HIPAA sets strict guidelines for handling and sharing protected health information (PHI) to ensure patient privacy. These guidelines are also applicable to clinical trials and patient research. Researchers must obtain authorization to use PHI, use secure communication channels, and share only the minimum necessary information. HIPAA requires agreements with third-party vendors, restricts data sharing to de-identified information where possible, and requires that patients can access and amend their data.
HIPAA defines protected health information (PHI) as any identifiable information, such as medical records, contact details, or health status, that a covered entity, like a healthcare provider or health plan, collects or maintains. Research programs working with PHI must follow HIPAA guidelines to avoid breaches and penalties. HIPAA compliance applies when studies involve data from covered entities or business associates, including patient data stored in clinical records or electronic health databases.
According to the HHS, "Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research."
Researchers often need access to PHI to recruit patients. However, HIPAA requires researchers to obtain patient authorization or an Institutional Review Board (IRB) waiver.
HIPAA permits limited use of PHI for “preparatory to research” purposes, which means researchers can review PHI to assess eligibility but cannot record or disclose PHI without prior authorization. During recruitment, using secure, HIPAA compliant channels like Paubox's encrypted email protects data in initial communications.
HIPAA requires researchers to obtain signed authorizations for using PHI in clinical research, typically during the informed consent process. The authorization informs participants how their data will be used, shared, and protected. It must include details about the type of PHI collected, specific recipients, and the research’s purpose. Researchers must ensure patients are informed about their rights regarding data access and correction. Detailed authorization forms should clarify these points, promoting transparency and compliance.
However, the FDA states that it "allows an exception from the requirement to obtain informed consent when a clinical investigation poses no more than minimal risk to the human subject and includes appropriate safeguards to protect the rights, safety, and welfare of human subjects."
HIPAA requires using secure communication tools to share PHI, such as encrypted email and secure messaging platforms throughout the study. HIPAA’s “minimum necessary” rule requires only essential PHI be shared with team members. Clear internal protocols for communicating PHI within research teams can minimize unauthorized access and ensure compliance. All communications, from email exchanges to meeting discussions, should respect this rule to protect patient data.
When clinical trials involve third-party vendors, like data storage providers or analytics tools, HIPAA requires business associate agreements (BAAs) with these vendors to ensure secure PHI handling. Research programs may also share data with sponsors or collaborators. In such cases, researchers should use de-identified or limited data sets, which contain fewer identifiers, to comply with the HIPAA guidelines.
Related: How to de-identify protected health information for privacy
HIPAA grants patients the right to access and amend their data, even when used in research. If a patient requests access, the research team must be prepared to provide a copy of their PHI within HIPAA’s timelines. Patients may also request amendments if they find errors in their data. Research programs must balance these requests with trial data integrity, ensuring any modifications are documented carefully. Researchers should update participants if there are changes to data privacy practices.
“Between privacy and confidentiality, confidentiality is arguably the more important one in research,” says the University of Virginia. This is because “privacy is easily assured with proper consent procedures, confidentiality of data takes more effort to maintain.” HIPAA requires that researchers maintain the confidentiality of PHI throughout the entire research process. HIPAA compliant data collection practices involve securing PHI during surveys, assessments, and follow-ups. Communication about results should be safeguarded by encryption and secure storage. HIPAA also requires policies for data retention and disposal; researchers must store PHI securely and dispose of it safely after a trial. When publishing results, de-identification is necessary. Researchers should aggregate data to remove identifiers, ensuring compliance and protecting participants.
HIPAA prohibits sharing identifiable patient information on social media without explicit patient consent. Researchers must be cautious not to disclose PHI in posts or communications that could identify participants, even inadvertently.
Yes, researchers can use EHRs for research purposes. However, they must ensure compliance with HIPAA by obtaining proper authorizations or using de-identified data. Additionally, covered entities must have safeguards to protect PHI when accessing EHRs.
IRBs review research proposals to ensure ethical standards are met, including compliance with HIPAA. They assess whether the proposed use of PHI is justified and if adequate measures are in place to protect participant privacy.