National Institutes of Health

National Institutes of Health HIPAA Privacy Rule - Information for Researchers
This website is currently in the process of being updated. For guidance on the HIPAA Privacy Rule in research, please see:

Educational Materials

Clinical Research


Institutional Review Boards

Privacy Boards

Information for Patients

HIPAA Privacy Rule Booklet for Research

Health Services Research and the HIPAA Privacy Rule

Research Repositories, Databases

Why Should Researchers Be Aware of the HIPAA Privacy Rule?

The Privacy Rule regulates the way certain health care groups, organizations, or businesses, called covered entities under the Rule, handle the individually identifiable health information known as protected health information (PHI). Researchers should be aware of the Privacy Rule because it establishes the conditions under which covered entities can use or disclose PHI for many purposes, including for research. Although not all researchers will have to comply with the Privacy Rule, the manner in which the Rule protects PHI could affect certain aspects of research.

It is important to understand that many research organizations that handle individually identifiable health information will not have to comply with the Privacy Rule because they will not be covered entities. The Privacy Rule will not directly regulate researchers who are engaged in research within organizations that are not covered entities even though they may gather, generate, access, and share personal health information. For instance, entities that sponsor health research or create and/or maintain health information databases may not themselves be covered entities, and thus may not directly be subject to the Privacy Rule. However, researchers may rely on covered entities for research support or as sources of individually identifiable health information to be included in research repositories or research databases. The Privacy Rule may affect such independent researchers, as it will affect their relationships with covered entities.

In some instances, researchers may have to comply with the Privacy Rule because they may be or may work for a covered entity. For example, the Privacy Rule defines covered entities to include health care providers that transmit health information electronically in connection with certain financial and administrative transactions (such as most hospitals). As such, researchers who are or who work for these covered entities would need to understand the Privacy Rule and how it works because the Rule describes how covered entities can establish relationships in which PHI can be used and shared, as well as the specific ways in which a covered entity may use or disclose the PHI it holds, and under what conditions it can allow use or disclosure of the information.

Researchers in medical and health-related disciplines rely on access to many sources of health information, from medical records and epidemiological databases to disease registries, hospital discharge records, and government compilations of vital and health statistics. For this reason, the Privacy Rule may impact various areas of research, including clinical research, repositories and databases, and health services research. For example, health services researchers study the organization, financing, and delivery of health care services, often by analyzing large databases of health care information maintained by providers, institutions, payers, and government agencies. Clinical researchers often access medical information from patient charts and tissue and data repositories, and create individually identifiable health information in connection with an experimental intervention. For information on how the Privacy Rule may affect specific research areas, see the companion pieces to this booklet: Health Services Research and the HIPAA Privacy Rule; Repositories, Databases, and the HIPAA Privacy Rule; Clinical Research and the HIPAA Privacy Rule; Institutional Review Boards and the HIPAA Privacy Rule; and Privacy Boards and the HIPAA Privacy Rule.

As you read this booklet, keep in mind that—prior to the Privacy Rule—researchers have been concerned about the privacy accorded to subjects’ research-related information and, in fact, may have been required under State and/or Federal laws to take measures to protect such information from inappropriate use and disclosure. The Privacy Rule may add a new layer of privacy protections for those who volunteer for research projects by introducing new ways in which covered entities handle PHI, even for research. This booklet introduces researchers to the Privacy Rule and how covered entities are required to protect individuals’ privacy by giving them more comprehensive rights to know and control how and when their PHI is used and disclosed for research. These protections have the potential to strengthen safeguards researchers typically use to protect those who volunteer themselves and their information for advancing medical knowledge.
