Paubox blog: HIPAA compliant email made easy

What are the HIPAA exceptions for research purposes?

Written by Liyanda Tembani | July 11, 2024

The HIPAA Privacy Rule includes exceptions that allow covered entities to use and disclose protected health information (PHI) for research purposes under specific conditions. These exceptions give researchers and institutions ways to conduct valuable research while ensuring that the privacy of an individual's health information is protected.

 

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule is designed to protect health information from unauthorized use and disclosure. It outlines various standards for covered entities, such as healthcare providers and plans, regarding the collection, sharing, and protection of PHI. This rule safeguards patients' rights to control their health information and promotes transparency in how their data is used. According to the HHS, "A covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations."


Exceptions to the HIPAA privacy rule for research purposes

  1. Research conducted or sponsored by the Federal Government: Federal agencies, including the Department of Health and Human Services, the National Institutes of Health, and the Centers for Disease Control and Prevention, are exempt from certain aspects of the HIPAA Privacy Rule when conducting or sponsoring research. This exception recognizes the government's role in advancing medical knowledge and underscores the importance of research to public welfare.
  2. Research conducted under a waiver of authorization: The Privacy Rule permits covered entities to seek a waiver of authorization from an Institutional Review Board (IRB) or Privacy Board for research projects involving minimal privacy risks. This waiver allows researchers to access PHI without individual consent while maintaining ethical standards. This provision ensures that research with potential benefits outweighing privacy concerns can move forward responsibly, enhancing the progress of medical discovery.
  3. Research on decedents' information: Privacy protections for deceased individuals differ from those of the living. Research on the PHI of individuals who have passed away is not subject to the Privacy Rule, making such research more accessible and potentially valuable. This exception acknowledges that posthumous research can provide insights that contribute to medical progress and inform better healthcare practices.
  4. Research on public health: Covered entities can use and disclose PHI for research endeavors focused on disease prevention, health improvement, and securing funding for health-related activities. This exception highlights the societal benefits of leveraging PHI to address public health challenges, resulting in more effective health interventions.

By allowing covered entities to access PHI under specific conditions, the HIPAA Privacy Rule's exceptions for research purposes enable research initiatives to thrive without compromising individuals' privacy.


FAQs

Can a patient revoke their authorization for their PHI to be used in research?

A patient can revoke their authorization at any time, but the revocation will not affect uses or disclosures that were already made based on the initial authorization.

 

Are researchers required to inform participants if their PHI will be used in future studies?

Researchers must inform participants if their PHI will be used for future studies as part of the initial consent process, ensuring transparency and respect for participant autonomy.

 

How long must a covered entity retain the authorization records for research purposes?

Covered entities must retain authorization records for a minimum of six years from the date the authorization was created or last in effect, whichever is later.