Balancing research progress and privacy under HIPAA
Kirsten Peremore
Mar 18, 2025 5:38:34 PM
The HIPAA Privacy Rule protects patient data in research by requiring authorization for using protected health information except in cases where exceptions apply. Authorization forms specify how PHI will be used, while informed consent focuses on research risks.
Some researchers find this to be a barrier to recruitment; 39% of researchers reported that HIPAA had negative impacts on human subject protection. For example, according to a report titled "HIPAA Creating Barriers to Research and Discovery", HIPAA’s restrictions on accessing stored tissue samples, genetic datasets, and electronic medical records have slowed CTSA (Clinical and Translational Science Awards) initiatives aimed at accelerating interdisciplinary research.
Although HIPAA may pose challenges to research, the regulation is designed to improve public trust by providing for consistency in data handling. By better understanding HIPAA and its implications, researchers are more likely to achieve better outcomes for their study and participants.
Privacy and data governance in research
Institutional review boards (IRBs) are the ethical gatekeepers of research, ensuring that standards like the Common Rule and HIPAA are upheld. These boards enforce protections such as encryption and data minimization.
State laws add another layer of complexity: California’s Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA) grant residents control over their data, while newer laws like Tennessee’s TDPSA and Indiana’s INCDPA impose requirements for transparency and consumer opt-outs.
This fragmented system creates challenges, as noted by a 2020 ISACA Journal analysis describing the U.S. system as a "disparate landscape in need of consolidation" due to conflicting standards across industries and jurisdictions. For example, while HIPAA governs health data, financial and educational records fall under the Gramm-Leach-Bliley Act (GLBA) and FERPA, respectively, leading to inconsistencies in enforcement.
A 2021 study showed that publicly revealing participants increased re-identification risks, necessitating "robust oversight mechanisms" such as penalties under laws like the Computer Fraud and Abuse Act (CFAA). The study, published in the Journal of Law and the Biosciences, states: “However, careful drafting of [Data Use Agreements] DUAs is essential. For example, if there is a desire to maximize potential claims by participants, an agreement should explicitly state an intent to benefit them. Even so, the damages from a violation of DUAs are likely to be difficult to prove for research participants seeking to recover or for data holders seeking to deter unwanted behavior.”
The core HIPAA provisions related to research
Definition of PHI and scope
HIPAA defines PHI as individually identifiable health information linked to any of 18 identifiers (e.g., names, dates, Social Security numbers, medical record numbers, biometric data). This includes:
- Medical records, billing data, and test results.
- Information created during research (e.g., clinical trial diagnoses) that is entered into medical records.
Authorization requirements
Researchers must get written HIPAA authorization from participants to access PHI unless an exception applies. Authorization forms must specify:
- The PHI to be used/disclosed.
- The purpose of the disclosure.
- Expiration date and participant’s right to revoke.
This differs from the Common Rule’s informed consent, which focuses on study risks/benefits rather than privacy specifics.
Waivers of authorization
Institutional Review Boards (IRBs) may grant waivers if researchers demonstrate:
- Minimal privacy risk.
- The research could not "practicably" be conducted without PHI.
- Adequate safeguards to protect PHI.
For example, retrospective chart reviews often qualify for waivers, but ambiguity in interpreting "practicability" (e.g., whether cost or feasibility counts) leads to inconsistent IRB decisions.
De-identified data
PHI stripped of all 18 identifiers is exempt from HIPAA restrictions. De-identification methods include:
- Expert determination: Statistical verification that re-identification risk is minimal.
- Safe harbor: Removal of all specified identifiers (e.g., dates, geographic subdivisions smaller than a state).
Limited Data Sets (LDS)
Researchers may use LDSs containing partial identifiers (e.g., dates, city-level locations) if they sign a DUA prohibiting re-identification or unauthorized sharing.
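The Safe Harbor method and the Limited Data Set described above differ mainly in which fields survive. The following example (added here, not code from the original post) applies both transformations to one constructed patient record; it goes slightly beyond the text by also handling the Safe Harbor rules for three-digit ZIP codes and for ages of 90 and over. The field names, the sample values and the small restricted-ZIP3 set are all assumptions for illustration.

```python
from datetime import date

# Constructed sample records (every value invented for this example).
AS_OF = date(2025, 3, 18)  # reference date for computing age
RECORD = {
    "name": "Jane Q. Sample", "mrn": "MRN-0042", "ssn": "123-45-6789",
    "email": "jane@example.com", "street": "12 Elm St",
    "city": "Charlestown", "state": "NH", "zip": "03601",
    "birth_date": date(1931, 4, 2), "admit_date": date(2024, 11, 5),
    "diagnosis": "I10", "hba1c": 6.9,
}
RECORD_2 = {**RECORD, "name": "John Sample", "birth_date": date(1980, 6, 30),
            "zip": "02139"}

# Direct identifiers that both Safe Harbor and a Limited Data Set remove
# (a subset of HIPAA's list; a full implementation covers all of them).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "email", "street"}
DATE_FIELDS = ("birth_date", "admit_date")
# ZIP3 prefixes covering 20,000 or fewer people must become "000" under
# Safe Harbor. Illustrative subset only; derive the real set from Census data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203"}


def age_on(birth, as_of):
    """Completed years between birth and as_of."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def safe_harbor(rec, as_of=AS_OF):
    """Safe Harbor method: drop direct identifiers and sub-state geography,
    keep only the year of dates, generalize ZIP to 3 digits, and collapse
    ages of 90+ (and any date that would reveal them) into one category."""
    out = {k: v for k, v in rec.items()
           if k not in DIRECT_IDENTIFIERS and k not in ("city", "zip")}
    for f in DATE_FIELDS:
        out[f] = rec[f].year                      # year alone is permitted
    age = age_on(rec["birth_date"], as_of)
    if age >= 90:
        out["age"] = "90+"
        out["birth_date"] = None                  # birth year would reveal age > 89
    else:
        out["age"] = age
    zip3 = rec["zip"][:3]
    out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
    return out


def limited_data_set(rec):
    """Limited Data Set: direct identifiers removed, but full dates and
    city/state/ZIP retained. Usable only under a signed DUA."""
    return {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
```

Running both functions on the same record makes the trade-off concrete: the LDS keeps admission dates and city for research use under a DUA, while the Safe Harbor output is no longer PHI but loses that granularity.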
Preparatory-to-research activities
Covered entities may disclose PHI without authorization for preparatory tasks like feasibility assessments or recruiting participants, provided:
- PHI is not removed from the covered entity’s site.
- Researchers do not record identifiers.
Research on decedents
PHI of deceased individuals may be used without authorization if researchers provide documentation of death and assurances that PHI is necessary for the study.
Accounting of disclosures
Covered entities must track and, upon request, provide individuals with a list of PHI disclosures made for research over the past six years. Exceptions include disclosures via authorization or as part of an LDS.
Does HIPAA impact the decision-making of IRBs?
Under the Privacy Rule, IRBs are responsible for evaluating whether researchers meet the criteria for waivers of authorization, which require demonstrating that the use of PHI involves "no more than a minimal risk to privacy" and includes adequate safeguards to protect data confidentiality.
HIPAA also intersects with other regulations like the Common Rule, creating challenges in harmonizing privacy protections across different research contexts. The 2018 revisions to the Common Rule introduced new exempt categories of research, such as secondary use of identifiable data, which shifted some privacy oversight away from IRBs to administrative staff.
The use of PHI in research
With patient authorization
Researchers must obtain a written HIPAA authorization form that includes six core elements:
- A description of the PHI to be used
- Names of entities disclosing/receiving PHI
- Specific research purposes
- Expiration date
- Participant signature
- Required statements (e.g., revocation rights, non-conditioning of care).
This authorization is study-specific and prohibits PHI reuse for unrelated purposes. For example, a clinical trial might combine HIPAA authorization with informed consent in a single document.
Without patient authorization
HIPAA permits PHI use without authorization only if an Institutional Review Board (IRB) or Privacy Board grants a waiver of authorization under §164.512(i)(2)(ii). To qualify, researchers must demonstrate:
- Minimal privacy risk via safeguards like encryption, secure storage, and plans to destroy identifiers post-research.
- The impracticability of obtaining authorization (e.g., retrospective studies with deceased participants).
- Necessity of PHI for the research.
Advancements in medical research enabled by HIPAA-compliant practices
Combining informed consent with HIPAA authorization has streamlined clinical trial processes while maintaining ethical standards. It has been particularly impactful in cancer research, where patient-authorized biobanks have driven innovations in immunotherapy and genetic studies. Also, the use of preparatory-to-research provisions under HIPAA has allowed researchers to screen medical records for potential participants without removing PHI from covered entities, expediting recruitment for time-sensitive studies like vaccine trials.
However, HIPAA’s influence extends beyond individual studies. It has encouraged the adoption of advanced encryption technologies and secure data-sharing platforms such as HIPAA-compliant email. For example, academic medical centers report that compliance with HIPAA has enhanced their ability to participate in multi-center trials and national research networks like the NIH’s All of Us initiative.
Potential updates to accommodate modern research methods
HIPAA’s 2025 Security Rule update eliminates the distinction between “addressable” and “required” safeguards and mandates annual vulnerability scans and encryption for all entities handling electronic PHI (ePHI). Stricter risk analysis requirements also compel organizations to track ePHI movement and address vulnerabilities proactively. Proposed Privacy Rule revisions aim to streamline patient access by reducing the timeframe for PHI disclosure from 30 to 15 days, accelerating recruitment for time-sensitive studies like clinical trials.
Legislators are also addressing gaps in third-party data sharing: updates to the HITECH Act now require accounting for PHI disclosures for treatment, operations, and payment, while proposed mandatory PHI sharing between healthcare providers could enhance data accessibility for research networks. However, challenges persist in balancing innovation with privacy. For example, third-party website tracking tools used in digital health research must undergo assessments to prevent unauthorized PHI sharing, reflecting broader efforts to mitigate risks in emerging technologies.
A 2023 OIG report criticized HIPAA audits for neglecting technical safeguards, such as encryption and network security. A 2024 Paubox news story notes, “The Department of Health and Human Services (HHS) Office of Inspector General (OIG) released a report accusing the Office for Civil Rights (OCR) of failing to take effective measures to reduce cybersecurity risks in healthcare.” The report found that OCR’s audits focused narrowly on administrative safeguards (e.g., policies) while ignoring physical and technical measures, leaving gaps in cybersecurity oversight. This prompted the 2025 HIPAA Security Rule updates.
FAQs
How do HIPAA and GDPR apply to U.S. researchers collaborating with EU partners?
HIPAA governs PHI in the U.S., while GDPR applies to data from EU residents. For example, a U.S. study recruiting EU participants must comply with GDPR’s stricter anonymization standards, which classify HIPAA de-identified data as pseudonymized (still regulated). Researchers must either exclude EU participants or implement GDPR-compliant safeguards like encryption and Data Use Agreements.
Can researchers disclose PHI under a subpoena if they have a Certificate of Confidentiality?
Certificates of Confidentiality (CoCs) legally prohibit compelled disclosure of identifiable data, even under court orders.
How does COPPA affect studies involving children under 13?
Researchers must obtain verifiable parental consent for collecting personal data (e.g., names, birthdates). For minimal-risk studies, consent can be obtained via mail or fax, while higher-risk studies require in-person parental permission.