revised informed consent document may be combined with the authorization elements required by 45 CFR 164.508.



  51. Q: Will the Office for Human Research Protections (OHRP) assess compliance with the requirements of the HIPAA Privacy Rule during OHRP's compliance oversight evaluations?

  52. A: Since OHRP does not implement or enforce the HIPAA Privacy Rule, OHRP will NOT assess compliance with the requirements of the HIPAA Privacy Rule during its compliance oversight evaluations.



  53. Q: Can covered entities continue to disclose adverse event reports that contain protected health information to the Department of Health and Human Services (HHS) Office for Human Research Protections (OHRP)?

  54. A: Yes. The OHRP is a public health authority under the HIPAA Privacy Rule. Therefore, covered entities can continue to disclose protected health information to report adverse events to the OHRP either with patient authorization as provided at 45 CFR 164.508, or without patient authorization for public health activities as permitted at 45 CFR 164.512(b).



  55. Q: Can covered entities continue to disclose protected health information to the Department of Health and Human Services (HHS) Office for Human Research Protections (OHRP) for purposes of determining compliance with the HHS regulations for the protection of human subjects (45 CFR part 46)?

  56. A: Yes. The Office for Human Research Protections is a health oversight agency under the HIPAA Privacy Rule. Therefore, covered entities can continue to disclose protected health information to the OHRP for such compliance investigations either with patient authorization as provided at 45 CFR 164.508, or without patient authorization for health oversight activities as permitted at 45 CFR 164.512(d).



  57. Q: Does the HIPAA Privacy Rule protect genetic information?

  58. A: Yes, genetic information is health information protected by the Privacy Rule. Like other health information, to be protected it must meet the definition of protected health information: it must be individually identifiable and maintained by a covered health care provider, health plan, or health care clearinghouse. See 45 CFR 160.103 and 164.501.



  59. Q: Are State, county or local health departments required to comply with the HIPAA Privacy Rule?

  60. A: Yes, if a State, county or local health department performs functions that make it a covered entity, or otherwise meets the definition of a covered entity. For example, a State Medicaid program is a covered entity (i.e., a health plan) as defined in the Privacy Rule. Some health departments operate health care clinics and thus are health care providers. If these health care providers transmit health information electronically in connection with a transaction covered in the HIPAA Transactions Rule, they are covered entities. For more information, see the definitions of covered entity, health care provider, health plan and health care clearinghouse in 45 CFR 160.103. See also the "Covered Entity Decision Tools" posted at http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp. These tools address the question of whether a person, business or agency is a covered health care provider, health care clearinghouse or health plan.

    If the health department performs some covered functions (i.e., those activities that make it a provider that conducts certain transactions electronically, a health plan or a health care clearinghouse) and other non-covered functions, it may designate those components (or parts thereof) that perform covered functions as the health care component(s) of the organization and thereby become a type of covered entity known as a "hybrid entity." Most of the requirements of the Privacy Rule apply only to the hybrid entity's health care component(s). If a health department elects to be a hybrid entity, there are restrictions on how its health care component(s) may disclose protected health information to other components of the health department. See 45 CFR 164.504 (a) - (c) for more information about hybrid entities.



  61. Q: Will the Privacy Rule alter the National Institutes of Health (NIH) peer review process?

  62. A: No. New and competing continuation grant and cooperative agreement applications will continue to be evaluated using the existing review criteria found in PHS 398 and reviewers will continue to use the existing NIH Instructions to Reviewers for Evaluating Research Involving Human Subjects. When conducting investigator-initiated research that involves a covered entity the Privacy Rule may influence the environment in which the research takes place. As a result, implementing the Privacy Rule may affect the feasibility, design, and cost of the research. As with any issue that can affect feasibility, design, and cost, researchers should continue to follow the instructions in the PHS 398 and discuss such issues, as needed, in the research plan and budget sections of the application. For additional information see the NIH Grants Guide Notice.



  63. Q: How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?

  64. A: The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for protected health information to the minimum necessary to accomplish the intended purpose. To allow covered entities the flexibility to address their unique circumstances, the Rule requires covered entities to make their own assessment of what protected health information is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not an absolute standard and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers and plans today to limit the unnecessary sharing of medical information.

    The minimum necessary standard requires covered entities to evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to protected health information. It is intended to reflect and be consistent with, not override, professional judgment and standards. Therefore, it is expected that covered entities will utilize the input of prudent professionals involved in health care activities when developing policies and procedures that appropriately limit access to personal health information without sacrificing the quality of health care.



  65. Q: Must the HIPAA Privacy Rule's minimum necessary standard be applied to uses or disclosures that are authorized by an individual?

  66. A: No. Uses and disclosures that are authorized by the individual are exempt from the minimum necessary requirements. For example, if a covered health care provider receives an individual's authorization to disclose medical information to a life insurer for underwriting purposes, the provider is permitted to disclose the information requested on the authorization without making any minimum necessary determination. The authorization must meet the requirements of 45 CFR 164.508.



  67. Q: Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request of an entire medical record? If not, are case-by-case justifications required each time an entire medical record is disclosed?

  68. A: No. The Privacy Rule does not prohibit the use, disclosure, or request of an entire medical record; and a covered entity may use, disclose, or request an entire medical record without a case-by-case justification, if the covered entity has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes. For uses, the policies and procedures would identify those persons or classes of person in the workforce that need to see the entire medical record and the conditions, if any, that are appropriate for such access. Policies and procedures for routine disclosures and requests and the criteria used for non-routine disclosures and requests would identify the circumstances under which disclosing or requesting the entire medical record is reasonably necessary for particular purposes.

    The Privacy Rule does not require that a justification be provided with respect to each distinct medical record.

    Finally, no justification is needed in those instances where the minimum necessary standard does not apply, such as disclosures to or requests by a health care provider for treatment purposes or disclosures to the individual who is the subject of the protected health information.



  69. Q: Is a covered entity required to apply the HIPAA Privacy Rule's minimum necessary standard to a disclosure of protected health information it makes to another covered entity?

  70. A: Covered entities are required to apply the minimum necessary standard to their own requests for protected health information. One covered entity may reasonably rely on another covered entity's request as the minimum necessary, and then does not need to engage in a separate minimum necessary determination. See 45 CFR 164.514(d)(3)(iii). However, if a covered entity does not agree that the amount of information requested by another covered entity is reasonably necessary for the purpose, it is up to both covered entities to negotiate a resolution of the dispute as to the amount of information needed. Nothing in the Privacy Rule prevents a covered entity from discussing its concerns with another covered entity making a request, and negotiating an information exchange that meets the needs of both parties. Such discussions occur today and may continue after the compliance date of the Privacy Rule.



  71. Q: Is a business associate contract required for a covered entity to disclose protected health information to a researcher?

  72. A: No. Disclosures from a covered entity to a researcher for research purposes do not require a business associate contract, even in those instances where the covered entity has hired the researcher to perform research on the covered entity's own behalf. A business associate agreement is required only where a person or entity is conducting a function or activity regulated by the Administrative Simplification Rules on behalf of a covered entity, such as payment or health care operations, or providing one of the services listed in the definition of "business associate" at 45 CFR 160.103. However, the HIPAA Privacy Rule does not prohibit a covered entity from entering into a business associate contract with a researcher if the covered entity wishes to do so. Notwithstanding the above, a covered entity is only permitted to disclose protected health information to a researcher as permitted by the Rule, that is, with an individual's authorization pursuant to 45 CFR 164.508, without an individual's authorization as permitted by 45 CFR 164.512(i), or as a limited data set provided that a data use agreement is in place as permitted by 45 CFR 164.514(e).



  73. Q: How might the Privacy Rule impact the National Institutes of Health (NIH) Grant and Cooperative Agreement Application and Research Contract Processes?

  74. A: New and Competing Continuation Grant and Cooperative Agreement Applications/Contract Proposals - Review and Funding

    Grant and Cooperative Agreement Applications:

    When conducting investigator-initiated research that involves a covered entity the Privacy Rule may influence the environment in which the research takes place. As a result, implementing the Privacy Rule may affect the feasibility, design, and cost of the research. As with any issue that can affect feasibility, design, and cost, researchers should continue to follow the instructions in the PHS 398 (http://grants.nih.gov/grants/funding/phs398/phs398.html) and discuss such issues, as needed, in the research plan and budget sections of the application.

    It is important to note that the Privacy Rule does not replace or act in lieu of existing regulations for the protection of human subjects found in 45 CFR part 46. Therefore, instructions in the Human Subjects section of the PHS 398 remain the same. Researchers should continue to consider issues of privacy and confidentiality as they affect the adequacy of protections of human subjects from research risks, and when appropriate, address these issues in the Human Subjects section of the research plan.

    New and competing continuation grant and cooperative agreement applications will continue to be evaluated using the existing review criteria found in PHS 398, and reviewers will continue to use the existing NIH Instructions to Reviewers for Evaluating Research Involving Human Subjects (http://grants.nih.gov/grants/peer/hs_review_inst.pdf).

    Some Requests For Applications (RFAs) and Program Announcements (PAs) may request applications for specific areas of research and could indicate the need to provide a plan for acquiring or accessing data under the Privacy Rule. In such cases, the review criteria listed in the RFA or PA could be augmented to include adequacy of such plans and reviewers would evaluate these.

    NIH funding decisions for new and competing continuation grants and cooperative agreements will continue to be based on scientific merit, programmatic need, and availability of funds. Program staff will continue to discuss and seek resolution of issues or problems noted in the summary statement - including issues noted regarding the effect of the Privacy Rule - with investigators prior to funding.

    Research Contract Proposals:

    When performing research under a research contract that involves a covered entity, the Privacy Rule may affect the environment in which the research takes place. As a result, implementing the Privacy Rule may affect the feasibility, design, and cost of the research. As with any issue that can affect feasibility, design, and cost, researchers should discuss the issues, as needed, in the technical and business proposal sections of the contract proposal.

    It is important to note that the Privacy Rule does not replace or act in lieu of existing regulations for the protection of human subjects found in 45 CFR part 46. Therefore, instructions in Section L of the solicitation remain the same. Researchers should continue to consider issues of privacy and confidentiality as they affect the adequacy of protections of human subjects from research risks, and when appropriate, address these issues in the Human Subjects section of the technical proposal.

    For new contract solicitations, reviewers will use the evaluation criteria set forth in Section M of the solicitation and continue to use the existing instructions found in Manual Chapter 6315-1 (http://www1.od.nih.gov/oma/manualchapters/contracts/6315-1/). Some Requests for Proposals (RFPs) could indicate the need to provide a plan for acquiring or accessing data under the Privacy Rule. In such cases, the review criteria listed in the RFP could be augmented to include adequacy of these plans and reviewers would evaluate these.

    NIH funding decisions for new research contracts will continue to be based on technical merit and cost. The technical evaluation report will include a discussion of issues and problems, including any noted regarding the Privacy Rule. The contracting officer will include these issues and problems during discussions held with offerors in the competitive range and seek resolution prior to award.

    Effects on Non-Competing Applications/Contracts - Progress Monitoring

    Grants and Cooperative Agreements:

    During the period of award, principal investigators of grants and cooperative agreements communicate progress and issues about the research with NIH program and grants management staff in annual progress reports, as well as on an as-needed basis. If situations are encountered that significantly delay the study, change the study design or procedures, or change the costs of the research, these issues should be communicated to NIH staff as soon as possible. This same practice applies to significant research delays or problems associated with acquiring or accessing data under the Privacy Rule; such issues should be communicated to NIH staff. NIH staff will evaluate situations on a case-by-case basis.

    Research Contracts:

    During the contract period of performance, the contractor communicates progress and issues about the research to the contracting officer and project officer on a regular and as-needed basis. If it encounters situations that significantly delay the study, change the study design or procedures, or change the costs of the research, these should be communicated to NIH staff as soon as possible. In this same manner, significant research delays or problems associated with acquiring or accessing data under the Privacy Rule should be communicated to the contracting officer and project officer, who will evaluate the situation on a case-by-case basis.



  75. Q: Where can researchers obtain additional information on the Privacy Rule?

  76. A: As part of its oversight role, the Office for Civil Rights (OCR) is providing a number of publications on implementing the Privacy Rule through its web site at http://www.hhs.gov/ocr and http://www.hhs.gov/ocr/hipaa/. As the research community, the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), and the National Institutes of Health (NIH) gain experience with implementation of the Rule, additional FAQs and publications will be posted on these OCR web sites.

    National Institutes of Health (NIH) staff can provide assistance in locating educational materials on the Privacy Rule. For general questions about how the Privacy Rule may affect the review, funding, and progress monitoring of NIH grants, cooperative agreements and research contracts, please contact program and grants management staff in the NIH relevant to your area of scientific interest.




