

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) required the creation of a Privacy Rule for identifiable health information. While the primary impact of the Privacy Rule is on the routine provision of and billing for health care, the Rule also affects the conduct and oversight of research.

For further information visit the Department of Health and Human Services.

The Privacy Rule defines individually identifiable health information transmitted or maintained by a covered entity in any form (electronic, written, or oral) as “protected health information” (PHI) and establishes the conditions under which investigators may access and use this information in the conduct of research. Note that if an individual participant is providing health information directly to a researcher, HIPAA does not apply. Rather, it applies only to health information that researchers obtain from a covered entity such as a hospital, doctor’s office, or insurance company. For more information on what qualifies as a covered entity, see the guidance from OHRP.

The HIPAA Privacy Rule requires that a research subject authorize the use or disclosure of their PHI from a covered entity for use in research. This authorization is distinct from the subject’s consent to participate in research. We have provided HIPAA Authorization Template Language here [link to template document]. This language should be added to the end of your research consent form when applicable.

Under certain circumstances, the IRB can grant a waiver or partial waiver of the requirement to obtain written permission to use Protected Health Information for research purposes. A waiver may be granted if:

(A) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:

  • an adequate plan to protect the identifiers from improper use and disclosure;
  • an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
  • adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;

(B) The research could not practicably be conducted without the waiver or alteration; and

(C) The research could not practicably be conducted without access to and use of the protected health information.