National Institutes of Health


National Institutes of Health HIPAA Privacy Rule - Information for Researchers
This website is currently in the process of being updated. For guidance on the HIPAA Privacy Rule in research, please see: https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html

Information for Patients

Letting Your Personal Health Information Be Used and Shared for Research

The Privacy Rule Authorization Form and Clinical Research: What You Should Know

Medical research helps us learn new information about health, illness, and disease and how we can improve health for everyone. You have been asked to join a clinical research study. If you agree to be in this study after learning about it, the research team will ask you to sign certain important forms. One of these may be an authorization form. This form may ask you to let your doctors or other health care providers give your personal health information to the research team. The authorization form could also ask you to let the research team use or share your personal health information with others for the research study. The research team might need to use and share different types of personal health information, such as:

  • Your name and address
  • Your health background
  • Your health care provider's name
  • Your birthday
  • Your Social Security number
  • Your medical records
  • Your ethnic origin
  • Your lab test results and X-rays
  • Notes taken by a doctor or nurse
  • Your medical diagnosis

Why am I being asked to sign an authorization form?

Many people have concerns about who can see and use information about them, particularly information about their health. The U.S. Government created a rule, called the Privacy Rule, under the Health Insurance Portability and Accountability Act (HIPAA) to help protect your personal health information from being used or shared when it shouldn't be.

Examples of Covered Entities

  • Many hospitals
  • Many doctors or nurses
  • Some researchers
  • Health insurers
  • Medicare and Medicaid plans

    Since 2003, most hospitals, doctors, and health plans that have your personal health information must follow the Privacy Rule. These hospitals, doctors, and health plans are called "covered entities."

    People who work for "covered entities" also may have to follow the Privacy Rule. This usually means that research teams (such as scientists, nurses, and other hospital staff) that work for "covered entities" can use and share your personal health information for this study only after getting your okay. This also usually means that your doctor can't share your personal health information with the research team for this study unless you give your okay. You give your okay by signing the authorization form.

    The research team may need information in your medical records for the research study. For example, they may need to know your medical diagnosis or know about allergies you may have. The research team may also need to collect health information about you from other health care providers because the information may be important to the study. For example, the research team may need to get your lab test results from your doctor.

    What information will be in the authorization form?

    The authorization form will tell you:

    • Who will use, share, and receive your personal health information. This could be your doctor, other doctors and nurses taking care of you, or the researchers and other members of the research team. This could also be other institutions or companies that pay for the research.
    • What personal health information is needed for the research study. This may include some or all of your medical records, information about the medicines you take, the results of blood tests or X-rays, and other health information.
    • Why your personal health information will be used or shared. This part will describe the research study. It also may tell you the title of the research study.
    • Your right to change your mind and cancel your authorization at any time.
    • Information on what happens if you do not sign the authorization form, how to cancel your authorization, and how long your information will be used or shared.

    Will everyone who sees my personal health information have to protect it under the Privacy Rule?

    Not always. There may be times when your personal health information is shared with someone who doesn't have to follow the Privacy Rule. Examples of people and organizations that may not have to follow the Privacy Rule are:

    • Sponsors of the research study
    • Makers of drugs for the study
    • Some researchers

    Even though some doctors, researchers, or organizations aren't covered entities under the Privacy Rule, many of them know it's important to keep your information private. They also may have to follow state or other national laws that protect your information.

    Authorization form checklist:

  • I have read the authorization form completely, either on my own or with someone from the research team.
  • I understand what the authorization form is saying.
  • I understand who may be using my personal health information as part of the research study.
  • I have asked a member of the research team any questions I have, and I understand the answers.
  • I have received a signed copy of my authorization form for the research study I am joining.

    I don't understand why the authorization form says that the Privacy Rule may not protect my personal health information if it's shared. Why does the authorization form say this?

    There may be times when your personal health information is shared with some doctors, researchers, or organizations (such as makers of drugs for the study or study sponsors) that don't have to follow the Privacy Rule. The authorization form tells you that the Privacy Rule may not protect your personal health information when it is shared with others so that you are aware of this before you decide to sign the form.

    I am not sure if I should sign the authorization. What happens if I don't sign?

    If you don't sign the form, you may not be able to join the research study. However, your decision to not sign the authorization form won't affect the regular treatment you receive from your regular doctors, nurses, or other professionals normally involved in your health care.

    I want to let the research team have my personal health information so I can join the study. How do I give my authorization?

    To give your authorization, you need to sign and date the authorization form. Signing the form means that you give your okay for the research team to use or share your personal health information for the research study. Signing the authorization form may also mean that you will give your doctor or hospital your okay to share your health information with the research team.

    The authorization form might be given to you as a separate form, or it may be included with the informed consent form you must sign to become part of the study. In either case, the form will tell you how the research team or your doctor or hospital may use or share your personal health information for the study.

    Once I have signed the authorization, can I change my mind and cancel it?

    Yes, you may change your mind and cancel your authorization at any time.

    How do I cancel my authorization?

    You must cancel your authorization in writing. The authorization form will give you instructions on where to send the written notice or will direct you to another place to find this information. Once the research study team receives your written cancellation, it won't be allowed to collect, use, or share more personal health information about you except in limited cases. For example, they may need to use or share this information to make sure the research study is still reliable, to report when you cancelled your authorization, or to report any unexpected health problems that started before you cancelled your authorization.

    Will I still be able to stay in the study if I cancel my authorization?

    It's up to the research team to decide if you may stay in the research study if you cancel your authorization. Many times a research study can only be helpful if all of the people stay in the study and all of their information can be used and studied for the entire time of the study.

    Can my doctor use my authorization for the research study as my okay to share my information for marketing?

    No. The Privacy Rule does not allow a doctor or another "covered entity" to use your authorization to use or share your information for research as an authorization for marketing.

    What can I do if I think someone has not protected my personal health information?

    If you think your privacy rights under the Privacy Rule were violated, you may complain to the "covered entity" (such as the doctor or hospital you visit for the research study). You may also complain to the Office for Civil Rights (OCR). Your complaint must be in writing. To complain to OCR:

    • Send the complaint electronically by email to OCRComplaint@hhs.gov, or as a letter or fax to the OCR regional office where the possible violation happened. These regional offices are on the map and chart shown on the back cover, or you can find them on the OCR website at http://www.hhs.gov/ocr/privacyhowtofile.htm.
    • Print and fill out the form found on the above website or send the same information to the OCR regional office. Name the person or organization you are complaining about, and describe how you think they didn't follow the Privacy Rule.
    • Send in your complaint within 180 days of when you learned about the possible violation.
    • Make sure that any possible violation happened on or after April 14, 2003, which is when the Privacy Rule protection started.

    For more information on the Privacy Rule and for filing complaints go to the OCR website: http://www.hhs.gov/ocr/hipaa. You can also call OCR for free at 1 (800) 368-1019.

    NIH Publication Number 05-5613
    Map of the HRSA Regions
    Region I - CT, ME, MA, NH, RI, VT
    Office for Civil Rights
    U.S. Department of Health and Human Services
    JFK Federal Building - Room 1875
    Boston, MA 02203
    (617) 565-1340
    (617) 565-1343 (TDD)
    (617) 565-3809 FAX

    Region II - NJ, NY, PR, VI
    Office for Civil Rights
    U.S. Department of Health and Human Services
    26 Federal Plaza - Suite 3313
    New York, NY 10278
    (212) 264-3313
    (212) 264-2355 (TDD)
    (212) 264-3039 FAX

    Region III - DE, DC, MD, PA, VA, WV
    Office for Civil Rights
    U.S. Department of Health and Human Services
    150 S. Independence Mall West - Suite 372
    Philadelphia, PA 19106-3499
    (215) 861-4441
    (215) 861-4440 (TDD)
    (215) 861-4431 FAX

    Region IV - AL, FL, GA, KY, MS, NC, SC, TN
    Office for Civil Rights
    U.S. Department of Health and Human Services
    61 Forsyth Street, SW - Suite 3B70
    Atlanta, GA 30323
    (404) 562-7886
    (404) 331-2867 (TDD)
    (404) 562-7881 FAX

    Region V - IL, IN, MI, MN, OH, WI
    Office for Civil Rights
    U.S. Department of Health and Human Services
    233 N. Michigan Avenue - Suite 240
    Chicago, IL 60601
    (312) 886-2359
    (312) 353-5693 (TDD)
    (312) 886-1807 FAX

    Region VI - AR, LA, NM, OK, TX
    Office for Civil Rights
    U.S. Department of Health and Human Services
    1301 Young Street - Suite 1169
    Dallas, TX 75202
    (214) 767-4056
    (214) 767-8940 (TDD)
    (214) 767-0432 FAX

    Region VII - IA, KS, MO, NE
    Office for Civil Rights
    U.S. Department of Health and Human Services
    601 East 12th Street - Room 248
    Kansas City, MO 64106
    (816) 426-7278
    (816) 426-7065 (TDD)
    (816) 426-3686 FAX

    Region VIII - CO, MT, ND, SD, UT, WY
    Office for Civil Rights
    U.S. Department of Health and Human Services
    1961 Stout Street - Room 1426
    Denver, CO 80294
    (303) 844-2024
    (303) 844-3439 (TDD)
    (303) 844-2025 FAX

    Region IX - AZ, CA, HI, NV, AS, GU, The U.S. Affiliated Pacific Island Jurisdictions
    Office for Civil Rights
    U.S. Department of Health and Human Services
    50 United Nations Plaza - Room 322
    San Francisco, CA 94102
    (415) 437-8310
    (415) 437-8311 (TDD)
    (415) 437-8329 FAX

    Region X - AK, ID, OR, WA
    Office for Civil Rights
    U.S. Department of Health and Human Services
    2201 Sixth Avenue - Mail Stop RX-11
    Seattle, WA 98121
    (206) 615-2290
    (206) 615-2296 (TDD)
    (206) 615-2297 FAX
