National Institutes of Health

Sitemap Contact
National Institutes of Health HIPAA Privacy Rule - Information for Researchers
This website is currently in the process of being updated. For guidance on the HIPAA Privacy Rule in research, please see:

Educational Materials

Clinical Research


Institutional Review Boards

Privacy Boards

Information for Patients

HIPAA Privacy Rule Booklet for Research

Health Services Research and the HIPAA Privacy Rule

Research Repositories, Databases


The terms and definitions defined or described here have been summarized from the Privacy Rule. Refer to the Privacy Rule for a complete listing of terms and their specific definitions.

Accounting for Disclosures - Information that describes a covered entity's disclosures of PHI other than for treatment, payment, and health care operations; disclosures made with Authorization; and certain other limited disclosures. For those categories of disclosures that need to be in the accounting, the accounting must include disclosures that have occurred during the 6 years (or a shorter time period at the request of the individual) prior to the date of the request for an accounting. However, PHI disclosures made before the compliance date for a covered entity are not part of the accounting requirement.

Authorization - An individual's written permission to allow a covered entity to use or disclose specified PHI for a particular purpose. Except as otherwise permitted by the Rule, a covered entity may not use or disclose PHI for research purposes without a valid Authorization.

Business Associate - A person or entity who, on behalf of a covered entity, performs or assists in performance of a function or activity involving the use or disclosure of individually identifiable health information, such as data analysis, claims processing or administration, utilization review, and quality assurance reviews, or any other function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule. Business associates are also persons or entities performing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity where performing those services involves disclosure of individually identifiable health information by the covered entity or another business associate of the covered entity to that person or entity. A member of a covered entity's workforce is not one of its business associates. A covered entity may be a business associate of another covered entity.

Compliance Date - The date by which a covered entity must comply with a standard, implementation specification, requirement, or modification adopted under the Privacy Rule. With the exception of small health plans, which have an extra year to comply, covered entities must complete implementation of, and be in compliance with, the Privacy Rule by April 14, 2003.

Covered Entity - A health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard.

Covered Functions - Those functions of a covered entity the performance of which makes the entity a health care provider, health plan, or health care clearinghouse under the HIPAA Administrative Simplification Rules.

Data Use Agreement- An agreement into which the covered entity enters with the intended recipient of a limited data set that establishes the ways in which the information in the limited data set may be used and how it will be protected.

Designated Record Set - A group of records maintained by or for a covered entity that includes (1) medical and billing records about individuals maintained by or for a covered health care provider; (2) enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (3) used, in whole or in part, by or for the covered entity to make decisions about individuals. A record is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.

Disclosure - The release, transfer, access to, or divulging of information in any other manner outside the entity holding the information.

FDA Protection of Human Subjects Regulations - Regulations intended to protect the rights, safety, and welfare of participants involved in studies subject to FDA jurisdiction. The FDA Protection of Human Subjects Regulations can be found at Title 21 Code of Federal Regulations, Parts 50 and 56.

Health Care - Care, services, or supplies related to the health of an individual, including (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Health Care Clearinghouse - A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and "value-added" networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.

Health Care Provider - A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Health Information - Any information, whether oral or recorded in any form or medium, that (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) - This Act requires, among other things, under the Administrative Simplification subtitle, the adoption of standards, including standards for protecting the privacy of individually identifiable health information.

Health Plan - For the purposes of Title II of HIPAA, an individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) and including entities and government programs listed in the Rule. Health plan excludes: (1) any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and (2) a government-funded program (unless otherwise included at section 160.103 of HIPAA) whose principal purpose is other than providing, or paying for the cost of, health care or whose principal activity is the direct provision of health care to persons or the making of grants to fund the direct provision of health care to persons.

HHS Protection of Human Subjects Regulations - Regulations intended to protect the rights and welfare of human subjects involved in research conducted or supported by HHS. The HHS regulations include the Federal Policy for the Protection of Human Subjects, effective August 19, 1991, and provide additional protections for pregnant women, fetuses, neonates, prisoners, and children involved in research. The HHS regulations can be found at Title 45 of the Code of Federal Regulations, Part 46.

Hybrid Entity - A single legal entity that is a covered entity, performs business activities that include both covered and noncovered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a hybrid entity, the Privacy Rule generally applies only to its designated health care components. However, non-health care components of a hybrid entity may be business associates of one or more of its health care components, depending on the nature of their relationship.

Individually Identifiable Health Information - Information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Institutional Review Board (IRB) - An IRB can be used to review and approve a researcher's request to waive or alter the Privacy Rule's requirements for an Authorization. The Privacy Rule does not alter the membership, functions and operations, and review and approval procedures of an IRB regarding the protection of human subjects established by other Federal requirements.

Limited Data Set - Refers to PHI that excludes 16 categories of direct identifiers and may be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual's Authorization or a waiver or an alteration of Authorization for its use and disclosure, with a data use agreement.

Minimum Necessary - The least information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request. Unless an exception applies, this standard applies to a covered entity when using or disclosing PHI or when requesting PHI from another covered entity. A covered entity that is using or disclosing PHI for research without Authorization must make reasonable efforts to limit PHI to the minimum necessary. A covered entity may rely, if reasonable under the circumstances, on documentation of IRB or Privacy Board approval or other appropriate representations and documentation under section 164.512(i) as establishing that the request for protected health information for the research meets the minimum necessary requirements.

Privacy Board - A board that is established to review and approve requests for waivers or alterations of Authorization in connection with a use or disclosure of PHI as an alternative to obtaining such waivers or alterations from an IRB. A Privacy Board consists of members with varying backgrounds and appropriate professional competencies as necessary to review the effect of the research protocol on an individual's privacy rights and related interests. The board must include at least one member who is not affiliated with the covered entity, is not affiliated with any entity conducting or sponsoring the research, and is not related to any person who is affiliated with any such entities. A Privacy Board cannot have any member participating in a review of any project in which the member has a conflict of interest.

Protected Health Information - PHI is individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer.

Research - A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. This includes the development of research repositories and databases for research.

State Law - A constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.

Transaction - The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:

  1. Health care claims or equivalent encounter information.
  2. Health care payment and remittance advice.
  3. Coordination of benefits.
  4. Health care claim status.
  5. Enrollment and disenrollment in a health plan.
  6. Eligibility for a health plan.
  7. Health-plan premium payments.
  8. Referral certification and authorization.
  9. The HHS Secretary is also required to adopt standards for first report of injury, claims attachments, and other transactions that the HHS Secretary may prescribe by regulation.

Transition Provisions - A section of the Privacy Rule that permits covered entities to rely on express legal permission for use and disclosure of PHI, informed consent, or IRB-approved waiver of informed consent for research, provided the legal permission, informed consent, or IRB-approved waiver was obtained prior to the compliance date.

Use - With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within the entity or health care component (for hybrid entities) that maintains such information.

Waiver or Alteration of Authorization - The documentation that the covered entity obtains from a researcher or an IRB or a Privacy Board that states that the IRB or Privacy Board has waived or altered the Privacy Rule's requirement that an individual must authorize a covered entity to use or disclose the individual's PHI for research purposes.

Workforce - Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of the covered entity, whether or not they are paid by the covered entity.

Department of Health and Human Services National Institutes of Health USAGov The HIPAA Privacy Rule